Table of Contents
Advertisement
User Specific Security Policies
You can specify users or user groups in Security Policies. For example, to allow a specific user from any
computer to access a zone by logging in to the Zyxel Device, you can set up a policy based on the user
name only. If you also apply a schedule to the Security Policy, the user can only access the network at
the scheduled time. A user-aware Security Policy is activated whenever the user logs in to the Zyxel
Device and will be disabled after the user logs out of the Zyxel Device.
Session Limits
Accessing the Zyxel Device or network resources through the Zyxel Device requires a NAT session and
corresponding Security Policy session. Peer to peer applications, such as file sharing applications, may
use a large number of NAT sessions. A single client could use all of the available NAT sessions and
prevent others from connecting to or through the Zyxel Device. The Zyxel Device lets you limit the
number of concurrent NAT/Security Policy sessions a client can use.
25.4 The Security Policy Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the Zyxel Device's LAN IP
address, return traffic may not go through the Zyxel Device. This is called an asymmetrical or "triangle"
route. This causes the Zyxel Device to reset the connection, as the connection has not been
acknowledged.
You can have the Zyxel Device permit the use of asymmetrical route topology on the network (not reset
the connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the
LAN without passing through the Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel
Device and the backup gateway on separate subnets. Virtual interfaces allow you to partition your
network into logical sections over the same interface. See the chapter about interfaces for more
information.
By putting LAN 1 and the alternate gateway (A in the figure) in different subnets, all returning network
traffic must pass through the Zyxel Device to the LAN. The following steps and figure describe such a
scenario.
A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the
1
WAN.
The Zyxel Device reroutes the packet to gateway A, which is in Subnet 2.
2
The reply from the WAN goes to the Zyxel Device.
3
The Zyxel Device then sends it to the computer on the LAN1 in Subnet 1.
4
Chapter 25 Security Policy
ZyWALL ATP Series User's Guide
476
- Quick Links:
- Web Configurator
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
