ZyXEL Communications Unified Security Gateway ZyWALL 300 User Manual page 285

Unified security gateway
Table 88 Firewall (continued)

LABEL: Allow Asymmetrical Route
DESCRIPTION: If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or "triangle" route. This causes the ZyWALL to reset the connection, as the connection has not been acknowledged.
Select this check box to have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection).
Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. See Section 19.5 on page 283 for an example.

LABEL: Maximum session per host
DESCRIPTION: Use this field to set the highest number of sessions that the ZyWALL will permit a computer with the same IP address to have at one time.
When computers use peer-to-peer applications, such as file sharing applications, they may use a large number of NAT sessions. If you do not limit the number of NAT sessions a single client can establish, this can result in all of the available NAT sessions being used. In this case, no additional NAT sessions can be established, and users may not be able to access the Internet.
Each NAT session establishes a corresponding firewall session. Use this field to limit the number of NAT/firewall sessions each client computer can establish through the ZyWALL.
If your network has a small number of clients using peer-to-peer applications, you can raise this number to ensure that their performance is not degraded by the number of NAT sessions they can establish. If your network has a large number of users using peer-to-peer applications, you can lower this number to ensure no single client is using too many of the available NAT sessions.

LABEL: From Zone / To Zone
DESCRIPTION: This is the direction of travel of packets. Select from which zone the packets come and to which zone the packets go.
Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN.
From any displays all the firewall rules for traffic going to a particular zone.
To any displays all the firewall rules for traffic coming from a particular zone.
From any to any displays all of the firewall rules.
To ZyWALL rules are for traffic that is destined for the ZyWALL and control which computers can manage the ZyWALL.

The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction.

LABEL: #
DESCRIPTION: This is the index number of your firewall rule. It is not associated with a specific rule.

LABEL: Priority
DESCRIPTION: This is the position of your firewall rule in the global rule list (including all through-ZyWALL and to-ZyWALL rules). The ordering of your rules is important as rules are applied in sequence.

LABEL: Schedule
DESCRIPTION: This field tells you the schedule object that the rule uses. none means the rule is active at all times if enabled.

LABEL: User
DESCRIPTION: This is the user name or user group name to which this firewall rule applies.

LABEL: Source
DESCRIPTION: This displays the source address object to which this firewall rule applies.

LABEL: Destination
DESCRIPTION: This displays the destination address object to which this firewall rule applies.

LABEL: Service
DESCRIPTION: This displays the service object to which this firewall rule applies.

ZyWALL USG 300 User's Guide
Chapter 19 Firewall
285
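The two behaviours the table describes, the reset of an unacknowledged connection on a "triangle" route and the per-host session cap, as an added toy model of a stateful session table; this is constructed for illustration here, not ZyXEL's code, and the class name, method names and 10.0.0.x / 203.0.113.x addresses are made up.

```python
from collections import defaultdict

# Hypothetical toy session table modelling two ZyWALL firewall settings
# (constructed illustration, not the ZyWALL implementation).
class SessionTable:
    def __init__(self, max_session_per_host, allow_asymmetrical_route=False):
        self.max_per_host = max_session_per_host
        self.allow_asym = allow_asymmetrical_route
        self.state = {}                   # flow key -> "syn_sent" | "established"
        self.per_host = defaultdict(int)  # client IP -> open session count

    def client_packet(self, client, server, sport, dport, syn):
        """LAN -> WAN packet. Returns 'allow', 'drop' (limit reached) or 'reset'."""
        key = (client, server, sport, dport)
        if syn:
            if key in self.state:
                return "allow"            # retransmitted SYN of a known flow
            if self.per_host[client] >= self.max_per_host:
                return "drop"             # Maximum session per host reached
            self.state[key] = "syn_sent"
            self.per_host[client] += 1
            return "allow"
        st = self.state.get(key)
        if st is None:
            return "drop"                 # no session for this packet
        if st == "syn_sent":
            # The client is sending ACK/data but the ZyWALL never saw the server's
            # reply: it returned via the alternate gateway (asymmetrical route), so
            # from the ZyWALL's point of view the connection was never acknowledged.
            if not self.allow_asym:
                del self.state[key]
                self.per_host[client] -= 1
                return "reset"
            self.state[key] = "established"
        return "allow"

    def server_packet(self, client, server, sport, dport):
        """WAN -> LAN reply for a flow the client opened (the symmetric case)."""
        key = (client, server, sport, dport)
        if key not in self.state:
            return "drop"
        self.state[key] = "established"
        return "allow"

    def close(self, client, server, sport, dport):
        """Remove a finished session and free its slot for the client host."""
        if self.state.pop((client, server, sport, dport), None) is not None:
            self.per_host[client] -= 1
```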