Configuring User, Group, And Global Policies - NETGEAR FVS336Gv1 - ProSafe Dual WAN Gigabit Firewall Reference Manual

Dual wan gigabit firewall with ssl & ipsec vpn

Hide thumbs Also See for FVS336Gv1 - ProSafe Dual WAN Gigabit Firewall:

Setup manual (9 pages)

Configuration (10 pages)

Use manual (9 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

Table of Contents

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual

Configuring User, Group, and Global Policies

An administrator can define and apply user, group and global policies to predefined network

resource objects, IP addresses, address ranges, or all IP addresses and to different SSL VPN

services. A specific hierarchy is invoked over which policies take precedence.

The VPN firewall policy hierarchy is defined as:

1. User Policies take precedence over all group policies.

2. Group Policies take precedence over all global policies.

3. If two or more user, group or global policies are configured, the most specific policy takes

precedence.

For example, a policy configured for a single IP address takes precedence over a policy configured

for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over

a policy applied to all IP addresses. If two or more IP address ranges are configured, then the

smallest address range takes precedence. Hostnames are treated the same as individual IP

addresses.

Network resources are prioritized just like other address ranges. However, the prioritization is

based on the individual address or address range, not the entire network resource.

For example, let's assume the following global policy configuration:

•

Policy 1: A Deny rule has been configured to block all services to the IP address range

10.0.0.0 – 10.0.0.255.

•

Policy 2: A Deny rule has been configured to block FTP access to 10.0.1.2 – 10.0.1.10.

•

Policy 3: A Permit rule has been configured to allow FTP access to the predefined network

resource, FTP Servers. The FTP Servers network resource includes the following addresses:

10.0.0.5 – 10.0.0.20 and ftp.company.com, which resolves to 10.0.1.3.

Assuming that no conflicting user or group policies have been configured, if a user attempted to

access:

•

An FTP server at 10.0.0.1, the user would be blocked by Policy 1.

•

An FTP server at 10.0.1.5, the user would be blocked by Policy 2.

•

An FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address

range 10.0.0.5 - 10.0.0.20 is more specific than the IP address range defined in Policy 1.

•

An FTP server at ftp.company.com, the user would be granted access by Policy 3. A single

host name is more specific than the IP address range configured in Policy 2.

Virtual Private Networking Using SSL

v1.0, January 2010

6-15

Table of Contents

Troubleshooting

This manual is also suitable for:

Prosafe fvs336g

Configuring User, Group, And Global Policies - NETGEAR FVS336Gv1 - ProSafe Dual WAN Gigabit Firewall Reference Manual

Configuring User, Group, and Global Policies

Troubleshooting

Related Manuals for NETGEAR FVS336Gv1 - ProSafe Dual WAN Gigabit Firewall

Related Content for NETGEAR FVS336Gv1 - ProSafe Dual WAN Gigabit Firewall

This manual is also suitable for:

Table of Contents