Firewall; Chapter 18 Firewall; Firewall Overview - ZyXEL Communications UAG Series Cli Reference Manual

Unified access gateway

This chapter introduces the UAG's firewall and shows you how to configure your UAG's firewall.

18.1 Firewall Overview

The UAG's firewall is a stateful inspection firewall. The UAG restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.

A zone is a group of interfaces or VPN tunnels. Group the UAG's interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones or even between interfaces and/or VPN tunnels in a zone.

This example shows the UAG's default firewall behavior for WAN to LAN traffic and how stateful inspection works. A LAN user can initiate a Telnet session from within the LAN zone and the firewall allows the response. However, the firewall blocks Telnet traffic initiated from the WAN zone and destined for the LAN zone. The firewall allows VPN traffic between any of the networks.

Figure 18 Default Firewall Action

Your customized rules take precedence and override the UAG's default settings. The UAG checks the schedule, user name (user's login name on the UAG), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the UAG takes the action specified in the rule.

For example, if you want to allow a specific user from any computer to access one zone by logging in to the UAG, you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the UAG and will be disabled after the user logs out of the UAG.
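
The rule matching described above, modelled as an added example (not ZyXEL's code and not UAG CLI syntax): rules are checked in listed order, the first match decides the action, and a user-aware rule only applies while that user is logged in. The rule names, the user `alice`, the addresses and the simplified daily time-window schedule are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    user: Optional[str] = None                    # None = any user
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None                   # None = any IP protocol
    schedule: Optional[Tuple[time, time]] = None  # None = always active

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    at: time
    user: Optional[str] = None   # login name, or None if nobody is logged in

def matches(rule: Rule, pkt: Packet) -> bool:
    # A user-aware rule is only active while that user is logged in.
    if rule.user is not None and rule.user != pkt.user:
        return False
    if rule.schedule is not None and not (rule.schedule[0] <= pkt.at <= rule.schedule[1]):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst))

def evaluate(rules, pkt, default="deny"):
    """First match wins, in listed order; otherwise the default action applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"

# Constructed sample data: addresses, user name and rule names are hypothetical.
LAN = "192.168.1.0/24"
RULES = [
    Rule("alice-office-hours", "allow", user="alice", dst=LAN,
         schedule=(time(8, 0), time(18, 0))),
    Rule("deny-tcp-to-lan", "deny", dst=LAN, proto="tcp"),
]
```

Evaluating the same packet against `list(reversed(RULES))` shows why order matters: the broad deny rule then matches first and the user-aware allow rule is never reached.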