What You Need To Know About Application Patrol - ZyXEL Communications ZyWall USG 2000 User Manual
Unified security gateway
Hide thumbs
Also See for ZyWall USG 2000:
- User manual (1114 pages) ,
- Manual (964 pages) ,
- Support notes (227 pages)
Table of Contents
Advertisement
Chapter 29 Application Patrol
29.1.2 What You Need to Know About Application Patrol
If you want to use a service, make sure both the firewall and application patrol
allow the service's packets to go through the ZyWALL.
Note: The ZyWALL checks firewall rules before it checks application patrol rules for
traffic going through the ZyWALL.
Application patrol examines every TCP and UDP connection passing through the
ZyWALL and identifies what application is using the connection. Then, you can
specify, by application, whether or not the ZyWALL continues to route the
connection.
Configurable Application Policies
The ZyWALL has policies for individual applications. For each policy, you can
specify the default action the ZyWALL takes once it identifies one of the service's
connections.
You can also specify custom policies that have the ZyWALL forward, drop, or
reject a service's connections based on criteria that you specify (like the source
zone, destination zone, original destination port of the connection, schedule, user,
source, and destination information). Your custom policies take priority over the
policy's default settings.
Classification of Applications
There are two ways the ZyWALL can identify the application. The first is called
auto. The ZyWALL looks at the IP payload (OSI level-7 inspection) and attempts
to match it with known patterns for specific applications. Usually, this occurs at
the beginning of a connection, when the payload is more consistent across
connections, and the ZyWALL examines several packets to make sure the match is
correct.
Note: The ZyWALL allows the first eight packets to go through the firewall, regardless
of the application patrol policy for the application. The ZyWALL examines these
first eight packets to identify the application.
The second approach is called service ports. The ZyWALL uses only OSI level-4
information, such as ports, to identify what application is using the connection.
This approach is available in case the ZyWALL identifies a lot of "false positives"
for a particular application.
Custom Ports for SIP and the SIP ALG
Configuring application patrol to use custom port numbers for SIP traffic also
configures the SIP ALG (see
444
Chapter 18 on page
293) to use the same port
ZyWALL USG 2000 User's Guide
Advertisement
Table of Contents
Troubleshooting
