ZyXEL Communications ZyWALL USG 300 User Manual page 317

Unified security gateway
• The ZyWALL drops most packets from the WAN zone to the ZyWALL itself, except for
VRRP traffic for Device HA and ESP/AH/IKE/NATT/HTTPS services for VPN tunnels,
and generates a log.
• The ZyWALL drops most packets from the DMZ zone to the ZyWALL itself, except for
DNS and NetBIOS traffic, and generates a log.
When you configure a firewall rule for packets destined for the ZyWALL itself, make sure it
does not conflict with your service control rule. See Chapter 45 on page 651 for more
information about service control (remote management). The ZyWALL checks the firewall
rules before the service control rules for traffic destined for the ZyWALL.
You can configure a To-ZyWALL firewall rule (with From Any To ZyWALL direction) for
traffic from an interface which is not in a zone.
Global Firewall Rules
Firewall rules with from any and/or to any as the packet direction are called global firewall
rules. The global firewall rules are the only firewall rules that apply to an interface or VPN
tunnel that is not included in a zone. The from any rules apply to traffic coming from the
interface and the to any rules apply to traffic going to the interface.
Firewall Rule Criteria
The ZyWALL checks the schedule, user name (user's login name on the ZyWALL), source IP
address, destination IP address and IP protocol type of network traffic against the firewall
rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the
action specified in the rule.
User Specific Firewall Rules
You can specify users or user groups in firewall rules. For example, to allow a specific user
from any computer to access a zone by logging in to the ZyWALL, you can set up a rule based
on the user name only. If you also apply a schedule to the firewall rule, the user can only
access the network at the scheduled time. A user-aware firewall rule is activated whenever the
user logs in to the ZyWALL and will be disabled after the user logs out of the ZyWALL.
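The three preceding sections (global rules, rule criteria and user-specific rules) describe one matching procedure: rules are walked in the listed order, every configured criterion (direction, schedule, user, source, destination, protocol) must match, the first match decides, a From Any / To Any rule also covers interfaces that belong to no zone, and a user-aware rule is only live while that user is logged in. The following Python simulation is an added example written for this page, not ZyXEL code; the zone names, addresses, rule names, the hour-based schedule and the default policy passed to `evaluate()` are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Packet:
    """One piece of traffic as the gateway would classify it (constructed for this example)."""
    from_zone: Optional[str]          # None = arriving on an interface/tunnel that is in no zone
    to_zone: Optional[str]            # None = leaving on an interface in no zone; "ZyWALL" = to the device
    src: str
    dst: str
    protocol: str                     # service name, e.g. "http", "telnet"
    user: Optional[str] = None        # login name associated with the source host, if any
    hour: int = 12                    # hour of day used for the schedule check (assumed granularity)


@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    from_zone: str = "any"            # "any" makes this a global (From Any) rule
    to_zone: str = "any"              # "any" makes this a global (To Any) rule
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    protocol: str = "any"
    user: Optional[str] = None        # user-aware rule: active only while that user is logged in
    schedule: Optional[Tuple[int, int]] = None   # (start_hour, end_hour), end exclusive


def zone_matches(rule_zone: str, pkt_zone: Optional[str]) -> bool:
    # "any" covers every zone and also interfaces/tunnels that belong to no zone;
    # a named zone can never match traffic on an interface that is in no zone.
    if rule_zone == "any":
        return True
    return pkt_zone is not None and rule_zone == pkt_zone


def rule_matches(rule: Rule, pkt: Packet, logged_in: frozenset) -> bool:
    """Every configured criterion must match: direction, schedule, user, addresses, protocol."""
    if not zone_matches(rule.from_zone, pkt.from_zone):
        return False
    if not zone_matches(rule.to_zone, pkt.to_zone):
        return False
    if rule.schedule is not None:
        start, end = rule.schedule
        if not (start <= pkt.hour < end):
            return False
    if rule.user is not None:
        # A user-aware rule is disabled once the user logs out, so the login state is checked too.
        if rule.user not in logged_in or pkt.user != rule.user:
            return False
    if ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst_net):
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    return True


def evaluate(rules, pkt: Packet, logged_in: frozenset = frozenset(), default: str = "deny"):
    """Walk the rules in listed order; the first match decides. `default` is an assumed fallback."""
    for rule in rules:
        if rule_matches(rule, pkt, logged_in):
            return rule.action, rule.name
    return default, "default-policy"


# Constructed rule set: a user-aware, scheduled allow listed above a zone-wide deny,
# followed by a global (From Any / To Any) rule that also covers interfaces outside zones.
RULES = [
    Rule("alice-lan-to-dmz-office-hours", "allow", "LAN", "DMZ", user="alice", schedule=(9, 17)),
    Rule("lan-to-dmz-deny", "deny", "LAN", "DMZ"),
    Rule("global-deny-telnet", "deny", protocol="telnet"),
]


def demo():
    """Run a few constructed packets through the rule set and collect (action, matched rule)."""
    results = {}
    alice = Packet("LAN", "DMZ", "192.168.1.10", "10.0.0.5", "http", user="alice", hour=10)
    results["alice_logged_in"] = evaluate(RULES, alice, frozenset({"alice"}))
    results["alice_logged_out"] = evaluate(RULES, alice)          # rule 1 is inactive, rule 2 denies
    late = Packet("LAN", "DMZ", "192.168.1.10", "10.0.0.5", "http", user="alice", hour=20)
    results["alice_after_hours"] = evaluate(RULES, late, frozenset({"alice"}))
    # Traffic from an interface in no zone: only the global rule can ever apply.
    nozone = Packet(None, "DMZ", "172.16.0.9", "10.0.0.5", "telnet")
    results["nozone_telnet"] = evaluate(RULES, nozone)
    web = Packet(None, "DMZ", "172.16.0.9", "10.0.0.5", "http")
    results["nozone_http"] = evaluate(RULES, web, default="allow")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The ordering matters: if the zone-wide deny were listed first, the user-aware allow could never match, which is why a practitioner reviewing a ruleset on the gateway reads it top to bottom rather than as an unordered set.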
Firewall and Application Patrol
To use a service, make sure both the firewall and application patrol allow the service's packets
to go through the ZyWALL. The ZyWALL checks the firewall rules before the application
patrol rules for traffic going through the ZyWALL.
Firewall and VPN Traffic
After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to
VPN traffic. If you add a VPN tunnel to an existing zone (the LAN zone for example), you can
configure a new LAN to LAN firewall rule or use intra-zone traffic blocking to allow or block
VPN traffic transmitted between the VPN tunnel and other interfaces in the LAN zone. If you
add the VPN tunnel to a new zone (the VPN zone for example), you can configure rules for
VPN traffic between the VPN zone and other zones or From VPN To-ZyWALL rules for
VPN traffic destined for the ZyWALL.
ZyWALL USG 300 User's Guide, Chapter 20 Firewall, page 317