Security Policy Control Screen - ZyXEL Communications UAG5100 User Manual
Unified access gateway
Hide thumbs
Also See for UAG5100:
- User manual (505 pages) ,
- Firmware release notes (29 pages) ,
- Quick start manual (2 pages)
Table of Contents
Advertisement
Chapter 25 Security Policy
service control (remote management). The UAG checks the security policies before the service
control rules for traffic destined for the UAG.
A From Any To Device direction rule applies to traffic from an interface which is not in a zone.
Global Security Policies
Security policies with from any and/or to any as the packet direction are called global security
policies. The global security policies are the only security policies that apply to an interface that is
not included in a zone. The from any rules apply to traffic coming from the interface and the to
any rules apply to traffic going to the interface.
Security Policy Rule Criteria
The UAG checks the schedule, user name (user's login name on the UAG), source IP address,
destination IP address and IP protocol type of network traffic against the policy control rules (in the
order you list them). When the traffic matches a rule, the UAG takes the action specified in the rule.
User Specific Security Policies
You can specify users or user groups in security policies. For example, to allow a specific user from
any computer to access a zone by logging in to the UAG, you can set up a policy based on the user
name only. If you also apply a schedule to the security policy, the user can only access the network
at the scheduled time. A user-aware security policy is activated whenever the user logs in to the
UAG and will be disabled after the user logs out of the UAG.
Session Limits
Accessing the UAG or network resources through the UAG requires a NAT session and
corresponding security policy session. Peer to peer applications, such as file sharing applications,
may use a large number of NAT sessions. A single client could use all of the available NAT sessions
and prevent others from connecting to or through the UAG. The UAG lets you limit the number of
concurrent NAT/security policy sessions a client can use.
Finding Out More
• See
Section 25.4 on page 299
for an example of creating security policies as part of configuring
user-aware access control.
25.2 Security Policy Control Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the UAG's LAN IP
address, return traffic may not go through the UAG. This is called an asymmetrical or "triangle"
route. This causes the UAG to reset the connection, as the connection has not been acknowledged.
You can have the UAG permit the use of asymmetrical route topology on the network (not reset the
connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the
LAN without passing through the UAG. A better solution is to use virtual interfaces to put the UAG
UAG Series User's Guide
291
- Quick Links:
- Web Configurator Access
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
