Configuring The Firewall Screen - ZyXEL Communications ZYWALL USG 2000 Manual

Unified security gateway
You can have the ZyWALL permit asymmetrical routes on the network (that is, not
reset a connection whose two directions take different paths). However, allowing
asymmetrical routes may let traffic from the WAN reach the LAN directly, without
passing through the ZyWALL and its firewall. A better solution is to use virtual interfaces to put the ZyWALL and the
backup gateway on separate subnets. Virtual interfaces allow you to partition your
network into logical sections over the same interface. See the chapter about
interfaces for more information.
By putting LAN 1 and the alternate gateway (A in the figure) in different subnets,
all returning network traffic must pass through the ZyWALL to the LAN. The
following steps and figure describe such a scenario.
1 A computer on the LAN initiates a connection by sending a SYN packet to a
receiving server on the WAN.
2 The ZyWALL reroutes the packet to gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the ZyWALL.
4 The ZyWALL then sends it to the computer on the LAN in Subnet 1.
Figure 211 Using Virtual Interfaces to Avoid Asymmetrical Routes
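The following is an added toy model of the four steps above; it is example code written for this page, not ZyXEL code, and it does not use the ZyWALL CLI. It simulates longest-prefix-match routing on four constructed nodes (the LAN host, the ZyWALL as a stateful firewall, backup gateway A, and a WAN server) and compares the two topologies: gateway A on the same subnet as the LAN host, and gateway A on a separate subnet reachable only through the ZyWALL (the virtual-interface layout in the figure). All addresses, node names and the route on gateway A are assumptions made for the illustration; the WAN is collapsed into a single link between gateway A and the server.

```python
"""Added example: why a stateful firewall resets connections that take an
asymmetric route, and how separate subnets force the reply back through it.
Constructed topology, not ZyXEL code."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class Node:
    """A host or router with directly connected interfaces and static routes."""

    def __init__(self, name, ifaces, routes=(), default=None):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(i) for i in ifaces]
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes}
        self.default = default  # next-hop IP for everything else

    def owns(self, addr):
        return any(ipaddress.ip_address(addr) == i.ip for i in self.ifaces)

    def next_hop(self, dst):
        """Longest-prefix match over connected subnets and static routes,
        falling back to the default gateway. Returns the next node's IP."""
        d = ipaddress.ip_address(dst)
        cands = [(i.network, dst) for i in self.ifaces if d in i.network]
        cands += [(net, nh) for net, nh in self.routes.items() if d in net]
        if cands:
            return max(cands, key=lambda c: c[0].prefixlen)[1]
        return self.default

    def forward(self, pkt):
        return True  # plain routers forward everything


class StatefulFirewall(Node):
    """Forwards only packets that belong to a session it has seen build up."""

    def __init__(self, name, ifaces, routes=(), default=None, allow_asymmetric=False):
        super().__init__(name, ifaces, routes, default)
        self.allow_asymmetric = allow_asymmetric
        self.sessions = {}  # (client, server) -> "SYN_SENT" | "ESTABLISHED"

    def forward(self, pkt):
        key, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.sessions[key] = "SYN_SENT"
            return True
        if pkt.flags == "SYN-ACK" and self.sessions.get(rev) == "SYN_SENT":
            self.sessions[rev] = "ESTABLISHED"
            return True
        if pkt.flags == "ACK":
            if self.sessions.get(key) == "ESTABLISHED":
                return True
            # The client's ACK arrived but this box never saw the SYN-ACK:
            # the reply took another path. Default behaviour is to reset.
            return self.allow_asymmetric
        return False


def deliver(nodes, pkt, start):
    """Walk a packet hop by hop. Returns (node names traversed, delivered)."""
    by_ip = {str(i.ip): n for n in nodes for i in n.ifaces}
    cur, path = start, [start.name]
    while not cur.owns(pkt.dst):
        if not cur.forward(pkt):
            return path, False
        nh = cur.next_hop(pkt.dst)
        if nh is None:
            return path, False
        cur = by_ip[nh]
        path.append(cur.name)
    return path, True


def build(split_subnets, allow_asymmetric=False):
    """Constructed topology. split_subnets=True puts gateway A on 192.168.2.0/24,
    reached through a virtual interface 192.168.2.1/24 on the ZyWALL."""
    gw_a_lan = "192.168.2.254" if split_subnets else "192.168.1.254"
    zywall_ifaces = ["192.168.1.1/24"] + (["192.168.2.1/24"] if split_subnets else [])
    host = Node("host", ["192.168.1.10/24"], default="192.168.1.1")
    zywall = StatefulFirewall("zywall", zywall_ifaces,
                              routes=[("203.0.113.0/24", gw_a_lan)],  # reroute to A
                              allow_asymmetric=allow_asymmetric)
    # Assumption: with split subnets, A's only route back to subnet 1 is via the ZyWALL.
    a_routes = [("192.168.1.0/24", "192.168.2.1")] if split_subnets else []
    gw_a = Node("gateway_A", [f"{gw_a_lan}/24", "203.0.113.1/24"], routes=a_routes)
    server = Node("server", ["203.0.113.10/24"], default="203.0.113.1")
    return [host, zywall, gw_a, server]


def run_handshake(split_subnets, allow_asymmetric=False):
    nodes = build(split_subnets, allow_asymmetric)
    host, server = nodes[0], nodes[3]
    h, s = "192.168.1.10", "203.0.113.10"
    return {
        "syn": deliver(nodes, Packet(h, s, "SYN"), host),
        "syn_ack": deliver(nodes, Packet(s, h, "SYN-ACK"), server),
        "ack": deliver(nodes, Packet(h, s, "ACK"), host),
    }


if __name__ == "__main__":
    for split in (False, True):
        print("split subnets" if split else "same subnet", run_handshake(split))
```

With gateway A on the same subnet, the SYN-ACK travels server, gateway_A, host and never touches the ZyWALL, so the client's ACK is dropped (the ZyWALL only has a half-open session). With A on its own subnet, the reply is routed server, gateway_A, zywall, host, the session becomes established, and the ACK is forwarded. Setting `allow_asymmetric=True` makes the same-subnet case "work" only by forwarding packets the firewall has no session for, which is exactly the inspection gap the text warns about.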

20.2.1 Configuring the Firewall Screen

Click Firewall to open the Firewall screen. Use this screen to enable or disable
the firewall and asymmetrical routes, set a maximum number of sessions per
host, and display the configured firewall rules. Specify from which zone packets
come and to which zone packets travel to display only the rules specific to the
selected direction. Note the following.
• If you enable intra-zone traffic blocking (see the chapter about zones), the
firewall automatically creates (implicit) rules to deny packet passage between
the interfaces in the specified zone.
ZyWALL USG 2000 User's Guide
Chapter 20 Firewall
329