The Security Policy Screen - ZyXEL Communications ZyWall 110 User Manual

Chapter 21 Security Policy
• The ZyWALL/USG drops most packets from the WAN zone to the ZyWALL/USG itself and
generates a log except for AH, ESP, GRE, HTTPS, IKE, NATT.
When you configure a Security Policy rule for packets destined for the ZyWALL/USG itself, make
sure it does not conflict with your service control rules. For traffic destined for the ZyWALL/USG,
the ZyWALL/USG checks the Security Policy first and the service control rules second, so a
Security Policy rule that drops the traffic takes effect before any service control rule is consulted.
A From Any To Device direction policy applies to traffic from an interface which is not in a zone.
Global Security Policies
Security Policies with from any and/or to any as the packet direction are called global Security
Policies. The global Security Policies are the only Security Policies that apply to an interface that is
not included in a zone. The from any policies apply to traffic coming from the interface and the to
any policies apply to traffic going to the interface.
Security Policy Rule Criteria
The ZyWALL/USG checks the schedule, user name (user's login name on the ZyWALL/USG), source
IP address and object, destination IP address and object, IP protocol type of network traffic
(service) and UTM profile criteria against the Security Policies (in the order you list them). When
the traffic matches a policy, the ZyWALL/USG takes the action specified in the policy.
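The ordered, first-match evaluation described above, written out as an added example (this is not ZyXEL code and not the device's own matching logic). It checks the criteria the manual lists, schedule, user name, source and destination address, and service, against a rule list in order, takes the first complete match, and drops anything that matches nothing. It also flags rules that can never fire because a broader rule precedes them, which is the usual mistake when a specific deny is added below a broad allow. The rule names, address objects and packets are constructed for illustration; UTM profile matching is left out.

```python
"""Added example (not ZyXEL code): first-match security-policy evaluation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    src: str = "any"                          # CIDR or "any"
    dst: str = "any"
    service: str = "any"                      # "tcp/443", "udp/53", "icmp", "any"
    user: Optional[str] = None                # None = not user-aware
    hours: Optional[Tuple[int, int]] = None   # (start, end) hour schedule; None = always
    enabled: bool = True


def _addr_match(obj, ip):
    return obj == "any" or ip_address(ip) in ip_network(obj, strict=False)


def _service_match(obj, proto, port):
    if obj == "any":
        return True
    parts = obj.split("/")
    return parts[0] == proto and (len(parts) == 1 or int(parts[1]) == port)


def evaluate(rules, pkt, hour, logged_in_user=None):
    """Return (action, rule_name). `hour` is the device clock's hour (0-23).
    Rules are checked in list order; the first complete match wins and a
    packet that matches no rule is denied ("default")."""
    for r in rules:
        if not r.enabled:
            continue
        # A user-aware rule is only live while that user is logged in.
        if r.user is not None and r.user != logged_in_user:
            continue
        if r.hours is not None and not (r.hours[0] <= hour < r.hours[1]):
            continue
        if not _addr_match(r.src, pkt["src"]) or not _addr_match(r.dst, pkt["dst"]):
            continue
        if not _service_match(r.service, pkt["proto"], pkt.get("port")):
            continue
        return r.action, r.name
    return "deny", "default"


def _net_covers(a, b):
    """True if address object a matches every address that b matches."""
    if a == "any":
        return True
    if b == "any":
        return False
    return ip_network(b, strict=False).subnet_of(ip_network(a, strict=False))


def _svc_covers(a, b):
    if a == "any":
        return True
    if b == "any":
        return False
    ap, bp = a.split("/"), b.split("/")
    return ap[0] == bp[0] and (len(ap) == 1 or ap[1:] == bp[1:])


def shadowed_rules(rules):
    """Names of enabled rules that can never fire because an earlier rule with
    the same or broader criteria (and no narrower user/schedule) always wins."""
    active = [r for r in rules if r.enabled]
    out = []
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if (_net_covers(earlier.src, later.src)
                    and _net_covers(earlier.dst, later.dst)
                    and _svc_covers(earlier.service, later.service)
                    and earlier.user in (None, later.user)
                    and earlier.hours in (None, later.hours)):
                out.append(later.name)
                break
    return out


# Constructed sample policy. The deny for host .50 sits below a broad allow
# that already covers it, so it is dead.
RULES = [
    Rule("lan-to-wan-web", "allow", src="192.168.1.0/24", service="tcp/443"),
    Rule("block-host-50-web", "deny", src="192.168.1.50/32", service="tcp/443"),
    Rule("admin-ssh-to-device", "allow", dst="192.168.1.1/32", service="tcp/22",
         user="admin", hours=(8, 18)),
]
```

With these rules, `evaluate(RULES, {"src": "192.168.1.50", "dst": "203.0.113.9", "proto": "tcp", "port": 443}, 12)` returns the broad allow rather than the intended deny, and `shadowed_rules(RULES)` reports `block-host-50-web`; moving the deny above the allow fixes it. The SSH rule only matches while `admin` is logged in and within 08:00 to 18:00, which is the user-aware plus schedule combination described under User Specific Security Policies.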
User Specific Security Policies
You can specify users or user groups in Security Policies. For example, to allow a specific user from
any computer to access a zone by logging in to the ZyWALL/USG, you can set up a policy based on
the user name only. If you also apply a schedule to the Security Policy, the user can only access the
network at the scheduled time. A user-aware Security Policy is activated whenever the user logs in
to the ZyWALL/USG and will be disabled after the user logs out of the ZyWALL/USG.
Session Limits
Accessing the ZyWALL/USG or network resources through the ZyWALL/USG requires a NAT session
and corresponding Security Policy session. Peer to peer applications, such as file sharing
applications, may use a large number of NAT sessions. A single client could use all of the available
NAT sessions and prevent others from connecting to or through the ZyWALL/USG. The ZyWALL/
USG lets you limit the number of concurrent NAT/Security Policy sessions a client can use.
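The starvation problem the paragraph describes, as an added example (not ZyXEL code; the device's real table size and limit semantics are not documented here and are not modelled). A shared session table of fixed capacity is filled by one peer-to-peer client; without a per-client limit the next client gets nothing, with a limit the greedy client is capped and the second client still connects. Addresses, ports and counts are constructed.

```python
"""Added example (not ZyXEL code): per-client session limits on a shared table."""
from collections import defaultdict


class SessionTable:
    def __init__(self, capacity, per_client_limit=None):
        self.capacity = capacity                   # total sessions the device can track
        self.per_client_limit = per_client_limit   # None = no per-client cap
        self.sessions = set()                      # (proto, src, sport, dst, dport)
        self.per_client = defaultdict(int)
        self.log = []

    def open(self, proto, src, sport, dst, dport):
        """Admit a new session if the global table and the client's quota allow it."""
        key = (proto, src, sport, dst, dport)
        if key in self.sessions:
            return True                            # already tracked, nothing to do
        if len(self.sessions) >= self.capacity:
            self.log.append(("drop", key, "session table full"))
            return False
        if (self.per_client_limit is not None
                and self.per_client[src] >= self.per_client_limit):
            self.log.append(("drop", key, "client at session limit"))
            return False
        self.sessions.add(key)
        self.per_client[src] += 1
        return True

    def close(self, proto, src, sport, dst, dport):
        key = (proto, src, sport, dst, dport)
        if key in self.sessions:
            self.sessions.remove(key)
            self.per_client[src] -= 1


def simulate(per_client_limit=None, capacity=100, p2p_attempts=200):
    """A file-sharing client at 192.168.1.50 opens UDP sessions to many peers,
    then 192.168.1.20 tries a single HTTPS session.
    Returns (p2p_sessions_accepted, second_client_succeeded)."""
    table = SessionTable(capacity, per_client_limit)
    accepted = 0
    for i in range(p2p_attempts):
        peer = f"198.51.100.{i % 250 + 1}"         # constructed peer addresses
        if table.open("udp", "192.168.1.50", 40000 + i, peer, 6881):
            accepted += 1
    ok = table.open("tcp", "192.168.1.20", 51000, "203.0.113.9", 443)
    return accepted, ok
```

`simulate()` with no limit yields 100 accepted sessions for the P2P client and a refused HTTPS session for the other host; `simulate(per_client_limit=50)` caps the first client at 50 and the second client connects. The log entries show which check refused each session, which is what you would want to correlate with the device's own session-limit logs.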

21.2 The Security Policy Screen

Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL/USG's LAN
IP address, return traffic may not go through the ZyWALL/USG. This is called an asymmetrical or
"triangle" route. This causes the ZyWALL/USG to reset the connection, as the connection has not
been acknowledged.
You can have the ZyWALL/USG permit the use of asymmetrical route topology on the network (not
reset the connection). However, allowing asymmetrical routes may let traffic from the WAN go
ZyWALL/USG Series User's Guide
357
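The asymmetrical ("triangle") route failure described in 21.2 above, modelled as an added example (not ZyXEL's code, and a much simplified state machine rather than the device's real connection tracking). The firewall sees the LAN host's SYN, but the server's SYN-ACK returns through the alternate gateway on the same subnet and never crosses the firewall; when the host's next packet arrives there is no acknowledged connection for it, so a strict tracker resets it, while one configured to permit asymmetrical routes lets it through. Addresses are constructed.

```python
"""Added example (not ZyXEL code): why a triangle route gets reset by a
stateful firewall, and what permitting asymmetrical routes changes."""


class TcpTracker:
    def __init__(self, allow_asymmetrical=False):
        self.allow_asymmetrical = allow_asymmetrical
        self.state = {}   # (client, server) -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    def packet(self, src, dst, flags):
        """flags is a subset of 'S', 'A', 'P'. Returns 'forward' or 'reset'."""
        fwd, rev = (src, dst), (dst, src)
        if flags == "S":                                   # new connection attempt
            self.state[fwd] = "SYN_SENT"
            return "forward"
        if flags == "SA" and self.state.get(rev) == "SYN_SENT":
            self.state[rev] = "SYN_RECV"                   # reply seen on this path
            return "forward"
        st = self.state.get(fwd) or self.state.get(rev)
        if st == "SYN_RECV":                               # third handshake packet
            self.state[fwd if fwd in self.state else rev] = "ESTABLISHED"
            return "forward"
        if st == "ESTABLISHED":
            return "forward"
        if st == "SYN_SENT" and self.allow_asymmetrical:
            # The SYN-ACK went round us; trust that the handshake completed elsewhere.
            self.state[fwd] = "ESTABLISHED"
            return "forward"
        return "reset"   # no acknowledged connection on this path


def triangle_route(allow_asymmetrical=False):
    """Client SYN crosses the firewall; the server's SYN-ACK returns via the
    alternate gateway (never seen here); the client's ACK and data then cross
    the firewall. Returns the firewall's verdict for each packet it sees."""
    fw = TcpTracker(allow_asymmetrical)
    client, server = "192.168.1.20", "203.0.113.9"
    return [fw.packet(client, server, "S"),
            # (SYN-ACK server -> client travelled through the alternate gateway)
            fw.packet(client, server, "A"),
            fw.packet(client, server, "PA")]


def symmetric_route():
    """Same exchange with the reply path through the firewall: everything forwards."""
    fw = TcpTracker()
    client, server = "192.168.1.20", "203.0.113.9"
    return [fw.packet(client, server, "S"),
            fw.packet(server, client, "SA"),
            fw.packet(client, server, "A"),
            fw.packet(client, server, "PA")]
```

`triangle_route()` returns `['forward', 'reset', 'reset']` and `triangle_route(True)` returns three forwards, which is the trade-off the manual is describing: permitting asymmetrical routes stops the resets, but the firewall then admits packets for connections whose handshake it never verified.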
