ZyXEL UAG4100 User Guide - Page 290
Chapter 25 Security Policy

25.1.2 What You Need to Know

Stateful Inspection

The UAG uses stateful inspection in its security policies. The UAG restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.

Zones

A zone is a group of interfaces. Group the UAG's interfaces into different zones based on your needs. You can configure security policies for data passing between zones or even between interfaces.

Default Security Policy Behavior

Security policies are grouped based on the direction of travel of packets to which they apply. Here is the default security policy behavior for traffic going through the UAG in various directions.

Note: Intra-zone traffic (such as LAN to LAN traffic or WAN to WAN traffic) can also be blocked by the zone configuration. See Section 34.2.1 on page 397 for details.

Table 129 Default Security Policy Behavior

FROM ZONE / TO ZONE                      BEHAVIOR
From any to Device                       DHCP traffic from any interface to the UAG is allowed.
From LAN1 to any (other than the UAG)    Traffic from the LAN1 to any of the networks connected to the UAG is allowed.
From LAN2 to any (other than the UAG)    Traffic from the LAN2 to any of the networks connected to the UAG is allowed.
From LAN1 to Device                      Traffic from the LAN1 to the UAG itself is allowed.
From LAN2 to Device                      Traffic from the LAN2 to the UAG itself is allowed.
From WAN to Device                       The default services listed in To-Device Rules on page 290 are allowed from the WAN to the UAG itself. All other WAN to UAG traffic is dropped.
From any to any                          Traffic that does not match any security policy is dropped. This includes traffic from the WAN to any of the networks behind the UAG. This also includes traffic to or from interfaces that are not assigned to a zone (extra-zone traffic).

To-Device Rules

Rules with Device as the To Zone apply to traffic going to the UAG itself.
By default:
• The security policy allows only LAN or WAN computers to access or manage the UAG.
• The UAG allows DHCP traffic from any interface to the UAG.
• The UAG drops most packets from the WAN zone to the UAG itself and generates a log, except for AH, ESP, GRE, HTTPS, IKE, NATT.

When you configure a security policy for packets destined for the UAG itself, make sure it does not conflict with your service control rule. See Chapter 46 on page 486 for more information about

UAG Series User's Guide 290
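The default behavior in Table 129, the To-Device exceptions listed above, and the stateful-inspection rule ("traffic from one zone is not allowed unless it is initiated by a computer in another zone first") can be modeled as a small first-match policy engine with a session table. The following is an added example, not ZyXEL's code and not the UAG's configuration format; the zone names (LAN1, LAN2, WAN, Device) and service names (DHCP, AH, ESP, GRE, HTTPS, IKE, NATT) come from this page, while the IP addresses, the SSH probe, the ANY_INTERFACE marker used for the "any interface" DHCP row, and the session-table shape are constructed assumptions.

```python
"""Model of the UAG default security policy behavior (added example, not ZyXEL code).

Rules are evaluated first-match in the order of Table 129; anything that
matches no rule falls into the "from any to any" default and is dropped.
Replies to sessions an allowed packet initiated are accepted statefully.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

DEVICE = "Device"                # To Zone meaning the UAG itself
ANY = "any"                      # any *assigned* zone other than the UAG
ANY_INTERFACE = "any-interface"  # constructed marker: any interface, zoned or not

# Services the default policy lets through from WAN to the UAG itself (from the page)
WAN_TO_DEVICE_SERVICES = frozenset({"AH", "ESP", "GRE", "HTTPS", "IKE", "NATT"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str                 # service object name, e.g. "HTTPS"
    from_zone: Optional[str]     # None = ingress interface not assigned to a zone
    to_zone: Optional[str]       # None = egress interface not assigned to a zone


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    action: str                                # "allow" or "deny"
    services: Optional[FrozenSet[str]] = None  # None = any service
    log: bool = False


# Table 129 rows in first-match order; the trailing "any to any" drop is the
# implicit default in StatefulPolicy.evaluate(), not a listed rule.
DEFAULT_RULES: List[Rule] = [
    Rule(ANY_INTERFACE, DEVICE, "allow", frozenset({"DHCP"})),
    Rule("LAN1", ANY, "allow"),
    Rule("LAN2", ANY, "allow"),
    Rule("LAN1", DEVICE, "allow"),
    Rule("LAN2", DEVICE, "allow"),
    Rule("WAN", DEVICE, "allow", WAN_TO_DEVICE_SERVICES),
    Rule("WAN", DEVICE, "deny", log=True),   # "drops ... and generates a log"
]


def _zone_matches(rule_zone: str, pkt_zone: Optional[str]) -> bool:
    if rule_zone == ANY_INTERFACE:
        return True
    if pkt_zone is None:            # extra-zone traffic matches nothing else
        return False
    if rule_zone == ANY:
        return pkt_zone != DEVICE   # "any (other than the UAG)"
    return rule_zone == pkt_zone


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_zone_matches(rule.from_zone, pkt.from_zone)
            and _zone_matches(rule.to_zone, pkt.to_zone)
            and (rule.services is None or pkt.service in rule.services))


class StatefulPolicy:
    def __init__(self, rules: List[Rule] = DEFAULT_RULES) -> None:
        self.rules = list(rules)
        self.sessions: Set[Tuple[str, str, str]] = set()  # (initiator, responder, service)

    def evaluate(self, pkt: Packet) -> str:
        """Return 'allow', 'deny' (logged drop) or 'drop' (silent default) and track sessions."""
        # Stateful inspection: a reply to a session an allowed packet opened is accepted
        if (pkt.dst, pkt.src, pkt.service) in self.sessions:
            return "allow"
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action == "allow":
                    self.sessions.add((pkt.src, pkt.dst, pkt.service))
                return rule.action
        return "drop"   # "from any to any": no matching policy, dropped


def run_demo() -> List[str]:
    """Constructed packets exercising each row of the table; returns the verdicts in order."""
    policy = StatefulPolicy()
    packets = [
        Packet("10.0.0.5", "203.0.113.7", "HTTPS", "LAN1", "WAN"),       # LAN1 to any
        Packet("203.0.113.7", "10.0.0.5", "HTTPS", "WAN", "LAN1"),       # reply, stateful
        Packet("198.51.100.9", "10.0.0.5", "HTTPS", "WAN", "LAN1"),      # unsolicited WAN to LAN
        Packet("198.51.100.9", "192.0.2.1", "HTTPS", "WAN", DEVICE),     # WAN to Device, allowed service
        Packet("198.51.100.9", "192.0.2.1", "SSH", "WAN", DEVICE),       # WAN to Device, other service
        Packet("0.0.0.0", "255.255.255.255", "DHCP", None, DEVICE),      # DHCP from any interface
        Packet("10.0.0.5", "172.16.0.9", "HTTPS", "LAN1", None),         # extra-zone egress
    ]
    return [policy.evaluate(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The session check runs before the rule walk, which is what makes the WAN-to-LAN1 reply pass while the otherwise identical unsolicited WAN-to-LAN1 packet is dropped by the "any to any" default; when you add your own rules, keep in mind that a To-Device rule placed before the WAN deny row changes what reaches the UAG itself, which is the conflict with service control the page warns about.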