ZyXEL ISG50-PSTN User Guide - Page 354
Stateful Inspection, Zones, Default Firewall Behavior, To-Device Rules
Chapter 23 Firewall

23.1.2 What You Need to Know

Stateful Inspection

The ISG50 has a stateful inspection firewall. The ISG50 restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.

Zones

A zone is a group of interfaces or VPN tunnels. Group the ISG50's interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones, or even between interfaces and/or VPN tunnels within a zone.

Default Firewall Behavior

Firewall rules are grouped based on the direction of travel of the packets to which they apply. Here is the default firewall behavior for traffic going through the ISG50 in various directions.

Table 113 Default Firewall Behavior (FROM ZONE, TO ZONE: BEHAVIOR)

  WAN, Device: Traffic from the WAN to the ISG50 itself is allowed for certain default services described in To-Device Rules on page 354. All other WAN to ISG50 traffic is dropped.

  WAN, any (other than the ISG50): Traffic from the WAN to any of the networks behind the ISG50 is dropped.

  DMZ, Device: Traffic from the DMZ to the ISG50 itself is allowed for certain default services described in To-Device Rules on page 354. All other DMZ to ISG50 traffic is dropped.

  DMZ, any (other than the ISG50): Traffic from the DMZ to any of the networks behind the ISG50 is dropped.

  ANY, ANY: Traffic that does not match any firewall rule is allowed. For example, LAN to WAN and LAN to DMZ traffic is allowed. This also includes traffic to or from interfaces or VPN tunnels that are not assigned to a zone (extra-zone traffic).

To-Device Rules

Rules with Device as the To Zone apply to traffic going to the ISG50 itself. By default:

  • The firewall allows only LAN or WAN computers to access or manage the ISG50.
  • The ISG50 drops most packets from the WAN zone to the ISG50 itself, except for ESP/AH/IKE/NATT/HTTPS services for VPN tunnels, and generates a log.
  • The ISG50 drops most packets from the DMZ zone to the ISG50 itself, except for DNS and NetBIOS traffic, and generates a log.

When you configure a firewall rule for packets destined for the ISG50 itself, make sure it does not conflict with your service control rule. See Chapter 52 on page 665 for more information about service control (remote management). The ISG50 checks the firewall rules before the service control rules for traffic destined for the ISG50.
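The evaluation order this section describes (stateful reply check, then configured rules in order, then the Table 113 defaults), as an added illustration that is not ZyXEL's code or the ISG50's actual implementation. The interface-to-zone map, the service names, and the session key are constructed assumptions, and service control (Chapter 52) is not modeled.

```python
from dataclasses import dataclass

# Constructed interface-to-zone map. "ge5" is deliberately left out of any
# zone so its traffic counts as extra-zone (the ANY-to-ANY row of Table 113).
ZONE_OF = {"wan1": "WAN", "lan1": "LAN", "dmz": "DMZ", "ge5": None}

# Services the To-Device Rules allow to the ISG50 itself by default.
WAN_TO_DEVICE_OK = {"esp", "ah", "ike", "natt", "https"}
DMZ_TO_DEVICE_OK = {"dns", "netbios"}


@dataclass(frozen=True)
class Flow:
    in_iface: str      # ingress interface
    to_zone: str       # destination zone, or "Device" for the ISG50 itself
    service: str       # e.g. "http", "ike"


@dataclass(frozen=True)
class Rule:
    from_zone: str     # "any" matches every zone, including extra-zone (None)
    to_zone: str
    service: str
    action: str        # "allow" or "deny"

    def matches(self, from_zone, flow):
        pairs = ((self.from_zone, from_zone), (self.to_zone, flow.to_zone),
                 (self.service, flow.service))
        return all(pattern in ("any", value) for pattern, value in pairs)


def default_behavior(from_zone, flow):
    """Table 113: applied only when no configured rule matches."""
    if flow.to_zone == "Device":
        if from_zone == "WAN":
            return "allow" if flow.service in WAN_TO_DEVICE_OK else "deny"
        if from_zone == "DMZ":
            return "allow" if flow.service in DMZ_TO_DEVICE_OK else "deny"
        return "allow"          # LAN computers may access or manage the device
    if from_zone in ("WAN", "DMZ"):
        return "deny"           # WAN/DMZ to the networks behind the ISG50
    return "allow"              # ANY to ANY, including extra-zone traffic


def decide(rules, flow, sessions):
    """Stateful reply check, then rules in order, then the Table 113 default."""
    from_zone = ZONE_OF.get(flow.in_iface)
    if (flow.to_zone, from_zone, flow.service) in sessions:
        return "allow"          # reply leg of a session another zone initiated
    for rule in rules:
        if rule.matches(from_zone, flow):
            action = rule.action
            break
    else:
        action = default_behavior(from_zone, flow)
    if action == "allow" and flow.to_zone != "Device":
        sessions.add((from_zone, flow.to_zone, flow.service))  # remember initiator
    return action
```

A WAN to LAN packet is only let through when the LAN side opened the session first, which is the stateful behavior the section describes; a configured to-Device rule takes precedence over the Table 113 defaults.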