ZyXEL ISG50-PSTN User Guide - Page 355
Global Firewall Rules, Firewall Rule Criteria, User Specific Firewall Rules, Firewall and VPN
View all ZyXEL ISG50-PSTN manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 355 highlights
Chapter 23 Firewall You can configure a To-ISG50 firewall rule (with From Any To Device direction) for traffic from an interface which is not in a zone. Global Firewall Rules Firewall rules with from any and/or to any as the packet direction are called global firewall rules. The global firewall rules are the only firewall rules that apply to an interface or VPN tunnel that is not included in a zone. The from any rules apply to traffic coming from the interface and the to any rules apply to traffic going to the interface. Firewall Rule Criteria The ISG50 checks the schedule, user name (user's login name on the ISG50), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ISG50 takes the action specified in the rule. User Specific Firewall Rules You can specify users or user groups in firewall rules. For example, to allow a specific user from any computer to access a zone by logging in to the ISG50, you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the ISG50 and will be disabled after the user logs out of the ISG50. Firewall and VPN Traffic After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone for example), you can configure a new LAN1 to LAN1 firewall rule or use intra-zone traffic blocking to allow or block VPN traffic transmitting between the VPN tunnel and other interfaces in the LAN zone. If you add the VPN tunnel to a new zone (the VPN zone for example), you can configure rules for VPN traffic between the VPN zone and other zones or From VPN To-Device rules for VPN traffic destined for the ISG50. Session Limits Accessing the ISG50 or network resources through the ISG50 requires a NAT session and corresponding firewall session. Peer to peer applications, such as file sharing applications, may use a large number of NAT sessions. A single client could use all of the available NAT sessions and prevent others from connecting to or through the ISG50. The ISG50 lets you limit the number of concurrent NAT/firewall sessions a client can use. Finding Out More • See Section 6.6.13 on page 101 for related information on the Firewall screens. • See Section 7.8 on page 123 for an example of creating firewall rules as part of configuring user- aware access control (Section 7.5 on page 116). • See Section 7.9.3 on page 128 for an example of creating a firewall rule to allow H.323 traffic from the WAN to the LAN. • See Section 7.10.3 on page 131 for an example of creating a firewall rule to allow web traffic from the WAN to a server on the DMZ. ISG50 User's Guide 355