ZyXEL UAG715 User Guide - Page 240
Default Firewall Behavior, To-Device Rules
View all ZyXEL UAG715 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 240 highlights
Chapter 21 Firewall Default Firewall Behavior Firewall rules are grouped based on the direction of travel of packets to which they apply. Here is the default firewall behavior for traffic going through the UAG in various directions. Note: Intra-zone traffic (such as LAN to LAN traffic or WAN to WAN traffic) can also be blocked by the zone configuration. See Section 12.3 on page 179 for details. Table 92 Default Firewall Behavior FROM ZONE TO ZONE From any to Device From LAN1 to any (other than the UAG) From LAN2 to any (other than the UAG) From DMZ to WAN From IPSec VPN to any (other than the UAG) From SSL VPN to any (other than the UAG) From LAN1 to Device From LAN2 to Device From DMZ to Device From WAN to Device From IPSec VPN to Device From SSL VPN to Device From any to any BEHAVIOR DHCP traffic from any interface to the UAG is allowed. Traffic from the LAN1 to any of the networks connected to the UAG is allowed. Traffic from the LAN2 to any of the networks connected to the UAG is allowed. Traffic from the DMZ to the WAN is allowed. Traffic from the IPSec VPN zone to any of the networks connected to the UAG is allowed. Traffic from the SSL VPN zone to any of the networks connected to the UAG is allowed. Traffic from the LAN1 to the UAG itself is allowed. Traffic from the LAN2 to the UAG itself is allowed. DNS and NetBIOS traffic from the DMZ to the UAG itself is allowed. The default services listed in To-Device Rules on page 240 are allowed from the WAN to the UAG itself. All other WAN to UAG traffic is dropped. Traffic from the IPSec VPN zone to the UAG itself is allowed. Traffic from the SSL VPN zone to the UAG itself is allowed. Traffic that does not match any firewall rule is dropped. This includes traffic from the DMZ or WAN to any of the networks behind the UAG and traffic other than DNS and NetBIOS from the DMZ to the UAG. This also includes traffic to or from interfaces or VPN tunnels that are not assigned to a zone (extra-zone traffic). To-Device Rules Rules with Device as the To Zone apply to traffic going to the UAG itself. By default: • The firewall allows only LAN, or WAN computers to access or manage the UAG. • The UAG allows DHCP traffic from any interface to the UAG. • The UAG drops most packets from the DMZ zone to the UAG itself and generates a log except for DNS and NetBIOS traffic. • The UAG drops most packets from the WAN zone to the UAG itself and generates a log except for AH, ESP, GRE, HTTPS, IKE, NATT. When you configure a firewall rule for packets destined for the UAG itself, make sure it does not conflict with your service control rule. See Chapter 39 on page 427 for more information about service control (remote management). The UAG checks the firewall rules before the service control rules for traffic destined for the UAG. A From Any To Device direction rule applies to traffic from an interface which is not in a zone. 240 UAG715 User's Guide