ZyXEL ZyWALL ATP700 User Guide - Page 517
Default Directional Security Policy Behavior, To-Device Policies, Global Security Policies, Security
Chapter 24 Security Policy

Default Directional Security Policy Behavior

Security Policies can be grouped based on the direction of travel of packets to which they apply. The Zyxel Device has default Security Policy behavior for traffic going through the Zyxel Device in various directions.

Table 197 Directional Security Policy Behavior

FROM ZONE TO ZONE | BEHAVIOR
From any to Device | DHCP traffic from any interface to the Zyxel Device is allowed.
From LAN1 to any (other than the Zyxel Device) | Traffic from the LAN1 to any of the networks connected to the Zyxel Device is allowed.
From LAN2 to any (other than the Zyxel Device) | Traffic from the LAN2 to any of the networks connected to the Zyxel Device is allowed.
From LAN1 to Device | Traffic from the LAN1 to the Zyxel Device itself is allowed.
From LAN2 to Device | Traffic from the LAN2 to the Zyxel Device itself is allowed.
From WAN to Device | The default services listed in To-Device Policies are allowed from the WAN to the Zyxel Device itself. All other WAN to Zyxel Device traffic is dropped.
From any to any | Traffic that does not match any Security policy is dropped. This includes traffic from the WAN to any of the networks behind the Zyxel Device. This also includes traffic to or from interfaces that are not assigned to a zone (extra-zone traffic).

To-Device Policies

Policies with Device as the To Zone apply to traffic going to the Zyxel Device itself. By default:

• The Security Policy allows only LAN or WAN computers to access or manage the Zyxel Device.
• The Zyxel Device allows DHCP traffic from any interface to the Zyxel Device.
• The Zyxel Device drops most packets from the WAN zone to the Zyxel Device itself and generates a log, except for AH, ESP, GRE, HTTPS, IKE and NATT packets.

When you configure a Security Policy rule for packets destined for the Zyxel Device itself, make sure it does not conflict with your service control rule.
The Zyxel Device checks the security policy before the service control rules for traffic destined for the Zyxel Device.

A From Any To Device direction policy applies to traffic from an interface which is not in a zone.

Global Security Policies

Security Policies with from any and/or to any as the packet direction are called global Security Policies. The global Security Policies are the only Security Policies that apply to an interface that is not included in a zone. The from any policies apply to traffic coming from the interface and the to any policies apply to traffic going to the interface.

Security Policy Rule Criteria

The Zyxel Device checks the schedule, user name (user's login name on the Zyxel Device), source IP address and object, destination IP address and object, IP protocol type of network traffic (service) and Security Service profile criteria against the Security Policies (in the order you list them). When the traffic matches a policy, the Zyxel Device takes the action specified in the policy.

ZyWALL ATP Series User's Guide 517
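The following is an added example, not part of the Zyxel guide or firmware: a small Python model of the ordered, first-match evaluation described above, loaded with the Table 197 defaults, so that a planned rule change can be checked against sample flows before it is applied. The policy names, the ANY_EXCEPT_DEVICE constant and the use of None for an interface outside any zone are assumptions of this model; schedule, user, address and profile criteria are left out.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

ANY = "any"
ANY_EXCEPT_DEVICE = "any (other than the Zyxel Device)"  # model constant, not a device keyword
DEVICE = "Device"

@dataclass(frozen=True)
class Policy:
    name: str                                   # hypothetical names for this example
    from_zone: str
    to_zone: str
    action: str                                 # "allow" or "deny"
    services: Optional[FrozenSet[str]] = None   # None matches every service

def zone_matches(rule_zone: str, zone: Optional[str]) -> bool:
    # zone is None for an interface that is not assigned to any zone, so only
    # the "any" forms (global policies) can match it.
    if rule_zone == ANY:
        return True
    if rule_zone == ANY_EXCEPT_DEVICE:
        return zone != DEVICE
    return rule_zone == zone

def evaluate(policies, src_zone, dst_zone, service):
    """Return (policy name, action) of the first matching policy, in list order."""
    for p in policies:
        if (zone_matches(p.from_zone, src_zone) and zone_matches(p.to_zone, dst_zone)
                and (p.services is None or service in p.services)):
            return p.name, p.action
    return "implicit", "deny"  # only reached if the any-to-any default is removed

# Table 197 defaults in table order (constructed for this example).
DEFAULTS = [
    Policy("any_to_Device_DHCP", ANY, DEVICE, "allow", frozenset({"DHCP"})),
    Policy("LAN1_Outgoing", "LAN1", ANY_EXCEPT_DEVICE, "allow"),
    Policy("LAN2_Outgoing", "LAN2", ANY_EXCEPT_DEVICE, "allow"),
    Policy("LAN1_to_Device", "LAN1", DEVICE, "allow"),
    Policy("LAN2_to_Device", "LAN2", DEVICE, "allow"),
    Policy("WAN_to_Device", "WAN", DEVICE, "allow",
           frozenset({"AH", "ESP", "GRE", "HTTPS", "IKE", "NATT"})),
    Policy("Default", ANY, ANY, "deny"),
]

if __name__ == "__main__":
    # Constructed sample flows: (source zone, destination zone, service).
    flows = [("WAN", DEVICE, "HTTPS"), ("WAN", DEVICE, "SSH"), ("WAN", "LAN1", "HTTP"),
             ("LAN1", "WAN", "HTTP"), (None, DEVICE, "DHCP"), (None, "LAN1", "HTTP")]
    for flow in flows:
        print(flow, "->", evaluate(DEFAULTS, *flow))
```

Placing a more specific policy ahead of the defaults changes the verdict for the flows it matches, which is why rule order should be reviewed together with the rule itself.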