TMS zl Management and Configuration Guide ST.1.0.090213

4-32
Firewall
Firewall Access Policies
Within these policies, the module starts with the policy that has the highest
position (lowest numerical value). For example, it will compare a packet
against Internal-to-External access policy 1 before it compares it to Internal-
to-External access policy 2. The module takes the action that is specified in
the first policy that the packet matches. It then stops processing policies.
Warning: When the TMS zl Module evaluates a firewall access policy that contains a domain name that cannot be resolved, it terminates evaluation and denies the session. As a result of this safeguard, a DNS failure can deny traffic that would otherwise be allowed by subsequent policies. A best practice is to place policies that use domain names at the end of the policy list to mitigate the impact of DNS failures.
If the packet never matches a policy, the module drops it. In other words, the TMS zl Module denies all traffic for which it does not have a policy. You must configure policies to permit any traffic. (However, certain traffic, such as routing protocols, is allowed by default.)
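The following is an added example, not code from the guide or the TMS zl Module itself: a small Python model of the evaluation order described above (first match by position, deny-by-default, and the unresolvable-domain safeguard), used to show why a domain-name policy placed near the top can block traffic that a later policy would permit. The `Policy` class, `resolve` stub and `DNS_TABLE` are constructed for illustration only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed stand-in for the resolver: one name resolves, anything else fails.
DNS_TABLE = {"intranet.example": "10.1.1.10"}

@dataclass
class Policy:
    position: int                 # lower number = evaluated first
    action: str                   # "permit" or "deny"
    src: str                      # source network in CIDR form
    dst: str                      # destination network in CIDR form, or a domain name
    dport: Optional[int] = None   # None matches any destination port

def resolve(name: str) -> Optional[str]:
    """Hypothetical resolver; None models a DNS failure."""
    return DNS_TABLE.get(name)

def dst_matches(policy: Policy, dst_ip: str) -> Optional[bool]:
    """True/False for a normal match test; None when a domain name cannot be resolved."""
    try:
        net = ip_network(policy.dst, strict=False)
    except ValueError:                     # not a CIDR, so treat it as a domain name
        addr = resolve(policy.dst)
        if addr is None:
            return None
        net = ip_network(addr)
    return ip_address(dst_ip) in net

def evaluate(policies: List[Policy], src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation in position order; deny-by-default when nothing matches."""
    for p in sorted(policies, key=lambda p: p.position):
        matched = dst_matches(p, dst_ip)
        if matched is None:                # safeguard: unresolvable name ends evaluation
            return "deny (unresolved domain)"
        if matched and ip_address(src_ip) in ip_network(p.src) and p.dport in (None, dport):
            return p.action
    return "deny (no matching policy)"

# Constructed policy sets: "partner.example" is not in DNS_TABLE, so it never resolves.
DOMAIN_FIRST = [Policy(1, "permit", "10.0.0.0/8", "partner.example", 443),
                Policy(2, "permit", "10.0.0.0/8", "0.0.0.0/0", 80)]
DOMAIN_LAST = [Policy(1, "permit", "10.0.0.0/8", "0.0.0.0/0", 80),
               Policy(2, "permit", "10.0.0.0/8", "partner.example", 443)]

if __name__ == "__main__":
    # Same HTTP packet, two orderings: only the second ordering lets it through.
    print(evaluate(DOMAIN_FIRST, "10.0.0.5", "203.0.113.7", 80))  # deny (unresolved domain)
    print(evaluate(DOMAIN_LAST, "10.0.0.5", "203.0.113.7", 80))   # permit
```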
When you are configuring access policies, there are certain instances in which established traffic will be reevaluated and possibly disconnected. Those instances are listed below:
- Modifying an existing policy
- Adding an overlapping, higher-position policy
- Deleting a policy
Modifying an Existing Access Policy
If you modify an existing policy that allows an endpoint to send or receive traffic, that traffic will be reevaluated after the policy is modified. The process goes as follows:
1. All traffic that was initially permitted by the policy will be reevaluated against the modified policy.
   - If the traffic is permitted by the modified policy, the session will continue seamlessly.
   - If the traffic is no longer permitted by the modified policy, the session will be reset. See step 2.
2. Either the application or the user will attempt to reestablish a connection, depending on the application. When the firewall receives this new traffic, it checks it against all its policies. If the traffic matches a policy other than the modified policy, the firewall will execute the action of that policy.