TMS zl Management and Configuration Guide ST.1.0.090213

Rate Limiting
Instead of simply permitting or denying all traffic that matches an access policy, the TMS zl Module can control permitted traffic in a more nuanced way: it can limit the number of sessions and the amount of bandwidth devoted to that traffic. For example, you can limit the bandwidth of traffic sent to the Internet by users in a TMS VLAN that guests use.
Rate limiting is supported for unicast policies but not for multicast policies.
Rate-limiting settings are configured as advanced settings in access policies. They include the following parameters for traffic that matches the policy:
Maximum connections: the total number of connections that can be open at the same time (further connection attempts are refused until one closes)
Connection creation rate: the number of new connections that can be initiated within a certain time period
Packet rate: the total number of packets that are allowed within a certain time period (packets beyond that count are dropped)
Maximum bandwidth: the amount of bandwidth that can be devoted to the traffic (traffic that exceeds the allowed bandwidth is dropped)
Note that the two connection limits refuse new sessions, whereas the packet-rate and bandwidth limits silently discard excess packets of sessions that have already been permitted; the sender sees the latter only as packet loss.
For example, you can configure access policies such as these:
A policy that controls the total number of connections to your internal HTTP server. Create an access policy that permits access to the HTTP server, then configure the maximum connections setting.
A policy that restricts the amount of bandwidth used by employees downloading files from Internet FTP servers. Create an access policy that specifies FTP as the service, then configure the maximum bandwidth setting.
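The following is an added example, not code from the TMS zl Module or from HP. It models the four rate-limiting parameters described above as sliding-window counters and runs the two scenarios (a connection cap on an HTTP server, a bandwidth cap on FTP downloads) over constructed traffic, so that the difference between a refused session and a dropped packet is visible. The class and field names, the millisecond timestamps, the check order, and the rule that only forwarded packets consume budget are assumptions of the model, not documented module behaviour.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass
class RateLimit:
    """Advanced settings of one access policy (hypothetical names). None = no limit."""
    max_connections: int | None = None          # sessions open at the same time
    conn_rate: tuple[int, int] | None = None    # (connections, window_ms)
    packet_rate: tuple[int, int] | None = None  # (packets, window_ms)
    max_bytes_per_sec: int | None = None        # bandwidth, measured over 1000 ms


def _trim(dq, now_ms, window_ms, stamp=lambda e: e):
    """Discard entries that have fallen out of the sliding window."""
    while dq and now_ms - stamp(dq[0]) >= window_ms:
        dq.popleft()


class PolicyLimiter:
    """Rate-limit state for traffic that matches one permitted unicast policy."""

    def __init__(self, limit: RateLimit):
        self.limit = limit
        self.open = set()          # ids of live sessions
        self.conn_times = deque()  # timestamps of accepted session setups
        self.pkt_times = deque()   # timestamps of forwarded packets
        self.bytes = deque()       # (timestamp, size) of forwarded packets

    def new_connection(self, conn_id, now_ms):
        lim = self.limit
        if lim.max_connections is not None and len(self.open) >= lim.max_connections:
            return "deny:max-connections"
        if lim.conn_rate is not None:
            n, window = lim.conn_rate
            _trim(self.conn_times, now_ms, window)
            if len(self.conn_times) >= n:
                return "deny:connection-rate"
            self.conn_times.append(now_ms)  # only accepted setups count (assumption)
        self.open.add(conn_id)
        return "permit"

    def close_connection(self, conn_id):
        self.open.discard(conn_id)

    def packet(self, conn_id, size, now_ms):
        """Packet-level limits apply only to sessions the policy already permitted."""
        if conn_id not in self.open:
            return "drop:no-session"
        lim = self.limit
        if lim.packet_rate is not None:
            n, window = lim.packet_rate
            _trim(self.pkt_times, now_ms, window)
            if len(self.pkt_times) >= n:
                return "drop:packet-rate"
        if lim.max_bytes_per_sec is not None:
            _trim(self.bytes, now_ms, 1000, stamp=lambda e: e[0])
            if sum(sz for _, sz in self.bytes) + size > lim.max_bytes_per_sec:
                return "drop:bandwidth"
        # Dropped packets do not consume budget in this model (assumption).
        self.pkt_times.append(now_ms)
        self.bytes.append((now_ms, size))
        return "forward"


def http_connection_limit_demo():
    """Policy permitting an internal HTTP server: at most 2 open sessions and
    at most 3 new sessions per second. Client arrivals below are constructed."""
    lim = PolicyLimiter(RateLimit(max_connections=2, conn_rate=(3, 1000)))
    out = [lim.new_connection("A", 0),     # permit
           lim.new_connection("B", 100),   # permit
           lim.new_connection("C", 200)]   # deny: two sessions already open
    lim.close_connection("A")
    out.append(lim.new_connection("C", 400))   # permit: a slot freed up
    lim.close_connection("B")
    out.append(lim.new_connection("D", 600))   # deny: 3 setups within the last second
    out.append(lim.new_connection("D", 1100))  # permit: the window has slid
    return out


def ftp_bandwidth_demo():
    """Policy for employee FTP downloads: 3 packets/s and 1500 bytes/s.
    The (timestamp_ms, size) packet trace below is constructed."""
    lim = PolicyLimiter(RateLimit(packet_rate=(3, 1000), max_bytes_per_sec=1500))
    lim.new_connection("F", 0)
    trace = [(0, 500), (100, 500), (200, 600), (300, 400), (400, 100), (1150, 100)]
    return [lim.packet("F", size, t) for t, size in trace]


if __name__ == "__main__":
    print("HTTP:", http_connection_limit_demo())
    print("FTP: ", ftp_bandwidth_demo())
```

The HTTP scenario shows why both connection limits are worth setting together: the cap on open sessions protects the server from exhaustion by long-lived clients, while the creation-rate limit blunts a flood of short connections that never approaches the cap. The FTP scenario shows that a packet on a permitted session is dropped when either the packet-rate or the bandwidth window is full, and forwarded again once the window slides.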
Processing Access Policies
The TMS zl Module matches a packet to every access policy that:
Is the correct type (unicast or multicast)
Applies to the user group of the packet's source IP address (or, if the packet's source belongs to no group, to the "no user group")
Specifies the packet's source and destination zone