TMS zl Management and Configuration Guide ST.1.0.090213

1-43
Overview
Firewall
Within these policies, the module starts with the policy that has the highest
position (lowest numerical value). For example, it matches a packet against
Internal-to-External access policy 1 before Internal-to-External access
policy 2. The module takes the action specified in the first policy that the
packet matches and then stops processing policies.
If the packet never matches a policy, the module drops it. In other words, the
TMS zl Module denies all traffic that is not explicitly permitted. Any traffic
that you want to permit requires an explicit access policy. (Certain traffic,
such as routing protocols, is allowed by default.)
Caution Because the module has an implicit policy that denies all traffic, you should
not configure an explicit policy to do so. Such a policy can prevent ALGs from
opening dynamic ports and interfere with the functioning of certain applications.
Stateful Firewall
The TMS zl Module firewall is stateful. In other words, it tracks session
information and recognizes packets that are part of the same session or traffic
flow. This allows the module to perform better attack checks. In addition, you
do not have to create reverse access policies for return traffic. You simply
create the policies that allow the sessions to be initiated.
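The first-match walk with implicit deny, together with the stateful handling of return traffic, as an added illustrative model. This is example code, not the TMS zl Module's implementation: the policy fields, the 0.0.0.0/0 "any" notation, the addresses and the five-tuple session key are assumptions made for the example.

```python
"""Model of first-match access-policy evaluation with implicit deny and
stateful return-traffic handling. Illustrative only; not TMS zl code.
The policy fields, addresses and the 5-tuple session key are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Policy:
    position: int              # lower value = higher position = evaluated first
    action: str                # "permit" or "deny"
    src_net: str               # source range, e.g. "10.0.0.0/8"
    dst_net: str               # destination range, "0.0.0.0/0" = any (assumed)
    proto: str                 # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    def __init__(self, policies):
        # Policies are walked in position order; the first match decides.
        self.policies = sorted(policies, key=lambda pol: pol.position)
        self.sessions = set()  # 5-tuples of permitted, initiated sessions

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def process(self, p: Packet) -> str:
        # 1. Return traffic of a tracked session needs no reverse policy.
        if self._reverse_key(p) in self.sessions:
            return "permit (session)"
        # 2. Otherwise take the action of the first matching policy and stop.
        for pol in self.policies:
            if pol.matches(p):
                if pol.action == "permit":
                    self.sessions.add(self._key(p))
                return f"{pol.action} (policy {pol.position})"
        # 3. No policy matched: implicit deny.
        return "drop (implicit deny)"


def demo():
    """Constructed scenario: policy 1 permits all internal hosts to reach
    external HTTPS, policy 2 tries to deny one subnet. Because policy 1 sits
    higher, policy 2 never takes effect for that traffic."""
    fw = StatefulFirewall([
        Policy(2, "deny",   "10.0.5.0/24", "0.0.0.0/0", "tcp", 443),
        Policy(1, "permit", "10.0.0.0/8",  "0.0.0.0/0", "tcp", 443),
    ])
    outbound = fw.process(Packet("10.0.5.4", "198.51.100.10", "tcp", 51000, 443))
    reply = fw.process(Packet("198.51.100.10", "10.0.5.4", "tcp", 443, 51000))
    unsolicited = fw.process(Packet("198.51.100.10", "10.0.5.4", "tcp", 40000, 22))
    return outbound, reply, unsolicited


if __name__ == "__main__":
    for label, result in zip(("outbound", "reply", "unsolicited"), demo()):
        print(f"{label:12s} {result}")
```

Note what the scenario shows: the deny at position 2 is shadowed by the permit at position 1, so the subnet it was meant to block still gets out; the reply is admitted from the session table without any External-to-Internal policy; and a fresh inbound connection from the same external host falls through to the implicit deny.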
Connection Reservations
When you set a connection reservation, you ensure that a particular IP address
or range of addresses has connectivity regardless of how much traffic is
passing through the TMS zl Module. Connection reservations can be for
outbound connections to a zone, in which case they reserve connections for
specific source addresses to destinations in that zone. Or connection
reservations can be for inbound connections from a zone, in which case they
reserve connections for any source address in that zone to particular
destinations and applications.
Suggested uses for connection reservations include the following:
Ensuring that network administrators have connectivity during a DoS attack
Guaranteeing that users can always access certain applications
Reserving connections for users who must be able to connect to a network resource at all times
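How a reservation keeps a held-back share of the connection table for specific sources (outbound) or for a destination and application (inbound) while a flood fills the shared pool, as an added illustrative model. This is example code, not the TMS zl Module's implementation: the table size, the zone names, the addresses and the admission rule (shared pool first, reservation as fallback) are assumptions made for the example.

```python
"""Model of connection reservations on a fixed-size connection table.
Illustrative only; not TMS zl code. The capacity, zone names, addresses
and the admission order are assumptions made for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Reservation:
    name: str
    count: int                  # connections held back for this reservation
    direction: str              # "outbound" or "inbound"
    zone: str                   # zone the reservation is to (outbound) or from (inbound)
    addresses: str              # outbound: source range; inbound: destination range
    dport: Optional[int] = None  # inbound only: the application's port (None = any)
    in_use: int = 0

    def covers(self, src, dst, dport, src_zone, dst_zone) -> bool:
        if self.direction == "outbound":
            return (dst_zone == self.zone
                    and ip_address(src) in ip_network(self.addresses))
        return (src_zone == self.zone
                and ip_address(dst) in ip_network(self.addresses)
                and (self.dport is None or self.dport == dport))


class ConnectionTable:
    def __init__(self, capacity: int, reservations):
        self.capacity = capacity
        self.reservations = reservations
        self.shared_in_use = 0

    @property
    def shared_capacity(self) -> int:
        # Everything not reserved is shared by all other traffic.
        return self.capacity - sum(r.count for r in self.reservations)

    def admit(self, src, dst, dport, src_zone, dst_zone) -> str:
        # Ordinary admission from the shared pool ...
        if self.shared_in_use < self.shared_capacity:
            self.shared_in_use += 1
            return "admitted (shared pool)"
        # ... and, once that is exhausted, reserved flows still get through.
        for r in self.reservations:
            if r.covers(src, dst, dport, src_zone, dst_zone) and r.in_use < r.count:
                r.in_use += 1
                return f"admitted (reservation {r.name})"
        return "rejected (table full)"


def demo():
    """Constructed scenario: a 10-entry table with 2 outbound connections
    reserved for administrators and 2 inbound connections reserved for a
    published web server, leaving 6 in the shared pool."""
    table = ConnectionTable(capacity=10, reservations=[
        Reservation("admins", 2, "outbound", "External", "10.0.0.0/28"),
        Reservation("web",    2, "inbound",  "External", "203.0.113.5/32", dport=443),
    ])
    results = []
    # Eight internal hosts open outbound connections at once (a small flood).
    for i in range(1, 9):
        results.append(table.admit(f"10.0.9.{i}", "198.51.100.20", 80,
                                   "Internal", "External"))
    # An administrator and the published application still get in.
    results.append(table.admit("10.0.0.2", "198.51.100.20", 22, "Internal", "External"))
    results.append(table.admit("198.51.100.77", "203.0.113.5", 443, "External", "Internal"))
    # An inbound connection to an application with no reservation is turned away.
    results.append(table.admit("198.51.100.77", "203.0.113.5", 22, "External", "Internal"))
    return results


if __name__ == "__main__":
    for n, r in enumerate(demo(), 1):
        print(f"{n:2d} {r}")
```

The point of the model is the accounting: the shared pool is sized as total capacity minus all reservations, so a flood can only ever consume the shared share, and the seventh and eighth flood connections are rejected while the administrator's SSH session and the reserved web application are still admitted.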