TMS zl Management and Configuration Guide ST.1.0.090213

Overview
Feature Interaction
2. If the packet is an IPsec packet, the TMS zl Module looks up the SA by its SPI:
   • If the SA exists, the module uses the SA's parameters to decrypt the packet. It forwards the decrypted and decapsulated packet to the firewall. See step 3.
   • If the SA does not exist or if the packet fails VPN checks, the module drops the packet.
3. The module's firewall checks the packet for attacks. If the packet was received on a VPN tunnel, the packet is also sent back to the VPN for VPN checks.
   • If the module detects an attack, it drops the packet.
   • If the module does not detect an attack, the firewall continues to process the packet. See step 4.
4. The module determines whether the packet matches a pre-NAT port trigger or ALG. If the packet does, the module handles the packet as specified in the trigger or ALG.
5. The TMS zl Module checks the source and destination IP addresses and ports in the packet header and determines whether a session already exists for the packet:
   • If a session exists, the module allows the packet:
     – If IPS is enabled for the packet's session, the module passes the packet to the IDS/IPS. See step 8.
     – If IPS is disabled for the packet's session, the firewall continues to process the packet for NAT. See step 9.
   • If a session does not exist, the module applies a firewall access policy to the packet. See step 6.
6. The TMS zl Module determines the group of access policies that apply to the packet:
   • The module determines the user group according to the source IP address. If the address is not associated with a user group, the module applies the access policies that have no group setting.
   • Multicast policies apply to traffic that is destined to IP addresses 224.0.0.0 to 239.255.255.255. All other traffic is controlled by unicast policies.
   • The module determines the packet's source zone according to the VLAN on which it received the packet.
   • The module determines the packet's destination zone according to the forwarding VLAN in the route to the packet's destination.
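The session lookup of step 5 and the policy-group selection of step 6, modelled in Python as an added example. This is illustrative code, not the TMS zl Module's own implementation; the session table, user-group map, VLAN-to-zone map and route table are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of steps 5 and 6: a session lookup keyed on the header
# 5-tuple, then policy-group selection for packets that start a new session.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # 224.0.0.0 - 239.255.255.255

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    ingress_vlan: int

# Hypothetical tables standing in for the module's own state (sample values).
SESSIONS = {("10.1.1.5", "192.0.2.10", 40000, 443, "tcp"): {"ips": True}}
USER_GROUPS = {ipaddress.ip_network("10.1.1.0/24"): "staff"}
VLAN_ZONE = {10: "internal", 20: "external"}
ROUTES = {ipaddress.ip_network("192.0.2.0/24"): 20,
          ipaddress.ip_network("0.0.0.0/0"): 20}

def lookup_session(pkt):
    """Step 5: match source/destination addresses and ports against sessions."""
    return SESSIONS.get((pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto))

def forwarding_vlan(dst):
    """Longest-prefix match over the constructed route table."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

def policy_group(pkt):
    """Step 6: user group, multicast/unicast, source zone, destination zone."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    user_group = next((g for n, g in USER_GROUPS.items() if src in n), None)
    return {
        "user_group": user_group,  # None -> policies with no group setting apply
        "policy_type": "multicast" if dst in MULTICAST else "unicast",
        "src_zone": VLAN_ZONE[pkt.ingress_vlan],
        "dst_zone": VLAN_ZONE[forwarding_vlan(pkt.dst)],
    }

def classify(pkt):
    """Returns the next stage for the packet and, for new sessions, its policy group."""
    session = lookup_session(pkt)
    if session is not None:
        return ("ids/ips", None) if session["ips"] else ("nat", None)
    return ("access-policy", policy_group(pkt))
```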