TMS zl Management and Configuration Guide ST.1.0.090213
1-68
Overview
Feature Interaction
7. The module matches the packet against access policies in the group until
it finds a match.
The module matches the packet first against the policy that has the highest
position (lowest numerical value).
• If the packet matches the access policy (including the policy's schedule,
if it has one), the module applies the rule's action:
– If the action is deny, the module drops the packet.
– If the action is permit, the module checks the rate limiting and
other settings.
If the settings do not permit another connection, the module
drops the packet.
If the settings permit another connection, the module checks the
connection limits for the packet’s zones. If these have been
reached, the module drops the packet—unless a connection reservation
has been made for it.
If a connection is available for the packet, the module checks
whether IPS is enabled for the policy.
If IPS is enabled, the module forwards the packet to the IDS/IPS.
See step 8.
If IPS is not enabled, the module determines whether to apply
NAT. See step 9.
• If the packet does not match the access policy, the module matches
it to the active policy with the next highest position. The module
continues to match the packet to policies until it finds a match and
applies the policy (see the bullet above). If the packet does not match
any active policies in the group, the module drops the packet.
8. The TMS zl Module IDS/IPS checks the packet with enabled signatures
and protocol-anomaly checks:
• If the module detects a threat, it takes the action specified for the
severity level associated with that threat:
– If the action is to terminate the session, the module closes the
session to which the packet belongs. If the endpoint sends more
packets in this session, the module will automatically drop them.
The module also creates a log entry.
– If the action is to block the packet, the module drops the packet.
(It allows other packets in the session.) The module also creates
a log entry.
– If the action is to allow the packet, the module logs the threat and
passes the packet back to the firewall for NAT. See step 9.
• If the module does not detect a threat, it passes the packet back to
the firewall for NAT. See step 9.
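The decision flow of steps 7 and 8, written out as a small added simulation (constructed for this page, not the module's own code): policies are tried in position order, a permit is subject to the policy's connection setting and the zone limit unless the session holds a reservation, and an IPS verdict of terminate causes every later packet of that session to be dropped. The class and field names (Policy, Firewall, conn_limit, severity_action) are assumptions, and a result of "nat" stands for handing the packet on to step 9.

```python
from dataclasses import dataclass, field
# Constructed simulation of the step-7/step-8 flow; hypothetical names, not the module's code.
@dataclass
class Policy:
    position: int              # lowest numerical value is checked first
    zones: tuple               # (source zone, destination zone)
    action: str                # "permit" or "deny"
    active: bool = True
    in_schedule: bool = True   # False when the policy's schedule does not match now
    conn_limit: int = 10**9    # connection cap from the policy's rate-limit settings
    ips: bool = False
    conns: int = 0

@dataclass
class Firewall:
    policies: list
    zone_limit: dict           # zones -> maximum connections between them
    severity_action: dict      # severity -> "terminate" | "block" | "allow"
    zone_conns: dict = field(default_factory=dict)
    reserved: set = field(default_factory=set)   # sessions holding a connection reservation
    open_sessions: set = field(default_factory=set)
    terminated: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def process(self, zones, session, threat=None):
        if session in self.terminated:      # step 8: session already closed by IPS
            return "drop"
        for pol in sorted(self.policies, key=lambda p: p.position):   # step 7
            if not (pol.active and pol.in_schedule and pol.zones == zones):
                continue                    # no match: try the next position
            if pol.action == "deny":
                return "drop"
            if session not in self.open_sessions:   # new connection: apply limits
                zone_full = self.zone_conns.get(zones, 0) >= self.zone_limit.get(zones, 10**9)
                if pol.conns >= pol.conn_limit or (zone_full and session not in self.reserved):
                    return "drop"           # policy settings or zone limit refuse it
                pol.conns += 1
                self.zone_conns[zones] = self.zone_conns.get(zones, 0) + 1
                self.open_sessions.add(session)
            return self.ids_ips(session, threat) if pol.ips else "nat"
        return "drop"                       # no active policy matched

    def ids_ips(self, session, threat):     # step 8
        if threat is None:
            return "nat"                    # no threat: back to the firewall for NAT
        act = self.severity_action[threat]
        self.log.append((session, threat, act))   # every detection is logged
        if act == "terminate":
            self.terminated.add(session)    # later packets in this session are dropped
        return "nat" if act == "allow" else "drop"
```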