TMS zl Management and Configuration Guide ST.1.0.090213

1-69
Overview
Feature Interaction
9. The TMS zl module determines whether to apply NAT:
The module matches the packet against NAT policies for its source zone
and destination zone. It processes the policies in order, beginning with the
policy with the highest position (lowest numerical value), until it finds a
match.
If the packet matches a NAT policy, the module follows this process
to apply NAT:
i. The module translates the source or destination IP address and
port of the packet according to the NAT policy. If a source NAT
policy specifies multiple IP addresses for the NAT address, the
module must assign the packet an IP address from that pool of
addresses. If no addresses are available, the module drops the
packet.
ii. The module then applies post-NAT checks. See step 10.
If the packet does not match a policy, the module does not apply NAT.
It creates a connection for the traffic, which records the source and
destination IP addresses and ports. This connection counts toward the
maximum number of connections allowed on the TMS zl Module.
The module then determines whether the packet is part of a VPN
tunnel. See step 12.
10. If IPS is enabled in the access policy that allowed the packet, the TMS zl
Module applies post-NAT checks. (If IPS is not enabled, the module
proceeds with step 11.)
If the module detects a threat, it takes the action specified for the
severity level associated with that threat:
If the action is to terminate the session, the module closes the
session to which the packet belongs. If the endpoint sends more
packets in this session, the module will automatically drop them.
The module also creates a log entry.
If the action is to block the packet, the module drops the packet.
(It allows other packets in the session.) The module also creates
a log entry.
If the action is to allow the packet, the module logs the threat and
passes the packet back to the firewall for other post-NAT checks.
See step 11.
If the module does not detect a threat, it passes the packet back to
the firewall for the remaining post-NAT checks. See step 11.
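Steps 9 and 10 above, modelled as an added Python example. This is illustrative code written for this page, not TMS zl firmware or any HP ProCurve API; the policy kind names, zone names, signature strings, the severity-to-action table, the verdict strings and the behaviour when the connection table is full are all assumptions (the guide only says a connection counts toward the maximum). The model shows the ordering rule (the policy with the lowest position number wins even when a later policy has a larger pool), the pool-exhausted drop, the difference between the IPS "block" action (one packet) and "terminate" (the whole session, so later packets are dropped), and that traffic with no matching NAT policy is handed on to the VPN check of step 12 without passing through this model's IPS step.

```python
"""Toy model of the TMS zl NAT (step 9) and IPS (step 10) decisions.

Added illustrative code, not TMS zl firmware or its API.  Policy order,
pool exhaustion, the three IPS actions and the session-terminate memory
follow the guide; the names, data and table-full behaviour are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    session_id: int
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    payload: bytes = b""


@dataclass
class NatPolicy:
    position: int          # lowest number = highest position, checked first
    src_zone: str
    dst_zone: str
    kind: str              # "source" or "destination" (assumed names)
    addresses: List[str]   # source NAT may list a pool; one address per session here


# Constructed threat table: (signature bytes, severity).  Assumption.
SIGNATURES = [(b"EXPLOIT-A", "critical"), (b"SCAN-B", "high"), (b"NOISY-C", "low")]

# Assumed severity -> action mapping (configurable on the real module).
IPS_ACTION = {"critical": "terminate", "high": "block", "medium": "allow", "low": "allow"}


class TmsModel:
    def __init__(self, policies: List[NatPolicy], max_connections: int, ips_enabled: bool = True):
        # Step 9: policies are evaluated in position order; the first match wins.
        self.policies = sorted(policies, key=lambda p: p.position)
        self.max_connections = max_connections
        self.ips_enabled = ips_enabled
        self.sessions: Dict[int, Optional[str]] = {}   # session_id -> NAT address or None
        self.terminated: Set[int] = set()              # sessions closed by IPS "terminate"
        self.log: List[str] = []

    def _find_policy(self, pkt: Packet) -> Optional[NatPolicy]:
        for p in self.policies:
            if (p.src_zone, p.dst_zone) == (pkt.src_zone, pkt.dst_zone):
                return p
        return None

    def _open_session(self, pkt: Packet, nat_addr: Optional[str]) -> bool:
        if pkt.session_id in self.sessions:
            return True
        # Assumption: a full connection table refuses the new session.
        if len(self.sessions) >= self.max_connections:
            self.log.append(f"session {pkt.session_id}: connection table full")
            return False
        self.sessions[pkt.session_id] = nat_addr
        return True

    def _step9_nat(self, pkt: Packet) -> str:
        policy = self._find_policy(pkt)
        if policy is None:                         # no NAT; connection still created
            return "no-nat" if self._open_session(pkt, None) else "drop:table-full"
        if policy.kind == "destination":
            pkt.dst_ip = policy.addresses[0]
            return "nat" if self._open_session(pkt, None) else "drop:table-full"
        # Source NAT: reuse the session's address, otherwise take a free pool address.
        addr = self.sessions.get(pkt.session_id)
        if addr is None:
            in_use = set(self.sessions.values())
            free = [a for a in policy.addresses if a not in in_use]
            if not free:                           # guide: no address available -> drop
                self.log.append(f"session {pkt.session_id}: NAT pool exhausted, packet dropped")
                return "drop:pool-exhausted"
            addr = free[0]
            if not self._open_session(pkt, addr):
                return "drop:table-full"
        pkt.src_ip = addr
        return "nat"

    def _step10_ips(self, pkt: Packet) -> str:
        if not self.ips_enabled:
            return "pass"
        for sig, severity in SIGNATURES:
            if sig in pkt.payload:
                action = IPS_ACTION[severity]
                self.log.append(f"session {pkt.session_id}: {severity} threat, action={action}")
                if action == "terminate":          # close the session; later packets dropped
                    self.terminated.add(pkt.session_id)
                    self.sessions.pop(pkt.session_id, None)
                    return "drop:terminate"
                if action == "block":              # this packet only; session stays open
                    return "drop:block"
                return "pass"                      # allow: logged and forwarded
        return "pass"

    def process(self, pkt: Packet) -> str:
        """Verdict for one packet: 'pass' (on to step 11), 'no-nat' (on to step 12) or 'drop:<reason>'."""
        if pkt.session_id in self.terminated:
            return "drop:session-terminated"
        nat = self._step9_nat(pkt)
        if nat != "nat":
            return nat
        ips = self._step10_ips(pkt)
        return "pass" if ips == "pass" else ips
```

Running the model with two overlapping source NAT policies for the same zone pair makes the ordering rule visible: the position-1 policy with a single address is matched first, so a second session is dropped as pool-exhausted even though the position-2 policy has spare addresses. Once IPS terminates the first session, its address is released and a new session can take it.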
11. The module determines whether a NAT-capable ALG applies to the packet.
If one does, the module handles the packet appropriately, modifying
information as necessary to match the new NAT values. Then the
module creates a session for the traffic (if one does not exist). The