TMS zl Management and Configuration Guide ST.1.0.090213
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
Troubleshooting the Firewall
When you are configuring and troubleshooting the firewall, you should review
how the firewall operates. With these guidelines in mind, you can then apply
the strategy outlined in this section to isolate your problem and fix it.
Reviewing How the Firewall Operates
Keep in mind the following general principles for the TMS zl Module’s firewall:
■ All traffic is denied by default.
■ Access policies with a higher priority are processed first.
■ A regular access policy is processed before a user-based access policy.
■ Some traffic must be transmitted to the Self zone.
■ Only traffic transmitted between VLANs is routed and, therefore, filtered.
■ Additional protections are applied to the external zone.
All Traffic Is Denied by Default. By default, the TMS zl Module firewall has an implicit deny all access policy. Unless you create an access policy to explicitly allow particular traffic, the TMS zl Module will block it. The TMS zl Module compares a packet to every access policy in the packet's corresponding policy set. A policy set consists of:
■ Source zone and destination zone
■ Traffic type (unicast or multicast)
■ User group of the packet’s source IP address (or, if the packet has no
group, the None user group)
Because of the implicit deny all access policy, you must configure access
policies to permit the traffic that you want to allow through the firewall.
Access Policies with a Higher Priority Are Processed First. The TMS
zl Module first determines which policy set corresponds to the packet and
then begins to compare the packet to the access policies in that particular
policy set, beginning with the policy that has the highest position (lowest
numerical value).
For example, the firewall compares a packet against Unicast Internal-to-External access policy 1 before it compares it against Unicast Internal-to-External access policy 2. The module takes the action specified in the first policy that the packet matches and then stops processing policies for that packet.
If the packet does not match any of the access policies in the policy set, the
TMS zl Module drops the packet.
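The following added example models the matching order just described (policy set selection by zone pair, traffic type and user group; comparison in position order; first match wins; implicit deny when nothing matches). It is not the module's own code, and the zone names, user group, addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the matching order described above (policy set lookup,
# position order, first match wins, implicit deny). Not the module's own code;
# zone names, user groups and addresses are sample values.

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    traffic: str        # "unicast" or "multicast"
    user_group: str     # "None" when the source IP belongs to no group
    src: str
    dport: int

@dataclass
class Policy:
    position: int                 # lowest numerical value is processed first
    action: str                   # "permit" or "deny"
    src_net: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and (self.dport is None or self.dport == pkt.dport))

class Firewall:
    def __init__(self):
        # One policy set per (source zone, destination zone, traffic type, user group).
        self.policy_sets = {}

    def add(self, src_zone, dst_zone, traffic, group, policy):
        self.policy_sets.setdefault((src_zone, dst_zone, traffic, group), []).append(policy)

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src_zone, pkt.dst_zone, pkt.traffic, pkt.user_group)
        # Walk the matching set in position order; the first hit decides and processing
        # stops. No policy set, or no matching policy, falls through to the implicit deny.
        for policy in sorted(self.policy_sets.get(key, []), key=lambda p: p.position):
            if policy.matches(pkt):
                return f"{policy.action} (policy {policy.position})"
        return "deny (implicit)"

def build_sample_firewall() -> Firewall:
    fw = Firewall()
    # Unicast Internal-to-External set, None user group: policy 1 permits HTTPS from
    # 10.0.0.0/8 and policy 2 explicitly denies everything else in this set.
    fw.add("Internal", "External", "unicast", "None", Policy(1, "permit", "10.0.0.0/8", 443))
    fw.add("Internal", "External", "unicast", "None", Policy(2, "deny"))
    return fw
```

Swapping the two positions in build_sample_firewall would make policy 2 shadow policy 1, which is the ordering mistake to check for first when allowed traffic is unexpectedly dropped.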