TMS zl Management and Configuration Guide ST.1.1.100226
Overview
Feature Interaction
• If the module detects an attack, it drops the packet.
• If the module does not detect an attack, the firewall continues to
process the packet. See step 4.
4. The module determines whether the packet matches a pre-NAT port
trigger or ALG. If the packet does, the module handles the packet as
specified in the trigger or ALG.
5. The TMS zl Module checks the source and destination IP addresses and
ports in the packet header and determines whether a session already
exists for the packet:
• If a session exists, the module allows the packet:
– If IPS is enabled for the packet’s session, the module passes the
packet to the IDS/IPS. See step 8.
– If IPS is disabled for the packet’s session, the firewall continues
to process the packet for NAT. See step 9.
• If a session does not exist, the module applies a firewall access policy
to the packet. See step 6.
6. The TMS zl Module determines the group of access policies that apply to
the packet:
• Multicast policies apply to traffic that is destined to IP addresses
224.0.0.0 to 239.255.255.255. All other traffic is controlled by unicast
policies.
• The module determines the user group according to the source IP
address. If the address is not associated with a user group, the module
applies the access policies that have no group setting.
• The module determines the packet’s source zone according to the
VLAN on which it received the packet.
• The module determines the packet’s destination zone according to
the forwarding VLAN in the route to the packet’s destination.
7. The module matches the packet against the access policies in the group, in
order of position, until it finds a match. The policy with the highest position
(lowest numerical value) is checked first, and evaluation stops at the first
match, so a narrower policy placed below a broader one that also matches the
packet is never reached.
• If the packet matches the access policy (including the policy’s schedule,
if it has one), the module applies the policy’s action:
– If the action is deny, the module drops the packet.
– If the action is permit, the module checks the rate limiting and
other settings.
If the settings do not permit another connection, the module
drops the packet.
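The following is an added example, not code from the HP guide or the TMS zl firmware; it is a small Python model of the order of operations in steps 5 to 7 (session lookup, policy-group selection by multicast range, user group, source zone and destination zone, then first-match evaluation by position with schedule and connection-limit checks). Every class, table, zone and VLAN name, sample policy, the treatment of group-less policies for a known group, and the implicit-deny result when nothing matches are assumptions constructed for illustration; the sample policies show why a specific deny placed below a broad permit never fires.

```python
"""Model of the TMS zl packet-handling order in steps 5 to 7.

Added example; not code from the HP guide or the TMS zl firmware. All names,
tables, sample policies and the implicit-deny default are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

MULTICAST = ip_network("224.0.0.0/4")  # 224.0.0.0 to 239.255.255.255


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_vlan: int  # VLAN the packet arrived on, decides the source zone


@dataclass
class Policy:
    position: int                    # lower number = evaluated earlier
    action: str                      # "permit" or "deny"
    src_zone: str
    dst_zone: str
    proto: str = "any"
    dport: Optional[int] = None
    group: Optional[str] = None      # None = policy has no group setting
    hours: Optional[range] = None    # schedule as active hours; None = always
    max_conns: Optional[int] = None  # connection limit checked on permit
    multicast: bool = False


@dataclass
class Firewall:
    vlan_zone: dict    # VLAN id -> zone name
    routes: list       # (network, forwarding VLAN) pairs
    user_groups: list  # (network, group name) pairs
    policies: list
    sessions: set = field(default_factory=set)
    conns: dict = field(default_factory=dict)  # position -> open connections

    def dest_zone(self, dst):
        """Destination zone = zone of the forwarding VLAN in the best route."""
        hits = [r for r in self.routes if dst in r[0]]
        if not hits:
            return None
        _net, vlan = max(hits, key=lambda r: r[0].prefixlen)
        return self.vlan_zone.get(vlan)

    def user_group(self, src):
        for net, name in self.user_groups:
            if src in net:
                return name
        return None  # source not associated with any group

    def policy_group(self, pkt):
        """Step 6: select the policies that can apply, sorted by position."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        group = self.user_group(src)
        sz, dz = self.vlan_zone.get(pkt.in_vlan), self.dest_zone(dst)
        # Assumption: a known group sees its own and group-less policies;
        # an unknown source sees only policies with no group setting.
        allowed = {group, None} if group else {None}
        return sorted((p for p in self.policies
                       if p.multicast == (dst in MULTICAST) and p.src_zone == sz
                       and p.dst_zone == dz and p.group in allowed),
                      key=lambda p: p.position)

    def evaluate(self, pkt, hour):
        """Steps 5 and 7. Returns (verdict, matching policy position or None)."""
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key in self.sessions:
            return "permit-session", None
        for p in self.policy_group(pkt):
            if p.proto != "any" and p.proto != pkt.proto:
                continue
            if p.dport is not None and p.dport != pkt.dport:
                continue
            if p.hours is not None and hour not in p.hours:
                continue  # outside the schedule is not a match
            if p.action == "deny":
                return "drop", p.position
            used = self.conns.get(p.position, 0)
            if p.max_conns is not None and used >= p.max_conns:
                return "drop-limit", p.position  # settings refuse another connection
            self.conns[p.position] = used + 1
            self.sessions.add(key)
            return "permit", p.position
        return "drop-nomatch", None  # assumption: implicit deny


def build_firewall(deny_first):
    """Constructed sample: INTERNAL (VLAN 10) to EXTERNAL (VLAN 20)."""
    deny_telnet = Policy(1 if deny_first else 2, "deny", "INTERNAL", "EXTERNAL", "tcp", 23)
    permit_any = Policy(2 if deny_first else 1, "permit", "INTERNAL", "EXTERNAL",
                        hours=range(8, 18), max_conns=2)
    return Firewall(vlan_zone={10: "INTERNAL", 20: "EXTERNAL"},
                    routes=[(ip_network("0.0.0.0/0"), 20), (ip_network("10.0.0.0/8"), 10)],
                    user_groups=[(ip_network("10.1.0.0/16"), "staff")],
                    policies=[deny_telnet, permit_any])


def demo():
    pk = lambda port: Packet("10.1.0.5", "203.0.113.9", "tcp", port, 10)  # constructed traffic
    bad, good = build_firewall(deny_first=False), build_firewall(deny_first=True)
    return {
        "telnet_deny_below_permit": bad.evaluate(pk(23), 10),   # permit wins, deny never reached
        "telnet_deny_above_permit": good.evaluate(pk(23), 10),  # deny fires
        "https": good.evaluate(pk(443), 10),
        "https_repeat": good.evaluate(pk(443), 10),             # existing session, no policy lookup
        "ssh": good.evaluate(pk(22), 10),
        "over_limit": good.evaluate(pk(53), 10),                # third new connection exceeds max_conns
        "smtp_after_hours": bad.evaluate(pk(25), 22),           # schedule miss, nothing else matches
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run it directly to see the verdicts; the two telnet cases differ only in the positions of the same two policies, which is the ordering mistake to check for when reviewing a policy list.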