TMS zl Management and Configuration Guide ST.1.1.100226

1-76
Overview
Feature Interaction
• If the settings permit another connection, the module checks the connection limits for the packet’s zones. If these have been reached, the module drops the packet—unless a connection reservation has been made for it.
• If a connection is available for the packet, the module checks whether IPS is enabled for the policy.
  - If IPS is enabled, the module forwards the packet to the IDS/IPS. See step 8.
  - If IPS is not enabled, the module determines whether to apply NAT. See step 9.
• If the packet does not match the access policy, the module matches it to the policy with the next highest position. The module continues to match the packet to policies until it finds a match and applies the policy (see the bullet above). If the packet does not match any policies in the group, the module drops the packet.
8. The TMS zl Module IDS/IPS checks the packet using enabled signatures and protocol-anomaly checks:
• If the module detects a threat, it takes the action specified for the severity level associated with that threat:
  - If the action is to terminate the session, the module closes the session to which the packet belongs. If the endpoint sends more packets in this session, the module will automatically drop them. The module also creates a log entry.
  - If the action is to block the packet, the module drops the packet. (It allows other packets in the session.) The module also creates a log entry.
  - If the action is to allow the packet, the module logs the threat and passes the packet back to the firewall for NAT. See step 9.
• If the module does not detect a threat, it passes the packet back to the firewall for NAT. See step 9.
9. The TMS zl module determines whether to apply NAT:
The module matches the packet against NAT policies for its source zone and destination zone. It processes the policies in order, beginning with the policy with the highest position (lowest numerical value), until it finds a match.
• If the packet matches a NAT policy, the module follows this process to apply NAT:
  i. The module translates the source or destination IP address and port of the packet according to the NAT policy.
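The decision sequence described above (ordered access-policy match, per-zone connection limits with reservations, IDS/IPS severity actions, then ordered NAT-policy match) can be modelled as a small simulation. The Python below is an added illustration, not code from this guide or from the TMS zl Module itself; the policy fields, zone names, addresses, session identifiers, the severity-to-action mapping and the `threat_severity` flag that stands in for a signature hit are all constructed assumptions. It shows the two behaviours that are easy to confuse in operation: a "terminate session" action drops every later packet of that session, while a "block packet" action drops only the offending packet.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_port: int
    session_id: str
    threat_severity: Optional[str] = None  # constructed: what the IDS/IPS would flag

@dataclass
class AccessPolicy:
    position: int             # lowest number = highest position = checked first
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any port
    action: str               # "permit" or "deny"
    ips_enabled: bool = False

@dataclass
class NatPolicy:
    position: int
    src_zone: str
    dst_zone: str
    translated_src_ip: str
    dst_port: Optional[int] = None

def first_match(policies, pkt):
    """Walk policies from highest position (lowest number) down; return the first match."""
    for pol in sorted(policies, key=lambda p: p.position):
        zones_ok = (pol.src_zone, pol.dst_zone) == (pkt.src_zone, pkt.dst_zone)
        if zones_ok and (pol.dst_port is None or pol.dst_port == pkt.dst_port):
            return pol
    return None

class Module:
    """Hypothetical model of the module's per-packet decision flow."""
    def __init__(self, access, nat, zone_limits, ips_actions, reservations=()):
        self.access, self.nat = access, nat
        self.zone_limits = zone_limits          # (src_zone, dst_zone) -> max sessions
        self.ips_actions = ips_actions          # severity -> terminate | block | allow
        self.reservations = set(reservations)   # session ids holding a reserved slot
        self.sessions = {}                      # session id -> zone pair
        self.terminated = set()                 # sessions closed by the IPS
        self.log = []                           # (session, severity, action)

    def process(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, source IP after NAT); verdict is 'forward' or 'drop'."""
        if pkt.session_id in self.terminated:   # IPS closed this session earlier
            return ("drop", None)
        pol = first_match(self.access, pkt)     # ordered access-policy match
        if pol is None or pol.action != "permit":
            return ("drop", None)               # explicit deny, or no policy matched
        pair = (pkt.src_zone, pkt.dst_zone)
        if pkt.session_id not in self.sessions: # zone limit applies to new connections
            active = sum(1 for p in self.sessions.values() if p == pair)
            if (active >= self.zone_limits.get(pair, float("inf"))
                    and pkt.session_id not in self.reservations):
                return ("drop", None)           # limit reached and no reservation
            self.sessions[pkt.session_id] = pair
        if pol.ips_enabled and pkt.threat_severity is not None:   # step 8
            action = self.ips_actions[pkt.threat_severity]
            self.log.append((pkt.session_id, pkt.threat_severity, action))
            if action == "terminate":
                self.terminated.add(pkt.session_id)
                self.sessions.pop(pkt.session_id, None)
                return ("drop", None)
            if action == "block":
                return ("drop", None)           # only this packet; session stays open
        nat = first_match(self.nat, pkt)        # step 9: ordered NAT-policy match
        return ("forward", nat.translated_src_ip if nat else pkt.src_ip)

def run_demo():
    """Drive the model with constructed policies and packets; returns (results, log)."""
    access = [AccessPolicy(1, "internal", "external", 23, "deny"),   # position 1 wins
              AccessPolicy(2, "internal", "external", None, "permit", ips_enabled=True)]
    nat = [NatPolicy(1, "internal", "external", "203.0.113.10")]
    m = Module(access, nat, {("internal", "external"): 3},
               {"high": "terminate", "medium": "block", "low": "allow"},
               reservations={"s-reserved"})

    def pk(sid, port=80, sev=None, zone="internal"):
        return Packet(zone, "external", "10.0.0.5", port, sid, sev)

    results = {
        "clean": m.process(pk("s1")),
        "telnet_denied": m.process(pk("s-telnet", port=23)),
        "high_first": m.process(pk("s2", sev="high")),
        "high_followup": m.process(pk("s2")),          # session was terminated
        "medium_first": m.process(pk("s3", sev="medium")),
        "medium_followup": m.process(pk("s3")),        # session still open
        "low": m.process(pk("s4", sev="low")),         # logged, then passed to NAT
        "limit_reached": m.process(pk("s5")),          # s1, s3, s4 fill the limit of 3
        "reserved": m.process(pk("s-reserved")),       # reservation bypasses the limit
        "no_policy": m.process(pk("s6", zone="dmz")),  # no matching policy at all
    }
    return results, m.log
```

Running `run_demo()` returns a dictionary of verdicts keyed by scenario plus the IPS log; the `telnet_denied` case shows why position order matters, since the deny at position 1 is evaluated before the broader permit at position 2.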