TMS zl Management and Configuration Guide ST.1.1.100226

4-22
Firewall
Firewall Access Policies
This section covers the TMS zl Module firewall access policies, which control
all traffic routed in and out of TMS VLANs:
For detailed information about access policies, see “Access Policy Concepts” on page 4-22.
To learn how to create access policies, see “Create Firewall Access Policies” on page 4-29.
To learn how to manage access policies, including best practices for modifying and deleting them, see “Guidelines for Managing Access Policies” on page 4-33.
For example access policies, see “Policy Examples” on page 4-40.
Access Policy Concepts
A network’s first line of defense is its firewall, and the firewall’s access policies
determine its effectiveness. The access policies tell the firewall which types
of traffic are allowed to cross TMS VLAN boundaries.
For ease of configuration and management, the TMS zl Module divides TMS
VLANs into zones, which are logical areas of trust. (For more information on
zones, see “Zones” on page 1-12.)
Access Policy Groups
Firewall access policies are grouped by the following criteria:
Source and destination zones
Unicast or multicast traffic
User group (for unicast access policies only)
When the TMS zl Module receives traffic (that is not part of a current session),
it matches the traffic to the group of policies that apply to it, beginning with
the policy with the lowest index number. If the traffic does not match any of
the policies, the module applies the implicit deny policy and drops the traffic.
Caution The implicit deny policy is always present; you should not configure an explicit
deny any access policy because it might interfere with the proper functioning
of any ALGs that are enabled.
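The evaluation order described above (group by zones, cast type and user group; first match in ascending index order; implicit deny when nothing matches) can be modeled in a few lines. This is an added illustrative model written for this guide, not the module’s own code; the zone names, service names, user group and policy indexes are constructed for the example, and the rule that a policy with no user group applies to all users is an assumption.

```python
"""Model of TMS zl access-policy evaluation: policies are grouped by
(source zone, destination zone, unicast/multicast, user group), checked in
ascending index order, first match wins, and unmatched traffic is dropped by
the implicit deny. Added example; names and indexes below are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    index: int                 # evaluation order within its group (lowest first)
    src_zone: str
    dst_zone: str
    action: str                # "permit" or "deny"
    service: str = "any"       # e.g. "tcp/80"; "any" matches every service
    multicast: bool = False
    user_group: Optional[str] = None   # unicast only; None = all users (assumption)

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str
    multicast: bool = False
    user_group: Optional[str] = None

def policy_group(policies, flow):
    """Select the policies that apply to this flow, sorted by index."""
    group = [p for p in policies
             if p.src_zone == flow.src_zone and p.dst_zone == flow.dst_zone
             and p.multicast == flow.multicast
             and (p.multicast or p.user_group in (None, flow.user_group))]
    return sorted(group, key=lambda p: p.index)

def evaluate(policies, flow):
    """Return (action, matching index); ("deny", None) means implicit deny."""
    for p in policy_group(policies, flow):
        if p.service in ("any", flow.service):
            return p.action, p.index
    return "deny", None   # implicit deny: no explicit deny-any policy is needed

# Constructed policy set for the example
POLICIES = [
    Policy(1, "INTERNAL", "EXTERNAL", "permit", "tcp/80"),
    Policy(2, "INTERNAL", "EXTERNAL", "permit", "tcp/443"),
    Policy(5, "INTERNAL", "EXTERNAL", "permit", "any", user_group="admins"),
    Policy(20, "INTERNAL", "DMZ", "permit", "any"),
    Policy(10, "INTERNAL", "DMZ", "deny", "tcp/23"),   # lower index, checked first
]

if __name__ == "__main__":
    print(evaluate(POLICIES, Flow("INTERNAL", "EXTERNAL", "tcp/22")))   # ('deny', None)
    print(evaluate(POLICIES, Flow("INTERNAL", "DMZ", "tcp/23")))        # ('deny', 10)
```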