TMS zl Management and Configuration Guide ST.1.1.100226
4-28
Firewall
Firewall Access Policies
When host 10.10.0.56 tries to contact server 10.5.0.220, however, the traffic
must cross a VLAN (subnet) boundary, which requires the services of a Layer
3 routing device. Because the TMS zl Module is the default router for VLAN_10,
it receives the traffic. The TMS zl Module can therefore block the traffic from
10.10.0.56 with a firewall access policy.
Processing Access Policies
The TMS zl Module matches a packet to every access policy that:
■ Is the correct type (unicast or multicast)
■ Applies to the user group of the packet’s source IP address (or, if the
packet has no group, to the None user group)
■ Includes the packet’s source and destination zones
Within these policies, the module starts with the policy that has the highest
position (lowest numerical value). For example, it will compare a packet
against Internal-to-External access policy 1 before it compares it to
Internal-to-External access policy 2. The module takes the action that is
specified in the first policy that the packet matches. It then stops processing
policies.
Caution: When the TMS zl Module evaluates a firewall access policy that contains a
domain name that cannot be resolved, it terminates evaluation and denies the
session. As a result of this safeguard, a DNS failure can deny traffic that would
otherwise be allowed by subsequent policies. A best practice is to place
policies that use domain names at the end of the policy list to mitigate the
impact of DNS failures.
If the packet never matches a policy, the module drops it. In other words, the
TMS zl Module denies all traffic for which it does not have a policy. You must
configure policies to permit any traffic. (However, certain traffic, such as
routing protocol traffic, is allowed by default.)
Caution: The TMS zl Module automatically applies an implicit deny to traffic that is not
selected by another access policy. Therefore, you do not have to create a final
access policy to deny all other traffic. In fact, you should not configure such
a policy because it might interfere with the proper functioning of any ALGs
that are enabled.
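The evaluation order described in "Processing Access Policies" and the two cautions above (filter by type, user group and zone pair; walk policies by position; first match wins; an unresolvable domain name terminates evaluation with a deny; no match means implicit deny) as a small Python model. This is an added example, not code from this guide or from the TMS zl Module itself: the Policy and Packet structures, the evaluate function, the resolver table and the zone names and addresses are constructed for illustration and do not reflect the module's internal implementation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    position: int                      # 1 = highest position, evaluated first
    ptype: str                         # "unicast" or "multicast"
    user_group: str                    # group name, or "None" for packets without a group
    src_zone: str
    dst_zone: str
    action: str                        # "permit" or "deny"
    dst_ip: Optional[str] = None       # literal destination address; None = any
    domain_name: Optional[str] = None  # destination given as a name (needs DNS)


@dataclass
class Packet:
    ptype: str
    user_group: str
    src_zone: str
    dst_zone: str
    dst_ip: str


# Constructed resolver table; a name missing from it models a DNS failure.
DNS = {"updates.example.test": "10.5.0.220"}


def evaluate(policies, pkt, dns=DNS):
    """Return (action, reason) for a packet, following the guide's order."""
    # Step 1: keep only policies of the packet's type, user group and zone pair.
    candidates = [p for p in policies
                  if p.ptype == pkt.ptype and p.user_group == pkt.user_group
                  and p.src_zone == pkt.src_zone and p.dst_zone == pkt.dst_zone]
    # Step 2: walk them from highest position (lowest number) downward.
    for p in sorted(candidates, key=lambda p: p.position):
        if p.domain_name is not None:
            resolved = dns.get(p.domain_name)
            if resolved is None:
                # Unresolvable name: evaluation stops here and the session is
                # denied, even if a later policy would have permitted it.
                return ("deny", f"policy {p.position}: {p.domain_name} "
                                "unresolvable, evaluation terminated")
            if resolved != pkt.dst_ip:
                continue
        elif p.dst_ip is not None and p.dst_ip != pkt.dst_ip:
            continue
        # Step 3: first match wins; nothing after it is consulted.
        return (p.action, f"policy {p.position} matched")
    # Step 4: no match -> implicit deny (no explicit deny-all policy needed).
    return ("deny", "implicit deny: no policy matched")


# Domain-name policy placed first: the order the first Caution warns about.
POLICIES = [
    Policy(1, "unicast", "None", "Internal", "External", "permit",
           domain_name="updates.example.test"),
    Policy(2, "unicast", "None", "Internal", "External", "permit",
           dst_ip="10.5.0.221"),
]
# Same rules with the domain-name policy moved to the end (recommended order).
REORDERED = [
    Policy(1, "unicast", "None", "Internal", "External", "permit",
           dst_ip="10.5.0.221"),
    Policy(2, "unicast", "None", "Internal", "External", "permit",
           domain_name="updates.example.test"),
]

if __name__ == "__main__":
    to_221 = Packet("unicast", "None", "Internal", "External", "10.5.0.221")
    mcast = Packet("multicast", "None", "Internal", "External", "10.5.0.221")
    print("DNS ok, domain policy first:  ", evaluate(POLICIES, to_221))
    print("DNS down, domain policy first:", evaluate(POLICIES, to_221, dns={}))
    print("DNS down, domain policy last: ", evaluate(REORDERED, to_221, dns={}))
    print("multicast, no policy:         ", evaluate(POLICIES, mcast))
```

Running the script shows the effect the first Caution describes: with the domain-name policy at position 1 and the resolver table emptied, traffic to 10.5.0.221 is denied even though policy 2 would permit it, whereas the same rules with the domain-name policy last still permit it. The multicast case and any packet from a user group with no matching policy fall through to the implicit deny, which is why the second Caution says no trailing deny-all policy is needed.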