TMS zl Management and Configuration Guide ST.1.1.100430
1-77
Overview
Feature Interaction
If a source NAT policy specifies multiple IP addresses for the NAT
address, the module must assign the packet an IP address from
that pool of addresses. If no addresses are available, the module
drops the packet.
ii. The module then applies post-NAT checks. See step 10.
• If the packet does not match a policy, the module does not apply NAT.
It creates a connection for the traffic, which records the source and
destination IP addresses and ports. This session counts toward the
maximum number of connections allowed on the TMS zl Module. The
module then determines whether the packet is part of a VPN (GRE or
L2TP) tunnel. See step 12.
10. If IPS is enabled in the access policy that allowed the packet, the TMS zl
Module inspects the packet with IPS as the first of the post-NAT checks.
(If IPS is not enabled, the module proceeds to step 11.)
• If the module detects a threat, it takes the action configured for the
severity level assigned to that threat:
– If the action is to terminate the session, the module closes the
session to which the packet belongs. Any further packets the
endpoint sends in that session are dropped automatically. The
module also creates a log entry.
– If the action is to block the packet, the module drops that packet
only and continues to allow other packets in the session. The
module also creates a log entry.
– If the action is to allow the packet, the module logs the threat and
passes the packet back to the firewall for the remaining post-NAT
checks. See step 11.
• If the module does not detect a threat, it passes the packet back to
the firewall for the remaining post-NAT checks. See step 11.
11. The module determines whether a NAT-capable ALG applies to the packet.
• If one does, the module handles the packet accordingly, modifying the
address and port information carried in the payload as necessary to
match the new NAT values. Then the module creates a session for the
traffic (if one does not already exist). The session records the source
and destination addresses and ports both before and after NAT. This
session counts toward the maximum number of connections allowed on
the TMS zl Module. The module then proceeds to step 12.
• If no NAT-capable ALG applies to the packet, the module simply creates
the session (if one does not already exist) and proceeds to step 12.
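The branching in steps 9ii through 11 is easier to follow as a small state machine. The Python below is an added illustration written for this page, not code from the TMS zl Module; the `TmsModel`, `Packet` and `Session` names, the severity-to-action table and the sample traffic are all constructed for the example. It follows the branch order described above: a flow with no matching NAT policy skips the IPS and ALG steps and goes straight to step 12, a "terminate" action closes the session so that the endpoint's later packets keep being dropped, and a "block" action drops only the offending packet while its session stays open. Whether the packet that triggers a "terminate" is itself dropped is not stated on the page and is an assumption of the model.

```python
"""Model of the TMS zl post-NAT path (steps 9ii-11) from the flow above. Added
example, not the module's own code; class, field and log names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DROP, ALLOW = "drop", "allow"
FiveTuple = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nat_match: bool = True        # does a source NAT policy match this flow?
    threat: Optional[str] = None  # constructed: IPS severity name, None if clean


@dataclass
class Session:
    pre_nat: FiveTuple
    post_nat: FiveTuple           # equals pre_nat when no NAT was applied
    terminated: bool = False      # set by an IPS "terminate" action


class TmsModel:
    def __init__(self, nat_pool: List[str], ips_enabled: bool,
                 ips_actions: Dict[str, str], alg_ports: Dict[int, str]):
        self.nat_pool = list(nat_pool)     # pool addresses not yet handed out
        self.ips_enabled = ips_enabled
        self.ips_actions = ips_actions     # severity -> terminate | block | allow
        self.alg_ports = alg_ports         # dport -> NAT-capable ALG name
        self.sessions: Dict[FiveTuple, Session] = {}   # keyed by pre-NAT tuple
        self.log: List[str] = []

    def process(self, pkt: Packet) -> Tuple[str, Optional[FiveTuple]]:
        pre: FiveTuple = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        sess = self.sessions.get(pre)
        # A session closed by IPS keeps dropping the endpoint's further packets.
        if sess is not None and sess.terminated:
            self.log.append(f"terminated session, drop {pre}")
            return DROP, None
        # Step 9, no matching NAT policy: no NAT, create the session, go to step 12.
        if not pkt.nat_match:
            if sess is None:
                self.sessions[pre] = Session(pre, pre)
            return ALLOW, pre
        # Step 9i: the first packet of a NAT'd flow draws an address from the pool.
        if sess is None:
            if not self.nat_pool:
                self.log.append(f"NAT pool exhausted, drop {pre}")
                return DROP, None
            post = (pkt.proto, self.nat_pool.pop(0), pkt.sport, pkt.dst, pkt.dport)
        else:
            post = sess.post_nat
        # Step 10: IPS post-NAT check; the action is chosen by the threat's severity.
        if self.ips_enabled and pkt.threat is not None:
            action = self.ips_actions[pkt.threat]
            self.log.append(f"IPS {pkt.threat} threat on {pre}: {action}")
            if action == "terminate":
                # The page closes the session; dropping the triggering packet as
                # well is an assumption of this model.
                if sess is None:
                    sess = self.sessions[pre] = Session(pre, post)
                sess.terminated = True
                return DROP, None
            if action == "block":
                return DROP, None      # this packet only; the session stays open
            # "allow": threat logged above, packet continues to step 11
        # Step 11: a NAT-capable ALG rewrites payload addresses to the NAT values.
        alg = self.alg_ports.get(pkt.dport)
        if alg is not None:
            self.log.append(f"{alg} ALG rewrote payload of {pre} to {post[1]}")
        if sess is None:
            self.sessions[pre] = Session(pre, post)   # keeps pre- and post-NAT tuples
        return ALLOW, post             # step 12 (tunnel determination) would follow


def demo() -> Tuple[List[Tuple[str, Optional[FiveTuple]]], List[str]]:
    """Constructed traffic: pool exhaustion, block vs. terminate, ALG, no-NAT path."""
    m = TmsModel(nat_pool=["203.0.113.10", "203.0.113.11"], ips_enabled=True,
                 ips_actions={"critical": "terminate", "major": "block", "minor": "allow"},
                 alg_ports={21: "ftp"})
    web = ("tcp", "10.0.0.5", 40000, "198.51.100.7", 80)
    ftp = ("tcp", "10.0.0.6", 40001, "198.51.100.7", 21)
    pkts = [
        Packet(*web),                                   # new flow, takes .10 from the pool
        Packet(*ftp),                                   # new flow, takes .11, FTP ALG applies
        Packet("tcp", "10.0.0.7", 40002, "198.51.100.7", 80),  # pool exhausted: dropped
        Packet(*web, threat="major"),                   # block: this packet only
        Packet(*web),                                   # same session, still allowed
        Packet(*ftp, threat="minor"),                   # allow: logged and forwarded
        Packet(*web, threat="critical"),                # terminate: session closed
        Packet(*web),                                   # dropped, session is terminated
        Packet("tcp", "10.0.0.8", 40003, "198.51.100.7", 443, nat_match=False),  # no NAT
    ]
    return [m.process(p) for p in pkts], m.log
```

Calling `demo()` returns the verdict and post-NAT tuple for each constructed packet together with the log entries: the third packet is dropped because the two-address pool is exhausted, the fourth is blocked while its session survives and the fifth passes, and the eighth is dropped because the seventh terminated the session. Note that, as the page describes, the last packet never reaches the IPS or ALG steps because no NAT policy matched it.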
12. The TMS zl Module determines whether the packet is part of a GRE or
L2TP tunnel.