TMS zl Management and Configuration Guide ST.1.2.100916
10-40
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
For example, the firewall will match a packet against Unicast Internal-to-External access policy 1 before it matches it to Unicast Internal-to-External access policy 2. The module takes the action that is specified in the first policy that the packet matches. It then stops processing policies for that packet. If the packet does not match any of the access policies in the policy set, the TMS zl Module drops the packet.
A Regular Access Policy Has a Higher Priority Than a User-Based Access Policy. A normal access policy (which applies to any user group) has a higher priority than a user-based access policy. This means that the TMS zl Module will process the normal access policy first.
Some Traffic Must Be Transmitted to the Self Zone. Every traffic type that requires the TMS zl Module to listen on its own interface also requires an access policy to and from the module’s interface in Self. The commonly used traffic types that require such access policies are:
■ Destination NAT
■ IKE-negotiated VPNs
■ GRE tunnels
■ DHCP
For example, suppose your local VPN gateway is the module’s IP address for VLAN 999 (10.99.99.99), which is in the External zone. For an IKE-negotiated VPN, you would need to create an access policy that permits Internet Key Exchange (IKE) traffic from External to Self, and you would specify 10.99.99.99 as the destination address. You would also need to create an access policy that permits traffic in the reverse direction.
Firewall Handles Only Traffic Transmitted Between VLANs. The TMS zl Module will filter traffic and apply access policies only to traffic that is routed. That is, the TMS zl Module must route traffic between two VLANs. If traffic is being transmitted between two devices in the same VLAN, the traffic is switched, not routed, and the TMS zl Module will not handle it.
Additional Protections Are Applied to the External Zone. With the exception of the external zone, there are no differences between zones. The external zone, however, includes some additional attack protections, such as checking for the sequence prediction attack.
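As an added example that is not from the guide, the following Python model applies the rules described above (first match wins, normal policies before user-based ones, implicit drop, same-VLAN traffic switched rather than routed, and the Self-zone IKE policies for the 10.99.99.99 gateway) to a constructed policy set. The `Policy` and `Packet` classes, the port numbers and the sample addresses are assumptions for illustration, not the module's own configuration syntax.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    proto: str                 # "tcp", "udp" or "any"
    dst_port: Optional[int]    # None matches any port
    dst_ip: Optional[str]      # None matches any address
    action: str                # "permit" or "deny"
    user_based: bool = False   # True for a user-group policy

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_vlan: int
    dst_vlan: int
    proto: str
    dst_port: int
    dst_ip: str

def matches(p: Policy, pkt: Packet) -> bool:
    return (p.src_zone == pkt.src_zone and p.dst_zone == pkt.dst_zone
            and p.proto in ("any", pkt.proto)
            and p.dst_port in (None, pkt.dst_port)
            and p.dst_ip in (None, pkt.dst_ip))

def evaluate(policies: List[Policy], pkt: Packet) -> str:
    to_or_from_module = "Self" in (pkt.src_zone, pkt.dst_zone)
    if pkt.src_vlan == pkt.dst_vlan and not to_or_from_module:
        return "switched"      # same VLAN: switched, not routed, so not inspected
    ordered = ([p for p in policies if not p.user_based]   # normal policies first
               + [p for p in policies if p.user_based])    # user-based afterwards
    for p in ordered:          # first match decides; later policies are skipped
        if matches(p, pkt):
            return p.action
    return "drop"              # nothing in the policy set matched: implicit drop

# Constructed policy set (not from the guide), built around its 10.99.99.99 example
POLICIES = [
    Policy("External", "Self", "udp", 500, "10.99.99.99", "permit"),  # IKE in
    Policy("Self", "External", "udp", 500, None, "permit"),           # IKE out
    Policy("Internal", "External", "udp", 53, None, "permit", user_based=True),
    Policy("Internal", "External", "tcp", 23, None, "deny"),          # policy 1
    Policy("Internal", "External", "tcp", None, None, "permit"),      # policy 2
    Policy("Internal", "External", "udp", 53, None, "deny"),          # beats user-based
]
```

With this set, Telnet from Internal is denied by policy 1 even though policy 2 would permit it, the user-based DNS permit loses to the later normal deny, IKE to any address other than 10.99.99.99 falls through to the implicit drop, and traffic between two hosts in one VLAN is never evaluated.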