TMS zl Management and Configuration Guide ST.1.2.100916
Firewall
Firewall Access Policies
When the TMS zl Module receives traffic that is not part of a current session,
it matches the traffic against the group of policies that apply to it, beginning with
the policy with the lowest index number. If the traffic does not match any of
the policies, the module applies the implicit deny policy and drops the traffic.
Caution: The implicit deny policy is always present; you should not configure an explicit
deny any access policy because it might interfere with the proper functioning
of any ALGs that are enabled.
Access Policy Parameters
More specifically, policies include the following parameters, which determine
which traffic is selected:
■ Source and Destination Zones
Firewall access policies are grouped by the source and destination zones.
A policy may designate any of the 10 zones as the source or destination
zone or both.
■ Traffic Type
Firewall access policies can be applied to two basic types of traffic:
• Unicast—A packet has one sender and one receiver. Transmissions
in LANs and across the Internet are predominantly unicast.
• Multicast—A packet has one or more senders and a set of receivers.
Multicast transmissions have a destination address in the 224.0.0.0 –
239.255.255.255 range.
■ Source and/or Destination Address (optional)
Access policies may apply to specific source and/or destination addresses
inside a zone.
■ Service (optional)
Access policies can be applied to specific application-level services
such as HTTP, FTP, or SNMP.
■ Schedule (optional)
Access policies can be applied at a specific time and/or on selected days.
■ User Group (optional)
You can create user groups, then configure policies that apply only to the
users in that group. Access policies assigned to user groups are applied
first, then the general access policies are applied. Access policies that are
not explicitly assigned to user groups (general access policies) apply to
all traffic.
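The matching order described above (policies grouped by zone pair, lowest index first, implicit deny when nothing matches) and the user-group rule in this last item (group-assigned policies applied before general ones) can be modelled in a few lines. The following is an added example written for this page, not code from the TMS zl Module or its documentation; the zone names, index numbers, address ranges, services and the "admins" group are constructed for illustration, and the multicast range is the 224.0.0.0 - 239.255.255.255 range given above.

```python
"""Constructed model of TMS zl-style firewall access-policy matching.

Hypothetical zone names, policies and packets; not the module's own code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Multicast destination range given in the guide: 224.0.0.0 - 239.255.255.255
MULTICAST_NET = ipaddress.ip_network("224.0.0.0/4")


def traffic_type(dst: str) -> str:
    """Classify a packet as 'multicast' or 'unicast' by its destination address."""
    return "multicast" if ipaddress.ip_address(dst) in MULTICAST_NET else "unicast"


@dataclass(frozen=True)
class Policy:
    index: int                        # lower index is evaluated first
    src_zone: str
    dst_zone: str
    action: str                       # "permit" or "deny"
    traffic: str = "unicast"          # "unicast" or "multicast"
    src_net: Optional[str] = None     # optional source address/prefix
    dst_net: Optional[str] = None     # optional destination address/prefix
    service: Optional[str] = None     # optional application-level service
    user_group: Optional[str] = None  # None means a general policy


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    user_group: Optional[str] = None  # group of the authenticated user, if any


def matches(p: Policy, pkt: Packet) -> bool:
    """True if every parameter the policy specifies is satisfied by the packet."""
    if (p.src_zone, p.dst_zone) != (pkt.src_zone, pkt.dst_zone):
        return False
    if p.traffic != traffic_type(pkt.dst):
        return False
    if p.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(p.src_net):
        return False
    if p.dst_net and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(p.dst_net):
        return False
    if p.service and p.service != pkt.service:
        return False
    if p.user_group and p.user_group != pkt.user_group:
        return False
    return True


def evaluate(policies, pkt):
    """Return (action, index of the matching policy); index is None for the implicit deny."""
    # Only the group of policies for this zone pair applies to the packet.
    candidates = [p for p in policies
                  if (p.src_zone, p.dst_zone) == (pkt.src_zone, pkt.dst_zone)]
    # User-group policies are applied before general ones; within each set, lowest index first.
    for p in sorted(candidates, key=lambda p: (p.user_group is None, p.index)):
        if matches(p, pkt):
            return p.action, p.index
    return "deny", None  # implicit deny: nothing matched, so the traffic is dropped


# Constructed policy set for the INTERNAL -> EXTERNAL zone pair.
POLICIES = [
    Policy(5,   "INTERNAL", "EXTERNAL", "deny",   service="HTTP", dst_net="203.0.113.7/32"),
    Policy(10,  "INTERNAL", "EXTERNAL", "permit", service="HTTP"),
    Policy(20,  "INTERNAL", "EXTERNAL", "permit", service="HTTPS", src_net="10.1.0.0/16"),
    Policy(30,  "INTERNAL", "EXTERNAL", "permit", traffic="multicast", dst_net="239.255.0.0/16"),
    Policy(40,  "INTERNAL", "EXTERNAL", "deny",   service="FTP"),
    Policy(100, "INTERNAL", "EXTERNAL", "permit", service="FTP", user_group="admins"),
]

if __name__ == "__main__":
    samples = [
        Packet("INTERNAL", "EXTERNAL", "10.1.2.3", "198.51.100.20", "HTTP"),
        Packet("INTERNAL", "EXTERNAL", "10.1.2.3", "203.0.113.7", "HTTP"),
        Packet("INTERNAL", "EXTERNAL", "10.1.2.3", "198.51.100.20", "FTP"),
        Packet("INTERNAL", "EXTERNAL", "10.1.2.3", "198.51.100.20", "FTP", user_group="admins"),
        Packet("INTERNAL", "EXTERNAL", "10.1.2.3", "239.255.1.1", "UDP"),
        Packet("DMZ", "EXTERNAL", "172.16.0.9", "198.51.100.20", "HTTP"),
    ]
    for pkt in samples:
        print(pkt.service, pkt.dst, pkt.user_group, "->", evaluate(POLICIES, pkt))
```

Two behaviours worth noting when running it: the FTP policy assigned to the "admins" group (index 100) wins over the general FTP deny (index 40) because group policies are evaluated first, regardless of index; and a DMZ-sourced packet is dropped by the implicit deny without consulting any policy, because no policy exists for that zone pair.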