TMS zl Management and Configuration Guide ST.1.2.100916

Firewall
Firewall Access Policies
For example, suppose you want to block all traffic that originates from the IP
address 10.5.0.13 and is destined for 10.5.0.220. But because the two addresses
belong to the same subnet (VLAN_5, 10.5.0.0/16), the switch automatically
forwards the traffic at Layer 2, and the traffic never passes through the TMS zl
Module. In this case, host 10.5.0.13 is able to contact server 10.5.0.220 with
HTTP and HTTPS despite the existence of the “orphaned” firewall access
policy.
When host 10.10.0.56 tries to contact server 10.5.0.220, however, the traffic
must cross a VLAN (subnet) boundary, which requires the services of a Layer
3 routing device. Because the TMS zl Module is the default router for VLAN_10,
it receives the traffic. The TMS zl Module can therefore block the traffic from
10.10.0.56 with a firewall access policy.
Processing Access Policies
The TMS zl Module compares a packet against every access policy that:
- Is the correct type (unicast or multicast)
- Applies to the user group of the packet's source IP address (or, if the
packet's source has no group, to the None user group)
- Includes the packet's source and destination zones
Within these policies, the module starts with the policy that has the highest
position (lowest numerical value). For example, it will compare a packet
against Internal-to-External access policy 1 before it compares it to Internal-
to-External access policy 2. The module takes the action that is specified in
the first policy that the packet matches. It then stops processing policies.
Caution: When the TMS zl Module evaluates a firewall access policy that contains
a domain name that cannot be resolved, it stops evaluating policies and denies
the session. Because of this safeguard, a DNS failure can deny traffic that a
later policy would otherwise allow. As a best practice, place policies that use
domain names at the end of the policy list to limit the impact of DNS failures.
If a packet matches no policy, the module drops it. In other words, the TMS zl
Module denies all traffic for which it has no policy; you must configure
policies to permit any traffic you want forwarded. (Certain traffic, such as
routing protocol traffic, is allowed by default.)