TMS zl Management and Configuration Guide ST.1.2.100916

4-33
Firewall
Firewall Access Policies
Continue adding access policies until you have created all of the policies for
this type of traffic, user group, and source and destination zone.
Caution: The TMS zl Module automatically applies an implicit deny to traffic that is not
selected by another access policy. Therefore, you do not have to create a final
access policy to deny all other traffic. In fact, you should not configure such
a policy because it might interfere with the proper functioning of any ALGs
that are enabled.
Guidelines for Managing Access Policies
When you are configuring access policies, there are certain instances in which
established traffic will be reevaluated and possibly disconnected. Those
instances are listed below:
- Modifying an existing policy
- Adding an overlapping, higher-position policy
- Deleting a policy
Modifying an Existing Access Policy
If you modify an existing policy that allows an endpoint to send or receive
traffic, that traffic will be reevaluated after the policy is modified. The process
is as follows:
1. All traffic that was initially permitted by the policy will be reevaluated
against the modified policy.
   - If the traffic is permitted by the modified policy, the session will continue
seamlessly.
   - If the traffic is no longer permitted by the modified policy, the session will
be reset. See step 2.
2. Either the application or the user will attempt to reestablish a connection,
depending on the application. When the firewall receives this new traffic, it
checks it against all of its policies. If the traffic matches a policy other than
the modified policy, the firewall will execute the action of that policy.
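The reevaluation sequence above, as an added Python model that is not TMS zl code: an ordered policy table with first-match semantics and implicit deny, sessions tagged with the policy that permitted them, and a narrowed policy 2 that resets the FTP session, after which the reconnect attempt falls through to the implicit deny. The Policy and Session structures and the zone and service names are assumptions.

```python
from dataclasses import dataclass
# Added illustration, not TMS zl code: the policy/session fields are assumptions.

@dataclass
class Policy:
    position: int      # lower position is evaluated first
    src_zone: str
    dst_zone: str
    service: str       # "any" matches every service
    action: str        # "permit" or "deny"
    def matches(self, src_zone, dst_zone, service):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.service in ("any", service))

@dataclass
class Session:
    src_zone: str
    dst_zone: str
    service: str
    policy_position: int   # position of the policy that permitted the session

def lookup(policies, src_zone, dst_zone, service):
    """First matching policy in position order decides; no match is an implicit deny."""
    for p in sorted(policies, key=lambda p: p.position):
        if p.matches(src_zone, dst_zone, service):
            return p.action, p.position
    return "deny", None   # implicit deny: no explicit catch-all policy needed

def reevaluate_sessions(sessions, modified):
    """Sessions permitted by the modified policy are re-checked against its new
    definition; those it no longer permits are reset. Returns (kept, reset)."""
    kept, reset = [], []
    for s in sessions:
        if s.policy_position != modified.position:
            kept.append(s)   # permitted by a different policy: unaffected
        elif modified.action == "permit" and modified.matches(s.src_zone, s.dst_zone, s.service):
            kept.append(s)   # still permitted: continues seamlessly
        else:
            reset.append(s)  # no longer permitted: session reset
    return kept, reset

def demo():
    # Constructed scenario: policy 2 permits FTP from Internal to DMZ.
    policies = [Policy(1, "Internal", "DMZ", "http", "permit"),
                Policy(2, "Internal", "DMZ", "ftp", "permit")]
    ftp = Session("Internal", "DMZ", "ftp", policy_position=2)
    policies[1] = Policy(2, "Internal", "DMZ", "https", "permit")  # step 1: policy 2 narrowed
    kept, reset = reevaluate_sessions([ftp], policies[1])
    # Step 2: the client reconnects; the new flow is checked against all policies.
    return kept, reset, lookup(policies, "Internal", "DMZ", "ftp")
```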
In Figure 4-15, the endpoint in the Internal zone has an established FTP
session with the FTP server in the DMZ. This connection was permitted by
Internal-to-DMZ policy 2.