ZyXEL Communications ISG50 Network Router User Manual
Chapter 23 Firewall
ISG50 User’s Guide
355
You can configure a To-ISG50 firewall rule (with From Any To Device direction) for traffic from an
interface which is not in a zone.
Global Firewall Rules
Firewall rules with from any and/or to any as the packet direction are called global firewall rules.
The global firewall rules are the only firewall rules that apply to an interface or VPN tunnel that is
not included in a zone. The from any rules apply to traffic coming from the interface and the to
any rules apply to traffic going to the interface.
Firewall Rule Criteria
The ISG50 checks the schedule, user name (the user's login name on the ISG50), source IP address,
destination IP address and IP protocol type of network traffic against the firewall rules in the order
you list them. The first rule that the traffic matches decides: the ISG50 takes the action specified in
that rule and does not check the rules below it, so the order matters whenever a broad rule and a
narrower rule overlap.
User Specific Firewall Rules
You can specify users or user groups in firewall rules. For example, to allow a specific user from any
computer to access a zone by logging in to the ISG50, you can set up a rule based on the user
name only. If you also apply a schedule to the firewall rule, the user can only access the network at
the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the ISG50
and will be disabled after the user logs out of the ISG50.
Firewall and VPN Traffic
After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN
traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone for example), you can configure
a new LAN1 to LAN1 firewall rule or use intra-zone traffic blocking to allow or block VPN traffic
transmitted between the VPN tunnel and the other interfaces in the LAN1 zone. If you add the VPN
tunnel to a new zone (the VPN zone for example), you can configure rules for VPN traffic between
the VPN zone and other zones, or From VPN To-Device rules for VPN traffic destined for the
ISG50 itself.
Session Limits
Accessing the ISG50 or network resources through the ISG50 requires a NAT session and a
corresponding firewall session. Peer-to-peer applications, such as file sharing applications, may use
a large number of NAT sessions. A single client could use all of the available NAT sessions and
prevent others from connecting to or through the ISG50 (a denial of service for every other client).
The ISG50 lets you limit the number of concurrent NAT/firewall sessions a single client can use.
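The behaviour described in this chapter (ordered first-match rule evaluation, global rules being the only rules that apply to an interface in no zone, user-aware and scheduled rules that are active only while the user is logged in, and a per-client session limit) is modelled in the following added Python example. It is illustrative code written for this page, not ZyXEL firmware or a ZyXEL interface: the class, field and zone names, the way a login binds a user to the client IP address, the default deny for traffic that matches no rule, and the constructed rule set and packets are all assumptions.

```python
"""Illustrative model of the ISG50 firewall rule evaluation described in this chapter.
Added example code, not ZyXEL firmware or a ZyXEL API; names, the default-deny
fallthrough and the login-binds-to-client-IP model are assumptions for the example."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "any"        # "from any" / "to any": the rule is a global rule
DEVICE = "device"  # "To-Device": traffic addressed to the ISG50 itself

@dataclass
class Rule:
    from_zone: str
    to_zone: str
    action: str                       # "allow" or "deny"
    src: Optional[str] = None         # CIDR; None matches any source
    dst: Optional[str] = None         # CIDR; None matches any destination
    protocol: Optional[str] = None    # "tcp", "udp", "icmp"; None matches any
    user: Optional[str] = None        # login name; active only while that user is logged in
    schedule: Optional[tuple] = None  # (start, end) times of day; None means always

@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    protocol: str
    at: time
    out_iface: Optional[str] = None   # None: the packet is destined for the device itself

def pkt(in_iface, src, dst, protocol, hour, out_iface=None):
    """Constructed test traffic: a packet seen at the given hour of the day."""
    return Packet(in_iface, src, dst, protocol, time(hour), out_iface)

class Firewall:
    def __init__(self, zones, rules, session_limit, default="deny"):
        self.zones = zones                  # interface -> zone; an unzoned interface is absent
        self.rules = rules                  # checked in list order; the first match decides
        self.session_limit = session_limit  # max concurrent NAT/firewall sessions per client IP
        self.default = default              # assumption: traffic matching no rule is dropped
        self.logins = {}                    # client IP -> user name (set on login, cleared on logout)
        self.sessions = {}                  # client IP -> open session count

    def login(self, ip, user):
        self.logins[ip] = user

    def logout(self, ip):
        self.logins.pop(ip, None)

    def _matches(self, r, p):
        from_zone = self.zones.get(p.in_iface)  # None for an interface that is in no zone
        to_zone = DEVICE if p.out_iface is None else self.zones.get(p.out_iface)
        # A named zone never equals None, so an unzoned interface can only match "any":
        # this is the "only global rules apply" behaviour the manual describes.
        if r.from_zone not in (ANY, from_zone) or r.to_zone not in (ANY, to_zone):
            return False
        if r.src and ip_address(p.src) not in ip_network(r.src):
            return False
        if r.dst and ip_address(p.dst) not in ip_network(r.dst):
            return False
        if r.protocol and r.protocol != p.protocol:
            return False
        if r.user and self.logins.get(p.src) != r.user:  # user-aware rule: off until login
            return False
        if r.schedule and not (r.schedule[0] <= p.at < r.schedule[1]):
            return False
        return True

    def decide(self, p):
        """Return (action, index of the matching rule); index is None on default fallthrough."""
        for i, r in enumerate(self.rules):
            if self._matches(r, p):
                return r.action, i
        return self.default, None

    def admit(self, p):
        """Rule lookup, then reserve a session for the client; a client at its limit is refused."""
        action, i = self.decide(p)
        if action != "allow":
            return "deny", i
        if self.sessions.get(p.src, 0) >= self.session_limit:
            return "session-limit", i
        self.sessions[p.src] = self.sessions.get(p.src, 0) + 1
        return "allow", i

    def release(self, p):
        """Session teardown frees one slot for the client."""
        if self.sessions.get(p.src, 0) > 0:
            self.sessions[p.src] -= 1

def build_demo():
    zones = {"lan1": "LAN1", "wan1": "WAN", "dmz": "DMZ"}  # constructed; "ppp0" is left in no zone
    rules = [
        Rule("LAN1", "WAN", "allow", user="alice", schedule=(time(9), time(17))),  # user-aware, office hours
        Rule("LAN1", "WAN", "deny"),                                                # everyone else on LAN1
        Rule("WAN", "DMZ", "allow", protocol="tcp", dst="192.168.3.10/32"),          # DMZ web server
        Rule(ANY, DEVICE, "allow", protocol="icmp"),                                # global rule: ping the device
    ]
    return Firewall(zones, rules, session_limit=2)

if __name__ == "__main__":
    fw = build_demo()
    web = pkt("lan1", "192.168.1.20", "198.51.100.7", "tcp", 10, "wan1")
    print(fw.decide(web))                       # ('deny', 1): alice has not logged in yet
    fw.login("192.168.1.20", "alice")
    print(fw.decide(web))                       # ('allow', 0): the user-aware rule is now active
    print(fw.decide(pkt("ppp0", "10.9.0.2", "198.51.100.7", "tcp", 10, "wan1")))  # ('deny', None)
```

Two points worth checking against your own rule set: traffic from the unzoned `ppp0` interface only ever reaches the `from any` rule, so anything it needs must be expressed as a global rule; and the user-aware rule sits above the blanket LAN1-to-WAN deny, because placing it below would make it unreachable.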
Finding Out More
• See Section 6.6.13 on page 101 for related information on the Firewall screens.
• See Section 7.8 on page 123 for an example of creating firewall rules as part of configuring
user-aware access control (Section 7.5 on page 116).
• See Section 7.9.3 on page 128 for an example of creating a firewall rule to allow H.323 traffic
from the WAN to the LAN.
• See Section 7.10.3 on page 131 for an example of creating a firewall rule to allow web traffic
from the WAN to a server on the DMZ.