ZyXEL Communications ISG50 Network Router User Manual


 
Chapter 23 Firewall
ISG50 User’s Guide
If you enable intra-zone traffic blocking (see the chapter about zones), the firewall automatically
creates (implicit) rules to deny packet passage between the interfaces in the specified zone.
Besides configuring the firewall, you also need to configure NAT rules to allow computers on the
WAN to access LAN devices. See Chapter 18 on page 323 for more information.
The ISG50 applies NAT (Destination NAT) settings before applying the firewall rules. For
example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, the
corresponding firewall rule that allows the traffic must use the LAN IP address as
the destination. See Section 7.9 on page 125 for an example.
The ordering of your rules is very important as rules are applied in sequence.
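
The following model is an added illustration, not ZyXEL code or ISG50 configuration syntax. It shows why an allow rule written against the WAN address never matches once Destination NAT has rewritten the packet, and how rule order changes the verdict. The addresses, rule names and the default "deny" action are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # None matches any port
    action: str            # "allow" or "deny"

def apply_dnat(pkt, nat_table):
    """Destination NAT runs first: rewrite dst if a (WAN IP, port) entry matches."""
    target = nat_table.get((pkt.dst, pkt.dport))
    return pkt if target is None else Packet(pkt.src, target[0], target[1])

def firewall_verdict(pkt, rules, default="deny"):
    """First matching rule wins; the default action is an assumption of this model."""
    dst = ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if dst in ipaddress.ip_network(rule.dst) and rule.dport in (None, pkt.dport):
            return rule.action, rule.name
    return default, "default"

def process(pkt, nat_table, rules):
    """The firewall sees the packet only after the NAT rewrite."""
    return firewall_verdict(apply_dnat(pkt, nat_table), rules)

# Constructed sample values (documentation and private address ranges).
NAT = {("203.0.113.10", 443): ("192.168.1.20", 443)}
INBOUND = Packet(src="198.51.100.7", dst="203.0.113.10", dport=443)

ALLOW_WAN_IP = Rule("allow-wan-ip", "203.0.113.10/32", 443, "allow")  # never matches
ALLOW_LAN_IP = Rule("allow-lan-ip", "192.168.1.20/32", 443, "allow")  # matches post-NAT
DENY_LAN = Rule("deny-lan", "192.168.1.0/24", None, "deny")

if __name__ == "__main__":
    for label, rules in [("rule on WAN IP", [ALLOW_WAN_IP]),
                         ("rule on LAN IP", [ALLOW_LAN_IP]),
                         ("deny first", [DENY_LAN, ALLOW_LAN_IP]),
                         ("allow first", [ALLOW_LAN_IP, DENY_LAN])]:
        print(label, "->", process(INBOUND, NAT, rules))
```
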
Figure 242 Configuration > Firewall
The following table describes the labels in this screen.
Table 117 Configuration > Firewall
| LABEL | DESCRIPTION |
| --- | --- |
| General Settings | |
| Enable Firewall | Select this check box to activate the firewall. The ISG50 performs access control when the firewall is activated. |
| Allow Asymmetrical Route | If an alternate gateway on the LAN has an IP address in the same subnet as the ISG50’s LAN IP address, return traffic may not go through the ISG50. This is called an asymmetrical or “triangle” route. This causes the ISG50 to reset the connection, as the connection has not been acknowledged. Select this check box to have the ISG50 permit the use of asymmetrical route topology on the network (not reset the connection). Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ISG50. A better solution is to use virtual interfaces to put the ISG50 and the backup gateway on separate subnets. |
Firewall Rule Summary