56

|

Chapter 4:

Firewall Protection and Content Filtering

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual

To configure session limits:

1.

Select Security > Firewall > Session Limit to display the Session Limit screen.

2.

Click

Yes

to enable Session Limits.

3.

From the drop-down list, select whether you will limit sessions by percentage or by

absolute number. The percentage is computed based on the total connection capacity of

the device. When setting a limit based on absolute number, note that some protocols

(for example, FTP and RSTP) create two sessions per connection.

4.

Click

Apply

.

To monitor session limiting, return to this screen periodically and check the display of

Total

Number of Packets Dropped due to Session Limit

, which indicates that session limits

have been reached.

Managing the Application Level Gateway for SIP Sessions

The Application Level Gateway (ALG) facilitates multimedia sessions such as voice over IP

(VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall and provides

support for multiple SIP clients. ALG support for SIP is disabled by default.

To enable ALG for SIP:

1.

Select Security > Firewall > Advanced.

2.

Select the

Enable SIP ALG

checkbox.

3.

Click

Apply

to save your settings.

Chapter 4:

Firewall Protection and Content Filtering

|

57

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual

Creating Services, QoS Profiles, and Bandwidth

Profiles

When you create inbound and outbound firewall rules, you use firewall objects such as

services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules:

•

Services

. A service narrows down the firewall rule to an application and a port number.

For information about adding services, see

“Adding Customized Services”

on page 57.

•

QoS profiles

. A quality of service (QoS) profile defines the relative priority of an IP

packet for traffic that matches the firewall rule. For information about creating QoS

profiles, see

“Setting Quality of Service (QoS) Priorities”

on page 58.

•

Bandwidth Profiles

. A bandwidth profile allocates and limits traffic bandwidth for the

LAN users to which a firewall rule is applied. For information about creating bandwidth

profiles, see

“Creating Bandwidth Profiles”

on page 59.

Note:

A schedule narrows down the period during which a firewall rule is

applied. For information about specifying schedules, see

“Setting a

Schedule to Block or Allow Specific Traffic”

on page 61.

Adding Customized Services

Services are functions performed by server computers at the request of client computers. For

example, Web servers serve Web pages, time servers serve time and date information, and

game hosts serve data about other players’ moves. When a computer on the Internet sends

a request for service to a server computer, the requested service is identified by a service or

port number. This number appears as the destination port number in the transmitted IP

packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web

server) request.

The service numbers for many common protocols are defined by the Internet Engineering

Task Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for

other applications are typically chosen from the range 1024 to 65535 by the authors of the

application.

Although the VPN firewall already holds a list of many service port numbers, you are not

limited to these choices. Use the Services screen to add additional services and applications

to the list for use in defining firewall rules. The Services screen shows a list of services that

you have defined, as shown in .

To define a new service, you must first determine which port number or range of numbers is

used by the application. This information can usually be determined by contacting the

publisher of the application or from user groups or newsgroups. When you have the port

number information, you can enter it on the Services screen. You can configure up to 125

custom services.

58

|

Chapter 4:

Firewall Protection and Content Filtering

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual

To add a custom service:

1.

Select Security > Services from the menu. The Services screen is displayed.

2.

In the

Add Custom Services

section, enter a descriptive name for the service (this

name is for your convenience).

3.

Select the Layer 3 transport protocol of the service: TCP, UDP, or ICMP.

4.

For TCP or UDP services, enter the first port of the range that the service uses. For

ICMP services, enter the ICMP Type number.

5.

For TCP or UDP services, enter the last port of the range that the service uses. If the

service only uses a single port number, enter the same number in both fields.

6.

Click

Add

. The new custom service will be added to the

Custom Services Table

.

Modifying a Service

To edit the parameters of an existing service:

1.

In the Custom Services Table, click the

Edit

button adjacent to the service you want to

edit. The Edit Service screen is displayed.

2.

Modify the parameters you wish to change.

3.

Click

Apply

to confirm your changes. The modified service is displayed in the Custom

Services Table.

Setting Quality of Service (QoS) Priorities

The QoS setting determines the priority of a service, which in turn determines the quality of

that service for the traffic passing through the VPN firewall. You can change the QoS Priority:

•

On the Services screen in the

Custom Services Table

for customized services (see

Figure 1 on page 58

).

Chapter 4:

Firewall Protection and Content Filtering

|

59

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual

•

Select Security > Firewall > LAN WAN Rules, and then click

Add

for Outbound Services.

On the Add LAN WAN Outbound Services screen.

The QoS priority definition for a service determines the queue that is used for the traffic

passing through the VPN firewall. A priority is assigned to IP packets using this service.

Priorities are defined by the “Type of Service (ToS) in the Internet Protocol Suite” standards,

RFC 1349. A ToS priority for traffic passing through the VPN firewall is one of the following:

•

Normal-Service

.

No special priority given to the traffic. The IP packets for services with

this priority are marked with a ToS value of 0.

•

Minimize-Cost

.

Used when data must be transferred over a link that has a low

transmission cost. IP packets for this service priority are marked with a ToS value of 1.

•

Maximize-Reliability

.

Used when data needs to travel to the destination over a reliable

link with little or no retransmission. The IP packets for this service priority are marked with

a ToS value of 2.

•

Maximize-Throughput

.

Used when the volume of data transferred during an interval is

important even if the latency over the link is high. The IP packets for services with this

priority are marked with a ToS value of 4.

•

Minimize-Delay

.

Used when the time required for the packet to reach the destination

must be short (low link latency). The IP packets for this service priority are marked with a

ToS value of 8.

Creating Bandwidth Profiles

To prevent one user or group from using excessive inbound or outbound bandwidth, you can

define a bandwidth profile to set a minimum and maximum bandwidth for an individual or

group. You can apply a defined profile in a firewall rule to limit specific protocols or all traffic

(see

“Using Rules to Block or Allow Specific Kinds of Traffic”

on page 43).

60

|

Chapter 4:

Firewall Protection and Content Filtering

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual

To create a bandwidth profile:

1.

Select Security > Bandwidth Profile from the menu.

The

List of Bandwidth Profiles

table displays existing profiles.

2.

To create a new bandwidth profile, click

Add

to open the Add Bandwidth Profile screen.

3.

Enter the following information:

a.

Enter a

Profile Name

. This name will be available in the firewall rules definition

screens.

b.

From the

Direction

drop-down list, select whether the profile will apply to outbound,

inbound, or both outbound and inbound traffic.

c.

Depending on the direction that you selected, enter the minimum and maximum

bandwidths to be allowed:

•

Enter the

Outbound Minimum Bandwidth

and

Outbound Maximum

Bandwidth

in Kbps.

•

Enter the

Inbound Minimum Bandwidth

and

Inbound Maximum Bandwidth

in

Kbps.

The minimum bandwidth can range from 0 Kbps to the maximum bandwidth that you

specify. The maximum bandwidth can range from 100 Kbps to 100,000 Kbps.

d.

In the

Type

field, select whether the profile will apply to a group or individual.

e.

From the

WAN

drop-down list, specify the WAN interface (if in Load Balancing

Mode) for the profile.

4.

Click

Apply

. The new profile will be added to the

List of Bandwidth Profiles

table.