Page 56 of 203
Chapter 4: Firewall Protection and Content Filtering
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
To configure session limits:
1. Select Security > Firewall > Session Limit to display the Session Limit screen.
2. Click Yes to enable Session Limits.
3. From the drop-down list, select whether you will limit sessions by percentage or by absolute number. The percentage is computed based on the total connection capacity of the device. When setting a limit based on absolute number, note that some protocols (for example, FTP and RTSP) create two sessions per connection.
4. Click Apply.
To monitor session limiting, return to this screen periodically and check the display of Total Number of Packets Dropped due to Session Limit, which indicates that session limits have been reached.
Managing the Application Level Gateway for SIP Sessions
The Application Level Gateway (ALG) facilitates multimedia sessions such as voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall and provides support for multiple SIP clients. ALG support for SIP is disabled by default.
To enable ALG for SIP:
1. Select Security > Firewall > Advanced.
2. Select the Enable SIP ALG checkbox.
3. Click Apply to save your settings.
Creating Services, QoS Profiles, and Bandwidth Profiles
When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules:
• Services. A service narrows down the firewall rule to an application and a port number. For information about adding services, see “Adding Customized Services” on page 57.
• QoS profiles. A quality of service (QoS) profile defines the relative priority of an IP packet for traffic that matches the firewall rule. For information about creating QoS profiles, see “Setting Quality of Service (QoS) Priorities” on page 58.
• Bandwidth Profiles. A bandwidth profile allocates and limits traffic bandwidth for the LAN users to which a firewall rule is applied. For information about creating bandwidth profiles, see “Creating Bandwidth Profiles” on page 59.
Note: A schedule narrows down the period during which a firewall rule is applied. For information about specifying schedules, see “Setting a Schedule to Block or Allow Specific Traffic” on page 61.
Adding Customized Services
Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the VPN firewall already holds a list of many service port numbers, you are not limited to these choices. Use the Services screen to add additional services and applications to the list for use in defining firewall rules. The Services screen shows a list of services that you have defined, as shown in .
To define a new service, you must first determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups. When you have the port number information, you can enter it on the Services screen. You can configure up to 125 custom services.
To add a custom service:
1. Select Security > Services from the menu. The Services screen is displayed.
2. In the Add Custom Services section, enter a descriptive name for the service (this name is for your convenience).
3. Select the Layer 3 transport protocol of the service: TCP, UDP, or ICMP.
4. For TCP or UDP services, enter the first port of the range that the service uses. For ICMP services, enter the ICMP Type number.
5. For TCP or UDP services, enter the last port of the range that the service uses. If the service only uses a single port number, enter the same number in both fields.
6. Click Add. The new custom service will be added to the Custom Services Table.
Modifying a Service
To edit the parameters of an existing service:
1. In the Custom Services Table, click the Edit button adjacent to the service you want to edit. The Edit Service screen is displayed.
2. Modify the parameters you wish to change.
3. Click Apply to confirm your changes. The modified service is displayed in the Custom Services Table.
Setting Quality of Service (QoS) Priorities
The QoS setting determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the VPN firewall. You can change the QoS Priority:
• On the Services screen in the Custom Services Table for customized services (see Figure 1 on page 58).
• On the Add LAN WAN Outbound Services screen. To open it, select Security > Firewall > LAN WAN Rules, and then click Add for Outbound Services.
The QoS priority definition for a service determines the queue that is used for the traffic passing through the VPN firewall. A priority is assigned to IP packets using this service. Priorities are defined by the “Type of Service (ToS) in the Internet Protocol Suite” standards, RFC 1349. A ToS priority for traffic passing through the VPN firewall is one of the following:
• Normal-Service. No special priority given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0.
• Minimize-Cost. Used when data must be transferred over a link that has a low transmission cost. IP packets for this service priority are marked with a ToS value of 1.
• Maximize-Reliability. Used when data needs to travel to the destination over a reliable link with little or no retransmission. The IP packets for this service priority are marked with a ToS value of 2.
• Maximize-Throughput. Used when the volume of data transferred during an interval is important even if the latency over the link is high. The IP packets for services with this priority are marked with a ToS value of 4.
• Minimize-Delay. Used when the time required for the packet to reach the destination must be short (low link latency). The IP packets for this service priority are marked with a ToS value of 8.
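The markings above can be verified in a packet capture. The following Python is an added example, not code from the manual or the FVS336Gv2: it builds a constructed minimal IPv4 header carrying one of the five priorities and decodes a ToS byte back to the priority name, flagging bytes that match none of them. It assumes (the page does not say) that the listed values are the 4-bit RFC 1349 ToS subfield in bits 4..1 of the IPv4 ToS byte, and uses constructed sample addresses.

```python
import struct

# ToS values the manual lists for each QoS priority. Assumption (not stated
# on the page): they are the 4-bit RFC 1349 ToS subfield, which sits in
# bits 4..1 of the IPv4 ToS byte; bits 7..5 are precedence, bit 0 must be zero.
QOS_TOS = {
    "Normal-Service": 0,
    "Minimize-Cost": 1,
    "Maximize-Reliability": 2,
    "Maximize-Throughput": 4,
    "Minimize-Delay": 8,
}
TOS_NAME = {v: k for k, v in QOS_TOS.items()}


def build_ipv4_header(priority, src, dst, protocol=6, ttl=64):
    """Constructed sample: a minimal 20-byte IPv4 header (no options,
    checksum left zero, no payload) marked with the given QoS priority."""
    tos_byte = QOS_TOS[priority] << 1      # place the 4-bit ToS value in bits 4..1
    ver_ihl = (4 << 4) | 5                 # IPv4, header length 5 x 32-bit words
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos_byte, 20, 0, 0,
                       ttl, protocol, 0, bytes(src), bytes(dst))


def decode_tos_byte(tos_byte):
    """Split a ToS byte into (precedence, tos_value, priority_name).
    priority_name is None when the must-be-zero bit is set or the ToS bits
    are not one of the single-bit values RFC 1349 defines (e.g. two bits set)."""
    precedence = tos_byte >> 5
    tos_value = (tos_byte >> 1) & 0x0F
    mbz = tos_byte & 0x01
    name = None if mbz else TOS_NAME.get(tos_value)
    return precedence, tos_value, name


def qos_priority_of_packet(packet):
    """Return the manual's priority name for a raw IPv4 packet, or None if
    the header is not IPv4 or the ToS marking matches no known priority."""
    if len(packet) < 20:
        return None
    ver_ihl, tos_byte = struct.unpack("!BB", packet[:2])
    if ver_ihl >> 4 != 4:
        return None
    return decode_tos_byte(tos_byte)[2]


if __name__ == "__main__":
    pkt = build_ipv4_header("Minimize-Delay", (192, 168, 1, 10), (198, 51, 100, 7))
    print(pkt[1], qos_priority_of_packet(pkt))   # 16 Minimize-Delay
```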
Creating Bandwidth Profiles
To prevent one user or group from using excessive inbound or outbound bandwidth, you can define a bandwidth profile to set a minimum and maximum bandwidth for an individual or group. You can apply a defined profile in a firewall rule to limit specific protocols or all traffic (see “Using Rules to Block or Allow Specific Kinds of Traffic” on page 43).
To create a bandwidth profile:
1. Select Security > Bandwidth Profile from the menu. The List of Bandwidth Profiles table displays existing profiles.
2. To create a new bandwidth profile, click Add to open the Add Bandwidth Profile screen.
3. Enter the following information:
   a. Enter a Profile Name. This name will be available in the firewall rules definition screens.
   b. From the Direction drop-down list, select whether the profile will apply to outbound, inbound, or both outbound and inbound traffic.
   c. Depending on the direction that you selected, enter the minimum and maximum bandwidths to be allowed:
      • Enter the Outbound Minimum Bandwidth and Outbound Maximum Bandwidth in Kbps.
      • Enter the Inbound Minimum Bandwidth and Inbound Maximum Bandwidth in Kbps.
      The minimum bandwidth can range from 0 Kbps to the maximum bandwidth that you specify. The maximum bandwidth can range from 100 Kbps to 100,000 Kbps.
   d. In the Type field, select whether the profile will apply to a group or individual.
   e. From the WAN drop-down list, specify the WAN interface (if in Load Balancing Mode) for the profile.
4. Click Apply. The new profile will be added to the List of Bandwidth Profiles table.