ZyWALL USG 50 User’s Guide, Chapter 22 Firewall (page 366)

4. The ZyWALL then sends it to the computer on LAN1 in Subnet 1.

Figure 222 Using Virtual Interfaces to Avoid Asymmetrical Routes

22.2.1 Configuring the Firewall Screen

Click Configuration > Firewall to open the Firewall screen. Use this screen to enable or disable the firewall and asymmetrical routes, set a maximum number of sessions per host, and display the configured firewall rules. Specify from which zone packets come and to which zone they travel to display only the rules specific to the selected direction. Note the following.

- If you enable intra-zone traffic blocking (see the chapter about zones), the firewall automatically creates (implicit) rules to deny packet passage between the interfaces in the specified zone.
- Besides configuring the firewall, you also need to configure NAT rules to allow computers on the WAN to access LAN devices. See Chapter 17 on page 321 for more information.
- The ZyWALL applies NAT (Destination NAT) settings before applying the firewall rules. So, for example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, then when you configure a corresponding firewall rule to allow the traffic, you need to set the LAN IP address (not the public address) as the destination. See Section 7.9 on page 139 for an example.
- The ordering of your rules is very important as rules are applied in sequence.

Figure 223 Configuration > Firewall

The following table describes the labels in this screen.

Table 107 Configuration > Firewall

General Settings

Enable Firewall
    Select this check box to activate the firewall. The ZyWALL performs access control when the firewall is activated.

Allow Asymmetrical Route
    If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or “triangle” route. This causes the ZyWALL to reset the connection, as the connection has not been acknowledged.
    Select this check box to have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection).
    Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets.

Firewall Rule Summary

From Zone / To Zone
    This is the direction of travel of packets. Select from which zone the packets come and to which zone they go.
    Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, from LAN1 to LAN1 means packets traveling from a computer or subnet on LAN1 to another computer or subnet on LAN1.
    From any displays all the firewall rules for traffic going to the selected To Zone. To any displays all the firewall rules for traffic coming from the selected From Zone. From any to any displays all of the firewall rules.
    To ZyWALL rules are for traffic that is destined for the ZyWALL and control which computers can manage the ZyWALL.

Add
    Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit
    Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.

Remove
    To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.

Activate
    To turn on an entry, select it and click Activate.

Inactivate
    To turn off an entry, select it and click Inactivate.

Move
    To change a rule’s position in the numbered list, select the rule and click Move to display a field where you type the number of the position you want, then press [ENTER] to move the rule to that number. The ordering of your rules is important as they are applied in order of their numbering.

The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction.

Status
    This icon is lit when the entry is active and dimmed when the entry is inactive.

Priority
    This is the position of your firewall rule in the global rule list (including all through-ZyWALL and to-ZyWALL rules). The ordering of your rules is important as rules are applied in sequence. Default displays for the default firewall behavior that the ZyWALL performs on traffic that does not match any other firewall rule.

From / To
    This is the direction of travel of packets to which the firewall rule applies.

Schedule
    This field tells you the schedule object that the rule uses. none means the rule is active at all times if enabled.

User
    This is the user name or user group name to which this firewall rule applies.

Source
    This displays the source address object to which this firewall rule applies.

Destination
    This displays the destination address object to which this firewall rule applies.

Service
    This displays the service object to which this firewall rule applies.

Access
    This field displays whether the firewall silently discards packets (deny), discards packets and sends a TCP reset packet to the sender (reject) or permits the passage of packets (allow).

Log
    This field shows you whether a log (and alert) is created when packets match this rule or not.

Apply
    Click Apply to save your changes back to the ZyWALL.

Reset
    Click Reset to return the screen to its last-saved settings.

22.2.2 The Firewall Add/Edit Screen

In the Firewall screen, click the Edit or Add icon to display the Firewall Rule Edit screen.

Figure 224 Configuration > Firewall > Add

The following table describes the labels in this screen.

Table 108 Configuration > Firewall > Add

Create new Object
    Use this to configure any new settings objects that you need to use in this screen.

Enable
    Select this check box to activate the firewall rule.

From / To
    For through-ZyWALL rules, select the direction of travel of packets to which the rule applies. any means all interfaces or VPN tunnels. ZyWALL means packets destined for the ZyWALL itself.

Description
    Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed.

Schedule
    Select a schedule that defines when the rule applies. Otherwise, select none and the rule is always effective.

User
    This field is not available when you are configuring a to-ZyWALL rule.
    Select a user name or user group to which to apply the rule. The firewall rule is activated only when the specified user logs into the system, and the rule is disabled when the user logs out. Otherwise, select any and there is no need for user logging.
    Note: If you specified a source IP address (group) instead of any in the field below, the user’s IP address should be within that IP address range.

Source
    Select a source address or address group to which this rule applies. Select any if the policy is effective for every source.

Destination
    Select a destination address or address group to which this rule applies. Select any if the policy is effective for every destination.

Service
    Select a service or service group from the drop-down list box.

Access
    Use the drop-down list box to select what the firewall is to do with packets that match this rule.
    Select deny to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
    Select reject to deny the packets and send a TCP reset packet to the sender. Any UDP packets are dropped without sending a response packet.
    Select allow to permit the passage of the packets.

Log
    Select whether to have the ZyWALL generate a log (log), a log and alert (log alert) or nothing (no) when the rule is matched. See Chapter 46 on page 723 for more on logs.

OK
    Click OK to save your customized settings and exit this screen.

Cancel
    Click Cancel to exit this screen without saving.

22.3 The Session Limit Screen

Click Configuration > Firewall > Session Limit to display the Firewall Session Limit screen. Use this screen to limit the number of concurrent NAT/firewall sessions a client can use. You can apply a default limit for all users and
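To make the rule semantics of Section 22.2 concrete (first match in Priority order with a Default fallback, Destination NAT applied before the firewall, and the deny/reject/allow actions of Table 108), here is a small rule evaluator written for this page. It is not ZyXEL code and not the ZyWALL's real matching engine; the DNAT table, addresses, zone names and the "tcp/23"-style service notation are constructed for the example.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed DNAT table (not from the guide): (public dst IP, dst port) -> (LAN IP, zone).
DNAT = {("203.0.113.10", 80): ("192.168.1.10", "LAN1")}

class Rule(NamedTuple):
    from_zone: str      # "LAN1", "WAN", ... or "any"
    to_zone: str        # "LAN1", "WAN", "ZyWALL" or "any"
    source: str         # CIDR or "any"
    destination: str    # CIDR or "any"
    service: str        # "tcp/23", "udp/53" or "any" (constructed notation)
    access: str         # "deny", "reject" or "allow"
    enabled: bool = True

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    from_zone: str
    to_zone: str

def apply_dnat(pkt):
    # The ZyWALL applies Destination NAT before it matches firewall rules,
    # so a rule for forwarded WAN traffic must name the LAN (post-NAT) address.
    if (pkt.dst, pkt.dport) in DNAT:
        lan_ip, zone = DNAT[(pkt.dst, pkt.dport)]
        return pkt._replace(dst=lan_ip, to_zone=zone)
    return pkt

def _addr_ok(cidr, ip):
    return cidr == "any" or ip_address(ip) in ip_network(cidr)

def matches(rule, pkt):
    return (rule.enabled
            and rule.from_zone in ("any", pkt.from_zone)
            and rule.to_zone in ("any", pkt.to_zone)
            and _addr_ok(rule.source, pkt.src)
            and _addr_ok(rule.destination, pkt.dst)
            and rule.service in ("any", f"{pkt.proto}/{pkt.dport}"))

def sender_sees(access, pkt):
    if access == "allow":
        return "forwarded"
    if access == "reject" and pkt.proto == "tcp":
        return "tcp-rst"      # reject answers TCP with a reset ...
    return "silent-drop"      # ... but drops UDP silently; deny never answers at all

def evaluate(rules, pkt, default="deny"):
    # Rules are tried in Priority order and the first match decides; no match -> Default.
    pkt = apply_dnat(pkt)
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return i, rule.access, sender_sees(rule.access, pkt)
    return "default", default, sender_sees(default, pkt)
```

Swapping the order of an "allow LAN1 to WAN any" rule and a narrower "deny telnet" rule changes the outcome for the same packet, which is the ordering point the guide makes twice.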