Manuals / Compatible Systems / Computer Equipment / Network Router

Compatible Systems 5.4 manual 133, ‘AND’ Filters, ‘OR’ Filters

Models: 5.4

1 313

Download 313 pages 60.17 Kb

Page 139

Chapter 8 - IntraGuard Firewall Configuration	133

If more than one interface is designated as an inside or outside interface on a particular path, those interfaces are considered to be open multiplexed and traffic will flow freely between them. For example, in the default configura- tion, both Ethernet 0 and the Bridge interface are inside interfaces on the Green-Red Path. Traffic between those two interfaces will not be subjected to firewall screening.

‘AND’ Filters

AND filters allow the device to accomplish packet filtering on packets that will be forwarded out the specified interface(s). AND filters are typically used to deny certain packets, so they are checked only for those protocols or ports which have been permitted by a Security Policy protocol setting, an Allow Ports/Protocol setting or an OR filter. Any packet not explicitly allowed by the rule set is dropped. Filters are created using the IP Filter Editor, described in the IP Filtering section of this manual. Up to four filter sets may be listed. The filters will be applied in the order listed.

Use the New button to add a named filter to the list or to select a named filter from a pull-down list.

Use the Delete button to remove a named filter from the list.

Use the Move Up and Move Down buttons to move the filters into the desired application order.

‘OR’ Filters

“OR” Filters allow the device to accomplish packet filtering on packets that will be forwarded out the specified interface(s). OR filters are typically used to permit certain packets, so they are checked only for those protocols or ports which have been denied by a Security Policy protocol setting or an Allow Ports/Protocol setting. Any packet not explicitly allowed by the rule set is dropped. Up to four filter sets may be listed. The filters will be applied in the order listed. Filters are created using the IP Filter Editor, described in the IP Filtering section of this manual.

Use the New button to add a named filter to the list or to select a named filter from a pull-down list.

Use the Delete button to remove a named filter from the list.

Use the Move Up and Move Down buttons to move the filters into the desired application order.

Image 139

Compatible Systems 5.4 manual 133, ‘AND’ Filters, ‘OR’ Filters

Contents

CompatiView 5.4 Reference Guide Page Table of Contents Iii Installation and OverviewVPN Ports and LAN-to-LAN Tunnels Table of ContentsTCP/IP Filtering 183 Ospf CompatiView Quickstart Installation and OverviewSelecting IP or IPX Operation with Windows CompatiView Installation NotesAbout this Manual System Requirements for WindowsCompatiView’s Menus and Main Windows Device View Device View and the Main WindowRight-Clicking in the Device View Open Device New ConfigOpen Config File File MenuSave / Restart Options Download Config to Device Dialog BoxFirewall Path Save To FileSubinterface VPN PortDatabase Menu Database Options Dialog Box OptionsGeneral Tab Save/Restart Tab Confirmations TabAdvanced Tab Control MenuTftp Download Download SoftwareRestart Device Statistics Menu Output WindowCompatiView Output Window PPP Statistics EthernetWAN State Serial StatisticsIPX Route Table Ospf ConfigurationIP Route Table IP RoutingCommand Line Edit Box View menu Moving and Customizing the WindowsCustomize Toolbars CommandsWindow Menu Customize Window View Dialog BoxPage IP Routing/Bridging/Off TCP/IP Routing Ethernet Configuration Dialog BoxTCP/IP Routing Ethernet Dialog Box IP Routing & BridgingNetwork IP Subnet Mask IP AddressNetwork IP Broadcast Address Routing Protocol Output RIP Input RIP RIP Split HorizonOspf IP Routing & Bridging Directed BroadcastTCP/IP Routing WAN Configuration Dialog Box TCP/IP Routing WAN Configuration Dialog BoxNumbered Interface Network IP Broadcast Address Update Method RIP Split Horizon IP Routing & Bridging Options TCP/IP Routing VPN Configuration Dialog BoxIP Routing/IP Bridging/IP Off IP Address Routing Protocol Update Method Ospf Bridge Logical Diagram TCP/IP Routing Bridge Configuration Dialog BoxIP Routing/Off TCP/IP Routing Bridge 0 Configuration Dialog BoxNetwork IP Subnet Mask IP Routing & Bridging Ospf IP Subinterface Dialog Box IP Connection Dialog Box IP Connection Dialog BoxIP On/IP Off IP Address IP Static Routing Dialog Box Mask DestinationGateway Redistribute via MetricEthernet or Bridge TCP/IP Options Dialog Box Ethernet IP Options Bridge IP OptionsIP Proxy ARP UDP Forwarding Agents Dialog Box UDP Forwarding Agents RelaysWAN IP Options Dialog Box WAN IP OptionsServer IP Address UDP Ports/ProtocolsVan Jacobson Header Compression Send IP Address Configure RequestProtocol Precedence RIP V2 PasswordTCP/IP Routing Options IP Multiprotocol Precedence Dialog BoxIP Route Redistribution Ospf Route Aggregation IP Route Redistribution Dialog BoxRIP to Ospf BGP to RIP Default into OspfOspf to RIP BGP to OspfIP Routing & Bridging IPX Routing & Bridging IPX Routing Ethernet Configuration Dialog BoxIPX Routing Ethernet Configuration Dialog Box IPX Ethernet Frame TypesSeed Status per Frame Type IPX Routing/Bridging/OffBlock IPX Type 20 Output Packets RIP Update TimerSAP Update Timer Network Number per Frame TypeIPX Routing WAN Configuration Dialog Box IPX Routing WAN Configuration Dialog BoxNetwork Number Optional Remote Node Network Number IPX Routing & Bridging Use Ethernet Port as End-Node Proxy IPX Routing VPN Configuration Dialog Box IPX Routing VPN Configuration Dialog BoxIPX Routing/Bridging/Off RIP Update Timer IPX Routing Bridge Configuration Dialog Box IPX Frame Types IPX Routing Bridge 0 Configuration Dialog BoxIPX Routing/Off Network Number per Frame Type AppleTalk Routing & Bridging AppleTalk Routing Ethernet Configuration Dialog BoxAppleTalk Phase 1 Configuration AppleTalk Routing Ethernet Configuration Dialog BoxPhase 1 Seed Status Phase 1 Routing/Bridging/OffNBP Lookup Filters Filtering Phase 1 Net #Phase 1 Zone Phase 1 NodePhase 2 Routing/Bridging/Off AppleTalk Phase 2 ConfigurationPhase 2 Seed Status Phase 2 Node Phase 2 Net # RangePhase 2 Zones Phase 2 Default ZoneAppleTalk Routing WAN Configuration Dialog Box AppleTalk Routing WAN Configuration Dialog BoxAppleTalk Routing & Bridging AppleTalk On/Bridging/Off Node ZoneOptional Remote End-Node Network Number Optional Remote End-Node Proxy AppleTalk Routing VPN Configuration Dialog BoxAppleTalk Routing VPN Configuration Dialog Box Optional Remote End-Node Node NumberAppleTalk On/Bridging/Off AppleTalk Zone AppleTalk Routing Bridge Configuration Dialog Box AppleTalk Routing Bridge 0 Configuration Dialog Box Phase 1 Routing/Off AppleTalk Routing & Bridging Phase 1 Net # Phase 2 Routing/Off Phase 2 Zones NBP Filtering NBP Filtering Configuration Dialog BoxNetwork Filters Zone Filters Phase 2 Aarp Probe Time AppleTalk Options Configuration Dialog BoxDECnet On Main DECnet Routing Configuration Dialog BoxMain DECnet Routing Configuration Dialog Box DECnet Routing & BridgingRouting Timer Hello TimerArea DECnet Routing & Bridging Max Addresses DECnet Ethernet Configuration Dialog BoxDECnet Routing/Bridging/Off DECnet Ethernet Configuration Dialog BoxDECnet WAN Configuration Dialog Box DECnet WAN Configuration Dialog BoxDECnet On/Bridging/Off Hello Timer Add VPN Port Dialog Box Add VPN Port Dialog BoxBind To Interface Tunnel Partner VPN Configuration Dialog BoxVPN Ports and LAN-to-LAN Tunnels Partner AddressIKE Key Management Dialog Box IKE Key ManagementKey Manage Transform Shared KeyPerfect Forward Secrecy Encryption IKE Configuration Dialog BoxAuthentication 101Manual Key Management Enable AuthenticationAuthentication Method Authentication SecretEncryption Method Interoperability Settings Dialog BoxEnable Encryption 103Interoperability Settings Dialog Box Local and Peer SettingsMode Local / Protocol Local / AccessPeer / Access 105Peer / Port 107 108 VPN Group Configuration Dialog Box and General Tab VPN Group Configuration Dialog BoxVPN Client Tunnels 109 VPN Group Configuration General Tab Exclude Local LAN VPN Client Tunnels 111 Inactivity TimeoutSLA Enable Client MinimumVersionVPN Group Configuration IKE Configuration Tab VPN Group Configuration IKE Configuration TabSave Secrets VPN Client Tunnels 113VPN Group Configuration Manual Tab VPN Group Configuration Manual TabStart IP Address VPN Group Configuration IP Connection TabVPN Group Configuration IP Connection Tab VPN Client Tunnels 115Assign IP Radius Local IP NetEdit VPN Client Tunnels 117 Allow Connections ToAdd Add IP Address Dialog BoxOutput Filters VPN Group Configuration IP Filters TabVPN Config IP Filters Tab Input FiltersLocal IPX Net VPN Group Configuration IPX Connection TabVPN Config IPX Connection Tab VPN Client Tunnels 119VPN Group Configuration IPX Filters Tab VPN Group Configuration IPX Filters TabAssign IPX Radius Alternate IntraPort Addresses VPN Group Configuration Rollover TabVPN Group Configuration Rollover Tab VPN Client Tunnels 121 Input FiltersSecurID User Name VPN Group Configuration SecurID TabVPN Group Configuration SecurID Tab SecurID RequiredVPN Group Configuration DNS Redirection Tab Local Domain Name VPN Group Configuration Wins Redirection TabVPN Group Configuration Wins Tab Add Local Domain Dialog BoxVPN User Configuration Dialog Box VPN User Configuration Dialog BoxVPN Client Tunnels 125 VPN Group STEP/STAMP Authentication SecretVPN User Dialog Box NameVPN Client Tunnels 127 STEP/STAMP Encryption Secret IKE PolicyIKE Policy Global Dialog Box IPSec Gateway Dialog Box IPSec Gateway Configuration Dialog BoxIPSec Gateway VPN Client Tunnels 129 130 131 IntraGuard Firewall ConfigurationIntraGuard Firewall Configuration Settings FirewallPath Dialog BoxInterfaces Inside/Outside ‘AND’ Filters 133‘OR’ Filters Advanced Options Advanced Settings Firewall Path Dialog BoxResetRedirects SendTCPResetICMPtoTCPsession SendICMPReset135 SynRejectOnlyCurrent Security Policy Security Policies Firewall Path Dialog Box137 Security Policies at a Glance Policy Security Policy Protocol Setting Dialog BoxSecurity Policy Protocol Setting Dialog Box 139140 141 Port/Protocol Allow Ports/Protocols Dialog BoxPort/Protocol Number 143 Firewall Logging Dialog BoxFirewall Logging Dialog Box Rejects IP TimeoutsTCP Timeouts TCP ResetsGeneral Icmp Resets145 RedirectsFIN Timer Firewall Settings Dialog BoxFirewall Settings Dialog Box SYN TimerDynamicTimer TCPTimeoutUDPTimeout HalfShutTimerPage Bridging 149 Global Bridging Configuration Dialog BoxTable Size BridgingBridge On Learning/IEEE Spanning TreeMax Age Spanning Tree Fwd Delay Spanning TreeBridging 151 Aging Time Priority Spanning TreeInterface Configuration Dialog Box Priority Bridging 153 Bridging OnPath Cost Spanning Tree Exclude Non-Routed Protocols WAN On Link Configuration WAN Dialog BoxLink Configuration WAN Dialog Box WAN Link Protocols 155Link Type WAN Link ProtocolsFailover Type Allow Dial Out Backup PortTimers WAN Link Protocols 157Dialing Method Allow DialAlways Keep Link Up Drop Link If Inactive ForDial-Out / Connect Script WAN Link Protocols 159Dial-back Script Script Timeout Retry Delay SettingDialing Retries / Connect Retries Backup Init Timer Failover Timers Configuration Dialog BoxBackup Enable Timer Backup Disable TimerFrame Relay Configuration Dialog Box Frame Relay Configuration Dialog BoxMaintenance Protocol Home Dlci WAN Link Protocols 163 Polling FrequencyDlci Database Dialog Box Dlci Database Configuration Dialog Box Dlci Entry Dialog BoxDlci # WAN Link Protocols 165AppleTalk Address DECnet Address Chap Configuration Dialog BoxChap Configuration Dialog Box IPX AddressWAN Link Protocols 167 Request Chap AuthenticationRespond to Chap Challenges PAP Configuration Dialog Box PAP Configuration Dialog BoxSecret WAN Link Protocols 169 Request PAP AuthenticationRespond to PAP Requests Station Address PasswordSmds Dialog Box Smds Dialog BoxWAN Link Protocols 171 IP Multicast PPP Options Dialog BoxPPP Options Dialog Box Sequenced Predictor Compression PPP Link Quality Configuration Dialog BoxEcho Packets On Frequency in Seconds Echo Packets LCP Options Configuration Dialog BoxLCP Options Configuration Dialog Box WAN Link Protocols 173Address/Control Compression Multilink PPP Dialog BoxProtocol Compression Linked Ports EnableWAN Link Protocols 175 Mppp Bundle NameMPQual WAN Chat Script Editor Dialog BoxWAN Chat Script Editor Dialog Box Chat Script Editor Dialog Box Buttons & Controls WAN Link Protocols 177Chat Script Rules and Syntax 178 WAN Link Protocols 179 Chat Script Examples To connect to an Internet Service Provider using a modemWAN Link Protocols 181 User Authentication Database Dialog BoxDial-back Chat Password/SecretRemote Name InterfacesPacket Filters Button Main TCP/IP Filtering Dialog BoxTCP/IP Filtering 183 Route Filters ButtonLog Rejected Source-Routed Packets TCP/IP Filter Editor WindowTCP/IP Filtering Block IP Source RoutingTCP/IP Route Filter Rules Basic IP Route Filter Rules and Syntax IP Route Filter Rule Modifiers TCP/IP Filtering 187 IP Route Filter Rule OptionsIP Route Filter Rule Notification TCP/IP Packet Filter RulesIP Route Filter Rule Examples Basic IP Packet Filter Rules and Syntax TCP/IP Filtering 189IP Packet Filter Rule Operators and Port Names TCP Ports TCP/IP Filtering 191IP Packet Filter Rule Modifiers Icmp TypesUDP TCP/IP Filtering 193Simple IP Packet Filter Rule Examples IP Packet Filter Rule NotificationIP Packet Filter Rule Set Examples TCP/IP Filtering 195TCP/IP Packet Filtering Bridge Dialog Box Interface TCP/IP Packet Filtering Configuration Dialog BoxIPX Route Filters Main IPX Filtering Configuration Dialog BoxMain IPX Filtering Dialog Box IPX Filtering 197Filter Editor Window Buttons and Controls IPX Filter Editor WindowIPX Filtering IPX Filter Editor WindowIPX Filtering 199 IPX Packet Filter RulesBasic IPX Packet Filter Rules and Syntax IPX Packet Filter Options IPX Packet Filter Rule Notification IPX Filtering 201IPX Packet Filter Rule Examples IPX Route Filter RulesIPX Filtering 203 Basic IPX Route Filter Rules and Syntax IPX Route Filter Rule Modifiers IPX Route Filter Rule OptionsIPX Route Filter Rule Examples IPX SAP Filter RulesIPX Filtering 205 IPX Route Filter Rule NotificationIPX SAP Filter Options Basic IPX SAP Filter Rules and SyntaxIPX Filtering 207 IPX SAP Filter Rule Notification IPX SAP Filter Rule ModifiersIPX SAP Filter Rule Examples IPX Filtering 209 Interface IPX Packet Filtering Configuration Dialog Box210 AppleTalk Filtering 211 Main AppleTalk Filtering Editor WindowMain AppleTalk Filter Editor Window AppleTalk Filtering AppleTalk Packet Filter RulesGeneral Packet Filtering Basic AppleTalk Filter Rules and Syntax AppleTalk Filtering 213Get Zone List Routing Filters Rtmp214 AppleTalk Filtering 215 AppleTalk Get Zone List Filter Rule Set Examples Simple AppleTalk Packet Filter Rule ExamplesAppleTalk Rtmp Filter Rule Set Examples AppleTalk Filtering 217 Interface AppleTalk Filtering Configuration Dialog BoxInput Rtmp Filters Output Packet Filters Output Rtmp FiltersZone List Filters Input Packet FiltersAsync/Sync Physical RS-232 Configuration WAN Dialog BoxPhysical RS-232 Configuration WAN Dialog Box General 219Baud Rate Tx Clock Internal Sync OnlyFlow Control Async Only General 221 Physical T1 WAN Configuration Dialog BoxClock Scheme Start Channel & Number of Channels Fractional T1 EnabledFraming Line EncodingPRM Transmit General 223 Contiguous Channels or Alternate ChannelsChannel Data Rate Invert DataTx Clock Internal Physical V.35 Configuration WAN Dialog BoxGeneral 225 Physical DS3 Configuration WAN Dialog BoxSystem Configuration Dialog Box System Configuration Dialog BoxBandwidth Allocation General 227 Confirm PasswordEnable Password Confirm Enable PasswordAdministrative Name Snmp ConfigurationSnmp System Info Configuration Dialog Box Name of Administrator and How to ContactTraps Enabled Advanced Snmp Configuration Dialog BoxSnmp Enabled Sets EnabledSnmp Community Strings Configuration Dialog Box Snmp Community Strings Configuration Dialog BoxCommunity String Host IP Address Snmp Traps Configuration Dialog BoxGeneral 231 Access Snmp Traps Dialog BoxSecondary DNS Server Search Order Domain Name Server DNS Dialog BoxDomain Name Server Dialog Box Primary DNS ServerAdd TCP/IP DNS Server Time Server Configuration Dialog BoxTime Server Dialog Box General 233Protocol Backup IP AddressOffset from Server Radius Configuration Dialog Box Radius Configuration Dialog BoxGeneral 235 VPN Real IP Address Authentication PortAccounting Accounting PortVPN Group Info VPN AuthenticationPAP Authentication Secret General 237 VPN Tunnel SecretSecondary Server IP Address Use Secret in ChecksumSecondary Server Retries Port SecurID Configuration Dialog BoxEnable SecurID General 239Timeout Backup ServerNAT Configuration Dialog Box New Button Modify Button NAT Configuration Dialog BoxGeneral 241 External Range Internal RangePassThru Range Addresses TCP Fin Timeout General 243 TCP TimeoutUDP Timeout TCP Syn TimeoutNAT Range Dialog Box NAT Range Dialog BoxGeneral 245 NAT Mapping Dialog BoxNAT Mapping Dialog Box NAT Range Dialog Box NAT Mapping Translation Pair Examples Internal IP addressLogging On Logging Configuration Dialog BoxLogging Configuration Dialog Box General 247File Syslogd On Only Send Log to Aux PortSyslogd On IP Address Syslogd On OnlyLdap Server Dialog Box Ldap ConfigurationLdap Server Dialog Box General 249Add Ldap Server Dialog Box Ldap Config NameEnable Ldap Primary Server Primary PasswordBase General 251 Secondary Server Secondary PasswordLdap Authentication Dialog Box Ldap Authentication Dialog BoxEnable Ldap Authentication VPN Shared Secret Attribute General 253 Primary Server Primary PasswordSecondary Server Secondary Password VPN Group Attribute254 Ospf 255 Ospf Dialog BoxOspf Dialog Box Cost Ospf EnabledOspf Area IDOspf Area Add Ospf Area Dialog Box Ospf Area Dialog BoxOspf 259 Ospf Area Name Ospf Authentication TypeEnable Stub Area Stub Default CostNet Range Dialog Box Ospf Virtual LinkAdd Ospf Virtual Link Dialog Box Enable Virtual LinkOspf 261 Ospf Virtual Link Dialog BoxVirtual Retransmission Virtual Transit DelayOspf Packet Authentication Key Transit AreaBGP General Dialog Box Enable BGPBGP 263 BGP General Dialog BoxUse IPR Filters BGP Aggregates Dialog BoxBGP BGP Local PreferenceAdd BGP Aggregate Dialog Box BGP Peer Configs Dialog BoxBGP Peer Configs Dialog Box BGP 265Output Route Map BGP Peer Config NameEnable Ebgp Multihop Input Route MapIP Loopback Dialog Box Add BGP Peer Dialog Box BGP Peers Dialog BoxIP Loopback BGP Peers Dialog BoxBGP 269 BGP Route Maps Editor Dialog BoxBGP Route Map Editor Dialog Box Buttons & Controls BGP Route Maps Dialog BoxAction BGP Route Mapping RulesBGP 271 Enter Data Dialog BoxOptions/Output Modifiers DirectionOptions/Input Modifiers BGP 273 Special CommunitiesBGP Networks Dialog Box BGP NetworksBGP Network Dialog Box BGP 275 Subnet Mask 276 IP Addresses Appendices 277Subnet Masks Chart 1 IP Address ClassesChart 2 Standard IP Subnets AppendicesAppendices 279 Chart 3 Subnetted Class C Host RangesBroadcast Addresses Assigning a Broadcast Address Chart 4 Broadcast Address ExamplesAssigning an IP address Assigning a Subnet MaskAppendices 281 Static Routes & Routing Protocols IPXIPX Routing Basics 282 Appendices 283 Service Advertising ProtocolClient Machine Addressing AppleTalk Routing Basics AppleTalkNon-extended and Extended AppleTalk Networks Appendices 285Seeding a Network Segment Zones ProbingBridging Basics Router AutoconfigurationBridging Appendices 287Spanning Tree Bridging Transparent BridgingAppendices 289 Multiport Bridges/Switches and Bridge GroupsSimple Bridging Example Bridge Groups on a Multiport Router Addressing Frame RelayAppendices 291 Virtual CircuitsNetwork/Protocol Addressing and Virtual Interfaces Local & Global DLCIsLocal Management Interface LMI Encapsulation and FragmentationFrame Relay Example Appendices 293Frame Relay Example Page Index 295 SymbolsIndex Index 297 IPX TCP/IP Index 299See also, TCP/IP Index 301 NAT RIP Index 303UDP Index 305 Dlci Radius Index 307