Manuals / Brands / Computer Equipment / Network Router / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications 110, 1100, 310 19.5 Firewall Rule Example Applications, USER, Table, Figure, SOURCE, ACTION, SERVICE, SCHEDULE, DESTINATION

1 562

Download 562 pages, 12.83 Mb

Chapter 19 Firewall

19.5 Firewall Rule Example Applications

Suppose you decide to block LAN users from using IRC (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need the firewall rule to always be in effect. The following figure shows the results of this rule.

Figure 172 Blocking All LAN to WAN IRC Traffic Example

Your firewall would have the following rules.

Table 102 Blocking All LAN to WAN IRC Traffic Example

#	USER	SOURCE	DESTINATION	SCHEDULE	SERVICE	ACTION
1	Any	Any	Any	Any	IRC	Deny

2	Any	Any	Any	Any	Any	Allow

•The first row blocks LAN access to the IRC service on the WAN.

•The second row is the firewall’s default policy that allows all LAN1 to WAN traffic.

The ZyWALL applies the firewall rules in order. So for this example, when the ZyWALL receives traffic from the LAN, it checks it against the first rule. If the traffic matches (if it is IRC traffic) the firewall takes the action in the rule (drop) and stops checking the firewall rules. Any traffic that does not match the first firewall rule will match the second rule and the ZyWALL forwards it.

Now suppose you need to let the CEO use IRC. You configure a LAN1 to WAN firewall rule that allows IRC traffic from the IP address of the CEO’s computer. You can also configure a LAN to WAN rule that allows IRC traffic from any computer through which the CEO logs into the ZyWALL with his/her user name. In order to make sure that the CEO’s computer always uses the same IP address, make sure it either:

•Has a static IP address, or

•You configure a static DHCP entry for it so the ZyWALL always assigns it the same IP address (see DHCP Settings on page 173 for information on DHCP).

278
278	ZyWALL 110/310/1100 Series User’s Guide

Contents

ZyWALL 110/310/1100 Series Quick Start Guide User’s Guide Page Chapter Dashboard Page Policy and Static Routes Zones HTTP Redirect Authentication Policy Firewall SSL VPN ZyWALL SecuExtender Device HA User/Group Addresses Services Certificates SSL Application DHCPv6 System Log and Report Diagnostics Page Page Introduction 1.1 Overview LAN (192.168.1.X) https: Non-Web Application Server 1.2 Management Overview 1.3 Web Configurator Update Admin Info Update Admin Info Ignore Installation Setup Wizard Figure 7 Title Bar LABEL DESCRIPTION About Figure 8 About Table 4 About Page Console CLI FOLDER OR LINK TAB FUNCTION Page Page FOLDER OR LINK Page Page Page Page Installation Setup Wizard 2.1 Installation Setup Wizard Screens IP Address Assignment First WAN Interface Zone: IP Subnet Mask Gateway IP Address Base Interface Base IP Address Server IP Connection ID Back Hardware Introduction 3.1 Default Zones, Interfaces, and Ports 3.2 Stopping the ZyWALL 3.3 Rack-mounting 3.4 Wall-mounting 3.5Front Panel LEDs LED COLOR STATUS Page Page Quick Setup Wizards 4.1 Quick Setup Overview 4.2WAN Interface Quick Setup WAN Type Selection Page CHAP PAP MSCHAP MSCHAP-V2 Back Next 4.3 VPN Setup Wizard VPN Settings for Configuration Provisioning Express Advanced Rule Name with Dynamic Peer Remote Access (Server Role) Remote Access (Client Role) Pre-Shared Local Policy (IP/Mask) Remote Policy (IP/Mask) Configuration for Secure Gateway Close Page My Address (interface) Negotiation Mode Main Aggressive AES128 Dead Peer Detection (DPD) Authentication Method Transport Null Perfect Forward Secrecy (PFS) Configuration for Remote Gateway VPN > IPSec VPN > VPN 4.4VPN Settings for Configuration Provisioning Wizard: Wizard Type Page Page Page Configuration for Secure Gateway Page Page Perfect Forward Secrecy (PFS): VPN > IPSec VPN > VPN VPN > IPSec VPN Page Page Dashboard 5.1 Overview 5.2The Dashboard Screen Figure 51 Dashboard Table 14 Dashboard Widget Setting Inactive Down Full Half Firmware update OK Problematic configuration after firmware update - The application of the Fallback to system default configuration - The ZyWALL was unable to apply the Booting in progress Detail Disconnected n/a CPU Usage Memory Usage Session Usage VPN Status DHCP Table Number of Login Users Monitor > Login User Monitor 6.1 Overview 6.2 The Port Statistics Screen Switch to Graphic View Button 6.3 Interface Status Screen Page DHCP Client Stand-By 6.4 The Traffic Statistics Screen Traffic Statistics Service/Port Traffic Type Host IP Address/User Web Site Hits 6.5 The Session Monitor Screen sessions by users sessions by services sessions by source IP sessions by destination IP Destination Address 6.6 The DDNS Status Screen 6.7 IP/MAC Binding Monitor 6.8 The Login Users Screen 6.9 Cellular Status Screen No device Device detected Device error Probe device fail Probe device ok Monitor > System Status > More Information Signal Quality 6.10 USB Storage Screen 6.11 The IPSec Monitor Screen Page 6.12 The SSL Connection Monitor Screen 6.13 The L2TP over IPSec Session Monitor Screen 6.14 Log Screen Source Address Destination Address, Service, Keyword, and Search fields are available Destination Note Page Interfaces 7.1 Interface Overview Interface > Port Roles Ethernet interfaces Tunnel interfaces VLAN interfaces Bridge interfaces REQUIRED PORT / INTERFACE Page Page 7.2 Port Role Screen 7.3 Ethernet Summary Screen Create Virtual Interface LINK LOCAL Ethernet Edit Ethernet Summary Page Page Page Page internal Page Page Page These fields appear when Interface Properties is External or General From ISP infinite interface’s IP Pool Start Address and Pool Size BiDir In-Only Out-Only 1 and Same-as-Area PPPoE/PPTP VLAN Interface Type of internal or external Configuration > Network > Interface > Ethernet > Edit DHCPv6 Server DHCPv6 Client DHCPv6 Setting DHCPv6 Request Options Select one object DHCP Server DHCP Setting Extended Options Defined 7.4 PPP Interfaces Configuration Network > Interface > PPP User Configuration Page Show Advanced Settings Hide Advanced Settings Use Fixed IP Address Page 7.5 Cellular Configuration Screen (3G) NAME TYPE MOBILE PHONE AND DATA STANDARDS DATA GSM-BASED Page Page Profile Custom None: Page Address GPRS / EDGE (GSM) only Download/Upload Allow Disallow Keep Drop 7.6 Tunnel Interfaces Page Page Configuration > Network > Interface > Tunnel > Add Page GRE IPv6-in-IPv4 6to4 Relay Router Page 7.7 VLAN Interfaces Configuration Network > Interface > VLAN IPv6 Configuration Create Virtual Interface VLAN Summary Page Page Page Page Page Add Static DHCP days, hours, and minutes Page 7.8 Bridge Interfaces IP ADDRESS(ES) DESTINATION click Create Virtual Interface Bridge Summary Page Page Page Page Page Page Page 7.9 Virtual Interfaces Page 7.10 Interface Technical Reference Page START IP ADDRESS POOL SIZE RANGE OF ASSIGNED IP ADDRESS Page Page Trunk 8.1 Overview Page OUTBOUND LOAD BALANCING INDEX AVAILABLE (A) MEASURED (M) (M/A) 8.2 The Trunk Summary Screen Page Page Page Page Page Page Policy and Static Routes 9.1 Policy and Static Routes Overview WAN 9.2Policy Route Screen IPv4 Configuration Page Page Page Interface 9.3 IP Static Route Screen Page 9.4 Policy Routing Technical Reference CLASS Routing Protocols 10.1 Routing Protocols Overview 10.2 The RIP Screen redistribute Click Configuration > Network > Routing > RIP to open the following screen 10.3 The OSPF Screen Page SOURCE \ TYPE OF AREA NORMAL NSSA STUB OSPF Add/Edit Click Configuration > Network > Routing > OSPF to open the following screen you select User Define Normal NSSA Stub Page Same as Area 10.4 Routing Protocol Technical Reference None Text Same as Area Page Zones 11.1 Zones Overview 11.2The Zone Screen 11.3 Zone Edit Page DDNS 12.1 DDNS Overview 12.2 The DDNS Screen Page Backup Binding Primary Binding Address Interface field Primary Binding Interface Backup Binding Address Page Page NAT 13.1 NAT Overview 13.2 The NAT Screen NAT Add/Edit Virtual Server Many 1:1 NAT Defined field Original IP Port 13.3 NAT Technical Reference DNS xxx.LAN-SMTP.com= ?1.1.1.1 xxx.LAN-SMTP.com SMTP Page HTTP Redirect 14.1 Overview 14.2The HTTP Redirect Screen Network > HTTP Redirect HTTP Redirect Edit Page ALG 15.1 ALG Overview Page Page 15.2 The ALG Screen Page 15.3 ALG Technical Reference Page Page IP/MAC Binding 16.1 IP/MAC Binding Overview 16.2 IP/MAC Binding Summary Page 16.3 IP/MAC Binding Exempt List Page Page Inbound Load Balancing 17.1 Inbound Load Balancing Overview 17.2The Inbound LB Screen Weighted Round Robin Least Connection Least Load - Outbound Least Load - Inbound Add DNS Load Balancing Page Weighted Round Robin Add Load Balancing Member Configuration > Network > Inbound LB > Add or Edit Page Authentication Policy 18.1 Overview Login 18.2Authentication Policy Screen Page unnecessary force Page 18.3 User-awareAccess Control Example 1Click Configuration > Object > User/Group > Group. Click the Add icon User/Leo Member required Force User Authentication Page Configuration > Object > User/Group > User ext-group-user Group Identifier Page Page Firewall 19.1 Overview FROM ZONE TO ZONE BEHAVIOR ZyWALL To Zone From Any To ZyWALL from any to any From VPN To-ZyWALL 19.2 The Firewall Screen Page Page To Zone From Zone (allow) Firewall Rule Edit 19.3 The Session Limit Screen Page Page 19.4 Firewall Rule Configuration Example From WAN To LAN1 Dest_1 Destination Doom 19.5 Firewall Rule Example Applications Page Page IPSec VPN 20.1 Virtual Private Networks (VPN) Overview Figure 175 SSL VPN Non-Web Application Server Figure 176 L2TP VPN VPN Concentrator Page SITE-TO-SITE SITE-TO-SITEWITH REMOTE ACCESS DYNAMIC PEER (SERVER ROLE) 20.2The VPN Connection Screen VPN Connection Add/Edit Gateway Configuration > VPN Connection Page Page and Authentication algorithm ESP Tunnel Transport NULL DH1 DH2 DH5 TCP VPN Connection Add/Edit Manual Key Show Advanced Settings Manual Key an Authentication Algorithm and Authentication Algorithm 20.3 The VPN Gateway Screen VPN Gateway Add/Edit VPN Gateway summary Page Page DNS on the Local ID Type Local ID Type Subject Name Peer ID Type Peer ID Type Aggressive Extended Authentication 20.4 VPN Concentrator this screen, click Configuration > VPN > IPSec VPN > Concentrator VPN Concentrator Add/Edit VPN Concentrator summary 20.5 ZyWALL IPSec VPN Client Configuration Provisioning Connection and Allowed User fields VPN Connection Allowed User Provisioning 20.6 IPSec VPN Background Information Page Page REMOTE IPSEC ROUTER X AY Page Page Page Page 192.168.1.0/24 172.16.1.0/24 Site-to site VPN_GW_EXAMPLE Local Policy LAN1_SUBNET Page SSL VPN 21.1 Overview 21.2The SSL Access Privilege Screen Page Page Selected User/Group Objects Network and Sharing Center Advanced sharing settings SSL VPN Network List 21.3 The SSL Global Setting Screen Page 21.4 SSL VPN Example Continue Page SSL User Screens 22.1 Overview 22.2 Remote SSL User Login Continue Run 22.3The SSL VPN User Screens 22.4 Bookmarking the ZyWALL 22.5Logging Out of the SSL VPN User Screens 22.6SSL User Application Screen 22.7 SSL User File Sharing File Sharing Page File > Save As New Folder Rename Delete Upload Page Page ZyWALL SecuExtender 23.1 The ZyWALL SecuExtender Icon 23.2Status 23.3 View Log 23.4 Suspend and Resume the Connection 23.5 Stop the Connection 23.6 Uninstalling the ZyWALL SecuExtender Page L2TP VPN 24.1 Overview Default_L2TP_VPN_GW My Address Default_L2TP_VPN_GW Default_L2TP_VPN_Connection LAN_SUBNET L2TP_POOL L2TP_POOL 24.2 L2TP VPN Screen Page Bandwidth Management 25.1 Overview Connection Page POLICY CONFIGURED RATE MAX. B. U PRIORITY ACTUAL RATE 25.2The Bandwidth Management Screen App App Patrol Service Service Object Out Create new Page Page Device HA 26.1 Overview 26.2 Device HA General 26.3 The Active-PassiveMode Screen Page Device HA Active-Passive Configuration > Device HA Master Configure Interval 26.4Configuring an Active-PassiveMode Monitored Interface 26.5 Device HA Technical Reference Page Page •Certificates (My Certificates, and Trusted Certificates) Page User/Group 27.1 Overview ext-user 27.2User Summary Screen guest User Add/Edit Group Membership Attribute Manual Settings 27.3 User Group Summary Screen Group Add/Edit 27.4 The User/Group Setting Screen Updating lease time automatically User idle timeout has been reached This field is effective when Limit ... for administration account is Page Page 27.5 User /Group Technical Reference Ext-User Addresses 28.1 Overview 28.2 Address Summary Screen Page Configuration > IPv4 Address Add/Edit IPv4 Address Configuration INTERFACE IP, INTERFACE SUBNET, and INTERFACE GATEWAY Configuration > IPv6 Address Add/Edit IPv6 Address Configuration DHCPv6 28.3 Address Group Summary Screen IPv4 Address Group Configuration IPv6 Address Group Configuration Services 29.1 Overview 29.2 The Service Summary Screen Service Add/Edit Defined ICMP ICMPv6 29.3 The Service Group Summary Screen Service Group Add/Edit Service Group Add/Edit Page Schedules 30.1 Overview 30.2 The Schedule Summary Screen One Time Year Month Day Hour Recurring Year Month Day AAA Server 31.1 Overview Configuration > Object > AAA Server Page 31.2 Active Directory or LDAP Server Summary Page LDAP Use SSL Enable Active Directory Username 31.3 RADIUS Server Summary Page Page Authentication Method 32.1 Overview 32.2 Authentication Method Objects Page Page Certificates 33.1 Overview Page Details Thumbprint Algorithm Thumbprint 33.2The My Certificates Screen REQ My Certificate Import SELF CERT Subject field Page RSA DSA My Certificate Create Return Page Page Page 33.3 The Trusted Certificates Screen Page Page OCSP Server Page 33.4 Certificates Technical Reference ISP Accounts 34.1 Overview 34.2 ISP Account Summary ISP Account Edit ISP Account pppoe pptp Chap nomppe mppe-40 mppe-128 SSL Application 35.1 Overview RDP VNC SSL 1Click Configuration > Object > SSL Application in the navigation panel 35.2 The SSL Application Screen Web Application Web Application VNC Weblink Server Type Web Server Preview SSL Application Configuration screen DHCPv6 36.1 Overview 36.2 The DHCPv6 Request Screen 36.3 The DHCPv6 Lease Screen Lease Add/Edit DNS Server, Address, Address Pool, NTP Server, or SIP Server User Defined Address field below Defined Address field below Page System 37.1 Overview 37.2 Host Name 37.3 USB Storage 37.4 Date and Time Page Synchronize Now Last Sunday March Synchronize Now Time Server Address Please Wait Current Time Current Date 37.5Console Port Speed 37.6 DNS Overview User-Defined tunnel Page Address/PTR Record Domain Zone Forwarder DNS Server(s) from ISP MX Record ALL 37.7 WWW Overview Admin Service Control User Service Control Page Accept Page Page Page Color Color Continue to this website Click here to close this webpage The Connection is Untrusted Technical Details I Understand the Risks Page Trusted CA Install Certificate File name Place all certificates in the following store Finish Page 37.8 SSH Page Configuration > System > SSH Page 37.9Telnet Page 37.10 FTP 37.11 SNMP Page Table 190 SNMP Traps OBJECT LABEL OBJECT ID Configuration > System > SNMP Get Community Set community 37.12 Language Screen 37.13 IPv6 Screen Page Log and Report 38.1 Overview 38.2 Email Daily Report Page 38.3 Log Setting Screens Internal View Log VRPT/Syslog CEF/Syslog Log Category Settings Edit Log Settings Edit Log Settings Summary Active Log and Alert When Full, Daily and When Full, and Weekly and When Full System log E-Mail Edit Log on USB Storage Setting Log Setting Summary Page Page Page Page Page USB Storage enable normal logs enable normal logs and debug logs File Manager 39.1 Overview Privilege 39.2 The Configuration File Screen system-default.conf startup-config-bad.conf lastgood.conf system-default.conf and startup-config.conf files default.conf, startup-config.conf and lastgood.conf files Page 39.3 The Firmware Package Screen Firmware Upload in Process Figure 349 Network 39.4 The Shell Script Screen Copy Copy File Page Diagnostics 40.1 Overview 40.2 The Diagnostic Screen Maintenance > Diagnostics > Files 40.3 The Packet Capture Screen service deactivated Continuously capture and overwrite old ones Duration File Size 40.4 Core Dump Screen 40.5 The System Log Screen Page Packet Flow Explore 41.1 Overview 41.2 The Routing Status Screen Page Page Routing Table Routing Flow section Routing Flow GW Trunk 41.3 The SNAT Status Screen SNAT Table Flow Policy Route SNAT SNAT Flow Loopback SNAT Default SNAT Reboot 42.1 Overview 42.2 The Reboot Screen Shutdown 43.1 Overview 43.2 The Shutdown Screen Troubleshooting Page Page Internal External Page Trusted Certificates admin Page 44.1 Resetting the ZyWALL 44.2Getting More Troubleshooting Help Copyright Disclaimer Notices Certifications (Class A) ZyWALL 310 FCC Warning Taiwanese BSMI (Bureau of Standards, Metrology and Inspection) A Warning: ZyXEL Limited Warranty Note Registration Open Source Licenses ROHS Page user 371 AD 400, 402, 403 port 404 403 DN 402, 403 46 289 FTP 233 209 94 488 510 414, 420 421 DHCP 173 DSCP 191, 194, 355 ESP 289 317 Page Page 491, 493, 495, 496 MTU 137 257 NAT 197 233 NBNS 120, 157, 169, 174 files 511, 514 511, 515, 516 80 235 QoS 188 194, 354 419, 421 257, 273, 354 SSL 317, 321 SIP 234 479 327 432 Page PPP529 WINS 120, 157, 169, 174 WWW457