Firewall / BAT54-Rail/F.. / Release 7.54 / 06/08
8.3 The BAT Firewall (page 269)
Observe further rules
Some requirements on a Firewall cannot be met by a single rule. If the Firewall is used to limit the Internet traffic of several departments (each in its own IP subnetwork), individual rules cannot, for example, enforce a common upper limit at the same time. If each of, say, three departments is to be granted a bandwidth of at most 512 kbps, but the total data rate of the three departments must not exceed 1024 kbps, then a multi-level check of the data packets must be set up:
- In a first step it is checked whether the current data rate of the individual department exceeds the limit of 512 kbps.
- In a second step it is checked whether the data rate of all departments together exceeds the overall limit of 1024 kbps.
Normally the list of Firewall rules is applied sequentially to a received data packet. If a rule applies, the corresponding action is carried out. The check by the Firewall then ends, and no further rules are applied to the packet.
To achieve a two-stage or multi-level check of a data packet, the “Observe further rules” option is activated for the rules. If a Firewall rule with this option applies to a data packet, its action is carried out first, but the check in the Firewall then continues. If one of the further rules also applies to this data packet, the action defined in that rule is carried out as well. If the observe further rules option is also activated for this following rule, the check continues until
- either a rule applies to the packet for which observe further rules is not activated,
- or the list of Firewall rules has been worked through completely without a further rule applying to the packet.
To realize the scenario above, a Firewall rule must be set up for each subnetwork that rejects additional packets of the protocols FTP and HTTP once a data rate of 512 kbps is reached. For these rules the observe further rules option is activated. An additional rule for all stations of the LAN then rejects all packets that exceed the 1024 kbps limit.
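The following is an added example, not the manual's own code and not the BAT54-Rail configuration syntax. It models the rule evaluation just described: rules are walked in order, a rule that applies carries out its action, and the walk only continues past it when its observe further rules flag is set. The three department subnetworks (10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24), the LAN-wide 10.0.0.0/8 rule, the one-second measurement window and the default of passing a packet that no rule rejects are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str        # source IP address (constructed sample values below)
    proto: str      # e.g. "HTTP", "FTP", "DNS"
    bits: int       # packet size in bits


@dataclass
class Rule:
    name: str
    source: str             # source network the rule applies to
    protocols: frozenset    # protocols the rule applies to
    limit_kbps: int         # packets beyond this rate in the window are rejected
    observe_further: bool   # the "Observe further rules" option


class Firewall:
    """Sequential rule list with multi-level checking via observe_further."""

    def __init__(self, rules, window_s=1.0):
        self.rules = rules
        self.window_s = window_s            # assumed measurement window
        self.counted = {r.name: 0 for r in rules}  # bits accepted per rule

    def new_window(self):
        """Start a fresh measurement window (rates are per window)."""
        for name in self.counted:
            self.counted[name] = 0

    @staticmethod
    def _applies(rule, pkt):
        return (ip_address(pkt.src) in ip_network(rule.source)
                and pkt.proto in rule.protocols)

    def check(self, pkt):
        """Return ('accept' | 'reject', [names of the rules that applied])."""
        applied = []
        charged = []   # (rule name, bits) booked during this check, for rollback
        for rule in self.rules:
            if not self._applies(rule, pkt):
                continue
            applied.append(rule.name)
            projected = (self.counted[rule.name] + pkt.bits) / 1000 / self.window_s
            if projected > rule.limit_kbps:
                # Reject: undo the bits booked by earlier rules in this pass,
                # since the packet never leaves the Firewall.
                for name, bits in charged:
                    self.counted[name] -= bits
                return "reject", applied
            self.counted[rule.name] += pkt.bits
            charged.append((rule.name, pkt.bits))
            if not rule.observe_further:
                return "accept", applied    # first applying rule without the option ends the check
        return "accept", applied            # assumption: end of list passes the packet


def build_example_firewall():
    """Three per-department limits (512 kbps, observe further) and one LAN-wide limit (1024 kbps)."""
    web = frozenset({"HTTP", "FTP"})
    return Firewall([
        Rule("dept-a", "10.1.0.0/24", web, 512, observe_further=True),
        Rule("dept-b", "10.2.0.0/24", web, 512, observe_further=True),
        Rule("dept-c", "10.3.0.0/24", web, 512, observe_further=True),
        Rule("lan-total", "10.0.0.0/8", web, 1024, observe_further=False),
    ])


if __name__ == "__main__":
    fw = build_example_firewall()
    a = Packet("10.1.0.5", "HTTP", 100_000)     # 100 kbit per packet
    for _ in range(6):
        print("dept A:", fw.check(a))           # sixth packet is rejected by dept-a
    b = Packet("10.2.0.9", "FTP", 100_000)
    for _ in range(5):
        fw.check(b)                             # dept B now at 500 kbps, LAN at 1000 kbps
    c = Packet("10.3.0.2", "HTTP", 100_000)
    print("dept C:", fw.check(c))               # passes dept-c, rejected by lan-total
```

The per-department rules count traffic and pass the packet on because observe further rules is set; the LAN-wide rule is last and, without the option, ends the check. Swapping the order (LAN rule first, without the option) would make the department limits unreachable, which is the point the section makes about sequential evaluation.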
VPN rules
A VPN rule can take its information about the source and destination network from Firewall rules.
By activating the option “This rule is used to create VPN rules” for a Firewall rule, you specify that a VPN rule is derived from this Firewall rule.
Apart from this basic information, a Firewall rule answers the questions of when and to what it applies and which actions are to be executed: