Chapter 13 Security Policy
USG FLEX H Series User’s Guide
192
A From Any To Device direction policy applies to traffic from an interface which is not in a zone.
Global Security Policies
Security Policies with from any and/or to any as the packet direction are called global Security Policies. The global Security Policies are the only Security Policies that apply to an interface that is not included in a zone. The from any policies apply to traffic coming from the interface and the to any policies apply to traffic going to the interface.
Security Policy Rule Criteria
The Zyxel Device checks the schedule, user name (user’s login name on the Zyxel Device), source IP address and object, destination IP address and object, IP protocol type of network traffic (service) and Security Service profile criteria against the Security Policies (in the order you list them). When the traffic matches a policy, the Zyxel Device takes the action specified in the policy.
User Specific Security Policies
You can specify users or user groups in Security Policies. For example, to allow a specific user from any computer to access a zone by logging in to the Zyxel Device, you can set up a policy based on the user name only. If you also apply a schedule to the Security Policy, the user can only access the network at the scheduled time. A user-aware Security Policy is activated whenever the user logs in to the Zyxel Device and will be disabled after the user logs out of the Zyxel Device.
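The ordered, first-match evaluation described above, together with the global-policy and user-aware behaviour, modelled as an added Python illustration (this is not Zyxel code; the interface names, zones, users and policy list are constructed assumptions):

```python
from dataclasses import dataclass
from typing import Optional
ANY = "any"
# Constructed topology (assumption): interface -> zone; "dmz2" is in no zone, so
# only global (from any / to any) policies can ever apply to it.
INTERFACE_ZONE = {"lan1": "LAN", "wan1": "WAN", "dmz2": None}

@dataclass
class Policy:
    name: str
    from_zone: str = ANY            # zone name, or ANY for a global policy
    to_zone: str = ANY
    user: Optional[str] = None      # set => user-aware policy
    service: str = ANY              # e.g. "tcp/443"
    hours: Optional[tuple] = None   # schedule as a [start, end) hour window
    action: str = "deny"

@dataclass
class Packet:
    in_iface: str
    out_iface: str
    service: str
    hour: int
    logged_in_user: Optional[str] = None  # user logged in from the source host

def matches(p: Policy, pkt: Packet) -> bool:
    src_zone = INTERFACE_ZONE.get(pkt.in_iface)   # None for a zoneless interface
    dst_zone = INTERFACE_ZONE.get(pkt.out_iface)
    if p.from_zone != ANY and p.from_zone != src_zone:
        return False
    if p.to_zone != ANY and p.to_zone != dst_zone:
        return False
    if p.user is not None and pkt.logged_in_user != p.user:  # active only while logged in
        return False
    if p.service != ANY and p.service != pkt.service:
        return False
    if p.hours is not None and not (p.hours[0] <= pkt.hour < p.hours[1]):
        return False
    return True

def evaluate(policies, pkt, default="deny"):
    # Policies are checked in listed order; the first match decides the action.
    for p in policies:
        if matches(p, pkt):
            return p.name, p.action
    return "default", default

POLICIES = [  # constructed policy list, in evaluation order
    Policy("alice_to_wan", "LAN", "WAN", user="alice", hours=(9, 18), action="allow"),
    Policy("lan_web_to_wan", "LAN", "WAN", service="tcp/443", action="allow"),
    Policy("any_to_wan_deny", ANY, "WAN", action="deny")]
```

Traffic leaving the zoneless dmz2 can only ever hit the any-to-WAN global policy, and alice's rule stops matching the moment she logs out or the schedule window closes.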
13.3 The Security Policy Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the Zyxel Device’s LAN IP address, return traffic may not go through the Zyxel Device. This is called an asymmetrical or “triangle” route. This causes the Zyxel Device to reset the connection, as the connection has not been acknowledged.
You can have the Zyxel Device permit the use of asymmetrical route topology on the network (not reset the connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel Device and the backup gateway on separate subnets. Virtual interfaces allow you to partition your network into logical sections over the same interface. See the chapter about interfaces for more information.
By putting LAN 1 and the alternate gateway (A in the figure) in different subnets, all returning network traffic must pass through the Zyxel Device to the LAN. The following steps and figure describe such a scenario.
1 A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The Zyxel Device reroutes the packet to gateway A, which is in Subnet 2.