From Zone to Zone | Behavior |
---|---|
From any to Device | DHCP traffic from any interface to the Zyxel Device is allowed. |
From LAN1 to any (other than the Zyxel Device) | Traffic from the LAN1 to any of the networks connected to the Zyxel Device is allowed. |
From LAN2 to any (other than the Zyxel Device) | Traffic from the LAN2 to any of the networks connected to the Zyxel Device is allowed. |
From LAN1 to Device | Traffic from the LAN1 to the Zyxel Device itself is allowed. |
From LAN2 to Device | Traffic from the LAN2 to the Zyxel Device itself is allowed. |
From WAN to Device | The default services listed in To-Device Policies are allowed from the WAN to the Zyxel Device itself. All other WAN to Zyxel Device traffic is dropped. |
From any to any | Traffic that does not match any Security policy is dropped. This includes traffic from the WAN to any of the networks behind the Zyxel Device. This also includes traffic to or from interfaces that are not assigned to a zone (extra-zone traffic). |

Label | Description |
---|---|
Show Filter/Hide Filter | Click Show Filter to display IPv4 and IPv6 (if enabled) security policy search filters. |
General Settings | Enable or disable the Security Policy feature on the Zyxel Device. |
Enable Policy Control | Select this to activate Security Policy on the Zyxel Device to perform access control. |
IPv4 / IPv6 Configuration | Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies based on direction, application, user, source, destination and/or schedule. |
From / To | Select a zone to view all security policies from a particular zone and/or to a particular zone. any means all zones. |
IPv4 / IPv6 Source | Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 source address object used. • An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7. • A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. |
IPv4 / IPv6 Destination | Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 destination address object used. • An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7. • A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. |
Service | View all security policies based on the service object used. |
User | View all security policies based on user or user group object used. |
Schedule | View all security policies based on the schedule object used. |
IPv4/IPv6 Policy Management | Use the following items to manage IPv4 and IPv6 policies. |
Allow Asymmetrical Route | If an alternate gateway on the LAN has an IP address in the same subnet as the Zyxel Device’s LAN IP address, return traffic may not go through the Zyxel Device. This is called an asymmetrical or “triangle” route. This causes the Zyxel Device to reset the connection, as the connection has not been acknowledged. Select this check box to have the Zyxel Device permit the use of asymmetrical route topology on the network (not reset the connection). Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel Device and the backup gateway on separate subnets. |
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
Move | To change a policy’s position in the numbered list, select the policy and click Move to display a field to type a number for where you want to put that policy and press [ENTER] to move the policy to the number that you typed. The ordering of your policies is important as they are applied in order of their numbering. |
Clone | Use Clone to create a new entry by modifying an existing one. • Select an existing entry. • Click Clone, type a number where the new entry should go and then press [ENTER]. • A configuration copy of the selected entry pops up. You must at least change the name as duplicate entry names are not allowed. |
The following read-only fields summarize the policies you have created that apply to traffic traveling in the selected packet direction. | |
Priority | This is the position of your Security Policy in the global policy list (including all through-Zyxel Device and to-Zyxel Device policies). The ordering of your policies is important as policies are applied in sequence. Default displays for the default Security Policy behavior that the Zyxel Device performs on traffic that does not match any other Security Policy. |
Status | This icon is lit when the entry is active and dimmed when the entry is inactive. |
Name | This is the name of the Security policy. |
From / To | This is the direction of travel of packets. Select from which zone the packets come and to which zone they go. Security Policies are grouped based on the direction of travel of packets to which they apply. For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN. From any displays all the Security Policies for traffic going to the selected To Zone. To any displays all the Security Policies for traffic coming from the selected From Zone. From any to any displays all of the Security Policies. To ZyWALL policies are for traffic that is destined for the Zyxel Device and control which computers can manage the Zyxel Device. |
IPv4 / IPv6 Source | This displays the IPv4 / IPv6 source address object, including geographic address and FQDN (group) objects, to which this Security Policy applies. |
IPv4 / IPv6 Destination | This displays the IPv4 / IPv6 destination address object, including geographic address and FQDN (group) objects, to which this Security Policy applies. |
Service | This displays the service object to which this Security Policy applies. |
User | This is the user name or user group name to which this Security Policy applies. |
Schedule | This field tells you the schedule object that the policy uses. none means the policy is active at all times if enabled. |
Action | This field displays whether the Security Policy silently discards packets without notification (deny), permits the passage of packets (allow) or drops packets with notification (reject). |
Log | Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above. |
Profile | This field shows you which Security Service profiles (application patrol, content filter, IDP, anti-malware, email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly. |
Apply | Click Apply to save your changes back to the Zyxel Device. |
Reset | Click Reset to return the screen to its last-saved settings. |

Label | Description |
---|---|
Create new Object | Use to configure any new settings objects that you need to use in this screen. |
Enable | Select this check box to activate the Security policy. |
Name | Type a name to identify the policy. |
Description | Enter a descriptive name of up to 60 printable ASCII characters for the Policy. Spaces are allowed. |
From To | For through-Zyxel Device policies, select the direction of travel of packets to which the policy applies. any means all interfaces. Device means packets destined for the Zyxel Device itself. |
Source | Select an IPv4 / IPv6 address or address group object, including geographic address and FQDN (group) objects, to apply the policy to traffic coming from it. Select any to apply the policy to all traffic coming from IPv4 / IPv6 addresses. |
Destination | Select an IPv4 / IPv6 address or address group, including geographic address and FQDN (group) objects, to apply the policy to traffic going to it. Select any to apply the policy to all traffic going to IPv4 / IPv6 addresses. |
Service | Select a service or service group from the drop-down list box. |
User | This field is not available when you are configuring a to-Zyxel Device policy. Select a user name or user group to which to apply the policy. The Security Policy is activated only when the specified user logs into the system and the policy will be disabled when the user logs out. Otherwise, select any and there is no need for user logging. If you specified a source IP address (group) instead of any in the field below, the user’s IP address should be within the IP address range. |
Schedule | Select a schedule that defines when the policy applies. Otherwise, select none and the policy is always effective. |
Action | Use the drop-down list box to select what the Security Policy is to do with packets that match this policy. Select deny to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender. Select reject to discard the packets and send a TCP reset packet or an ICMP destination-unreachable message to the sender. Select allow to permit the passage of the packets. |
Log matched traffic | Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above. |
Profile | Use this section to apply anti-x profiles (created in the Configuration > Security Service screens) to traffic that matches the criteria above. You must have created a profile first; otherwise none displays. Use Log to generate a log (log), log and alert (log alert) or neither (no) for all traffic that matches criteria in the profile. |
Application Patrol | Select an Application Patrol profile from the list box; none displays if no profiles have been created in the Configuration > Security Service > App Patrol screen. |
Content Filter | Select a Content Filter profile from the list box; none displays if no profiles have been created in the Configuration > Security Service > Content Filter screen. |
SSL Inspection | Select an SSL Inspection profile from the list box; none displays if no profiles have been created in the Configuration > Security Service > SSL Inspection screen. |
OK | Click OK to save your customized settings and exit this screen. |
Cancel | Click Cancel to exit this screen without saving. |
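As an added example (not Zyxel's code) of how the zone-to-zone defaults, the priority-ordered policy list and the deny/reject/allow actions described above combine, this Python model evaluates packets against a constructed policy list. The zones, subnets, device addresses, sample policies and the stand-in list of To-Device default services are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: interface subnets mapped to zones, the Zyxel Device's own
# addresses, and an assumed stand-in for the To-Device default services.
ZONE_OF_NETWORK = {"192.168.1.0/24": "LAN1", "192.168.2.0/24": "LAN2", "203.0.113.0/24": "WAN"}
DEVICE_ADDRESSES = {"192.168.1.1", "192.168.2.1", "203.0.113.10"}
TO_DEVICE_DEFAULT_SERVICES = {"HTTPS", "SSH"}   # assumption, not the real default list


@dataclass
class Policy:
    name: str
    from_zone: str              # zone name or "any"
    to_zone: str                # zone name, "Device" (the Zyxel Device itself) or "any"
    source: Optional[str]       # address object as CIDR, None = any
    destination: Optional[str]
    service: Optional[str]      # service object name, None = any
    action: str                 # allow | deny | reject
    enabled: bool = True


@dataclass
class Packet:
    src: str
    dst: str
    service: str


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone; None = interface not assigned to a zone."""
    if addr in DEVICE_ADDRESSES:
        return "Device"
    for net, zone in ZONE_OF_NETWORK.items():
        if ip_address(addr) in ip_network(net):
            return zone
    return None


def zone_matches(selector: str, zone: Optional[str]) -> bool:
    # Assumption: "any" means all zones, so extra-zone traffic matches no policy.
    return zone is not None and selector in ("any", zone)


def object_matches(addr: str, obj: Optional[str]) -> bool:
    return obj is None or ip_address(addr) in ip_network(obj)


def matches(p: Policy, pkt: Packet, src_zone, dst_zone) -> bool:
    return (p.enabled
            and zone_matches(p.from_zone, src_zone)
            and zone_matches(p.to_zone, dst_zone)
            and object_matches(pkt.src, p.source)
            and object_matches(pkt.dst, p.destination)
            and p.service in (None, pkt.service))


def default_behavior(src_zone, dst_zone, service) -> str:
    """The default zone-to-zone behaviour table at the top of this chapter."""
    if dst_zone == "Device" and service == "DHCP":
        return "allow"                  # From any to Device: DHCP is allowed
    if src_zone in ("LAN1", "LAN2") and dst_zone is not None:
        return "allow"                  # From LAN1/LAN2 to any, including Device
    if src_zone == "WAN" and dst_zone == "Device":
        return "allow" if service in TO_DEVICE_DEFAULT_SERVICES else "deny"
    return "deny"                       # From any to any: WAN to LAN, extra-zone traffic


def evaluate(policies, pkt: Packet):
    """First matching policy in priority order wins; otherwise the default applies."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for p in policies:
        if matches(p, pkt, src_zone, dst_zone):
            return p.action, p.name
    return default_behavior(src_zone, dst_zone, pkt.service), "Default"


# Constructed sample policies, listed in priority order.
SAMPLE_POLICIES = [
    Policy("Guest_No_Mgmt", "LAN2", "Device", None, None, "SSH", "reject"),
    Policy("Publish_Web", "WAN", "LAN1", None, "192.168.1.80/32", "HTTPS", "allow"),
]
```

Because evaluation stops at the first match, moving Publish_Web above a broader WAN-to-LAN1 deny policy would change the result for the same packet; the model makes that effect easy to check before editing the live list.
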

Label | Description |
---|---|
General Settings | |
Enable Anomaly Detection and Prevention | Select this to enable traffic anomaly and protocol anomaly detection and prevention. |
Add | Select an entry and click Add to append a new row beneath the one selected. ADP policies are applied in the order (Priority) shown in this screen. |
Edit | Select an entry and click this to be able to modify it. |
Remove | Select an entry and click this to delete it. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
Move | To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed. |
# | This is the entry’s index number in the list. |
Priority | This is the rank in the list of anomaly profile policies. The list is applied in order of priority. |
Status | The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. |
From | This is the direction of travel of packets to which an anomaly profile is bound. Traffic direction is defined by the zone the traffic is coming from. Use the From field to specify the zone from which the traffic is coming. Select ZyWALL to specify traffic coming from the Zyxel Device itself. From LAN means packets traveling from a computer on one LAN subnet to a computer on another subnet via the Zyxel Device’s LAN1 zone interfaces. The Zyxel Device does not check packets traveling from a LAN computer to another LAN computer on the same subnet. From WAN means packets that come in from the WAN zone and the Zyxel Device routes back out through the WAN zone. Depending on your network topology and traffic load, applying every packet direction to an anomaly profile may affect the Zyxel Device’s performance. |
Anomaly Profile | An anomaly profile is a set of anomaly policies with configured activation, log and action settings. This field shows which anomaly profile is bound to which traffic direction. Select an ADP profile to apply to the entry’s traffic direction. Configure the ADP profiles in the ADP profile screens. |

Label | Description |
---|---|
Profile Management | Create ADP profiles here and then apply them in the Configuration > Security Policy > ADP > Profile screen. |
Add | Click Add and first choose a none or all Base Profile. • none base profile sets all ADP entries to have Log set to no and Action set to none by default. • all base profile sets all ADP entries to have Log set to log and Action set to block by default. |
Edit | Select an entry and click this to be able to modify it. |
Remove | Select an entry and click this to delete it. |
References | Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen. |
Clone | Use Clone to create a new entry by modifying an existing one. • Select an existing entry. • Click Clone. • A configuration copy of the selected entry pops up. You must at least change the name as duplicate entry names are not allowed. |
# | This is the entry’s index number in the list. |
Name | This is the name of the profile you created. |
Description | This is the description of the profile you created. |
Base Profile | This is the name of the base profile used to create this profile. |
Reference | This is the number of object references used to create this profile. |

Label | Description |
---|---|
Name | A name is automatically generated that you can edit. The name must be the same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names: • MyProfile • mYProfile • Mymy12_3-4 These are invalid profile names: • 1mYProfile • My Profile • MyProfile? • Whatalongprofilename123456789012 |
Description | In addition to the name, type additional information to help you identify this ADP profile. |
Scan/Flood Detection | Scan detection, such as port scanning, tries to find attacks where an attacker scans device(s) to determine what types of network protocols or services a device supports. Flood detection tries to find attacks that saturate a network with useless data, use up all available bandwidth, and so aim to make communications on the network impossible. |
Sensitivity | (Scan detection only.) Select a sensitivity level so as to reduce false positives in your network. If you choose low sensitivity, then scan thresholds and sample times are set low, so you will have fewer logs and false positives; however some traffic anomaly attacks may not be detected. If you choose high sensitivity, then scan thresholds and sample times are set high, so most traffic anomaly attacks will be detected; however you will have more logs and false positives. |
Block Period | Specify for how many seconds the Zyxel Device blocks all packets from being sent to the victim (destination) of a detected anomaly attack. Flood Detection applies blocking to the destination IP address and Scan Detection applies blocking to the source IP address. |
Edit (Flood Detection only) | Select an entry and click this to be able to modify it. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
Log | To edit an item’s log option, select it and use the Log icon. Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly policy. |
Action | To edit what action the Zyxel Device takes when a packet matches a policy, select the policy and use the Action icon. none: The Zyxel Device takes no action when a packet matches the policy. block: The Zyxel Device silently drops packets that match the policy. Neither sender nor receiver is notified. |
# | This is the entry’s index number in the list. |
Status | The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. |
Name | This is the name of the anomaly policy. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly policy name. |
Log | These are the log options. To edit this, select an item and use the Log icon. |
Action | This is the action the Zyxel Device should take when a packet matches a policy. To edit this, select an item and use the Action icon. |
Threshold (pkt/sec) | (Flood detection only.) Select a suitable threshold level (the number of packets per second that match the flood detection criteria) for your network. If you choose a low threshold, most traffic anomaly attacks will be detected, but you may have more logs and false positives. If you choose a high threshold, some traffic anomaly attacks may not be detected, but you will have fewer logs and false positives. |
OK | Click OK to save your settings to the Zyxel Device, complete the profile and return to the profile summary page. |
Cancel | Click Cancel to return to the profile summary page without saving any changes. |
Save | Click Save to save the configuration to the Zyxel Device but remain on the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile. |
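An added example (not Zyxel's code) modelling the Scan/Flood Detection behaviour described in the table above: packets per second towards each destination are compared with the Threshold (pkt/sec), distinct ports probed by one source are counted for scan detection, and the Block Period is applied to the destination for floods and to the source for scans. The thresholds, sample time, addresses and packet trace are constructed for the demonstration.

```python
from collections import defaultdict, deque


class Adp:
    """Simplified per-profile flood and scan detector with a block period (model only)."""

    def __init__(self, flood_threshold_pps, scan_port_threshold, scan_sample_secs, block_period):
        self.flood_threshold_pps = flood_threshold_pps  # Threshold (pkt/sec), flood detection
        self.scan_port_threshold = scan_port_threshold  # distinct ports per sample time (assumed)
        self.scan_sample_secs = scan_sample_secs        # sample time for scan detection (assumed)
        self.block_period = block_period                # Block Period in seconds
        self.blocked = {}                               # ip -> time at which the block expires
        self.flood_window = defaultdict(deque)          # dst -> packet timestamps in the last second
        self.scan_window = defaultdict(deque)           # src -> (timestamp, dport) in the sample time
        self.log = []                                   # (time, anomaly, blocked ip)

    def _is_blocked(self, ip, now):
        return ip in self.blocked and now < self.blocked[ip]

    def process(self, now, src, dst, dport):
        """Return 'forward' or 'drop' for one packet and update detector state."""
        # Flood Detection blocks the destination (victim); Scan Detection blocks
        # the source, so both addresses are checked for every packet.
        if self._is_blocked(dst, now) or self._is_blocked(src, now):
            return "drop"
        # Flood: packets per second towards one destination.
        fw = self.flood_window[dst]
        fw.append(now)
        while now - fw[0] >= 1.0:
            fw.popleft()
        if len(fw) > self.flood_threshold_pps:
            self.blocked[dst] = now + self.block_period
            self.log.append((now, "flood", dst))
            return "drop"
        # Scan: distinct destination ports probed by one source within the sample time.
        sw = self.scan_window[src]
        sw.append((now, dport))
        while now - sw[0][0] >= self.scan_sample_secs:
            sw.popleft()
        if len({port for _, port in sw}) > self.scan_port_threshold:
            self.blocked[src] = now + self.block_period
            self.log.append((now, "scan", src))
            return "drop"
        return "forward"


# Constructed trace: one host probing six ports, twelve hosts flooding a server,
# then a legitimate client and the earlier hosts returning after the block period.
SCANNER, TARGET, SERVER, CLIENT = "203.0.113.5", "192.168.1.10", "192.168.1.20", "192.168.1.5"
TRACE = (
    [(0.1 * i, SCANNER, TARGET, port) for i, port in enumerate((21, 22, 23, 25, 80, 443))]
    + [(1.0, SCANNER, TARGET, 8080)]
    + [(round(2.0 + 0.01 * i, 2), f"198.51.100.{i}", SERVER, 53) for i in range(1, 13)]
    + [(3.0, CLIENT, SERVER, 53), (35.0, SCANNER, TARGET, 80), (40.0, CLIENT, SERVER, 53)]
)


def run_demo():
    """Run the trace through a fresh profile and return (verdicts, anomaly log)."""
    adp = Adp(flood_threshold_pps=10, scan_port_threshold=5, scan_sample_secs=2.0, block_period=30)
    verdicts = [adp.process(*pkt) for pkt in TRACE]
    return verdicts, adp.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    for pkt, verdict in zip(TRACE, verdicts):
        print(f"t={pkt[0]:>5} {pkt[1]} -> {pkt[2]}:{pkt[3]:<5} {verdict}")
    print("anomaly log:", log)
```

The trace shows the side effect of blocking the destination for floods: the legitimate client's packet to the server at t=3.0 is dropped for the rest of the Block Period, which is why the Block Period and Threshold should be sized for the network rather than set as tightly as possible.
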

Label | Description |
---|---|
Name | A name is automatically generated that you can edit. The name must be the same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names: • MyProfile • mYProfile • Mymy12_3-4 These are invalid profile names: • 1mYProfile • My Profile • MyProfile? • Whatalongprofilename123456789012 |
Description | In addition to the name, type additional information to help you identify this ADP profile. |
TCP Decoder/UDP Decoder/ICMP Decoder/IP Decoder | Perform the following actions for each type of decoder. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
Log | To edit an item’s log option, select it and use the Log icon. Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly policy. |
Action | To edit what action the Zyxel Device takes when a packet matches a policy, select the policy and use the Action icon. original setting: Select this action to return each rule in a service group to its previously saved configuration. none: Select this action to have the Zyxel Device take no action when a packet matches a policy. drop: Select this action to have the Zyxel Device silently drop a packet that matches a policy. Neither sender nor receiver is notified. reject-sender: Select this action to have the Zyxel Device send a reset to the sender when a packet matches the policy. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet. reject-receiver: Select this action to have the Zyxel Device send a reset to the receiver when a packet matches the policy. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the Zyxel Device will do nothing. reject-both: Select this action to have the Zyxel Device send a reset to both the sender and receiver when a packet matches the policy. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag to the receiver and sender. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet. |
# | This is the entry’s index number in the list. |
Status | The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. |
Name | This is the name of the anomaly policy. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly policy name. |
Log | These are the log options. To edit this, select an item and use the Log icon. |
Action | This is the action the Zyxel Device should take when a packet matches a policy. To edit this, select an item and use the Action icon. |
OK | Click OK to save your settings to the Zyxel Device, complete the profile and return to the profile summary page. |
Cancel | Click Cancel to return to the profile summary page without saving any changes. |
Save | Click Save to save the configuration to the Zyxel Device but remain on the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile. |

Label | Description |
---|---|
General Settings | |
UDP Session Time Out | Set how many seconds the Zyxel Device will allow a UDP session to remain idle (without UDP traffic) before closing it. |
Session Limit Settings | |
Enable Session limit | Select this check box to control the number of concurrent sessions hosts can have. |
IPv4 / IPv6 Configuration | This table lists the rules for limiting the number of concurrent sessions hosts can have. |
Default Session per Host | This field is configurable only when you enable session limit. Use this field to set a common limit to the number of concurrent NAT/Security Policy sessions each client computer can have. If only a few clients use peer to peer applications, you can raise this number to improve their performance. With heavy peer to peer application use, lower this number to ensure no single client uses too many of the available NAT sessions. Create rules below to apply other limits for specific users or addresses. |
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
Move | To change a rule’s position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering. |
# | This field is a sequential value showing the number of the profile. The profile order is not important. |
Status | This icon is lit when the entry is active and dimmed when the entry is inactive. |
# | This is the index number of a session limit rule. It is not associated with a specific rule. |
User | This is the user name or user group name to which this session limit rule applies. |
IPv4 / IPv6 Address | This is the IPv4 / IPv6 address object, including geographic address (group) objects to which this session limit rule applies. |
Description | This is the information configured to help you identify the rule. |
Limit | This is how many concurrent sessions this user or address is allowed to have. |
Apply | Click Apply to save your changes back to the Zyxel Device. |
Reset | Click Reset to return the screen to its last-saved settings. |

Label | Description |
---|---|
Create new Object | Use to configure new settings for User or Address objects that you need to use in this screen. Click on the down arrow to see the menu. |
Enable Rule | Select this check box to turn on this session limit rule. |
Description | Enter information to help you identify this rule. Use up to 60 printable ASCII characters. Spaces are allowed. |
User | Select a user name or user group to which to apply the rule. The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out. Otherwise, select any and there is no need for user logging. If you specified an IP address (or address group) instead of any in the field below, the user’s IP address should be within the IP address range. |
Address | Select the IPv4 source address or address group, including geographic address (group) object, to which this rule applies. Select any to apply the rule to all IPv4 source addresses. |
IPv6 Address | Select the IPv6 source address or address group, including geographic address (group) object, to which this rule applies. Select any to apply the rule to all IPv6 source addresses. |
Session Limit per Host | Use this field to set a limit to the number of concurrent NAT/Security Policy sessions this rule’s users or addresses can have. For this rule’s users and addresses, this setting overrides the Default Session per Host setting in the general Security Policy Session Control screen. |
OK | Click OK to save your customized settings and exit this screen. |
Cancel | Click Cancel to exit this screen without saving. |