Security Policy
Overview
A security policy is a template of security settings that can be applied to specific traffic at specific times. The policy can be applied:
to a specific direction of travel of packets (from / to)
to a specific source and destination address objects
to a specific type of traffic (services)
to a specific user or group of users
at a specific schedule
The policy can be configured:
to allow or deny traffic that matches the criteria above
to send a log or alert for traffic that matches the criteria above
to apply the actions configured in the profiles (application patrol, content filter, IDP, anti-malware, email security) to traffic that matches the criteria above
The security policies can also limit the number of user sessions.
What You Can Do in this Chapter
Use the Policy Control screens (The Security Policy Screen) to enable or disable policies, asymmetrical routes, and manage and configure policies.
Use the DoS Prevention screens (DoS Prevention Overview) to detect traffic with protocol anomalies and take appropriate action.
Use the IP Spoofing Prevention screen (IP Spoofing Prevention) to bind IP addresses to MAC addresses.
Use the Session Control screen (Session Control) to limit the number of concurrent NAT/Security Policy sessions a client can use.
What You Need to Know
Stateful Inspection
The Zyxel Device uses stateful inspection in its security policies. The Zyxel Device restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
Zones
A zone is a group of interfaces. Group the Zyxel Device’s interfaces into different zones based on your needs. You can configure security policies for data passing between zones or even between interfaces.
Default Directional Security Policy Behavior
Security Policies can be grouped based on the direction of travel of packets to which they apply. The following table shows the Zyxel Device's default Security Policy behavior for traffic going through the Zyxel Device in various directions.
Directional Security Policy Behavior
From Zone to Zone
Behavior
From any to Device
DHCP traffic from any interface to the Zyxel Device is allowed.
From LAN1 to any (other than the Zyxel Device)
Traffic from the LAN1 to any of the networks connected to the Zyxel Device is allowed.
From LAN2 to any (other than the Zyxel Device)
Traffic from the LAN2 to any of the networks connected to the Zyxel Device is allowed.
From LAN1 to Device
Traffic from the LAN1 to the Zyxel Device itself is allowed.
From LAN2 to Device
Traffic from the LAN2 to the Zyxel Device itself is allowed.
From WAN to Device
The default services listed in To-Device Policies are allowed from the WAN to the Zyxel Device itself. All other WAN to Zyxel Device traffic is dropped.
From any to any
Traffic that does not match any Security policy is dropped. This includes traffic from the WAN to any of the networks behind the Zyxel Device.
This also includes traffic to or from interfaces that are not assigned to a zone (extra-zone traffic).
To-Device Policies
Policies with Device as the To Zone apply to traffic going to the Zyxel Device itself. By default:
The Security Policy allows only LAN or WAN computers to access or manage the Zyxel Device.
The Zyxel Device allows DHCP traffic from any interface to the Zyxel Device.
The Zyxel Device drops most packets from the WAN zone to the Zyxel Device itself and generates a log except for AH, ESP, GRE, HTTPS, IKE, NATT.
When you configure a Security Policy rule for packets destined for the Zyxel Device itself, make sure it does not conflict with your service control rule. The Zyxel Device checks the security policy before the service control rules for traffic destined for the Zyxel Device.
A From Any To Device direction policy applies to traffic from an interface which is not in a zone.
Global Security Policies
Security Policies with from any and/or to any as the packet direction are called global Security Policies. The global Security Policies are the only Security Policies that apply to an interface that is not included in a zone. The from any policies apply to traffic coming from the interface and the to any policies apply to traffic going to the interface.
Security Policy Rule Criteria
The Zyxel Device checks the schedule, user name (user’s login name on the Zyxel Device), source IP address and object, destination IP address and object, IP protocol type of network traffic (service) and Security Service profile criteria against the Security Policies (in the order you list them). When the traffic matches a policy, the Zyxel Device takes the action specified in the policy.
User Specific Security Policies
You can specify users or user groups in Security Policies. For example, to allow a specific user from any computer to access a zone by logging in to the Zyxel Device, you can set up a policy based on the user name only. If you also apply a schedule to the Security Policy, the user can only access the network at the scheduled time. A user-aware Security Policy is activated whenever the user logs in to the Zyxel Device and will be disabled after the user logs out of the Zyxel Device.
The Security Policy Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the Zyxel Device’s LAN IP address, return traffic may not go through the Zyxel Device. This is called an asymmetrical or “triangle” route. This causes the Zyxel Device to reset the connection, as the connection has not been acknowledged.
You can have the Zyxel Device permit the use of asymmetrical route topology on the network (not reset the connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel Device and the backup gateway on separate subnets. Virtual interfaces allow you to partition your network into logical sections over the same interface. See the chapter about interfaces for more information.
By putting LAN 1 and the alternate gateway in different subnets, all returning network traffic must pass through the Zyxel Device to the LAN. The following steps describe such a scenario.
1 A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The Zyxel Device reroutes the packet to gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the Zyxel Device.
4 The Zyxel Device then sends it to the computer on the LAN1 in Subnet 1.
Configuring the Security Policy Control
Use this screen to enable or disable the security policies and asymmetrical routes, set a maximum number of sessions per host, and display the configured Security Policies. Specify from which zone packets come and to which zone packets travel to display only the policies specific to the selected direction. Note the following.
Besides configuring the security policies, you also need to configure NAT rules to allow computers on the WAN to access LAN devices.
The Zyxel Device applies NAT (Destination NAT) settings before applying the security policies. So for example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, when you configure a corresponding security policy to allow the traffic, you need to set the LAN IP address as the destination.
The ordering of your policies is very important as policies are applied in sequence.
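The rule criteria (zones, source and destination address objects, service, user), first-match evaluation in list order, the default drop for unmatched traffic, and the point that Destination NAT is applied before the policy lookup can all be seen in a small model. The following Python is an added illustration written for this section; it is not Zyxel code, and the rule names, address objects (Server, WEB_SERVER), the public address 203.0.113.5 and the service definitions are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address and service objects; names are illustrative, not Zyxel defaults.
ADDRESS_OBJECTS = {
    "any": None,                                  # any = every IPv4 address
    "Server": ip_network("192.168.1.10/32"),      # the LAN server from the ping example
    "WEB_SERVER": ip_network("192.168.1.20/32"),  # DNAT target for inbound HTTP
}
SERVICES = {
    "any": None,
    "Ping": ("icmp", None),
    "HTTP": ("tcp", 80),
    "SSH": ("tcp", 22),
}

@dataclass
class Rule:
    name: str
    from_zone: str      # zone name or "any"
    to_zone: str        # zone name, "ZyWALL" (the device itself) or "any"
    source: str         # address object name
    destination: str    # address object name
    service: str        # service object name
    action: str         # "allow" | "deny" | "reject"
    log: str = "no"     # "no" | "log" | "log alert"
    user: str = "any"   # a named user only matches while that user is logged in
    enabled: bool = True

@dataclass
class Packet:
    from_zone: str
    to_zone: str        # zone of the forwarding interface after any DNAT (supplied by the caller)
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    user: str = ""      # login name associated with src, "" if nobody is logged in

def _addr_match(obj_name: str, addr: str) -> bool:
    net = ADDRESS_OBJECTS[obj_name]
    return net is None or ip_address(addr) in net

def _service_match(svc_name: str, pkt: Packet) -> bool:
    svc = SERVICES[svc_name]
    if svc is None:
        return True
    proto, port = svc
    return pkt.proto == proto and (port is None or pkt.dport == port)

def apply_dnat(pkt: Packet, dnat_table: dict) -> Packet:
    """Destination NAT runs before the policy lookup, so the policy must name the
    translated (LAN) address. dnat_table maps (public dst, proto, dport) -> (private dst, port)."""
    hit = dnat_table.get((pkt.dst, pkt.proto, pkt.dport))
    if hit is None:
        return pkt
    new_dst, new_port = hit
    return Packet(pkt.from_zone, pkt.to_zone, pkt.src, new_dst, pkt.proto, new_port, pkt.user)

def evaluate(rules, pkt: Packet, dnat_table=None):
    """First-match evaluation in list order; returns (action, log, rule name).
    Traffic that matches no rule falls to the default policy, which drops it."""
    pkt = apply_dnat(pkt, dnat_table or {})
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.from_zone not in ("any", pkt.from_zone):
            continue
        if rule.to_zone not in ("any", pkt.to_zone):
            continue
        if not _addr_match(rule.source, pkt.src) or not _addr_match(rule.destination, pkt.dst):
            continue
        if not _service_match(rule.service, pkt):
            continue
        if rule.user != "any" and rule.user != pkt.user:
            continue
        return rule.action, rule.log, rule.name
    return "deny", "no", "Default"

# Constructed rule set, listed in priority order.
RULES = [
    Rule("LAN_to_Device", "LAN1", "ZyWALL", "Server", "any", "Ping", "allow", log="no"),
    Rule("LAN1_to_Device", "LAN1", "ZyWALL", "any", "any", "any", "allow", log="log"),
    Rule("WAN_to_Web", "WAN", "LAN1", "any", "WEB_SERVER", "HTTP", "allow", log="log"),
]
# Constructed DNAT entry: public 203.0.113.5:80 is forwarded to the LAN web server.
DNAT = {("203.0.113.5", "tcp", 80): ("192.168.1.20", 80)}
```

Swapping the first two rules makes the server's pings match the broader LAN1_to_Device rule and get logged, which is exactly the ordering effect the note above warns about; removing the DNAT table makes the inbound HTTP packet miss WAN_to_Web, because the rule is written against the LAN address and the untranslated packet still carries the public one.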
The following table describes the labels in this screen.
Security Policy > Policy Control 
Label
Description
General Settings
Enable or disable the policy control feature on the Zyxel Device.
Allow Asymmetrical Route
If an alternate gateway on the LAN has an IP address in the same subnet as the Zyxel Device’s LAN IP address, return traffic may not go through the Zyxel Device. This is called an asymmetrical or “triangle” route. This causes the Zyxel Device to reset the connection, as the connection has not been acknowledged.
Select this check box to have the Zyxel Device permit the use of asymmetrical route topology on the network (not reset the connection).
*Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel Device and the backup gateway on separate subnets.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms if you want to remove it before doing so.
Active
To turn on an entry, select it and click Activate.
Inactive
To turn off an entry, select it and click Inactivate.
Move to
To change a policy’s position in the numbered list, select the policy and click Move to display a field to type a number for where you want to put that policy and press [ENTER] to move the policy to the number that you typed.
The ordering of your policies is important as they are applied in order of their numbering.
Copy to
You can create a new policy by copying an existing one to a new position, and then editing it. Select an existing policy and click Copy to display a field to type a number for where you want to put that policy, then press [ENTER] to copy the policy to the number that you typed.
After copying it, edit it to change it from the one copied.
Search
Type an item in the search box, then click this to display all sessions in the table below according to the item you typed.
Clear All
Click this to remove all items found in the search.
Filter
Click the Filter icon, click + to expand Policy Match, pick a filter, then click Find to display specific sessions according to the filter selected. You may select multiple filters, but just one of each type, configured one at a time.
The following read-only fields summarize the policies you have created that apply to traffic traveling in the selected packet direction.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Priority
This is the position of your Security Policy in the global policy list (including all through-Zyxel Device and to-Zyxel Device policies). The ordering of your policies is important as policies are applied in sequence. Default displays for the default Security Policy behavior that the Zyxel Device performs on traffic that does not match any other Security Policy.
Name
This is the name of the Security policy.
From / To
This is the direction of travel of packets. Select from which zone the packets come and to which zone they go.
Security policies are grouped based on the direction of travel of packets to which they apply. For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN.
From any displays all the security policies for traffic going to the selected To Zone.
To any displays all the security policies for traffic coming from the selected From Zone.
From any to any displays all of the security policies.
To ZyWALL policies are for traffic that is destined for the Zyxel Device and control which computers can manage the Zyxel Device.
Source
This displays the IPv4 source address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.
Destination
This displays the IPv4 destination address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.
Service
This displays the service object to which this security policy applies.
User
This is the user name or user group name to which this security policy applies.
Schedule
This field tells you the schedule object that the policy uses. none means the policy is active at all times if enabled.
Action
This field displays whether the security policy silently discards packets without notification (deny), permits the passage of packets (allow) or drops packets with notification (reject)
Log
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above.
Profile
This field shows you which security service profiles (application patrol, content filter and SSL inspection) apply to the policy control rule. Click the icon to edit the profile directly.
The Policy Control Add/Edit Screen
The following table describes the labels in this screen.
Security Policy > Policy Control > Add 
Label
Description
Enable
Select this check box to activate the policy control.
Name
Type a name of 1 to 30 single-byte characters to identify the policy, using only a-zA-Z0-9. Special characters and spaces are not allowed.
Description
Enter a description of 1 to 30 single-byte characters for the policy. Spaces and the characters 0-9a-zA-Z!”#$%()*+,-/:;=?@_ are allowed; the characters &.<>[\]^‘{|} are not allowed.
From
To
For through-Zyxel Device policies, select the direction of travel of packets to which the policy applies.
any means all interfaces.
ZyWALL means packets destined for the Zyxel Device itself.
Source
Select an IPv4 address or address group object, including geographic address and FQDN (group) objects, to apply the policy to traffic coming from it. Select any to apply the policy to all traffic coming from IPv4 addresses.
*If you select an FQDN address with a wildcard in this field, the rule might not be applied because an FQDN with a wildcard cannot cache IP addresses using DNS queries on the Zyxel Device.
Destination
Select an IPv4 address or address group, including geographic address and FQDN (group) objects, to apply the policy to traffic going to it. Select any to apply the policy to all traffic going to IPv4 addresses.
Service
Select a service or service group from the drop-down list box.
User
This field is not available when you are configuring a to-Zyxel Device policy.
Select a user name or user group to which to apply the policy. The Security Policy is activated only when the specified user logs into the system and the policy will be disabled when the user logs out.
Otherwise, select any and there is no need for user logging.
*If you specified a source IP address (group) instead of any in the field below, the user’s IP address should be within the IP address range.
Schedule
Select a schedule that defines when the policy applies. Otherwise, select none and the policy is always effective.
Action
Use the drop-down list box to select what the Security Policy is to do with packets that match this policy.
Select deny to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
Select reject to discard the packets and send a TCP reset packet or an ICMP destination-unreachable message to the sender.
Select allow to permit the passage of the packets.
Log matched traffic
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above.
Profile
Use this section to apply anti-x profiles (created in the Security Services screens) to traffic that matches the criteria above. You must have created a profile first; otherwise none displays.
Use Log to generate a log (log), log and alert (log alert) or not (no) for all traffic that matches criteria in the profile.
Application Patrol
Select an Application Patrol profile from the list box; none displays if no profiles have been created in the Security Service > App Patrol screen.
Content Filter
Select a Content Filter profile from the list box; none displays if no profiles have been created in the Security Service > Content Filter screen.
SSL Inspection
Select an SSL Inspection profile from the list box; none displays if no profiles have been created in the Security Service > SSL Inspection screen.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.
Example: Allow a Server to Ping the Zyxel Device Without Creating Logs
A server on the LAN pings the Zyxel Device every 15 seconds to check if the Zyxel Device is connected to the Internet. The Zyxel Device creates a log every time the server pings it. You want to allow the server to ping the Zyxel Device without creating so many logs.
This example uses the parameters given below.
Address Object Configuration Example
name     address type   ip address
Server   Host           2.2.2.2
Security Policy Configuration Example
name            from   to       source   destination   service   action   log
LAN_to_Device   LAN    ZyWALL   Server   Any           Ping      Allow    No
1 Go to Object > Address > Address and click Add.
2 Configure the settings using the parameters given in Address Object Configuration Example. Click Apply to save your changes.
3 Go to Security Policy > Policy Control and click Add.
4 Configure the settings using the parameters given in Security Policy Configuration Example. Set Log to no so when the server pings the Zyxel Device, the Zyxel Device will not create logs. Click Apply to save your changes.
DoS Prevention Overview
DoS attacks can flood your Internet connection with invalid packets and connection requests, using so much bandwidth and so many resources that Internet access becomes unavailable. The goal of DoS attacks is not to steal information, but to disable a device or network on the Internet.
DoS prevention protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as port scans. This section introduces DoS prevention profiles and applying a DoS prevention profile to a traffic direction.
Traffic Anomalies
Traffic anomaly policies look for abnormal behavior or events such as port scanning, sweeping or network flooding. They operate at OSI layer-3 and layer-4. Traffic anomaly policies may be updated when you upload new firmware.
*First, create a DoS prevention profile in the Security Policy > DoS Prevention > Profile screen. Then, apply the profile to traffic originating from a specific zone in the Security Policy > DoS Prevention > DoS Prevention Policy screen.
The DoS Prevention Policy Screen
The following table describes the labels in this screen.
Security Policy > DoS Prevention > DoS Prevention Policy
label
description
General Settings
Enable Anomaly Detection and Prevention
Select this to enable traffic anomaly and protocol anomaly detection and prevention.
Add
Select an entry and click Add to append a new row beneath the one selected. ADP policies are applied in the order (Priority) shown in this screen.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Active
To turn on an entry, select it and click Activate.
Inactive
To turn off an entry, select it and click Inactivate.
Move
To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Priority
This is the rank in the list of anomaly profile policies. The list is applied in order of priority.
Name
This is the name of the anomaly profile policy.
From
This is the direction of travel of packets to which an anomaly profile is bound. Traffic direction is defined by the zone the traffic is coming from.
Use the From field to specify the zone from which the traffic is coming. Select ZyWALL to specify traffic coming from the Zyxel Device itself.
From LAN means packets traveling from a computer on one LAN subnet to a computer on another subnet via the Zyxel Device’s LAN1 zone interfaces. The Zyxel Device does not check packets traveling from a LAN computer to another LAN computer on the same subnet.
From WAN means packets that come in from the WAN zone and the Zyxel Device routes back out through the WAN zone.
*Depending on your network topology and traffic load, applying every packet direction to an anomaly profile may affect the Zyxel Device’s performance.
Anomaly Profile
An anomaly profile is a set of anomaly policies with configured activation, log and action settings. This field shows which anomaly profile is bound to which traffic direction. Select an ADP profile to apply to the entry’s traffic direction. Configure the ADP profiles in the ADP profile screens.
The DoS Prevention Profile Screen
When creating DoS prevention profiles, you may find that certain policies are triggering too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the Zyxel Device. As each network is different, false positives and false negatives are common on initial DoS prevention deployment.
To counter this, you could create a ‘monitor profile’ that creates logs, but all actions are disabled. Observe the logs over time and try to eliminate the causes of the false alarms. When you’re satisfied that they have been reduced to an acceptable level, you could then create an ‘in-line profile’ whereby you configure appropriate actions to be taken when a packet matches a policy.
DoS prevention profiles consist of traffic anomaly profiles. To create a new profile, click Add. Type a new profile name, enable or disable individual policies and then edit the default log options and actions.
The following table describes the labels in this screen.
Security Policy > DoS Prevention > Profile 
Label
Description
Profile Management
Create ADP profiles here and then apply them in the Security Policy > DoS Prevention > DoS Prevention Policy screen.
Add
Click Add to create a new profile.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Reference
Select an entry and click Reference to check which settings use the entry.
Name
This is the name of the profile you created.
Description
This is the description of the profile you created.
The DoS Prevention Profile Add/Edit Screen
DoS prevention looks for abnormal behavior such as scan or flooding attempts.
Security Policy > DoS Prevention > Profile > Add/Edit 
label
description
Name
A name is automatically generated that you can edit. The name must be the same in the DoS Prevention screens for the same DoS prevention profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
Description
In addition to the name, type additional information to help you identify this DoS prevention profile.
Scan/Flood Detection
Scan detection, such as port scanning, tries to find attacks where an attacker scans device(s) to determine what types of network protocols or services a device supports.
Flood detection tries to find attacks that saturate a network with useless data, use up all available bandwidth, and so aim to make communications on the network impossible.
Sensitivity (Scan detection only)
Select a sensitivity level so as to reduce false positives in your network. If you choose low sensitivity, then scan thresholds and sample times are set low, so you will have fewer logs and false positives; however some traffic anomaly attacks may not be detected.
If you choose high sensitivity, then scan thresholds and sample times are set high, so most traffic anomaly attacks will be detected; however you will have more logs and false positives.
Block Period
Specify for how many seconds the Zyxel Device blocks all packets from being sent to the victim (destination) of a detected anomaly attack. Flood Detection applies blocking to the destination IP address and Scan Detection applies blocking to the source IP address.
Edit (Flood Detection only)
Select an entry and click this to be able to modify it.
Active
To turn on an entry, select it and click Activate.
Inactive
To turn off an entry, select it and click Inactivate.
Log
To edit an item’s log option, select it and use the Log icon. Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly policy.
Action
To edit what action the Zyxel Device takes when a packet matches a policy, select the policy and use the Action icon.
None: The Zyxel Device takes no action when a packet matches the policy.
Block: The Zyxel Device silently drops packets that match the policy. Neither sender nor receiver is notified.
Status
The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Name
This is the name of the anomaly policy. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly policy name.
Log
These are the log options. To edit this, select an item and use the Log icon.
Action
This is the action the Zyxel Device should take when a packet matches a policy. To edit this, select an item and use the Action icon.
Threshold (pkt/sec)
(Flood detection only.) Select a suitable threshold level (the number of packets per second that match the flood detection criteria) for your network. If you choose a low threshold, most traffic anomaly attacks will be detected, but you may have more logs and false positives.
If you choose a high threshold, some traffic anomaly attacks may not be detected, but you will have fewer logs and false positives.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.
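The Threshold (pkt/sec), Block Period, Log and Action settings above, together with the rule that flood detection blocks the destination while scan detection blocks the source, can be modelled as a sliding-window detector. The Python below is an added example written for this section, not Zyxel's detection engine: the window lengths, the "distinct ports within a sample time" scan criterion, and all addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

class DoSDetector:
    """Sliding-window flood and port-scan detector (constructed model of the
    Threshold / Block Period / Log / Action semantics described in the manual)."""

    def __init__(self, flood_threshold_pps=1000, scan_ports=20, scan_sample_secs=5.0,
                 block_period_secs=60.0, log="log", action="block"):
        self.flood_threshold = flood_threshold_pps   # packets per second towards one destination
        self.scan_ports = scan_ports                 # distinct (dst, port) pairs one source may touch
        self.scan_sample = scan_sample_secs          # sample time for the scan window (assumption)
        self.block_period = block_period_secs        # seconds a blocked address stays blocked
        self.log_mode = log                          # "no" | "log" | "log alert"
        self.action = action                         # "none" | "block"
        self._per_dst = defaultdict(deque)           # dst -> timestamps of packets in the last second
        self._per_src = defaultdict(deque)           # src -> (ts, dst, dport) within the scan window
        self.blocked_dst = {}                        # dst -> block expiry time (flood victims)
        self.blocked_src = {}                        # src -> block expiry time (scanners)
        self.logs = []

    def _log(self, ts, message):
        if self.log_mode != "no":
            self.logs.append((ts, self.log_mode, message))

    def observe(self, ts, src, dst, dport):
        """Feed one packet; return 'pass' or 'blocked'."""
        # 1. Enforce existing blocks; expired entries are removed on first sight.
        for table, key in ((self.blocked_dst, dst), (self.blocked_src, src)):
            if key in table:
                if ts < table[key]:
                    return "blocked"
                del table[key]

        # 2. Flood detection: packets per second towards a single destination.
        q = self._per_dst[dst]
        q.append(ts)
        while q and ts - q[0] >= 1.0:
            q.popleft()
        if len(q) > self.flood_threshold:
            self._log(ts, f"flood towards {dst}: {len(q)} pkt/s exceeds {self.flood_threshold}")
            q.clear()
            if self.action == "block":
                self.blocked_dst[dst] = ts + self.block_period   # flood: block the victim (destination)
                return "blocked"
            return "pass"

        # 3. Scan detection: distinct destination ports one source touches within the sample time.
        s = self._per_src[src]
        s.append((ts, dst, dport))
        while s and ts - s[0][0] >= self.scan_sample:
            s.popleft()
        touched = {(d, p) for _, d, p in s}
        if len(touched) >= self.scan_ports:
            self._log(ts, f"port scan from {src}: {len(touched)} ports in {self.scan_sample}s")
            s.clear()
            if self.action == "block":
                self.blocked_src[src] = ts + self.block_period    # scan: block the scanner (source)
                return "blocked"
        return "pass"
```

A profile with action none and log enabled is the "monitor profile" described earlier: the detector still records the event but never blocks, so the logs can be reviewed for false positives before the action is switched to block.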
IP Spoofing Prevention
Trusted IP/MAC Pair
IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The Zyxel Device uses DHCP to assign IP addresses and records the MAC address it assigned to each IP address. The Zyxel Device then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the Zyxel Device.
The IP Spoofing Prevention Screen
Click Security Policy > IP Spoofing Prevention to display the IP Spoofing Prevention screen. Use this screen to configure an interface’s IP to MAC address binding settings.
The following table describes the labels in this screen.
Security Policy > IP Spoofing Prevention 
Label
Description
Source IP Spoofing Prevention
Enable
Click to slide the switch to the right to enable IP spoofing prevention.
Log
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) if a device connected to this interface attempts to use an IP address that is bound to another device’s MAC address.
Enable Interface
Select the interface to enforce links between specific IP addresses and specific MAC addresses on this interface. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get to use specific IP addresses.
Trusted IP/MAC Pair
Include DHCP Leasing Entries
Enable this to allow traffic from devices that are listed in the current DHCP table. To manage the list of DHCP-assigned IP addresses, click Include DHCP Leasing Entries to go to the Network > DHCP Table screen.
Add
Click this to create a new entry.
Remove
Select an entry and click this to delete it.
Interface
This field displays the name of the interface within the Zyxel Device.
IP Address
This is the IP address that the Zyxel Device assigns to a device with the entry’s MAC address.
MAC Address
This is the MAC address of the device to which the Zyxel Device assigns the entry’s IP address.
Description
This helps identify the entry.
Trusted IP
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Object Name
This is the name of the IP address object to allow traffic.
Description
This is the description of the profile you created.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.
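The check described in this section (per-interface enforcement, trusted IP/MAC pairs, DHCP leases optionally included as bindings, Trusted IP objects that pass regardless of MAC, and a log on each violation) is shown below as an added Python model written for this section; it is not the Zyxel Device's implementation. The interface names, addresses and MAC addresses are constructed, and two details the manual does not state are assumptions marked in the code: an IP address that is not bound to any MAC is not protected, and a manually entered pair takes precedence over a DHCP lease for the same address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pair:
    interface: str
    ip: str
    mac: str

class SpoofGuard:
    """Source IP spoofing prevention: a frame is dropped when its source IP is bound
    on the arrival interface to a MAC address other than the frame's source MAC."""

    def __init__(self, enforced_interfaces, static_pairs=(), dhcp_leases=(),
                 include_dhcp_leases=True, trusted_ips=(), log="log"):
        self.enforced = set(enforced_interfaces)     # "Enable Interface" selections
        self.bindings = {}                           # (interface, ip) -> mac
        for p in static_pairs:                       # Trusted IP/MAC Pair entries
            self.bindings[(p.interface, p.ip)] = p.mac.lower()
        if include_dhcp_leases:                      # "Include DHCP Leasing Entries"
            for p in dhcp_leases:
                # Assumption: a manually entered pair wins over a lease for the same IP.
                self.bindings.setdefault((p.interface, p.ip), p.mac.lower())
        self.trusted_ips = set(trusted_ips)          # Trusted IP objects: allowed from any MAC
        self.log_mode = log                          # "no" | "log" | "log alert"
        self.logs = []

    def check(self, interface, src_ip, src_mac):
        """Return 'pass' or 'drop' for a frame seen on `interface`."""
        if interface not in self.enforced:
            return "pass"
        if src_ip in self.trusted_ips:
            return "pass"
        bound_mac = self.bindings.get((interface, src_ip))
        if bound_mac is None:
            return "pass"    # Assumption: an IP bound to nobody is not protected.
        if bound_mac == src_mac.lower():
            return "pass"
        if self.log_mode != "no":
            self.logs.append((self.log_mode, interface, src_ip, src_mac, bound_mac))
        return "drop"

# Constructed sample configuration.
STATIC_PAIRS = [Pair("lan1", "192.168.1.10", "aa:bb:cc:00:00:01")]
DHCP_LEASES = [Pair("lan1", "192.168.1.50", "aa:bb:cc:00:00:50")]
guard = SpoofGuard(["lan1"], STATIC_PAIRS, DHCP_LEASES, trusted_ips=["192.168.1.99"])
```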
The Trusted IP Add / Edit Screen
In the Security Policy > IP Spoofing Prevention screen, click the Edit or Add icon to create or edit an existing profile.
The following table describes the labels in this screen.
Security Policy > IP Spoofing Prevention > Trusted IP Add/Edit 
Label
Description
Trusted IP
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Object Name
Select an IP address object to allow traffic from all devices with that IP address.
Description
This helps identify the entry.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.
Session Control
Use this screen to limit the number of concurrent NAT/Security Policy sessions a client can use. You can apply a default limit for all users and individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both.
Security Policy > Session Control 
Label
Description
General Settings
Session Control
Click to slide the switch to the right to enable session control.
Default Session per Host
Use this field to set a common limit to the number of concurrent NAT/Security Policy sessions each client computer can have. ‘0’ means unlimited.
If only a few clients use peer to peer applications, you can raise this number to improve their performance. With heavy peer to peer application use, lower this number to ensure no single client uses too many of the available NAT sessions.
Create rules below to apply other limits for specific users or addresses.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Move to
To change a rule’s position in the numbered list, select the rule and click Move to to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
The ordering of your rules is important as they are applied in order of their priority number.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Priority
This is the priority of a session limit rule. Rules are applied according to priority number.
User
This is the user name or user group name to which this session limit rule applies.
Source IP
This is the IP address of the host to which this session limit rule applies.
Description
This is the information configured to help you identify the rule.
Limit
This is how many concurrent sessions this user or address is allowed to have.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to return the screen to its last-saved settings.
Session Control Add/Edit
Use this screen to configure rules that define a session limit for specific users or addresses.
Security Policy > Session Control > Add/Edit 
Label
Description
Enable
Click to slide the switch to the right to turn on this session limit rule.
Description
Enter information to help you identify this rule. Use up to 60 printable ASCII characters. Spaces are allowed.
User
Select a user name or user group to which to apply the rule. The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out.
Otherwise, select any and there is no need for user logging.
*If you specified an IP address (or address group) instead of any in the field below, the user’s IP address should be within the IP address range.
Address
Select the IPv4/IPv6 source address (range) or address group, including geographic address (group) object, to which this rule applies. Select any to apply the rule to all IPv4 source addresses.
Session Limit per Host
Use this field to set a limit to the number of concurrent NAT/Security Policy sessions this rule’s users or addresses can have.
For this rule’s users and addresses, this setting overrides the Default Session per Host setting in the general Security Policy Session Control screen.
Apply
Click Apply to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
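The Session Control semantics above (a Default Session per Host value where 0 means unlimited, individual rules for a user or an address range evaluated in priority order, and the individual limit overriding the default) are shown below as an added Python model written for this section, not the Zyxel Device's own code. The user names, address ranges and limits are constructed, and the sessions are counted per host address, which is an assumption about how "per Host" is accounted.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class LimitRule:
    user: str             # login name, or "any"
    address: str          # CIDR range, or "any"
    limit: int            # sessions per host; 0 = unlimited
    enabled: bool = True

class SessionLimiter:
    """Per-host concurrent session limit with a default and priority-ordered overrides."""

    def __init__(self, default_per_host=0, rules=()):
        self.default = default_per_host       # "Default Session per Host"
        self.rules = list(rules)              # individual rules, highest priority first
        self.active = Counter()               # host ip -> currently open sessions

    def limit_for(self, host_ip, user=""):
        """The first matching rule wins; with no match the default applies."""
        for rule in self.rules:
            if not rule.enabled:
                continue
            if rule.user != "any" and rule.user != user:      # user rules need that user logged in
                continue
            if rule.address != "any" and ip_address(host_ip) not in ip_network(rule.address):
                continue
            return rule.limit
        return self.default

    def open_session(self, host_ip, user=""):
        """Admit a new session for host_ip if it is under its limit; return True if admitted."""
        limit = self.limit_for(host_ip, user)
        if limit and self.active[host_ip] >= limit:           # limit 0 means unlimited
            return False
        self.active[host_ip] += 1
        return True

    def close_session(self, host_ip):
        if self.active[host_ip] > 0:
            self.active[host_ip] -= 1
```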