Firewall

See the Firewall section for related information on these screens.

The ZyWALL's firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It also tracks sessions, so return traffic from one zone is allowed only when a computer in another zone initiated the session first; for example, a reply from the WAN to a computer on the LAN is allowed only if that LAN computer started the connection.

A zone is a group of interfaces or VPN tunnels. Group the ZyWALL's interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones or even between interfaces and/or VPN tunnels in a zone.

Your customized rules take precedence and override the ZyWALL's default settings. The ZyWALL checks the schedule, user name (user's login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.

For example, if you want to allow a specific user from any computer to access one zone by logging in to the ZyWALL, you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the ZyWALL and will be disabled after the user logs out of the ZyWALL.

Firewall Rules

Firewall rules are grouped based on the direction of travel of packets to which they apply.

Note: The LAN, WAN and DMZ zones are default zones. There is also a WLAN zone, although it is not included on all models. Refer to the chapter about zones for more information.

Note: If you create a new zone, there is no default firewall rule for it, so any packets sent to or from the new zone are allowed until you add rules for that zone.

Rule Directions

The Default Firewall Rules table below lists the default firewall rules that inspect packets going through the ZyWALL.

Note: The ZyWALL checks the firewall rules before the application patrol rules for traffic going through the ZyWALL.

If you want to use a service, make sure both the firewall and application patrol allow the service's packets to go through the ZyWALL.

You can use the firewall to block a service with a static port number. To block a service using a flexible/dynamic port number by inspecting the service's packets, you need to use application patrol. See the chapter about application patrol for more information.

The following table explains the default firewall rules for traffic going through the ZyWALL. See To-ZyWALL Rules for details on the firewall rules for traffic going to the ZyWALL itself. Not all ZyWALL models include the WLAN zone by default.

Default Firewall Rules

From Zone to Zone     Stateful packet inspection
From LAN to LAN       Traffic between interfaces in the LAN is allowed.
From LAN to WAN       Traffic from the LAN to the WAN is allowed.
From LAN to DMZ       Traffic from the LAN to the DMZ is allowed.
From LAN to WLAN      Traffic from the LAN to the WLAN is allowed.
From WAN to LAN       Traffic from the WAN to the LAN is dropped.
From WAN to WAN       Traffic between interfaces in the WAN is dropped.
From WAN to DMZ       Traffic from the WAN to the DMZ is allowed.
From WAN to ZyWALL    Traffic from the WAN to the ZyWALL itself is dropped except for the traffic types described in To-ZyWALL Rules.
From WAN to WLAN      Traffic from the WAN to the WLAN is allowed.
From DMZ to LAN       Traffic from the DMZ to the LAN is dropped.
From DMZ to WAN       Traffic from the DMZ to the WAN is dropped.
From DMZ to DMZ       Traffic between interfaces in the DMZ is dropped.
From WLAN to LAN      Traffic from the WLAN to the LAN is rejected unless it is from an authenticated wireless LAN user.
From WLAN to DMZ      Traffic from the WLAN to the DMZ is rejected unless it is from an authenticated wireless LAN user.
From WLAN to WAN      Traffic from the WLAN to the WAN is rejected unless it is DNS UDP traffic or from an authenticated wireless LAN user or a guest.

Note: If you enable intra-zone traffic blocking (see the chapter about zones), the firewall automatically creates (implicit) rules to deny packet passage between the interfaces in the specified zone.

Note: You also need to configure virtual servers (NAT port forwarding) to allow computers on the WAN to access devices on the LAN.

Global Firewall Rules

If an interface or VPN tunnel is not included in a zone, only the global firewall rules (with from any to any direction) apply to traffic going to and from that interface or tunnel.
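The following Python model is an added example, not ZyXEL code and not the ZyWALL's implementation. It walks packets through an ordered rule list the way the text describes: the first matching rule wins, so rule order decides the outcome; a user-aware rule matches only while that user is logged in; a schedule limits when a rule is active; and when no rule matches, the default policy from the Default Firewall Rules table applies, including the "new zone has no default rule, so traffic is allowed" case and the reject-versus-deny difference in what the sender receives. The rule objects, addresses, user names and the zone name GUESTNET are made up; the to-ZyWALL exceptions for VPN and Device HA, and the WLAN guest account type, are deliberately not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src_zone: str
    dst_zone: str                 # zone name, or "ZyWALL" for traffic to the device itself
    src_ip: str
    dst_ip: str
    proto: str                    # "tcp" or "udp"
    dport: int
    user: Optional[str] = None    # login name if the user on the source host is logged in
    hour: int = 12                # hour of day, used for schedule checks


@dataclass
class Rule:
    frm: str                      # zone name or "any"
    to: str                       # zone name, "any", or "ZyWALL"
    access: str                   # "allow", "deny" or "reject"
    user: str = "any"             # login name or "any"
    source: str = "any"           # CIDR (stands in for an address object) or "any"
    destination: str = "any"
    service: Optional[set] = None       # {(proto, port), ...}; None means any service
    schedule: Optional[range] = None    # active hours; None means always effective
    log: str = "no"
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        if not self.enabled:
            return False
        if self.frm not in ("any", p.src_zone) or self.to not in ("any", p.dst_zone):
            return False
        if self.schedule is not None and p.hour not in self.schedule:
            return False
        # A user-aware rule is active only while that user is logged in to the ZyWALL.
        if self.user != "any" and p.user != self.user:
            return False
        if self.source != "any" and ip_address(p.src_ip) not in ip_network(self.source):
            return False
        if self.destination != "any" and ip_address(p.dst_ip) not in ip_network(self.destination):
            return False
        if self.service is not None and (p.proto, p.dport) not in self.service:
            return False
        return True


def default_action(p: Packet) -> str:
    """Default policy from the Default Firewall Rules table (VPN/HA exceptions omitted)."""
    if p.dst_zone == "ZyWALL":
        return "allow" if p.src_zone == "LAN" else "deny"   # LAN may manage the device
    pair = (p.src_zone, p.dst_zone)
    if p.src_zone == "WLAN":
        if p.user is not None:                               # authenticated wireless user
            return "allow"
        if pair == ("WLAN", "WAN") and (p.proto, p.dport) == ("udp", 53):
            return "allow"                                   # DNS is let out unauthenticated
        return "reject"
    dropped = {("WAN", "LAN"), ("WAN", "WAN"), ("DMZ", "LAN"), ("DMZ", "WAN"), ("DMZ", "DMZ")}
    # A zone pair not in the table (e.g. a user-created zone) has no default rule: allowed.
    return "deny" if pair in dropped else "allow"


def verdict(action: str, rule_no, p: Packet):
    # reject answers TCP with a RST; UDP gets no response; deny is always silent.
    response = "tcp-rst" if action == "reject" and p.proto == "tcp" else None
    return (action, rule_no, response)


def evaluate(rules, p: Packet):
    """Rules are checked in list order; the first match wins, otherwise the default applies."""
    for rule_no, rule in enumerate(rules, start=1):
        if rule.matches(p):
            return verdict(rule.access, rule_no, p)
    return verdict(default_action(p), None, p)


# Constructed rule list: alice may do anything LAN->WAN during office hours;
# everyone else is denied outbound SSH and logged.
RULES = [
    Rule("LAN", "WAN", "allow", user="alice", schedule=range(9, 18)),
    Rule("LAN", "WAN", "deny", service={("tcp", 22)}, log="log"),
]


def demo():
    ssh = dict(src_zone="LAN", dst_zone="WAN", src_ip="192.168.1.10",
               dst_ip="203.0.113.5", proto="tcp", dport=22)
    return {
        "alice_in_hours": evaluate(RULES, Packet(**ssh, user="alice", hour=10)),
        "alice_after_hours": evaluate(RULES, Packet(**ssh, user="alice", hour=20)),
        "bob_https": evaluate(RULES, Packet(**{**ssh, "dport": 443}, user="bob")),
        "reversed_order": evaluate(list(reversed(RULES)), Packet(**ssh, user="alice", hour=10)),
        "wan_to_lan_default": evaluate(RULES, Packet("WAN", "LAN", "203.0.113.5", "192.168.1.10", "tcp", 445)),
        "wan_ssh_to_zywall": evaluate(RULES, Packet("WAN", "ZyWALL", "203.0.113.5", "203.0.113.1", "tcp", 22)),
        "new_zone_default": evaluate(RULES, Packet("LAN", "GUESTNET", "192.168.1.10", "10.9.0.4", "tcp", 445)),
        "wlan_dns": evaluate(RULES, Packet("WLAN", "WAN", "192.168.2.5", "203.0.113.53", "udp", 53)),
        "wlan_web_unauth": evaluate(RULES, Packet("WLAN", "WAN", "192.168.2.5", "203.0.113.5", "tcp", 80)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The "reversed_order" case is the one to notice: with the same two rules swapped, alice's SSH session is denied by rule 1 before her allow rule is ever consulted, which is why the text repeats that rule order matters.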

To-ZyWALL Rules

Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default, the firewall allows any computer from the LAN zone to access or manage the ZyWALL. By default, the ZyWALL drops most packets from the WAN or DMZ zone to the ZyWALL itself, except for VRRP traffic for Device HA and ESP/AH/IKE/NATT/HTTPS services for VPN tunnels, and generates a log.

When you configure a to-ZyWALL rule for packets destined for the ZyWALL itself, make sure it does not conflict with your service control rule.

Note: The ZyWALL checks the firewall rules before the service control rules for traffic destined for the ZyWALL.

Note: You can configure a to-ZyWALL firewall rule (with From Any To ZyWALL direction) for traffic from an interface which is not in a zone.

Firewall and VPN Traffic

After you create a VPN tunnel and apply it to a zone, you can set the firewall rules applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN zone, for example), you can configure a new LAN to LAN firewall rule, or use intra-zone traffic blocking, to allow or block traffic between the VPN tunnel and the other interfaces in the LAN zone. If you add the VPN tunnel to a new zone (a VPN zone, for example), you can configure rules for VPN traffic between the VPN zone and other zones, or From VPN To ZyWALL rules for VPN traffic destined for the ZyWALL itself.

Alerts

You can choose to generate an alert or log when a rule is matched and have the ZyWALL send an immediate e-mail message to you. Otherwise, see the logs created (for the categories you specified) in the View Log screen. Refer to the chapter on logs for details.

Asymmetrical Routes

If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or "triangle" route. Because the ZyWALL then sees only one direction of the connection (for TCP, the SYN but not the SYN-ACK), its session table never records the connection as acknowledged, so it resets the connection.

You can have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection).

Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets.

Virtual Interfaces and Asymmetrical Routes

You can use virtual interfaces instead of allowing asymmetrical routes. Virtual interfaces allow you to partition your network into logical sections over the same interface. See the chapter about interfaces for more information.

Configuring the Firewall

This screen varies depending on the firewall rule type and the way you choose to display the firewall rules.

Note: The ordering of your rules is very important as rules are applied in sequence.

Specify from which zone packets come and to which zone packets travel to display only the rules specific to the selected direction.

Firewall 

Label
Description
Global Setting
 
Enable Firewall
Select this check box to activate the firewall. The ZyWALL performs access control when the firewall is activated.
Allow Asymmetrical Route
If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or "triangle" route. Because the ZyWALL then sees only one direction of the connection (for TCP, the SYN but not the SYN-ACK), its session table never records the connection as acknowledged, so it resets the connection.
Select this check box to have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection).

Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets.

Maximum session per host
Use this field to set the highest number of sessions that the ZyWALL will permit a computer with the same IP address to have at one time.
When computers use peer to peer applications, such as file sharing applications, they may use a large number of NAT sessions. If you do not limit the number of NAT sessions a single client can establish, this can result in all of the available NAT sessions being used. In this case, no additional NAT sessions can be established, and users may not be able to access the Internet.
Each NAT session establishes a corresponding firewall session. Use this field to limit the number of NAT/firewall sessions each client computer can establish through the ZyWALL.
If your network has a small number of clients using peer to peer applications, you can raise this number to ensure that their performance is not degraded by the number of NAT sessions they can establish. If your network has a large number of users using peer to peer applications, you can lower this number to ensure no single client is using too many of the available NAT sessions.
From Zone
To Zone
This is the direction of travel of packets. Select from which zone the packets come and to which zone the packets go.
Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN.
Selecting From any together with a specific To zone displays all the firewall rules for traffic going to that zone.
Selecting To any together with a specific From zone displays all the firewall rules for traffic coming from that zone.
Selecting From any and To any displays all of the firewall rules.
To ZyWALL rules are for traffic that is destined for the ZyWALL and control which computers can manage the ZyWALL.
The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction.
#
This is the position of the rule within the list displayed for the selected direction. It is not a permanent identifier of the rule; see Priority for the rule's position in the global list.
Priority
This is the position of your firewall rule in the global rule list (including all through-ZyWALL and to-ZyWALL rules). The ordering of your rules is important as rules are applied in sequence.
Schedule
This field tells you the schedule object that the rule uses.
User
This is the user name or user group name to which this firewall rule applies.
Source
This displays the source address object to which this firewall rule applies.
Destination
This displays the destination address object to which this firewall rule applies.
Service
This displays the service object to which this firewall rule applies.
Access
This field displays whether the firewall silently discards packets (deny), discards packets and sends a TCP reset packet to the sender (reject) or permits the passage of packets (allow).
Log
This field shows you whether a log (and alert) is created when packets match this rule or not.
Add icon
Click the Add icon in the heading row to add a new first entry.
The Active icon displays whether the rule is enabled or not. Click it to activate or deactivate the rule.
Click the Edit icon to go to the screen where you can edit the rule on the ZyWALL.
Click the Add icon in an entry to add a rule below the current entry.
Click the Remove icon to delete an existing rule from the ZyWALL. A window displays asking you to confirm that you want to delete the rule. Note that subsequent firewall rules move up by one when you take this action.
In a numbered list, click the Move to N icon to display a field to type an index number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed. For example, if you type 6, the rule you are moving becomes number 6 and the previous rule 6 (if there is one) gets pushed up (or down) one.
The ordering of your rules is important as they are applied in order of their numbering.
Apply
Click Apply to save your changes back to the ZyWALL.
Reset
Click Reset to begin configuring this screen afresh.
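The following Python model is an added example, not ZyXEL code and not the ZyWALL's implementation; it serves both the Asymmetrical Routes discussion (and the Allow Asymmetrical Route check box above) and the Maximum session per host field. It keeps a simplified session table: a TCP session must be seen to open through the firewall before later packets in it are accepted, a triangle route makes the client's ACK arrive for a session whose SYN-ACK the firewall never saw (reset, unless asymmetrical routes are allowed), and a per-host session cap stops one peer-to-peer host from filling the table so that other clients still get sessions. The TCP state handling is deliberately reduced to the handshake, the table size and limits are made up, and the addresses are constructed.

```python
class SessionTable:
    """Minimal stateful session table with the two firewall settings discussed above."""

    def __init__(self, allow_asymmetrical_route=False, max_sessions_per_host=3, table_size=10):
        self.allow_asym = allow_asymmetrical_route
        self.max_per_host = max_sessions_per_host
        self.table_size = table_size
        self.sessions = {}   # (src, sport, dst, dport) in the opening direction -> state

    @staticmethod
    def _key(pkt):
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    @staticmethod
    def _reverse(key):
        src, sport, dst, dport = key
        return (dst, dport, src, sport)

    def handle(self, pkt) -> str:
        """Return the firewall's decision for one packet: allow, drop, reset or limit."""
        key, flags = self._key(pkt), pkt["flags"]
        rkey = self._reverse(key)

        if key in self.sessions:                       # packet in the opening direction
            state = self.sessions[key]
            if flags == "SYN" or state == "ESTABLISHED":
                return "allow"
            if state == "SYN_RECV":                    # handshake completed through the firewall
                self.sessions[key] = "ESTABLISHED"
                return "allow"
            # state == "SYN_SENT": the client is acknowledging a SYN-ACK the firewall
            # never saw, which is what a triangle route looks like from here.
            if self.allow_asym:
                self.sessions[key] = "ESTABLISHED"
                return "allow"
            del self.sessions[key]
            return "reset"

        if rkey in self.sessions:                      # reply direction of a known session
            if self.sessions[rkey] == "SYN_SENT" and flags == "SYN-ACK":
                self.sessions[rkey] = "SYN_RECV"
            return "allow"

        if flags != "SYN":
            return "drop"                              # unknown session: stateful default is to drop
        owned = sum(1 for (src, *_rest) in self.sessions if src == pkt["src"])
        if owned >= self.max_per_host:
            return "limit"                             # Maximum session per host reached
        if len(self.sessions) >= self.table_size:
            return "drop"                              # whole table exhausted
        self.sessions[key] = "SYN_SENT"
        return "allow"


CLIENT, SERVER = "192.168.1.10", "203.0.113.5"        # constructed addresses


def normal_handshake():
    fw = SessionTable()
    pkts = [dict(src=CLIENT, sport=40000, dst=SERVER, dport=80, flags="SYN"),
            dict(src=SERVER, sport=80, dst=CLIENT, dport=40000, flags="SYN-ACK"),
            dict(src=CLIENT, sport=40000, dst=SERVER, dport=80, flags="ACK")]
    return [fw.handle(p) for p in pkts]


def triangle_route(allow_asym):
    # The SYN-ACK returns via the alternate gateway on the LAN subnet, so the
    # firewall sees only the client's SYN and then its ACK.
    fw = SessionTable(allow_asymmetrical_route=allow_asym)
    syn = dict(src=CLIENT, sport=40000, dst=SERVER, dport=80, flags="SYN")
    ack = dict(src=CLIENT, sport=40000, dst=SERVER, dport=80, flags="ACK")
    return [fw.handle(syn), fw.handle(ack)]


def session_limit_demo(max_per_host, table_size):
    # One file-sharing host opens five sessions, then a second host tries to open one.
    fw = SessionTable(max_sessions_per_host=max_per_host, table_size=table_size)
    p2p = [fw.handle(dict(src="192.168.1.20", sport=50000 + i, dst="198.51.100.%d" % i,
                          dport=6881, flags="SYN")) for i in range(5)]
    other = fw.handle(dict(src="192.168.1.30", sport=40001, dst=SERVER, dport=443, flags="SYN"))
    return p2p, other


if __name__ == "__main__":
    print("handshake through firewall:", normal_handshake())
    print("triangle route, default:   ", triangle_route(False))
    print("triangle route, allowed:   ", triangle_route(True))
    print("per-host cap 3, table 10:  ", session_limit_demo(3, 10))
    print("no real cap, table 4:      ", session_limit_demo(100, 4))
```

The last two calls show the trade-off the field description makes: with the cap in place the file-sharing host loses its fourth and fifth sessions but the second client still connects, whereas with an effectively unlimited cap the one host fills the table and the second client is dropped.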

Edit a Firewall Rule

In the Firewall screen, click the Edit or Add icon to display the Firewall Rule Edit screen. Refer to the following table for information on the labels.

Firewall > Edit 

Label
Description
Enable
Select this check box to activate the firewall rule.
From
To
For through-ZyWALL rules, select the direction of travel of packets to which the rule applies.
any means all interfaces or VPN tunnels.
ZyWALL means packets destined for the ZyWALL itself.
Description
Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed.
Schedule
Select a schedule that defines when the rule applies or select Create Object to configure a new one (see Schedules for details). Otherwise, select none and the rule is always effective.
User
This field is not available when you are configuring a to-ZyWALL rule.
Select a user name or user group to which to apply the rule. Select Create Object to configure a new user account (see User Add/Edit for details). The firewall rule is activated only when the specified user logs into the ZyWALL and is disabled again when the user logs out.
Otherwise, select any; the rule then applies without requiring any user to log in.

Note: If you specified a source IP address (group) instead of any in the field below, the user's IP address should be within the IP address range.

Source
Select a source address or address group to which this rule applies. Select Create Object to configure a new one. Select any if the policy is effective for every source.
Destination
Select a destination address or address group to which this rule applies. Select Create Object to configure a new one. Select any if the policy is effective for every destination.
Service
Select a service or service group from the drop-down list box. Select Create Object to add a new service. See Services for more information.
Access
Use the drop-down list box to select what the firewall is to do with packets that match this rule.
Select deny to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
Select reject to deny the packets and send a TCP reset packet to the sender. Any UDP packets are dropped without sending a response packet.
Select allow to permit the passage of the packets.
Log
Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or not (no) when the rule is matched.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.