Firewall
See the Firewall section for related information on these screens.
The ZyWALL's firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it belongs to a session that a computer in another zone initiated first.
A zone is a group of interfaces or VPN tunnels. Group the ZyWALL's interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones or even between interfaces and/or VPN tunnels in a zone.
Your customized rules take precedence and override the ZyWALL's default settings. The ZyWALL checks the schedule, user name (user's login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.
For example, if you want to allow a specific user from any computer to access one zone by logging in to the ZyWALL, you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the ZyWALL and will be disabled after the user logs out of the ZyWALL.
Firewall Rules
Firewall rules are grouped based on the direction of travel of packets to which they apply.
Note: The LAN, WAN, and DMZ zones are default zones. There is also a WLAN zone (although it is not included on all models). Refer to the chapter about zones for more information.
Note: If you create a new zone, there is no default firewall rule for it and any packets sent to or from the new zone are allowed.
Rule Directions
The following table shows you the default firewall rules that inspect packets going through the ZyWALL.
Note: The ZyWALL checks the firewall rules before the application patrol rules for traffic going through the ZyWALL.
If you want to use a service, make sure both the firewall and application patrol allow the service's packets to go through the ZyWALL.
You can use the firewall to block a service with a static port number. To block a service using a flexible/dynamic port number by inspecting the service's packets, you need to use application patrol. See the chapter about application patrol for more information.
The following table explains the default firewall rules for traffic going through the ZyWALL. See To-ZyWALL Rules for details on the firewall rules for traffic going to the ZyWALL itself. Not all ZyWALL models include the WLAN zone by default.
Default Firewall Rules
From Zone to Zone: stateful packet inspection
From LAN to LAN: Traffic between interfaces in the LAN is allowed.
From LAN to WAN: Traffic from the LAN to the WAN is allowed.
From LAN to DMZ: Traffic from the LAN to the DMZ is allowed.
From LAN to WLAN: Traffic from the LAN to the WLAN is allowed.
From WAN to LAN: Traffic from the WAN to the LAN is dropped.
From WAN to WAN: Traffic between interfaces in the WAN is dropped.
From WAN to DMZ: Traffic from the WAN to the DMZ is allowed.
From WAN to ZyWALL: Traffic from the WAN to the ZyWALL itself is dropped except for the traffic types described in To-ZyWALL Rules.
From WAN to WLAN: Traffic from the WAN to the WLAN is allowed.
From DMZ to LAN: Traffic from the DMZ to the LAN is dropped.
From DMZ to WAN: Traffic from the DMZ to the WAN is dropped.
From DMZ to DMZ: Traffic between interfaces in the DMZ is dropped.
From WLAN to LAN: Traffic from the WLAN to the LAN is rejected unless it is from an authenticated wireless LAN user.
From WLAN to DMZ: Traffic from the WLAN to the DMZ is rejected unless it is from an authenticated wireless LAN user.
From WLAN to WAN: Traffic from the WLAN to the WAN is rejected unless it is DNS UDP traffic or from an authenticated wireless LAN user or a guest.
Note: If you enable intra-zone traffic blocking (see the chapter about zones), the firewall automatically creates (implicit) rules to deny packet passage between the interfaces in the specified zone.
Note: You also need to configure virtual servers (NAT port forwarding) to allow computers on the WAN to access devices on the LAN.
Global Firewall Rules
If an interface or VPN tunnel is not included in a zone, only the global firewall rules (with from any to any direction) apply to traffic going to and from that interface.
To-ZyWALL Rules
Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default, the firewall allows any computer from the LAN zone to access or manage the ZyWALL. By default, the ZyWALL drops most packets from the WAN or DMZ zone to the ZyWALL itself, except for VRRP traffic for Device HA and ESP/AH/IKE/NATT/HTTPS services for VPN tunnels, and generates a log.
When you configure a to-ZyWALL rule for packets destined for the ZyWALL itself, make sure it does not conflict with your service control rule.
Note: The ZyWALL checks the firewall rules before the service control rules for traffic destined for the ZyWALL.
Note: You can configure a to-ZyWALL firewall rule (with From Any To ZyWALL direction) for traffic from an interface which is not in a zone.
Firewall and VPN Traffic
After you create a VPN tunnel and apply it to a zone, you can set the firewall rules applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN zone for example), you can configure a new LAN to LAN firewall rule or use intra-zone traffic blocking to allow or block VPN traffic passing between the VPN tunnel and other interfaces in the LAN zone. If you add the VPN tunnel to a new zone (the VPN zone for example), you can configure rules for VPN traffic between the VPN zone and other zones, or From VPN To-ZyWALL rules for VPN traffic destined for the ZyWALL.
Alerts
You can choose to generate an alert or log when a rule is matched and have the ZyWALL send an immediate e-mail message to you. Otherwise, see the logs created (for the categories you specified) in the View Log screen. Refer to the chapter on logs for details.
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or "triangle" route. Because the ZyWALL never sees the connection being acknowledged, it resets the connection.
You can have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection).
Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets.
Virtual Interfaces and Asymmetrical Routes
You can use virtual interfaces instead of allowing asymmetrical routes. Virtual interfaces allow you to partition your network into logical sections over the same interface. See the chapter about interfaces for more information.
Configuring the Firewall
This screen varies depending on the firewall rule type and the way you choose to display the firewall rules.
Note: The ordering of your rules is very important as rules are applied in sequence.
Specify from which zone packets come and to which zone packets travel to display only the rules specific to the selected direction.
Edit a Firewall Rule
In the Firewall screen, click the Edit or Add icon to display the Firewall Rule Edit screen. Refer to the following table for information on the labels.
Firewall > Edit
Label: Description
Enable: Select this check box to activate the firewall rule.
From / To: For through-ZyWALL rules, select the direction of travel of packets to which the rule applies. any means all interfaces or VPN tunnels. ZyWALL means packets destined for the ZyWALL itself.
Description: Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed.
Schedule: Select a schedule that defines when the rule applies or select Create Object to configure a new one (see Schedules for details). Otherwise, select none and the rule is always effective.
User: This field is not available when you are configuring a to-ZyWALL rule. Select a user name or user group to which to apply the rule. Select Create Object to configure a new user account (see User Add/Edit for details). The firewall rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out. Otherwise, select any and no user login is required. Note: If you specified a source IP address (group) instead of any in the field below, the user's IP address should be within the IP address range.
Source: Select a source address or address group to which this rule applies. Select Create Object to configure a new one. Select any if the policy is effective for every source.
Destination: Select a destination address or address group to which this rule applies. Select Create Object to configure a new one. Select any if the policy is effective for every destination.
Service: Select a service or service group from the drop-down list box. Select Create Object to add a new service. See Services for more information.
Access: Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select deny to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender. Select reject to deny the packets and send a TCP reset packet to the sender; any UDP packets are dropped without sending a response packet. Select allow to permit the passage of the packets.
Log: Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or not (no) when the rule is matched.
OK: Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
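The rule-matching behaviour described under Firewall Rules (rules checked in list order against schedule, user, source, destination and service, first match wins, otherwise the default zone-to-zone action from the Default Firewall Rules table applies) and the deny/reject/allow semantics of the Access field above, modelled as an added example. This is not ZyXEL's code; the Rule and Packet classes, the evaluate and response_for functions, the "proto/port" service notation, the AUTHENTICATED marker standing in for "any logged-in user", and the choice to treat a guest login like any other login are all this example's own assumptions. It also shows the consequence of the note that a newly created zone has no default rule: traffic for an unknown zone pair falls through to allow.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "any"
AUTHENTICATED = "authenticated"  # modeling marker (assumption): matches any logged-in user

@dataclass
class Rule:
    from_zone: str                    # source zone, or "any"
    to_zone: str                      # destination zone, "any", or "ZyWALL" for to-ZyWALL rules
    action: str                       # Access field: "allow", "deny" or "reject"
    user: str = ANY                   # login name the rule is bound to, or "any"
    source: str = ANY                 # CIDR the source IP must fall in, or "any"
    destination: str = ANY            # CIDR the destination IP must fall in, or "any"
    service: str = ANY                # "<proto>/<port>" such as "tcp/22", or "any"
    schedule: Optional[tuple] = None  # (start, end) times of day when the rule is active
    log: str = "no"                   # "no", "log" or "log alert"
    enabled: bool = True
    description: str = ""

@dataclass
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str                      # "<proto>/<port>", e.g. "tcp/80"
    user: Optional[str] = None        # login name if the sending host's user is logged in

# Default actions from the "Default Firewall Rules" table and the To-ZyWALL Rules text.
DEFAULT_ZONE_ACTION = {
    ("LAN", "LAN"): "allow", ("LAN", "WAN"): "allow", ("LAN", "DMZ"): "allow",
    ("LAN", "WLAN"): "allow", ("LAN", "ZyWALL"): "allow",
    ("WAN", "LAN"): "deny", ("WAN", "WAN"): "deny", ("WAN", "DMZ"): "allow",
    ("WAN", "WLAN"): "allow", ("WAN", "ZyWALL"): "deny",
    ("DMZ", "LAN"): "deny", ("DMZ", "WAN"): "deny", ("DMZ", "DMZ"): "deny",
}
# The WLAN rows depend on whether the sender has logged in (a guest login is treated
# the same here), so they are written as ordered default rules checked after the custom ones.
DEFAULT_WLAN_RULES = [
    Rule("WLAN", "LAN", "allow", user=AUTHENTICATED), Rule("WLAN", "LAN", "reject"),
    Rule("WLAN", "DMZ", "allow", user=AUTHENTICATED), Rule("WLAN", "DMZ", "reject"),
    Rule("WLAN", "WAN", "allow", service="udp/53"),  # DNS over UDP is allowed for everyone
    Rule("WLAN", "WAN", "allow", user=AUTHENTICATED), Rule("WLAN", "WAN", "reject"),
]

def matches(rule, pkt, now):
    """True when every field of the rule accepts the packet at time-of-day `now`."""
    if not rule.enabled:
        return False
    if rule.from_zone not in (ANY, pkt.from_zone) or rule.to_zone not in (ANY, pkt.to_zone):
        return False
    if rule.schedule and not (rule.schedule[0] <= now <= rule.schedule[1]):
        return False
    if rule.user == AUTHENTICATED:
        if pkt.user is None:
            return False
    elif rule.user not in (ANY, pkt.user):
        return False
    if rule.source != ANY and ip_address(pkt.src) not in ip_network(rule.source):
        return False
    if rule.destination != ANY and ip_address(pkt.dst) not in ip_network(rule.destination):
        return False
    return rule.service in (ANY, pkt.service)

def evaluate(pkt, rules, now):
    """First match wins: custom rules in list order, then the WLAN defaults, then the
    zone-pair default. A pair with no default (for example a newly created zone) is
    allowed, which is exactly the behaviour the guide's note warns about."""
    for rule in list(rules) + DEFAULT_WLAN_RULES:
        if matches(rule, pkt, now):
            return rule.action, rule.log, rule.description or "default WLAN rule"
    return DEFAULT_ZONE_ACTION.get((pkt.from_zone, pkt.to_zone), "allow"), "no", "zone default"

def response_for(pkt, action):
    """What the sender observes per Access value: allow forwards, deny drops silently,
    reject answers TCP with a RST and drops anything else silently."""
    if action == "allow":
        return "forward"
    if action == "reject" and pkt.service.startswith("tcp/"):
        return "tcp-rst"
    return "drop"

if __name__ == "__main__":
    # Constructed rule set (assumption): "alice" may reach the LAN from any zone during
    # office hours; nobody else gets in from the WAN.
    rules = [Rule(ANY, "LAN", "allow", user="alice", schedule=(time(9), time(17)),
                  log="log", description="alice remote access")]
    pkt = Packet("WAN", "LAN", "203.0.113.7", "192.168.1.10", "tcp/443", user="alice")
    for now in (time(10), time(20)):
        action, log, why = evaluate(pkt, rules, now)
        print(f"{now}: {action} via {why}; sender sees {response_for(pkt, action)}")
```

Running the block shows the user-aware rule letting alice in at 10:00 and the WAN-to-LAN default dropping the same packet at 20:00 once the schedule no longer matches. Two points worth checking against your own rule list with this model: a deny placed after a broader allow never fires, because evaluation stops at the first match, and any zone you add without writing rules for it is wide open until you do.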