Passing Only Necessary Packets Through A Dynamic Filter (Policy Filter) - Yamaha fwx120 Operation Manual

Enhancing security
Passing only necessary packets through a dynamic filter (policy filter)

A combination of conditions and actions expressed in a manner similar to the way humans think is called a policy. An example of a policy is "discard TELNET traffic that goes from LAN2 to LAN1". A policy filter enables you to easily achieve stateful inspection filtering.
• Specify a receiving or transmission interface, a source or destination IP address, and a service to allow traffic to pass through or to be discarded on a connection basis, not a packet basis.
• The filter is applied as necessary while the communication status is being monitored, so you can set a filter that takes the state of a session into account. For example, "All data from the Internet to the LAN is normally discarded, and return packets can pass through only when an FTP connection has been initiated from the LAN".
• Up to three sets of policy lists (policy sets) can be created. You can, for example, create one policy set for normal operation and another for emergency situations that allows only the minimum required connections. These policy sets are useful when you need to change policies quickly to suit your situation.
Tip
• You can also create a group of interfaces, addresses, or services to which you want to apply the same policy (page 85). For example, you can create a "WAN" group and add the LAN2, PP1, and TUNNEL1 interfaces to it. Specifying this "WAN" group as the interface when creating a policy filter saves you from creating a separate policy filter for each of the LAN2, PP1, and TUNNEL1 interfaces.
• Basically, a service refers to an application, such as TELNET, SMTP, POP, FTP, or WWW. In addition, you can specify a protocol and port to define your own service (user definition service), which can then be used in the policy filters you create (page 87).
• Another access management example: apply a policy filter to a group of IP addresses for registered terminals (page 91). You can then allow only some of the registered terminals to access specific networks (such as an internal network with a higher security level).
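As an added illustration (not Yamaha's code and not the FWX120's configuration syntax), the following Python models the behaviour described above: decisions per connection rather than per packet, return packets admitted only for sessions the LAN initiated, the "WAN" interface group from the Tip, and switching between a normal and a minimum (emergency) policy set. The interface, service and address values are constructed for the example.

```python
from collections import namedtuple
# Interface group from the manual's Tip: "WAN" = LAN2, PP1 and TUNNEL1.
GROUPS = {"WAN": {"LAN2", "PP1", "TUNNEL1"}}
# Services as (protocol, destination port); "any" matches every packet.
SERVICES = {"telnet": ("tcp", 23), "ftp": ("tcp", 21), "any": None}

Packet = namedtuple("Packet", "in_if out_if src dst proto sport dport")
Policy = namedtuple("Policy", "in_if out_if service action")  # action: pass / discard
def _iface_match(wanted, actual):
    return wanted == "*" or actual == wanted or actual in GROUPS.get(wanted, ())
def policy_matches(pol, pkt):
    svc = SERVICES[pol.service]
    return (_iface_match(pol.in_if, pkt.in_if) and _iface_match(pol.out_if, pkt.out_if)
            and (svc is None or (pkt.proto, pkt.dport) == svc))

class PolicyFilter:
    def __init__(self, policies):
        self.policies = policies
        self.sessions = set()  # 5-tuples of connections a "pass" policy admitted

    def handle(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "pass"  # stateful: traffic of an already admitted connection
        for pol in self.policies:  # first matching policy decides a new connection
            if policy_matches(pol, pkt):
                if pol.action == "pass":
                    self.sessions.add(fwd)
                return pol.action
        return "discard"  # no policy matched: drop

# Two switchable policy sets, as the manual describes (normal vs. emergency).
POLICY_SETS = {
    "normal": [Policy("WAN", "LAN1", "telnet", "discard"),  # TELNET from LAN2 to LAN1
               Policy("LAN1", "WAN", "any", "pass"),        # LAN may open any connection
               Policy("WAN", "LAN1", "any", "discard")],    # other Internet -> LAN traffic
    "emergency": [Policy("LAN1", "WAN", "ftp", "pass")],    # minimum: outbound FTP only
}

def run_scenario(policy_set):
    """Verdicts for constructed sample traffic: FTP out, its reply, TELNET in, TELNET out."""
    f = PolicyFilter(POLICY_SETS[policy_set])
    lan, inet = "192.168.100.10", "203.0.113.5"  # constructed addresses
    pkts = [Packet("LAN1", "LAN2", lan, inet, "tcp", 40000, 21),
            Packet("LAN2", "LAN1", inet, lan, "tcp", 21, 40000),
            Packet("LAN2", "LAN1", inet, lan, "tcp", 50000, 23),
            Packet("LAN1", "LAN2", lan, inet, "tcp", 40001, 23)]
    return [f.handle(p) for p in pkts]
```

Under the normal set the FTP reply passes only because the LAN opened the session, while under the emergency set the same reply still passes but the outbound TELNET attempt is discarded.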
80  FWX120 Operation Manual
Figure: policy sets on the FWX120. The diagram shows the labels "Preliminary policy set", "Minimum policy set", "Policy set for emergency", and "Policy set for normal operation", each containing policies of the form "Condition: TELNET communication from LAN2 to LAN1 / Action: discard". The router sits between the Internet (Provider, UP LINK) and LAN ports 1 to 4.
