Chapter 25 Security Policy
UAG Series User’s Guide
291
service control (remote management). The UAG checks the security policies before the service
control rules for traffic destined for the UAG.
A
From Any To Device
direction rule applies to traffic from an interface which is not in a zone.
Global Security Policies
Security policies with
from any
and/or
to any
as the packet direction are called global security
policies. The global security policies are the only security policies that apply to an interface that is
not included in a zone. The
from any
rules apply to traffic coming from the interface and the
to
any
rules apply to traffic going to the interface.
Security Policy Rule Criteria
The UAG checks the schedule, user name (user’s login name on the UAG), source IP address,
destination IP address and IP protocol type of network traffic against the policy control rules (in the
order you list them). When the traffic matches a rule, the UAG takes the action specified in the rule.
User Specific Security Policies
You can specify users or user groups in security policies. For example, to allow a specific user from
any computer to access a zone by logging in to the UAG, you can set up a policy based on the user
name only. If you also apply a schedule to the security policy, the user can only access the network
at the scheduled time. A user-aware security policy is activated whenever the user logs in to the
UAG and will be disabled after the user logs out of the UAG.
Session Limits
Accessing the UAG or network resources through the UAG requires a NAT session and
corresponding security policy session. Peer to peer applications, such as file sharing applications,
may use a large number of NAT sessions. A single client could use all of the available NAT sessions
and prevent others from connecting to or through the UAG. The UAG lets you limit the number of
concurrent NAT/security policy sessions a client can use.
Finding Out More
for an example of creating security policies as part of configuring
user-aware access control.
25.2 Security Policy Control Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the UAG’s LAN IP
address, return traffic may not go through the UAG. This is called an asymmetrical or “triangle”
route. This causes the UAG to reset the connection, as the connection has not been acknowledged.
You can have the UAG permit the use of asymmetrical route topology on the network (not reset the
connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the
LAN without passing through the UAG. A better solution is to use virtual interfaces to put the UAG