1 Planning and Overview
EFW and Your Network
Addressing Constraints
EFW supports the deployment of embedded firewalls on computers that either are
configured for DHCP or have an address that is mapped by network address translation
(NAT) from the viewpoint of the Policy Server.
All Policy Servers in a domain must be able to use the same IP address to contact a
particular NIC. Therefore, the embedded firewall cannot support a scenario in which
a NAT machine separates a primary or backup Policy Server from a NIC but does not
separate some other primary or backup Policy Server from the same NIC.
If you are manually registering NICs, use the DNS name to register a NIC whose IP address
may change due to DHCP or NAT machine reconfiguration. Also, use the MAC address
or IP address to register two NICs on the same machine that have the same associated
DNS name.
The No Spoofing policy setting does not support a DHCP address change without a
reboot. If the DHCP address changes while No Spoofing is in effect, the secured computer
cannot send traffic to the network until it reboots: the NIC blocks the request for a new
IP address, and the computer has already relinquished its old address.
Your Policy Server address may also be mapped using NAT. All NICs in a domain must
be able to use the same IP address to contact any given Policy Server in their domain.
Therefore, the embedded firewall cannot support a scenario where all of the following
are true:
■ A NAT machine separates some of the NICs from a primary or backup Policy Server.
■ This NAT machine maps the Policy Server address to a different IP address.
■ Other NICs using this server as a primary or backup have no NAT machine separating
them from this Policy Server.
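The two addressing rules above (every Policy Server must reach a given NIC at one address, and every NIC must reach a given Policy Server at one address) can be checked before deployment from an inventory of who sees which address. The following is an added example, not part of this manual or of the EFW product; the path records, host names and addresses are constructed, and the NAT placements are hypothetical. It flags exactly the two unsupported scenarios described in this section.

```python
from collections import defaultdict

# Each record: (policy_server, nic,
#               address the server uses to reach the NIC,
#               address the NIC uses to reach the server)
# Constructed sample domain: a primary and a backup Policy Server and three
# secured computers. A NAT machine sits between ps-backup and host-c only,
# and it also translates the Policy Server's address on that path.
SAMPLE_PATHS = [
    ("ps-primary", "host-a", "10.1.0.11", "10.1.0.5"),
    ("ps-backup",  "host-a", "10.1.0.11", "10.1.0.6"),
    ("ps-primary", "host-b", "10.1.0.12", "10.1.0.5"),
    ("ps-backup",  "host-b", "10.1.0.12", "10.1.0.6"),
    ("ps-primary", "host-c", "10.1.0.13", "10.1.0.5"),
    # NAT between ps-backup and host-c: the server reaches the NIC via the NAT
    # box's outside address, and the NIC sees the server at a translated address.
    ("ps-backup",  "host-c", "192.0.2.40", "10.2.0.6"),
]

# Constructed supported variant: host-c sits behind a NAT machine, but the NAT
# separates it from BOTH Policy Servers the same way and leaves the Policy
# Server addresses untranslated, so both rules still hold.
SAMPLE_PATHS_OK = [
    ("ps-primary", "host-a", "10.1.0.11", "10.1.0.5"),
    ("ps-backup",  "host-a", "10.1.0.11", "10.1.0.6"),
    ("ps-primary", "host-c", "192.0.2.40", "10.1.0.5"),
    ("ps-backup",  "host-c", "192.0.2.40", "10.1.0.6"),
]


def find_violations(paths):
    """Return a list of (kind, name, views) for every rule violation.

    kind == "nic":    different Policy Servers reach this NIC at different
                      addresses (a NAT machine separates it from only some servers).
    kind == "server": different NICs reach this Policy Server at different
                      addresses (a NAT machine translates the server address for
                      only some NICs).
    """
    server_view = defaultdict(dict)  # nic -> {server: address server uses}
    nic_view = defaultdict(dict)     # server -> {nic: address nic uses}
    for server, nic, addr_to_nic, addr_to_server in paths:
        server_view[nic][server] = addr_to_nic
        nic_view[server][nic] = addr_to_server

    problems = []
    # Rule 1: all Policy Servers must use the same IP address for a given NIC.
    for nic, views in sorted(server_view.items()):
        if len(set(views.values())) > 1:
            problems.append(("nic", nic, dict(views)))
    # Rule 2: all NICs must use the same IP address for a given Policy Server.
    for server, views in sorted(nic_view.items()):
        if len(set(views.values())) > 1:
            problems.append(("server", server, dict(views)))
    return problems


def report(paths):
    """Human-readable summary for an inventory; returns the number of problems."""
    problems = find_violations(paths)
    if not problems:
        print("addressing constraints satisfied")
    for kind, name, views in problems:
        who = "Policy Servers" if kind == "nic" else "NICs"
        print(f"{kind} {name}: {who} see it at different addresses: {views}")
    return len(problems)


if __name__ == "__main__":
    report(SAMPLE_PATHS)
    report(SAMPLE_PATHS_OK)
```

The inventory is the part you have to gather yourself: for each secured computer, record the address each Policy Server would use to reach it and the address it would use for each server, taking NAT mappings into account. Any line the check flags corresponds to one of the unsupported scenarios above and needs either the NAT placement or the mapping changed before the domain is deployed.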
Routing Constraints
EFW NICs initially screen incoming traffic for commands from the Policy Server by examining
the source IP address. Therefore, traffic from a Policy Server to NICs in the domain must be
routed through the Ethernet card on the Policy Server, which has the address that its NICs
are expecting. This address is selected (implicitly or explicitly) when you select the name for
this server on first start-up. The IP address an EFW NIC is expecting can be found in the
embdfw.ini file on its host computer.
Turning off Policy Enforcement
If you detect serious network connectivity problems, you can temporarily turn off EFW policy
enforcement using the Management Console to quickly determine whether EFW policy
enforcement is a factor in the connectivity problem. To turn off EFW policy enforcement,
in the Tools menu select System State -> Turn Off Policy Enforcement. The background of
the Management Console tree-view frame turns green when policy enforcement is turned
off to prevent an administrator from accidentally leaving the system in this state. When
policy enforcement is turned off, filtering ceases for all NICs in that domain. To regain policy
enforcement, from the Tools menu select System State -> Normal.
CAUTION:
For connectivity issues related to a limited number of secured
computers, you may want to move the affected NICs to a new device set with a
policy that allows all traffic. This move has less impact on security than turning off
policy enforcement for the entire system.