DefensePro User Guide
Security Configuration
202
Document ID: RDWR-DP-V0602_UG1201
Managing the ACL Policy
The Access Control List (ACL) module is a stateful firewall that enables you to configure a flexible
and focused stateful access-control policy. You can modify and view the active ACL policy. You can
also view ACL report summaries and the ACL log analysis.
ACL in DefensePro does not work on the physical management ports (MNG 1 and MNG 2).
When enabled and activated, the relevant ACL configuration takes precedence over the Session Table Aging parameter. For more information, see Configuring Session Table Settings, page 88.
To operate correctly, ACL needs to determine the direction of session packets. ACL determines packet direction as follows:
• TCP direction—According to the first SYN packet that creates a session.
• UDP direction—According to the first packet in the flow.
• ICMP direction—According to the ICMP message type (that is, reply or request type).
• Non-TCP, Non-UDP and Non-ICMP session direction—According to the first L3 (IP) packet in the flow.
• Non-IP direction—According to the first packet in the flow.
When ACL is enabled and activated, the device learns about the existing sessions for a specified amount of time (by default, 10 minutes). During this learning period, the device accepts all sessions regardless of any unknown direction. However, in certain cases, ACL treats the session according to the configured policies.
ACL treats the session according to the configured policies in the following cases:
• A new TCP session starts with a SYN packet.
• A new ICMP session starts with a request packet.
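The direction rules above and the learning-period behaviour are easier to reason about as a small stateful model. The following is an added illustration written for this page, not Radware's DefensePro code: it classifies the first packet of a flow per protocol as the guide describes, accepts sessions of unknown direction while the learning window is open, and still applies policy to a fresh TCP SYN or ICMP request during that window. The `outbound_only` policy, the decision to drop a session-less packet whose direction cannot be determined after learning ends, and all addresses are constructed assumptions.

```python
"""Model of stateful ACL direction detection plus a learning period.
Added illustration; not Radware code. Protocol rules follow the guide;
the policy callback, the post-learning drop of undeterminable-direction
packets, and every address below are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, Optional

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                                # "tcp", "udp", "icmp", "other-ip", "non-ip"
    tcp_flags: FrozenSet[str] = frozenset()   # e.g. frozenset({"SYN"})
    icmp_type: Optional[int] = None


def session_key(pkt: Packet):
    """Direction-agnostic key so both halves of a flow map to one entry."""
    return (pkt.proto, frozenset({pkt.src, pkt.dst}))


def classify_direction(pkt: Packet):
    """Return (initiator, starts_new_session) for a packet with no session.

    initiator is None when this packet cannot tell us the direction.
    starts_new_session is True only for the two cases the guide names
    (a TCP SYN and an ICMP request); policy applies to those even while learning."""
    if pkt.proto == "tcp":
        # TCP direction comes from the first SYN; a SYN/ACK is the reply side.
        if "SYN" in pkt.tcp_flags and "ACK" not in pkt.tcp_flags:
            return pkt.src, True
        return None, False                    # mid-stream packet: direction unknown
    if pkt.proto == "icmp":
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            return pkt.src, True
        if pkt.icmp_type == ICMP_ECHO_REPLY:
            return pkt.dst, False             # a reply means the other side initiated
        return None, False
    # UDP, other IP protocols and non-IP: the first packet seen defines direction.
    return pkt.src, False


Policy = Callable[[str, str, str], str]       # (initiator, responder, proto) -> verdict


@dataclass
class StatefulAcl:
    policy: Policy
    learning_seconds: int = 600               # guide default: 10 minutes
    activated_at: Optional[float] = None
    sessions: dict = field(default_factory=dict)   # session_key -> initiator or None

    def activate(self, now: float) -> None:
        self.activated_at = now

    def in_learning(self, now: float) -> bool:
        return self.activated_at is not None and now - self.activated_at < self.learning_seconds

    def process(self, pkt: Packet, now: float) -> str:
        key = session_key(pkt)
        if key in self.sessions:
            return "accept"                   # packets of an admitted session pass
        initiator, starts_new = classify_direction(pkt)
        if self.in_learning(now) and not starts_new:
            # Learning period: pre-existing sessions are accepted even when
            # their direction could not be determined.
            self.sessions[key] = initiator
            return "accept"
        if initiator is None:
            return "drop"                     # assumption: no session, no SYN -> not admitted
        responder = pkt.dst if initiator == pkt.src else pkt.src
        verdict = self.policy(initiator, responder, pkt.proto)
        if verdict == "accept":
            self.sessions[key] = initiator
        return verdict


INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed "inside" address space


def outbound_only(initiator: str, responder: str, proto: str) -> str:
    """Constructed policy: only sessions initiated from inside are allowed."""
    try:
        return "accept" if ipaddress.ip_address(initiator) in INTERNAL else "drop"
    except ValueError:
        return "drop"                         # non-IP initiator has no IP policy here


def demo() -> dict:
    """Run constructed packets through one ACL instance; returns each verdict."""
    acl = StatefulAcl(policy=outbound_only)
    acl.activate(now=0)
    syn = lambda s, d: Packet(s, d, "tcp", frozenset({"SYN"}))
    ack = lambda s, d: Packet(s, d, "tcp", frozenset({"ACK"}))
    return {
        # learning window, but a fresh inbound SYN is judged by policy
        "learning_inbound_syn": acl.process(syn("192.0.2.5", "10.0.0.1"), now=1),
        # learning window, mid-stream packet of a pre-existing session: accepted
        "learning_midstream": acl.process(ack("203.0.113.7", "10.0.0.2"), now=1),
        # learning window, inbound ICMP request is judged by policy
        "learning_inbound_ping": acl.process(
            Packet("198.51.100.3", "10.0.0.6", "icmp", icmp_type=ICMP_ECHO_REQUEST), now=5),
        # after learning: the learned session still passes in the other direction
        "learned_session_later": acl.process(ack("10.0.0.2", "203.0.113.7"), now=700),
        # after learning: mid-stream packet with no session is dropped
        "new_midstream_later": acl.process(ack("203.0.113.9", "10.0.0.3"), now=700),
        # after learning: UDP direction is the first packet; outbound, so accepted
        "outbound_udp_later": acl.process(Packet("10.0.0.4", "198.51.100.1", "udp"), now=700),
        # after learning: an echo reply seen first implies an inside initiator
        "inbound_echo_reply_later": acl.process(
            Packet("198.51.100.2", "10.0.0.5", "icmp", icmp_type=ICMP_ECHO_REPLY), now=700),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The two learning-window exceptions are the interesting cases: an inbound SYN or echo request is dropped by the constructed policy even at `now=1`, while a session-less ACK at the same moment is admitted and remembered so its return traffic passes after the window closes.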
Configuring the ACL feature involves the following steps:
1. Configuring Global ACL Policy Settings, page 202
2. Configuring ACL Policy Rules, page 205
Note:
Enabling an ACL policy requires a device reboot.
Configuring Global ACL Policy Settings
Before you configure an ACL policy, ensure that the ACL feature is enabled.
Caution:
In a high-availability (HA) setup, when you enable ACL on the primary device, you
must reboot the device immediately. If you do not reboot, the secondary device may
synchronize its configuration and reboot automatically, causing traffic sent to the
secondary device to be blocked in the event of a switchover.
Note:
Enabling ACL requires a device reboot.