Chapter 25 Firewall
UAG5100 User’s Guide
247
Firewall Rule Criteria
The UAG checks the schedule, user name (user’s login name on the UAG), source IP address,
destination IP address and IP protocol type of network traffic against the firewall rules (in the order
you list them). When the traffic matches a rule, the UAG takes the action specified in the rule.
User Specific Firewall Rules
You can specify users or user groups in firewall rules. For example, to allow a specific user from any
computer to access a zone by logging in to the UAG, you can set up a rule based on the user name
only. If you also apply a schedule to the firewall rule, the user can only access the network at the
scheduled time. A user-aware firewall rule is activated whenever the user logs in to the UAG and
will be disabled after the user logs out of the UAG.
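The two sections above describe ordered first-match evaluation against schedule, user name, source address, destination address and protocol, with user-aware rules only effective while the user is logged in. The following Python model is an added illustration written for this page, not ZyXEL's firmware or any UAG API; the rule fields, the login table (source IP to user name), the `at()` helper and the sample policy are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Schedule:
    """Constructed daily time window: start inclusive, end exclusive."""
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        return self.start <= now.time() < self.end


@dataclass
class Rule:
    """One firewall rule; a criterion left as None matches anything (hypothetical model)."""
    action: str                          # "allow" or "deny"
    user: Optional[str] = None           # login name on the gateway
    src: Optional[str] = None            # source network in CIDR notation
    dst: Optional[str] = None            # destination network in CIDR notation
    protocol: Optional[str] = None       # "tcp", "udp", "icmp", ...
    schedule: Optional[Schedule] = None  # rule applies only inside this window


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str


def resolve_user(logins: Dict[str, str], src_ip: str) -> Optional[str]:
    """A user-aware rule only matches while the user is logged in from that IP;
    removing the entry (logout) makes the rule inert for that source."""
    return logins.get(src_ip)


def rule_matches(rule: Rule, pkt: Packet, user: Optional[str], now: datetime) -> bool:
    if rule.schedule is not None and not rule.schedule.active(now):
        return False
    if rule.user is not None and rule.user != user:
        return False
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, logins: Dict[str, str],
             now: datetime, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match evaluation in list order. Returns (action, index of the rule
    that matched); a packet matching no rule gets the default and index None."""
    user = resolve_user(logins, pkt.src)
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt, user, now):
            return rule.action, idx
    return default, None


def at(hour: int) -> datetime:
    """Constructed timestamp on an arbitrary weekday, for readable examples."""
    return datetime(2024, 1, 8, hour, 0)


# Constructed sample policy: alice may reach the server subnet during office
# hours; everything else from the LAN to that subnet is blocked.
OFFICE_HOURS = Schedule(time(9, 0), time(17, 0))
RULES = [
    Rule("allow", user="alice", dst="192.168.2.0/24", schedule=OFFICE_HOURS),
    Rule("deny", src="192.168.1.0/24", dst="192.168.2.0/24"),
]
LOGINS = {"192.168.1.10": "alice"}   # constructed login table: source IP -> user
PKT = Packet("192.168.1.10", "192.168.2.5", "tcp")

if __name__ == "__main__":
    print(evaluate(RULES, PKT, LOGINS, at(10)))   # inside schedule, logged in
    print(evaluate(RULES, PKT, LOGINS, at(18)))   # outside schedule
    print(evaluate(RULES, PKT, {}, at(10)))       # after logout
```

Rule order matters in this model exactly as the guide describes: swapping the two sample rules would make the broad deny shadow alice's allow, which is the usual cause of "the user is logged in but still blocked" tickets.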
Firewall and VPN Traffic
After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN
traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone for example), you can configure
a new LAN1 to LAN1 firewall rule to allow or block VPN traffic transmitting between the VPN tunnel
and other interfaces in the LAN zone. If you add the VPN tunnel to a new zone (the VPN zone for
example), you can configure rules for VPN traffic between the VPN zone and other zones or From
VPN To-Device rules for VPN traffic destined for the UAG.
Session Limits
Accessing the UAG or network resources through the UAG requires a NAT session and
corresponding firewall session. Peer to peer applications, such as file sharing applications, may use
a large number of NAT sessions. A single client could use all of the available NAT sessions and
prevent others from connecting to or through the UAG. The UAG lets you limit the number of
concurrent NAT/firewall sessions a client can use.
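To make the session-limit behaviour concrete, here is an added Python model of a per-client cap on concurrent sessions, written for this page and not taken from the UAG. The flow tuple, the `SessionLimiter` class and the peer-to-peer scenario in `simulate()` are constructed assumptions; the point it shows is that one greedy client is cut off at the cap while a second client can still open its session.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple

# (source IP, source port, destination IP, destination port, protocol)
Flow = Tuple[str, int, str, int, str]


class SessionLimiter:
    """Per-client cap on concurrent NAT/firewall sessions (illustrative model)."""

    def __init__(self, per_client_limit: int) -> None:
        self.limit = per_client_limit
        self.sessions: Dict[str, Set[Flow]] = defaultdict(set)

    def open(self, flow: Flow) -> bool:
        """Admit the session for the client at flow[0] unless it is at its cap.
        Returns True when the session exists afterwards (new or already tracked)."""
        client = flow[0]
        active = self.sessions[client]
        if flow in active:
            return True            # packet belongs to an existing session
        if len(active) >= self.limit:
            return False           # cap reached: the new session is refused
        active.add(flow)
        return True

    def close(self, flow: Flow) -> None:
        """Session teardown frees a slot for that client."""
        self.sessions[flow[0]].discard(flow)

    def count(self, client: str) -> int:
        return len(self.sessions[client])


def simulate(limit: int, attempts: int, greedy: str = "192.168.1.20",
             other: str = "192.168.1.30") -> Tuple[int, int, bool]:
    """Constructed scenario: a file-sharing client opens `attempts` sessions to
    one peer, then a second client opens a single HTTPS session.
    Returns (sessions admitted for greedy, sessions refused for greedy,
    whether the other client got its session)."""
    lim = SessionLimiter(limit)
    admitted = refused = 0
    for port in range(40000, 40000 + attempts):
        if lim.open((greedy, port, "203.0.113.10", 6881, "tcp")):
            admitted += 1
        else:
            refused += 1
    other_ok = lim.open((other, 50000, "198.51.100.7", 443, "tcp"))
    return admitted, refused, other_ok


if __name__ == "__main__":
    print(simulate(limit=100, attempts=150))   # greedy capped, other still served
```

Without the cap, the same scenario would let the first client consume every available session; with it, the refusals are confined to the client that exceeded its share, which is the fairness property the guide's session limit is meant to give you.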
Finding Out More
for an example of creating firewall rules as part of configuring
user-aware access control.
25.2 The Firewall Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the UAG’s LAN IP
address, return traffic may not go through the UAG. This is called an asymmetrical or “triangle”
route. Because the UAG never sees the return traffic, the connection is never acknowledged from its
point of view, so the UAG resets it.
You can have the UAG permit the use of asymmetrical route topology on the network (not reset the
connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the
LAN without passing through the UAG. A better solution is to use virtual interfaces to put the UAG
and the backup gateway on separate subnets. Virtual interfaces allow you to partition your network
into logical sections over the same interface. See the chapter about interfaces for more information.