XSR User's Guide 337
Chapter 13: Configuring Security on the XSR
Firewall Limitations
packets, NAT is performed before firewall inspection. Firewall rules are written using the actual addresses on the internal (even if they are private IP addresses) and exterior networks, independent of whether NAT is enabled on the interface.
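The inbound ordering described above (NAT first, then stateful inspection) is what makes the rule-writing advice matter. The following model is an added example, not the XSR's own code or configuration syntax: it applies a constructed static NAT mapping to an inbound packet before evaluating the rule set, so a rule written against the public address never matches while the same rule written against the real internal address does.

```python
from dataclasses import dataclass
import ipaddress

# Constructed example values; the addresses, ports and rule format are
# assumptions for illustration, not XSR configuration syntax.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    dst_net: str   # destination network the rule matches
    dport: int     # destination port the rule matches
    action: str    # "permit" or "deny"


# Static NAT: public address -> internal (private) address.
STATIC_NAT = {"203.0.113.10": "10.1.1.20"}


def inbound_nat(pkt: Packet, nat: dict) -> Packet:
    """Rewrite a mapped public destination to its internal address."""
    return Packet(pkt.src, nat.get(pkt.dst, pkt.dst), pkt.dport)


def inspect(pkt: Packet, rules: list) -> str:
    """First matching rule wins; anything unmatched is denied."""
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if dst in ipaddress.ip_network(r.dst_net) and r.dport == pkt.dport:
            return r.action
    return "deny"


def inbound_verdict(pkt: Packet, rules: list, nat: dict = STATIC_NAT) -> str:
    """Inbound order on the XSR as described above: NAT, then inspection."""
    return inspect(inbound_nat(pkt, nat), rules)


# The same intent written two ways: against the NAT'd public address
# (wrong) and against the actual internal address (right).
RULES_PUBLIC_ADDR = [Rule("203.0.113.10/32", 443, "permit")]
RULES_REAL_ADDR = [Rule("10.1.1.20/32", 443, "permit")]
INBOUND = Packet("198.51.100.7", "203.0.113.10", 443)

if __name__ == "__main__":
    print(inbound_verdict(INBOUND, RULES_PUBLIC_ADDR))  # deny
    print(inbound_verdict(INBOUND, RULES_REAL_ADDR))    # permit
```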
Firewall/VPN - VPN tunnels are implemented as virtual interfaces that sit on physical interfaces. Stateful inspection is applied before encryption and encapsulation for outgoing packets, and after de-encapsulation and decryption for incoming packets.
Firewall and Un-numbered Interface - The firewall does not interoperate with interface IP addresses; it is concerned only with the IP addresses in packets that traverse an interface. So, if the firewall is enabled on an un-numbered interface, it behaves the same as on a numbered one.
Firewall/VRRP - The firewall does not interoperate with the Virtual Router Redundancy Protocol (VRRP). That is, if a switch-over occurs, the firewall sessions and authentication cache will not automatically switch over. If the firewall is enabled on a slave router, all sessions would have to be re-established, and you would have to re-authenticate users for access to authentication-protected servers.
Load Sharing - If two or more firewall-enabled XSRs are connected, load sharing is not supported. Each XSR acts as a discrete firewall and monitors only the sessions that pass through it.
Secondary IP Address/Firewall - The firewall does not interoperate with interface IP addresses, so a secondary interface address has no effect on firewall operations. Configure network objects for the secondary address just as you would for any primary IP address.
Firewall Authentication over VPN - Firewall authentication is not supported over VPN tunnels.