Applying firewall policies to VLAN crossings
2011-11-15 02:21 PM
Hello,
Is it possible to filter packets using a security policy based on intervlan communication? For instance, I want to implement a policy that vlan 1 can establish outgoing connections to vlan2 and vlan2 only allows responses that originated from vlan 1.
Is this even possible? Do I have to create rules based on source and destination IP address?
I do not see in the documentation how to do either of those tasks.
Please assist.
Thank you,
Tyler
Message 1 of 19
2011-11-15 02:30 PM
I don't think it will on a VLAN-supporting ProSafe router. Inter-VLAN routing will allow communication with other VLANs for LAN access.
Message 2 of 19
2011-11-15 02:33 PM
Thanks for the quick response! Does that include the SRX5308? I forgot to include that in my original post.
Message 3 of 19
2011-11-15 02:34 PM
That is one that has VLAN support.
Message 4 of 19
2011-11-15 02:41 PM
Sorry, this is the one:
http://support.netgear.com/app/products/model/a_id/13568
SRX5308
FVS318N
These are the ones that have VLAN.
Message 5 of 19
2011-11-15 02:49 PM
jmizoguchi wrote: Sorry, this is the one:
http://support.netgear.com/app/products/model/a_id/13568
SRX5308
FVS318N
These are the ones that have VLAN.
Does that mean I can apply a firewall policy to traffic crossing from one vlan to another?
For instance,
vlan 1: 192.168.0.0/24
vlan 2: 192.168.1.0/24
vlan 1 -> vlan 2: permit connect
vlan 2 -> vlan 1: permit response; block connect
I've looked through the docs, I don't see how to achieve this. I only see how to set a policy for lan <-> wan; lan <-> dmz; wan <-> dmz
Thanks!
Tyler
Message 6 of 19
2011-11-15 02:55 PM
Inter VLAN Routing
Enable Inter VLAN Routing: When enabled, traffic is forwarded between this VLAN and other VLANs configured with a different subnet. This option should be enabled on all VLANs where inter-VLAN communication is required.
Here is the definition.
Message 7 of 19
2011-11-15 03:01 PM
jmizoguchi wrote: Here is the definition.
I have inter-vlan routing working, the vlans can communicate to each other; that is not the issue. The issue is there is too much communication. I want to restrict vlan 2 from communicating to vlan 1 with policies so only some traffic may pass and other traffic may not.
Is this possible?
Message 8 of 19
2011-11-15 03:02 PM
I don't think it does...
Message 9 of 19
2011-11-15 03:04 PM
You need to rely on a switch to work with the existing VLAN IDs, but Layer 3 switches will have more in-depth settings.
Message 10 of 19
2011-11-15 03:12 PM
jmizoguchi wrote: You need to rely on a switch to work with the existing VLAN IDs, but Layer 3 switches will have more in-depth settings.
We have layer-3 switches with VLAN capability; they are also NetGear units. However, since they are layer 3 they do not provide IP-level filtering. This is why we bought a firewall/router device.
I'm amazed the firewall/router can't do this. It's extremely unfortunate and nearly deceptive.
Message 11 of 19
2011-11-15 03:14 PM
Which firmware are you using?
Do you have a VLAN Rules section under Network Security (or Firewall; not sure how it's labeled on the 5308)? It's where the rest of the Rules are set up.
Message 12 of 19
2011-11-15 03:15 PM
I use a Layer 3 switch behind my ProSecure UTM, which has the same core firmware as the ProSafe and does the same thing.
Message 13 of 19
2011-11-15 03:19 PM
Never post while on the phone.
Here is something for you...
VLAN Rules
Firewall rules for traffic between the source VLAN and the destination VLAN can be defined on this screen.
NOTE: VLAN firewall rules take precedence over the "Enable Inter VLAN Routing" option available in the Add/Edit VLAN Settings page. That is, if inter-VLAN routing is disabled while configuring a VLAN and the user explicitly adds a rule to allow some services between two VLANs, those services will be allowed.
VLAN Services
This table lists the existing rules for traffic. A rule is defined by the following fields:
! (Status): A rule can be disabled if not in use and enabled as needed. A rule is disabled if the status light is gray and it is enabled if the status light is green. Disabling a rule does not delete the configuration, but merely deactivates the rule.
Service Name: This is a unique name assigned to the service. The name usually indicates the type of traffic the rule covers, such as FTP, SSH, Telnet, ping, and so on. Services not already on the list can be added on the Services screen (select Network Security > Services).
Filter: Defines an action to be taken on the enabled rule. It can be:
Block Always: Block the selected service at all times.
Allow Always: Allow the selected service to pass through at all times.
Source VLAN Users: Specifies whether one or more source VLAN IP addresses are affected by this rule. The rule affects packets for the selected service coming from the source IP address or range of IP addresses in this field.
Any: All IP addresses on the source VLAN are included in the rule.
Single Address: When this option is selected, a single address is displayed in this field and is affected by the rule.
Address Range: When this option is selected, a range of addresses from START address to END address is displayed in this field and is affected by the rule.
Destination VLAN Users: Specifies whether one or more destination VLAN IP addresses are affected by this rule. The rule affects packets for the selected service sent to the destination IP address or range of IP addresses in this field.
Any: All IP addresses on the Destination VLAN will be affected by the rule.
Single Address: A single VLAN IP address will be affected by the rule.
Address Range: A range of IP addresses on the Destination VLAN will be affected by the rule.
Log: Specifies whether the packets for this rule should be logged or not. To log details for all packets that match this rule, select Always. Select Never to disable logging.
For example, if a VLAN rule is selected as Block Always, then for every packet that tries to make connection for that service, a message with the packet's source address and destination address (and other information) will be recorded in the log. Enabling logging may generate a significant volume of log messages and is recommended for debugging purposes only.
The actions that can be taken on rules are:
Edit: Modifies the configuration of the selected rule.
Select All: Selects all the rules in the table.
Delete: Delete the selected rule or rules.
Enable: Enables the selected rule or rules listed in the table.
Disable: Disables the selected rule or rules listed in the table.
Add: Adds a new rule.
Message 14 of 19
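The policy Tyler sketched in message 6 (VLAN 1 may open connections to VLAN 2; VLAN 2 may only answer them) and the VLAN Rules fields pasted in message 14 (service, Block Always / Allow Always, Any / Single Address / Address Range selectors, logging) can be modelled together. The block below is an added example written for this thread; it is not NETGEAR firmware code and does not claim to reproduce how the SRX5308 or the UTM evaluates rules. The subnets are the ones from message 6; the host addresses, ports, rule names and the `ANY` wildcard service are constructed. The help text only offers Block Always and Allow Always, so the "permit response" half of the policy is modelled as connection tracking, which is an assumption about the firewall being stateful: the example lets you flip that assumption off and see that replies then need their own Allow rule, which would also let VLAN 2 open connections.

```python
"""Stateful inter-VLAN policy model (added example, not NETGEAR code).

Models the VLAN Rules fields from the help text plus connection tracking,
so a reply to a connection opened from VLAN 1 is passed while a new
connection from VLAN 2 is blocked. Hosts, ports and rule names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Subnets from message 6 of the thread.
VLANS = {1: ip_network("192.168.0.0/24"), 2: ip_network("192.168.1.0/24")}
# Constructed service table: name -> (protocol, destination port); "ANY" is a wildcard.
SERVICES = {"SSH": ("tcp", 22), "HTTP": ("tcp", 80), "PING": ("icmp", 0), "ANY": None}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    service: str                  # key in SERVICES
    action: str                   # "ALLOW" (Allow Always) or "BLOCK" (Block Always)
    src_vlan: int
    dst_vlan: int
    src_users: tuple = ("any",)   # ("any",) | ("single", ip) | ("range", start, end)
    dst_users: tuple = ("any",)
    log: bool = False
    enabled: bool = True          # the status light in the rule table


def vlan_of(ip: str) -> Optional[int]:
    """VLAN whose subnet contains ip, or None if it is in no configured VLAN."""
    addr = ip_address(ip)
    return next((vid for vid, net in VLANS.items() if addr in net), None)


def users_match(spec: tuple, ip: str) -> bool:
    """Evaluate the Any / Single Address / Address Range selector against ip."""
    addr = ip_address(ip)
    if spec[0] == "any":
        return True
    if spec[0] == "single":
        return addr == ip_address(spec[1])
    if spec[0] == "range":
        return ip_address(spec[1]) <= addr <= ip_address(spec[2])
    raise ValueError(f"unknown user selector {spec!r}")


def service_match(name: str, pkt: Packet) -> bool:
    svc = SERVICES[name]
    if svc is None:
        return True
    proto, port = svc
    return pkt.proto == proto and (proto == "icmp" or pkt.dport == port)


class InterVlanFirewall:
    """First-match evaluation of VLAN rules, with optional connection tracking.

    stateful=True: an allowed packet records its 5-tuple, and the exact reverse
    5-tuple is passed as an established reply before the rules are consulted.
    stateful=False: every packet, replies included, needs an explicit Allow.
    """

    def __init__(self, rules, default="BLOCK", stateful=True):
        self.rules, self.default, self.stateful = list(rules), default, stateful
        self.flows, self.log = set(), []

    def process(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.stateful and reverse in self.flows:
            return "ALLOW"  # reply to a connection we already let through
        src_vlan, dst_vlan = vlan_of(pkt.src), vlan_of(pkt.dst)
        if src_vlan is None or dst_vlan is None or src_vlan == dst_vlan:
            return self.default  # not a crossing between two known VLANs
        for r in self.rules:
            if not r.enabled or (r.src_vlan, r.dst_vlan) != (src_vlan, dst_vlan):
                continue
            if not (service_match(r.service, pkt) and users_match(r.src_users, pkt.src)
                    and users_match(r.dst_users, pkt.dst)):
                continue
            if r.log:
                self.log.append(f"{r.action} {r.service} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            if r.action == "ALLOW" and self.stateful:
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return r.action
        return self.default


# The message 6 policy, tightened to named services so the selectors are exercised.
POLICY = [
    Rule("SSH", "ALLOW", 1, 2, src_users=("range", "192.168.0.10", "192.168.0.20")),
    Rule("HTTP", "ALLOW", 1, 2),
    Rule("ANY", "BLOCK", 2, 1, log=True),  # explicit, logged; the default would block too
]


def demo(stateful: bool = True):
    """Run constructed packets through POLICY; returns (decisions, log lines)."""
    fw = InterVlanFirewall(POLICY, stateful=stateful)
    decisions = {
        "ssh_open": fw.process(Packet("192.168.0.10", "192.168.1.20", "tcp", 40000, 22)),
        "ssh_reply": fw.process(Packet("192.168.1.20", "192.168.0.10", "tcp", 22, 40000)),
        "ssh_outside_range": fw.process(Packet("192.168.0.50", "192.168.1.20", "tcp", 40001, 22)),
        "http_any_vlan1": fw.process(Packet("192.168.0.50", "192.168.1.20", "tcp", 40002, 80)),
        "vlan2_opens_ssh": fw.process(Packet("192.168.1.20", "192.168.0.10", "tcp", 45000, 22)),
    }
    return decisions, fw.log
```

With `stateful=True` the SSH reply from VLAN 2 is passed and the SSH attempt opened from VLAN 2 is blocked and logged, which is the asymmetry asked for in message 6. With `stateful=False` the reply is also blocked, so the only stateless way to make the session work is an Allow rule for VLAN 2 to VLAN 1 on that service, and that rule does not distinguish a reply from a fresh connection. Whether the real device tracks sessions across VLAN rules is not stated in the help text quoted above, so verify it on the unit before relying on it.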
2011-11-15 03:37 PM
adit wrote: Which firmware are you using?
Do you have a VLAN Rules section under Network Security (or Firewall; not sure how it's labeled on the 5308)? It's where the rest of the Rules are set up.
Thanks for your pointer. I didn't see anything like that, here's a screen shot of what I've got under the 'Security' top level menu: http://i.imgur.com/bQDAa.png
Here is the firmware version info:
Firmware Version (Primary): 3.0.7-45
Firmware Version (Secondary): 3.0.7-24
is the firmware just out of date?
Message 15 of 19
2011-11-15 03:38 PM
jmizoguchi wrote: Never post while on the phone.
Here is something for you...
That looks like exactly what I want.... I just don't see how I get access to that configuration section.
Message 16 of 19
2011-11-15 03:42 PM
Contact Tech Support and tell them your issue and you need beta firmware 3.0.7-61. You can reference this post.
They should be able to get you a copy of that firmware.
I think it will have the VLAN Rules capability.
Message 17 of 19
2011-11-15 03:43 PM
The ProSecure UTM has those rules.
That help file is from the UTM.
Message 18 of 19
2011-11-15 04:07 PM
adit wrote: Contact Tech Support and tell them your issue and you need beta firmware 3.0.7-61. You can reference this post.
They should be able to get you a copy of that firmware.
I think it will have the VLAN Rules capability.
Thank you again for the pointer! I'll check with support tomorrow.
Cheers,
Tyler
Message 19 of 19