Security Policy Exceptions
This section describes security policy exceptions.
By default, security policies control only unicast packets; broadcast and multicast packets are not checked and are forwarded directly. There are, however, some exceptions:
After the firewall l2-multicast packet-filter enable command is run on the FW to enable Layer 2 multicast packet filtering, the FW applies security policies to all Layer 2 multicast packets, including those that traverse the FW and those sent by the FW, except Layer 2 ND multicast packets.
The protocols listed in the following table are network interconnection protocols. For security purposes, the factory settings include the firewall packet-filter basic-protocol enable command, which makes unicast packets of these protocols subject to security policies. To let the device access the network quickly, run the undo firewall packet-filter basic-protocol enable command so that unicast packets of these protocols are no longer controlled by security policies or default security policies.
Table 1 Controlling status of network interconnection protocols by security policies and default security policies

| Protocol | Packets Traversing the FW | Packets Destined for the FW/Packets Forwarded by the FW | Description |
|---|---|---|---|
| BFD | Unicast packets: controlled; multicast packets: not controlled | Unicast packets: controlled; multicast packets: not controlled | Whether a packet is unicast or multicast is identified from the destination IP address. |
| BGP | Controlled | Controlled | BGP packets can only be unicast. |
| DHCPv4 | Unicast packets (UDP ports 67 and 68): controlled; broadcast packets (UDP ports 67 and 68): not controlled | Unicast packets (UDP ports 67 and 68): not controlled; broadcast packets (UDP ports 67 and 68): not controlled | Whether a packet is unicast or multicast is identified from the destination IP address. |
| DHCPv6 | Unicast packets (UDP ports 546 and 547): controlled; broadcast packets (UDP ports 546 and 547): not controlled | Unicast packets (UDP ports 546 and 547): controlled; broadcast packets (UDP ports 546 and 547): not controlled | Whether a packet is unicast or multicast is identified from the destination IP address. |
| LDP | | | - |
| OSPF | Unicast packets: controlled | Unicast packets (protocol number 89): controlled; multicast packets (protocol number 89): not controlled | OSPF packets traverse the firewall only when virtual links are configured, and then only in unicast mode. Whether a packet is unicast or multicast is identified from the destination IP address. |
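As an added example (not taken from the product documentation), the following Python encodes the default unicast-only rule and the table above as a small classifier: given a protocol name, a destination address and which table column applies, it reports whether the packet is subject to security-policy checks. The dictionary encoding, the function names and the `traverse`/`to_fw` labels are assumptions of this example, as is the `basic_protocol_filter` switch that models the undo command described above.

```python
import ipaddress

# Table above encoded as {protocol: {column: (unicast_controlled, non_unicast_controlled)}}.
# Encoding and names are this example's own; LDP is omitted because the table gives it no entries.
BASIC_PROTOCOLS = {
    "BFD":    {"traverse": (True, False), "to_fw": (True, False)},
    "BGP":    {"traverse": (True, True),  "to_fw": (True, True)},   # BGP is unicast only
    "DHCPv4": {"traverse": (True, False), "to_fw": (False, False)},
    "DHCPv6": {"traverse": (True, False), "to_fw": (True, False)},
    "OSPF":   {"traverse": (True, False), "to_fw": (True, False)},  # traverses only as unicast
}

def cast_type(dst):
    """Unicast / multicast / broadcast, decided from the destination address alone."""
    ip = ipaddress.ip_address(dst)
    if ip.is_multicast:
        return "multicast"
    if ip.version == 4 and ip == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast"
    return "unicast"

def is_policy_controlled(protocol, dst, direction, basic_protocol_filter=True):
    """Return True if the packet is checked against security policies.

    direction: "traverse" (through the FW) or "to_fw" (destined for / forwarded by the FW).
    basic_protocol_filter=False models 'undo firewall packet-filter basic-protocol enable'.
    """
    if direction not in ("traverse", "to_fw"):
        raise ValueError("direction must be 'traverse' or 'to_fw'")
    unicast = cast_type(dst) == "unicast"
    if protocol in BASIC_PROTOCOLS:
        if not basic_protocol_filter:
            return False  # interconnection protocols then bypass security policies
        uni_ctl, other_ctl = BASIC_PROTOCOLS[protocol][direction]
        return uni_ctl if unicast else other_ctl
    # Default rule for every other protocol: only unicast packets are controlled.
    return unicast

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    samples = [("BGP", "10.0.0.2", "traverse"), ("OSPF", "224.0.0.5", "to_fw"),
               ("DHCPv4", "255.255.255.255", "traverse"), ("DHCPv4", "192.0.2.1", "to_fw"),
               ("DHCPv6", "ff02::1:2", "traverse"), ("SSH", "198.51.100.1", "to_fw")]
    for proto, dst, direction in samples:
        print(f"{proto:7} -> {dst:16} [{direction:8}] controlled={is_policy_controlled(proto, dst, direction)}")
```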
Other typical situations in which packets are exempt from security policy control:
- After ASPF is configured for a multi-channel protocol, the FW does not filter packets in the data channel.
- After the service-manage enable command is run on the FW to enable interface access control, HTTP, HTTPS, ping, SNMP, SSH, and Telnet packets to the FW itself are controlled by the service-manage configuration, not by security policy rules.
- If the authentication action of the authentication policy is portal authentication and the user initiates an HTTP/HTTPS request towards the web server, the first SYN packet is not controlled by the security policy.