Using Firewall Rules

The ZoneAlarm router checks the protocol used, the port range, and the destination IP address when deciding whether to allow or block traffic.

User-defined rules have priority over the default security policy rules and provide you with greater flexibility in defining and customizing your security policy.

For example, if your company computers are located on the LAN network, and guests are allowed to use the WLAN network, then as a result of the default security policy rules, employees on the LAN will be able to connect to guest computers, while guests will not be able to access any sensitive information on the company computers. You can override the default security policy rules by creating firewall rules that allow specific WLAN computers (such as an employee's laptop) to connect to the LAN network and company resources.

The ZoneAlarm router processes user-defined rules in the order they appear in the Rules table, so that rule 1 is applied before rule 2, and so on. This enables you to define exceptions to rules, by placing the exceptions higher up in the Rules table.

For example, if you want to block all outgoing FTP traffic, except traffic from a specific IP address, you can create a rule blocking all outgoing FTP traffic and move the rule down in the Rules table. Then create a rule allowing FTP traffic from the desired IP address and move this rule to a higher location in the Rules table than the first rule. In the figure below, the general rule is rule number 2, and the exception is rule number 1.

[Figure: Rules table showing the exception as rule 1 and the general outgoing FTP block as rule 2]

The ZoneAlarm router will process rule 1 first, allowing outgoing FTP traffic from the specified IP address, and only then will it process rule 2, blocking all other outgoing FTP traffic.
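As an added illustration (not part of this manual, and not the router's own implementation), the following Python models first-match processing of a rule table like the FTP example above and also reports any exception that has been placed below a broader rule, where it could never fire. The rule table, rule names and IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "block"
    protocol: str            # "tcp", "udp" or "any"
    ports: tuple             # (low, high) destination port range, inclusive
    src: str = "0.0.0.0/0"   # source network; the default matches any host
    dst: str = "0.0.0.0/0"   # destination network; the default matches any host

    def matches(self, proto, port, src_ip, dst_ip):
        return ((self.protocol == "any" or self.protocol == proto)
                and self.ports[0] <= port <= self.ports[1]
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def decide(rules, proto, port, src_ip, dst_ip, default="allow"):
    """First-match evaluation: rule 1 is consulted before rule 2, and so on.
    Returns (action, name of the rule that decided), or the default policy."""
    for rule in rules:
        if rule.matches(proto, port, src_ip, dst_ip):
            return rule.action, rule.name
    return default, "default policy"


def covers(broad, narrow):
    """True when every connection matching `narrow` also matches `broad`."""
    return ((broad.protocol == "any" or broad.protocol == narrow.protocol)
            and broad.ports[0] <= narrow.ports[0] <= narrow.ports[1] <= broad.ports[1]
            and ip_network(narrow.src).subnet_of(ip_network(broad.src))
            and ip_network(narrow.dst).subnet_of(ip_network(broad.dst)))


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(earlier, r) for earlier in rules[:i])]


# Constructed table from the FTP example: the exception first, the general rule second.
RULES = [
    Rule("allow FTP from 192.168.10.5", "allow", "tcp", (21, 21), src="192.168.10.5/32"),
    Rule("block all outgoing FTP", "block", "tcp", (21, 21)),
]
```

Reversing RULES makes shadowed_rules() report the exception, which is the misordering the text warns against.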

The following rule types exist:

In This Section

Firewall Rule Types

Adding and Editing Firewall Rules

Enabling/Disabling Firewall Rules

Reordering Firewall Rules

Enabling/Disabling Firewall Rule Logging

Viewing and Deleting Firewall Rules

See Also

Setting Your Security Policy

The ZoneAlarm Firewall Security Policy

Default Security Policy

Setting the Firewall Security Level

Configuring Servers

Firewall Rule Types

Rule

Description

Allow and Forward

This rule type enables you to do the following:

  • Permit incoming traffic from the Internet to a specific service and destination IP address in your internal network and then forward all such connections to a specific computer in your network. Such rules are called NAT forwarding rules.
    For example, if the gateway has two public IP addresses, 62.98.112.1 and 62.98.112.2, and the network contains two private Web servers, A and B, you can forward all traffic with the destination 62.98.112.1 to server A, while forwarding all traffic with the destination 62.98.112.2 to server B.
    Note: Creating an Allow and Forward rule for incoming traffic to the default destination This Gateway (which represents the ZoneAlarm IP address) is equivalent to defining a server in the Servers page.
  • Permit outgoing traffic from your internal network to a specific service and destination IP address on the Internet and then divert all such connections to a specific IP address. Such rules are called transparent proxy rules.
    For example, you can redirect all traffic destined for a specific Web server on the Internet to a different IP address.
  • Redirect the specified connections to a specific port. This option is called Port Address Translation (PAT).

Note: You must use this type of rule to allow incoming connections if your network uses Hide NAT.

Allow

This rule type enables you to do the following:

  • Permit outgoing access from your internal network to a specific service on the Internet.
  • Permit incoming access from the Internet to a specific service in your internal network.

Note: You cannot use an Allow rule to permit incoming traffic if the network or VPN uses Hide NAT. Use an "Allow and Forward" rule instead. However, you can use Allow rules for static NAT IP addresses.

Block

This rule type enables you to do the following:

  • Block outgoing access from your internal network to a specific service on the Internet.
  • Block incoming access from the Internet to a specific service in your internal network.
  • Block connections between hosts on different internal networks.