Before you begin
Discuss all changes to your filter policy and defensive filters
with your security administrator. Do not permit all routed traffic
without first verifying that your network security policy specifies
that all routed traffic is to be permitted.
Procedure
If you enabled IP security and you want to allow QDIO
Accelerator to forward routed traffic, perform the following steps:
- Consult your network security policy to determine how routed
  traffic must be handled. You cannot use QDIO Accelerator
  for routed traffic when any of the following conditions are true:
  - Some routed traffic must be denied in your IP filter policy.
  - Some routed traffic must be protected by IPsec in your IP filter
    policy.
  - Some routed traffic must be logged using TRMD.
  If any of these conditions are true, QDIO Accelerator forwards
  only sysplex distributor traffic.
- If TCP/IP issues message EZD2020A and
  your network security policy specifies that all routed traffic is
  permitted, configure the default IP filter rules in your TCP/IP profile
  (the IPSEC block) to permit all routed traffic without logging:
  - Ensure that the first IPv4 IPSECRULE statement with
    the ROUTING value ROUTED or EITHER permits
    all IPv4 addresses, all protocols, and all security classes.
    Tip: If your rule has the ROUTING value EITHER,
    the rule applies to both local and routed traffic. If your security
    policy does not allow you to permit all local traffic, split this
    rule into two rules, one with the ROUTING value ROUTED and
    one with the ROUTING value LOCAL.
  - Ensure that the first IPv4 IPSECRULE statement does
    not specify LOG, which would enable filter logging.
- If TCP/IP issues message EZD2021A and
  your network security policy specifies that all routed traffic is
  permitted, configure your policy filter rules to permit all routed
  traffic without logging.
  - If you are using the IBM® Configuration
    Assistant for z/OS® Communications
    Server to configure your IPSec policy, use the following settings:
    - Ensure that the first connectivity rule that applies to routed
      IPv4 traffic specifies a topology of filtering only, applies to all
      IPv4 addresses, and uses a requirement map that maps all IP protocols
      and all security classes to a Permit security level.
      Tip: Your connectivity rule might apply to both local and routed
      traffic. If your security policy does not allow you to permit all
      local traffic, split this rule into two rules, one that applies to
      filtering for routed traffic and one that applies to filtering for
      local traffic.
    - Ensure that the first connectivity rule specifies that filter
      matches are not logged.
  - If you are manually configuring your IPSec policy, use
    the following settings:
    - Ensure that the IpService statement associated with the first IpFilterRule
      statement has the Routing value Routed or Either,
      permits all IPv4 addresses, all protocols, and all security classes,
      and has the Direction value Bidirectional.
      Tip: If your rule has the Routing value Either,
      the rule applies to both local and routed traffic. If your security
      policy does not allow you to permit all local traffic, split this
      filter rule into two filter rules, one with the Routing value Routed and
      one with the Routing value Local.
    - Ensure that the IpGenericFilterAction statement associated with
      the first IpFilterRule statement specifies IpFilterLogging No to
      disable filter logging.
- If TCP/IP issues message EZD2022A and
  your network security policy specifies that all routed traffic is
  permitted, ensure that your defensive filters permit routed traffic:
  - Issue the ipsec -F display command
    to display the defensive filters.
  - If any filters are listed that apply to routed traffic,
    you have the following options:
    - Because defensive filters are temporary filters designed to address
      temporary conditions, you can wait for these filters to expire. After
      the filters expire, QDIO Accelerator can resume forwarding routed
      traffic.
    - If you and your security administrator determine that these defensive
      filters are no longer needed, your security administrator can issue
      the ipsec -F delete command to delete these filters
      so that QDIO Accelerator can resume forwarding routed traffic.
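The following configuration fragments are an added example; they are not part of the original page and are not IBM-supplied code. They show the EZD2020A and EZD2021A steps carried out: a TCP/IP profile IPSEC block whose first IPv4 IPSECRULE permits all routed traffic with NOLOG, and the equivalent Policy Agent IpFilterPolicy whose first IpFilterRule permits all routed IPv4 traffic through an IpGenericFilterAction with IpFilterLogging No. In both fragments the routed rule uses ROUTED rather than EITHER so that a second, stricter LOCAL rule can follow it. The local rules (permitting only IKE on UDP port 500, with logging), the IPCONFIG IPSECURITY line, and the names PermitAllRouted, LocalIke, PermitNoLog and PermitLog are assumptions chosen for this example; verify the keyword spellings against the IP Configuration Reference for your release before using them.

```text
;---------------------------------------------------------------
; TCP/IP profile: default IP filter rules (EZD2020A case)
; Profile comments start with a semicolon.
;---------------------------------------------------------------
IPCONFIG IPSECURITY           ; IP security enabled for IPv4 (assumed)

IPSEC LOGENABLE
  ; First IPv4 rule: all source and destination addresses (* *),
  ; all protocols, all security classes (SECCLASS 0), routed traffic
  ; only, and NOLOG so that TRMD never logs routed matches.
  IPSECRULE * * NOLOG PROTOCOL * ROUTING ROUTED SECCLASS 0

  ; Assumed local rule: permit only IKE (UDP 500) locally and log it.
  ; ROUTING LOCAL keeps this rule from widening the routed rule above.
  IPSECRULE * * LOG PROTOCOL UDP SRCPORT 500 DESTPORT 500 ROUTING LOCAL
ENDIPSEC

#---------------------------------------------------------------
# Policy Agent configuration: policy filter rules (EZD2021A case)
# Policy Agent comments start with a number sign.
#---------------------------------------------------------------
IpFilterPolicy
{
  # Rules are evaluated in order; the routed permit comes first.
  IpFilterRule PermitAllRouted
  {
    IpSourceAddr All                     # all IPv4 addresses
    IpDestAddr   All
    IpService
    {
      Protocol      All
      Direction     Bidirectional
      Routing       Routed               # not Either: local policy stays separate
      SecurityClass 0                    # 0 = all security classes
    }
    IpGenericFilterActionRef PermitNoLog
  }

  # Assumed local rule: IKE only, logged.
  IpFilterRule LocalIke
  {
    IpSourceAddr All
    IpDestAddr   All
    IpService
    {
      Protocol             UDP
      SourcePortRange      500
      DestinationPortRange 500
      Direction            Bidirectional
      Routing              Local
    }
    IpGenericFilterActionRef PermitLog
  }
}

IpGenericFilterAction PermitNoLog
{
  IpFilterAction  Permit
  IpFilterLogging No                     # routed matches are not logged
}

IpGenericFilterAction PermitLog
{
  IpFilterAction  Permit
  IpFilterLogging Yes
}
```

Because filter rules are evaluated in order, the routed permit must come before any rule that could match routed traffic and deny it, log it, or require IPsec for it; otherwise one of the conditions in the first step applies and QDIO Accelerator forwards only sysplex distributor traffic.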
For more information about the ipsec command, see z/OS Communications Server: IP System Administrator's
Commands.