| Enable Proxy ARP | Select Enable
Proxy ARP to allow the Firewall Policy to
use Proxy ARP responses for this policy on behalf of another
device. Proxy ARP allows the firewall to handle ARP routing
requests for devices behind the firewall. This feature is
selected by default. |
| DHCP Broadcast to Unicast | Select DHCP
Broadcast to Unicast for the conversion of
broadcast DHCP offers to unicast. Converting DHCP broadcast
traffic to unicast traffic can help reduce network traffic
loads. This feature is not selected by default. |
| L2 Stateful Packet Inspection | Select L2
Stateful Packet Inspection for stateful
packet inspection for RF Domain manager routed interfaces
within the Layer 2 firewall. This feature is not activated
by default. |
| TCP MSS Clamping | Select TCP MSS
Clamping for TCP MSS Clamping. TCP MSS
Clamping allows for the configuration of the maximum segment
size of packets at a global level. |
| IPMAC Conflict Enable | When multiple devices on the network have the same IP or
MAC address this can create routing issues for traffic being
passed through the firewall. To avoid these issues, select
IPMAC
Conflict Enable for IP and MAC conflict
detection. This feature is selected by default. |
| IPMAC Conflict Action | Use the drop-down list to select the action taken when an
attack is detected. Options include Log
Only, Drop Only, or
Log and Drop. The default setting is
Log and Drop. |
| IPMAC Conflict Logging | Select IPMAC
Conflict Logging for logging for IP and MAC
address conflict detection. The default selection is
Warnings. |
| IP TCP Adjust MSS | Select IP TCP
Adjust MSS and adjust the value for the
maximum segment size (MSS) for TCP segments on the router.
Set a value in the range 472 – 1,460 bytes to adjust the MSS
segment size. The default value is 0. |
| IPMAC Routing Conflict Enable | Select IPMAC
Routing Conflict Enable for IPMAC Routing
Conflict detection. This is also known as a Hole-196 attack
in the network. This feature helps to detect if the client
is sending routed packets to the correct
router-mac-address. |
| IPMAC Routing Conflict Action | Use the drop-down list box to set the action taken when
an attack is detected. Options include Log
Only, Drop Only, or
Log and Drop. The default setting is
Log and Drop. |
| IPMAC Routing Conflict Logging | Select IPMAC
Routing Conflict Logging for conflict
detection. |
| DNS Snoop Entry Timeout | Set a timeout in seconds for DNS Snoop Entry. DNS Snoop
Entry stores information such as Client to IP Address and
Client to Default Gateways and uses this information to
detect if the client is sending routed packets to a wrong
MAC address. The range is 30 – 86,400 seconds, and the
default value is 1,800 seconds. |
| Virtual Defragmentation | Select Virtual
Defragmentation for IPv4 and IPv6 virtual
defragmentation to help prevent fragment based attacks, such
as tiny fragments or large number of fragments. |
| Virtual Defragmentation Timeout | Set a virtual defragmentation timeout in the range 1 – 60
seconds applicable to both IPv4 and IPv6 packets. The
default value is 1. |
| Max Defragmentations/Datagram | Set a value in the range 2 – 8,129 to stipulate the
maximum number of defragentations allowed in a datagram
before it is dropped. The default value is 140. |
| Max Fragments/Host | Set a value in the range 1 – 16,384 to stipulate the
maximum number of fragments allowed per host before it is
dropped. The default value is 8. |
| Min Length Required | Select Min
Length Required to set a minimum length in
the range 8 – 1,500 bytes to enforce a minimum packet size
before being subject to fragment based attack
prevention. |
adjacent to the policy you want to modify.
Proceed to the next step, and modify the basic settings in accordance
with the steps in this procedure.