Firewall Policy Advanced Settings

To define a firewall policy Advanced Configuration:
  1. Select the Advanced Settings tab from the Firewall Policy configuration page.
    The Advanced Settings screen displays Common and IPv6 Settings tabs with the Common displayed by default. Use these screens to define common IPv4 settings and settings unique to an IPv6 firewall.

    IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. These hosts require firewall packet protection unique to IPv6 traffic, as IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.

  2. Refer to the Firewall Status radio buttons to define the firewall as either enabled or disabled.
    The firewall is enabled by default.

    If you are disabling the firewall, a confirmation prompt displays stating that NAT, wireless hotspot, proxy ARP, deny-static-wireless-client and deny-wireless-client (denial of wireless clients that excessively send traffic that is not permitted) will be disabled.

  3. Refer to the General field to enable or disable the following firewall configuration parameters:
    Enable Proxy ARP - Select this check box to allow the Firewall Policy to send Proxy ARP responses on behalf of another device. Proxy ARP allows the firewall to handle ARP requests for devices behind the firewall. This feature is enabled by default.
    DHCP Broadcast to Unicast - Select this check box to enable the conversion of broadcast DHCP offers to unicast. Converting DHCP broadcast traffic to unicast traffic can help reduce network traffic loads. This feature is disabled by default.
    L2 Stateful Packet Inspection - Select the check box to enable stateful packet inspection for RF Domain manager routed interfaces within the Layer 2 firewall. This feature is disabled by default.
    IPMAC Conflict Enable - When multiple devices on the network have the same IP or MAC address, this can create routing issues for traffic passing through the firewall. To avoid these issues, select this option to enable IP and MAC conflict detection. This feature is disabled by default.
    IPMAC Conflict Logging - Select this option to enable logging for IP and MAC address conflict detection. This feature is disabled by default.
    IPMAC Conflict Action - Use the drop-down menu to set the action taken when an attack is detected. Options include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.
    IPMAC Routing Conflict Enable - Select this option to enable IPMAC Routing Conflict detection. The condition detected is also known as a Hole-196 attack. This feature detects whether a client is sending routed packets to the correct router MAC address.
    IPMAC Routing Conflict Logging - Select this option to enable logging for IPMAC Routing Conflict detection. This feature is disabled by default.
    IPMAC Routing Conflict Action - Use the drop-down menu to set the action taken when an attack is detected. Options include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.
    DNS Snoop Entry Timeout - Select this option and set a timeout, in seconds, for DNS snoop entries. A DNS snoop entry stores information such as client-to-IP-address and client-to-default-gateway mappings, which is used to detect whether a client is sending routed packets to the wrong MAC address.
    IP TCP Adjust MSS - Select this option and adjust the maximum segment size (MSS) for TCP segments on the router. Set a value between 472 bytes and 1,460 bytes. The default value is 472 bytes.
    TCP MSS Clamping - Select this option to enable TCP MSS Clamping. TCP MSS Clamping allows the maximum segment size of packets to be configured at a global level.
    Max Fragments/Datagram - Set the maximum number of fragments (between 2 and 8,129) allowed in a datagram before it is dropped. The default value is 140 fragments.
    Max Defragmentations/Host - Set the maximum number of defragmentations (between 1 and 16,384) allowed per host before the datagram is dropped. The default value is 8.
    Min Length Required - Select this option and set a minimum length (between 8 bytes and 1,500 bytes) to enforce a minimum packet size before packets are subject to fragment-based attack prevention.
    Virtual Defragmentation - Select this option to enable IPv4 and IPv6 virtual defragmentation to help prevent fragment-based attacks, such as tiny fragments or a large number of fragments.
    Virtual Defragmentation Timeout - Set a virtual defragmentation timeout from 1 - 60 seconds, applicable to both IPv4 and IPv6 packets.
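    The IPMAC Routing Conflict check described in the General field, modelled as an added Python example that is not the product's code: the snoop table of client-to-default-gateway mappings and the gateway's MAC are populated by hand, and the Log Only / Drop Only / Log and Drop actions are applied to constructed frames. The subnet, addresses and MACs are constructed sample values, and learning the gateway MAC from ARP is an assumption.

```python
import ipaddress

class RoutingConflictDetector:
    """Toy model of the IPMAC Routing Conflict check (not the product's code)."""

    def __init__(self, subnet, action="Log and Drop"):
        self.subnet = ipaddress.ip_network(subnet)
        self.snoop = {}        # client IP -> default gateway IP (snoop entry)
        self.gateway_mac = {}  # gateway IP -> MAC (assumed learned via ARP)
        self.action = action   # "Log Only", "Drop Only" or "Log and Drop"
        self.log = []

    def learn_client(self, client_ip, gateway_ip):
        self.snoop[client_ip] = gateway_ip

    def learn_gateway(self, gateway_ip, mac):
        self.gateway_mac[gateway_ip] = mac.lower()

    def check(self, src_ip, dst_ip, dst_mac):
        """Return 'forward' or 'drop' for a client frame; log on conflict."""
        if ipaddress.ip_address(dst_ip) in self.subnet:
            return "forward"   # on-link traffic is not routed: nothing to check
        expected = self.gateway_mac.get(self.snoop.get(src_ip))
        if expected is None:
            return "forward"   # no snoop entry yet: cannot judge, so pass
        if dst_mac.lower() == expected:
            return "forward"   # routed packet addressed to the right router MAC
        # Anything else is a routed packet sent to the wrong MAC (Hole-196 pattern)
        if self.action in ("Log Only", "Log and Drop"):
            self.log.append(f"ipmac-routing-conflict src={src_ip} dst={dst_ip} "
                            f"dst_mac={dst_mac} expected={expected}")
        return "drop" if self.action in ("Drop Only", "Log and Drop") else "forward"

def demo():
    """Constructed sample: a legitimate routed frame and a redirected one."""
    det = RoutingConflictDetector("10.0.0.0/24")
    det.learn_client("10.0.0.10", "10.0.0.1")
    det.learn_gateway("10.0.0.1", "00:11:22:33:44:55")
    good = det.check("10.0.0.10", "203.0.113.5", "00:11:22:33:44:55")
    bad = det.check("10.0.0.10", "203.0.113.5", "de:ad:be:ef:00:01")
    return good, bad, len(det.log)
```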
  4. Refer to the Firewall Enhanced Logging field to set the following parameters:
    Log Dropped ICMP Packets - Use the drop-down menu to define how dropped ICMP packets are logged. Options include Rate Limited, All or None; Rate Limited allows one log entry every 20 seconds. The default setting is None.
    Log Dropped Malformed Packets - Use the drop-down menu to define how dropped malformed packets are logged. Options include Rate Limited, All or None; Rate Limited allows one log entry every 20 seconds. The default setting is None.
    Enable Verbose Logging - Check this box to enable verbose logging mode for the firewall.
  5. The firewall policy allows traffic filtering at the application layer using the Application Layer Gateway feature.
    The Application Layer Gateway provides filters for the following common protocols:
    FTP ALG - Select this option to allow FTP traffic through the firewall using its default ports. This feature is enabled by default.
    TFTP ALG - Select this option to allow TFTP traffic through the firewall using its default ports. This feature is enabled by default.
    PPTP ALG - Select this option to allow PPTP traffic through the firewall using its default ports. The Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to an enterprise server by creating a VPN across TCP/IP-based data networks. PPTP encapsulates PPP packets into IP datagrams for transmission over the Internet or other public TCP/IP-based networks. This feature is enabled by default.
    SIP ALG - Select this option to allow SIP traffic through the firewall using its default ports. This feature is enabled by default.
    SCCP ALG - Select this option to allow SCCP traffic through the firewall using its default ports. This feature is enabled by default.
    Facetime ALG - Select this option to allow Facetime traffic through the firewall using its default ports. This feature is enabled by default.
    DNS ALG - Select this option to allow DNS traffic through the firewall using its default ports. This feature is enabled by default.
  6. Select the Enable Stateful DHCP Checks check box to enable the stateful checks of DHCP packet traffic through the firewall.
    The default setting is enabled. When enabled, all DHCP traffic flows are inspected.
  7. Define Flow Timeout intervals for the following flow types impacting the firewall:
    TCP Close Wait - Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 10 seconds.
    TCP Established - Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 90 minutes.
    TCP Reset - Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 10 seconds.
    TCP Setup - Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 10 seconds.
    Stateless TCP Flow - Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 90 seconds.
    Stateless FIN/RESET Flow - Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 10 seconds.
    ICMP - Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 30 seconds.
    UDP - Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 30 seconds.
    Any Other Flow - Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 30 seconds.
  8. Refer to the TCP Protocol Checks field to set the following parameters:
    Check TCP states where a SYN packet tears down the flow - Select the check box to allow a SYN packet to delete an old flow in TCP_FIN_FIN_STATE or TCP_CLOSED_STATE and create a new flow. The default setting is enabled.
    Check unnecessary resends of TCP packets - Select the check box to enable checking for unnecessary resends of TCP packets. The default setting is enabled.
    Check Sequence Number in ICMP Unreachable error packets - Select the check box to enable sequence number checks in ICMP unreachable error packets when an established TCP flow is aborted. The default setting is enabled.
    Check Acknowledgment Number in RST packets - Select the check box to enable checking of the acknowledgment number in RST packets that abort a TCP flow in the SYN state. The default setting is enabled.
    Check Sequence Number in RST packets - Select the check box to check the sequence number in RST packets that abort an established TCP flow. The default setting is enabled.
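    Three of the checks above (SYN teardown of a closed flow, the acknowledgment number of an RST in the SYN state, and the sequence number of an RST on an established flow), modelled as an added Python example that is not the product's code. The flow state, the client's initial sequence number and the receive window are per-flow values a stateful firewall learns from the handshake; the values used here are constructed.

```python
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # TCP sequence numbers wrap at 2**32

@dataclass
class Flow:
    state: str             # "SYN", "ESTABLISHED", "FIN_FIN" or "CLOSED"
    client_isn: int        # client's initial sequence number (from its SYN)
    rcv_nxt: int = 0       # next sequence number expected from the peer
    rcv_wnd: int = 65535   # receive window advertised to the peer

def seq_in_window(seq, flow):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    lo, hi = flow.rcv_nxt, (flow.rcv_nxt + flow.rcv_wnd) & MASK
    return lo <= seq < hi if lo <= hi else (seq >= lo or seq < hi)

def check_rst(flow, seq, ack, check_ack=True, check_seq=True):
    """Verdict for an RST segment: 'abort' the flow or 'drop' the segment.

    check_ack models 'Check Acknowledgment Number in RST packets' (SYN state);
    check_seq models 'Check Sequence Number in RST packets' (established flow).
    """
    if flow.state == "SYN":
        # An RST refusing the connection must acknowledge the SYN: ack = ISN + 1
        if check_ack and ack != (flow.client_isn + 1) & MASK:
            return "drop"      # RST carries the wrong ack number: not a real reply
        return "abort"
    if flow.state == "ESTABLISHED":
        # A spoofed off-path RST can only guess; require seq inside the window
        if check_seq and not seq_in_window(seq, flow):
            return "drop"
        return "abort"
    return "drop"              # nothing to abort on a half-closed or closed flow

def check_syn(flow, check_states=True):
    """Model of 'Check TCP states where a SYN packet tears down the flow'."""
    if check_states and flow.state in ("FIN_FIN", "CLOSED"):
        return "new-flow"      # stale flow deleted, fresh flow created for the SYN
    return "keep"              # existing flow stays until its timeout expires
```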
  9. Select OK to update the firewall policy's advanced common settings.
    Select Reset to revert to the last saved configuration.
  10. Select the IPv6 Settings tab.
  11. Refer to the IPv6 Firewall Enable option to provide firewall support to IPv6 packet streams.
    This setting is enabled by default. Disabling IPv6 firewall support also disables proxy neighbor discovery.

    IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. These hosts require firewall packet protection unique to IPv6 traffic, as IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

  12. Select IPv6 Rewrite Flow Label to provide flow label rewrites for each IPv6 packet.
    A flow is a sequence of packets from a particular source to a particular (unicast or multicast) destination. The flow label helps keep packet streams from looking like one massive flow. Flow label rewrites are disabled by default and must be manually enabled.

    Flow label rewrites enable the re-classification of packets belonging to a specific flow. The flow label does nothing to eliminate the need for packet filtering. This setting is disabled by default.

  13. Select Enable Proxy ND to generate neighbor discovery responses on behalf of another controller, service platform or Access Point managed device.
    When enabled, any IPv6 packet received on an interface is parsed to see whether it is known to be a neighbor solicitation. This setting is enabled by default.
  14. Use the Event table to enable individual IPv6 unique events.
    IPv6 events can be individually enabled or collectively enabled/disabled using the Enable All Events and Disable All Events buttons. The Description area displays a brief description of the selected event.
    Event - The Event column lists the name of each IPv6-specific event subject to logging.
    Enable - Checking Enable sets the firewall policy to filter the associated IPv6 event based on the selection in the Action column.
    Action - If a filter is enabled, choose an action from the drop-down menu to determine how the firewall treats the associated IPv6 event.
    • Log and Drop - An entry for the associated IPv6 event is added to the log and then the packets are dropped.
    • Log Only - An entry for the associated IPv6 event is added to the log. No further action is taken.
    • Drop Only - The packet is dropped. No further action is taken.
    Log Level - To enable logging to the system log, check the box in the Log Level column. Then select a standard Syslog level from the Log Level drop-down menu.
  15. Select OK to update the firewall policy's advanced IPv6 settings.
    Select Reset to revert to the last saved configuration.