Firewall Policy Advanced Settings

About this task

IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters. Because this exchange has no IPv4 equivalent, and a spoofed router advertisement can redirect every host on the link, IPv6 traffic requires firewall packet protection of its own. Use the Advanced Settings tab to define common settings shared by IPv4 and IPv6 and settings unique to an IPv6 firewall.

To define a firewall policy's advanced settings:

Procedure

  1. Select the Advanced Settings tab.
    The Common tab is displayed by default.
    Wireless Firewall - Add/Edit - Advanced Settings - Common Tab
  2. Use the Firewall Status radio buttons to either enable or disable the firewall policy.
    The firewall is enabled by default.

    If you disable the firewall, a warning message is displayed.
  3. Refer to the General field to enable or disable the following firewall configuration parameters:
    Enable Proxy ARP Select this check box to allow the firewall policy to answer ARP requests on behalf of devices behind the firewall (proxy ARP). This feature is enabled by default.
    DHCP Broadcast to Unicast Select this check box to convert broadcast DHCP offers to unicast. Converting DHCP broadcast traffic to unicast can help reduce network traffic loads. This feature is disabled by default.
    L2 Stateful Packet Inspection Select the check box to enable stateful packet inspection for RF Domain manager routed interfaces within the Layer 2 firewall. This feature is disabled by default.
    IPMAC Conflict Enable Select this option to enable IP and MAC address conflict detection. When multiple devices on the network claim the same IP or MAC address, traffic passing through the firewall can be misdelivered or intercepted; conflict detection identifies such duplicates. This feature is disabled by default.
    IPMAC Conflict Logging Select this option to enable logging for IP and MAC address conflict detection. This feature is disabled by default.
    IPMAC Conflict Action Use the drop-down menu to set the action taken when a conflict is detected. Options include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.
    IPMAC Routing Conflict Enable Select this option to enable IPMAC Routing Conflict detection, which checks that a client sends its routed (off-subnet) packets to the correct router MAC address. This defends against the Hole 196 attack, in which an authenticated WPA2 client uses the shared group key to spoof the gateway and redirect other clients' traffic through itself.
    IPMAC Routing Conflict Logging Select this option to enable logging for IPMAC Routing Conflict detection. This feature is disabled by default.
    IPMAC Routing Conflict Action Use the drop-down menu to set the action taken when a routing conflict is detected. Options include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.
    DNS Snoop Entry Timeout Select this option and set a timeout, in seconds, for DNS snoop entries. A DNS snoop entry records a client's IP address and default gateway(s); the firewall uses this information to detect when a client sends routed packets to the wrong MAC address.
    IP TCP Adjust MSS Select this option to adjust the maximum segment size (MSS) option of TCP segments passing through the router. Set a value between 472 bytes and 1,460 bytes. The default value is 472 bytes.
    TCP MSS Clamping Select this option to enable TCP MSS clamping, which sets the maximum segment size of packets at a global level so that segments do not have to be fragmented en route.
    Max Fragments/Datagram Set the maximum number of fragments (between 2 and 8,129) a datagram may consist of; datagrams exceeding this count are dropped. The default value is 140 fragments.
    Max Defragmentations/Host Set the maximum number of datagrams (between 1 and 16,384) that may be undergoing defragmentation for a single host at one time; additional fragmented datagrams from that host are dropped. The default value is 8.
    Min Length Required Select this option and set a minimum length, between 8 bytes and 1,500 bytes, that fragments must meet to pass fragment-based attack prevention; shorter fragments are treated as a tiny-fragment attack.
    Virtual Defragmentation Select this option to enable IPv4 and IPv6 virtual defragmentation to help prevent fragment-based attacks, such as tiny fragments or an excessive number of fragments.
    Virtual Defragmentation Timeout Set a virtual defragmentation timeout from 1 to 60 seconds, applicable to both IPv4 and IPv6 packets. Fragments of a datagram that is still incomplete when the timeout expires are discarded.
  4. Refer to the Firewall Enhanced Logging field to set the following parameters:
    Log Dropped ICMP Packets Use the drop-down menu to define how dropped ICMP packets are logged. Logging can be rate limited to one log entry every 20 seconds. Options include Rate Limited, All or None. The default setting is None.
    Log Dropped Malformed Packets Use the drop-down menu to define how dropped malformed packets are logged. Logging can be rate limited to one log entry every 20 seconds. Options include Rate Limited, All or None. The default setting is None.
    Enable Verbose Logging Check this box to enable verbose logging mode for the firewall.
  5. The firewall policy can filter traffic at the application layer using Application Layer Gateways (ALGs).
    An ALG inspects a protocol's control channel and opens the dynamically negotiated data connections (for example, the FTP data connection or the GRE tunnel that PPTP sets up) that a port-based rule alone would block. ALGs are provided for the following common protocols:
    FTP ALG Select this option to allow FTP traffic through the firewall using its default ports. This feature is enabled by default.
    TFTP ALG Select this option to allow TFTP traffic through the firewall using its default ports. This feature is enabled by default.
    PPTP ALG Select this option to allow PPTP traffic through the firewall using its default ports. The Point-to-Point Tunneling Protocol (PPTP) builds a VPN across TCP/IP-based networks by encapsulating PPP packets in GRE over IP; the ALG tracks the control connection so that the GRE tunnel it negotiates is admitted. Note that PPTP's MS-CHAP authentication is considered broken, so it should not be relied on for confidentiality. This feature is enabled by default.
    SIP ALG Select this option to allow SIP traffic through the firewall using its default ports. This feature is enabled by default.
    SCCP ALG Select this option to allow SCCP traffic through the firewall using its default ports. This feature is enabled by default.
    Facetime ALG Select this option to allow Facetime traffic through the firewall using its default ports. This feature is enabled by default.
    DNS ALG Select this option to allow DNS traffic through the firewall using its default ports. This feature is enabled by default.
  6. Select the Enable Stateful DHCP Checks check box to enable the stateful checks of DHCP packet traffic through the firewall.
    The default setting is enabled. When enabled, all DHCP traffic flows are inspected.
  7. Define Flow Timeout intervals for the following flow types impacting the firewall:
    TCP Close Wait Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 10 seconds.
    TCP Established Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 90 minutes.
    TCP Reset Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 10 seconds.
    TCP Setup Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 10 seconds.
    Stateless TCP Flow Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 90 seconds.
    Stateless FIN/RESET Flow Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 10 seconds.
    ICMP Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 30 seconds.
    UDP Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 30 seconds.
    Any Other Flow Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 30 seconds.
  8. Refer to the TCP Protocol Checks field to set the following parameters:
    Check TCP states where a SYN packet tears down the flow Select the check box to allow a new SYN packet to delete an old flow that is in TCP_FIN_FIN_STATE or TCP_CLOSED_STATE and create a new flow in its place. The default setting is enabled.
    Check unnecessary resends of TCP packets Select the check box to enable checking for unnecessary resends of TCP packets, that is, retransmissions of data the receiver has already acknowledged. The default setting is enabled.
    Check Sequence Number in ICMP Unreachable error packets Select the check box to verify the TCP sequence number embedded in an ICMP unreachable error packet before the error is allowed to abort an established TCP flow; a spoofed ICMP error with an out-of-window sequence number is dropped. The default setting is enabled.
    Check Acknowledgment Number in RST packets Select the check box to check the acknowledgment number in RST packets before they are allowed to abort a TCP flow in the SYN state; an RST whose acknowledgment number does not match the SYN is dropped. The default setting is enabled.
    Check Sequence Number in RST packets Select the check box to check that the sequence number in RST packets falls within the flow's receive window before they are allowed to abort an established TCP flow; this mitigates blind reset attacks. The default setting is enabled.
  9. Select OK to update the firewall policy's advanced common settings.
    Select Reset to revert to the last saved configuration.
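The IP/MAC conflict and IPMAC routing conflict checks configured in step 3 can be modelled as a small binding table plus a gateway check. The following Python is an added example written for this page, not code from the WiNG firewall; the frame fields, the binding table seeded as DHCP snooping would seed it, the single learned gateway MAC, and the action names are assumptions, and the frames in the demo are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    """The fields a firewall needs from one client frame (constructed, not a capture)."""
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str


@dataclass
class ConflictDetector:
    subnet: str                            # the client subnet, e.g. "10.0.0.0/24"
    gateway_mac: str                       # assumed: learned for the default gateway (e.g. via DHCP snooping)
    ipmac_action: str = "log-and-drop"     # page options: log-only, drop-only, log-and-drop
    routing_action: str = "log-and-drop"
    ip_to_mac: dict = field(default_factory=dict)   # learned bindings, IP -> MAC
    mac_to_ip: dict = field(default_factory=dict)   # learned bindings, MAC -> IP
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.subnet)

    def learn(self, ip, mac):
        """Seed or extend the binding table (a real firewall would do this from DHCP snooping)."""
        self.ip_to_mac[ip] = mac
        self.mac_to_ip[mac] = ip

    def _act(self, action, kind, frame):
        """Apply the configured action and return the verdict for the frame."""
        if action in ("log-only", "log-and-drop"):
            self.log.append(f"{kind} src={frame.src_mac}/{frame.src_ip} "
                            f"dst={frame.dst_mac}/{frame.dst_ip}")
        return "drop" if action in ("drop-only", "log-and-drop") else "forward"

    def check(self, frame):
        # IP/MAC conflict: the sender claims an IP already bound to another MAC,
        # or a MAC already bound to another IP.
        if (self.ip_to_mac.get(frame.src_ip, frame.src_mac) != frame.src_mac
                or self.mac_to_ip.get(frame.src_mac, frame.src_ip) != frame.src_ip):
            return self._act(self.ipmac_action, "ipmac-conflict", frame)
        if frame.src_ip not in self.ip_to_mac:
            self.learn(frame.src_ip, frame.src_mac)
        # Routing conflict: a packet for a destination outside the subnet must be
        # addressed to the gateway's MAC. Anything else means the client has been
        # tricked into sending its routed traffic to another station.
        if (ipaddress.ip_address(frame.dst_ip) not in self.net
                and frame.dst_mac != self.gateway_mac):
            return self._act(self.routing_action, "ipmac-routing-conflict", frame)
        return "forward"


if __name__ == "__main__":
    det = ConflictDetector("10.0.0.0/24", "00:11:22:33:44:01")
    det.learn("10.0.0.10", "aa:bb:cc:00:00:10")
    victim, attacker, gw = "aa:bb:cc:00:00:10", "aa:bb:cc:00:00:66", "00:11:22:33:44:01"
    for frame in (
        Frame(victim, "10.0.0.10", gw, "93.184.216.34"),        # normal routed traffic
        Frame(attacker, "10.0.0.10", gw, "93.184.216.34"),      # attacker spoofs the victim's IP
        Frame(victim, "10.0.0.10", attacker, "93.184.216.34"),  # victim redirected to the attacker
    ):
        print(det.check(frame))
    print("\n".join(det.log))
```

With Log Only selected for the routing check, the redirected frame is still forwarded but a log entry is written, which is what you want while validating that the gateway MAC the firewall learned is the right one before switching to Log and Drop.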
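The Max Fragments/Datagram, Max Defragmentations/Host, Min Length Required, Virtual Defragmentation and Virtual Defragmentation Timeout settings in step 3 act together as one reassembly-tracking state machine. The following Python is an added example, not the WiNG implementation: it tracks byte ranges rather than buffering payloads (which is what "virtual" defragmentation means), interprets Min Length Required as the smallest acceptable non-final fragment, adds an overlap check of its own, and uses constructed fragments and a 1-second timeout.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    src: str        # source IP
    ident: int      # IP identification field shared by all fragments of a datagram
    offset: int     # byte offset of this fragment's payload within the datagram
    more: bool      # More Fragments flag
    length: int     # payload bytes in this fragment
    ts: float       # arrival time in seconds


@dataclass
class DefragPolicy:
    max_fragments_per_datagram: int = 140   # page default
    max_defrag_per_host: int = 8            # page default
    min_length: int = 8                     # assumed meaning: smallest acceptable non-final fragment
    timeout: float = 1.0                    # seconds, inside the page's 1 to 60 s range


class VirtualDefragmenter:
    """Tracks which byte ranges of each datagram have arrived without buffering payloads."""

    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}   # (src, ident) -> {"ranges": [(start, end)], "first": ts, "total": int|None}
        self.events = []     # (reason, key) tuples a firewall would log

    def _expire(self, now):
        for key, s in list(self.sessions.items()):
            if now - s["first"] > self.policy.timeout:
                self.events.append(("timeout", key))
                del self.sessions[key]

    def _reject(self, reason, key):
        self.events.append((reason, key))
        self.sessions.pop(key, None)     # abandon the whole datagram, not just this fragment
        return "drop"

    def accept(self, frag):
        p = self.policy
        self._expire(frag.ts)
        key = (frag.src, frag.ident)
        # Tiny-fragment check: a non-final fragment shorter than min_length cannot carry
        # a complete transport header, which is how tiny fragments evade port filters.
        if frag.more and frag.length < p.min_length:
            return self._reject("tiny-fragment", key)
        sess = self.sessions.get(key)
        if sess is None:
            if sum(1 for s, _ in self.sessions if s == frag.src) >= p.max_defrag_per_host:
                return self._reject("host-limit", key)
            sess = self.sessions[key] = {"ranges": [], "first": frag.ts, "total": None}
        start, end = frag.offset, frag.offset + frag.length
        # Overlapping fragments (teardrop style) are never legitimate.
        if any(start < e and s < end for s, e in sess["ranges"]):
            return self._reject("overlapping-fragment", key)
        sess["ranges"].append((start, end))
        if len(sess["ranges"]) > p.max_fragments_per_datagram:
            return self._reject("fragment-limit", key)
        if not frag.more:
            sess["total"] = end              # the last fragment fixes the datagram length
        if sess["total"] is not None:
            pos = 0
            for s, e in sorted(sess["ranges"]):
                if s != pos:
                    break                    # a gap remains
                pos = e
            if pos == sess["total"]:
                del self.sessions[key]
                return "complete"
        return "pending"


if __name__ == "__main__":
    d = VirtualDefragmenter(DefragPolicy())
    # constructed 2,500-byte datagram arriving as three out-of-order fragments
    for frag in (Fragment("10.0.0.5", 1, 0, True, 1000, 0.0),
                 Fragment("10.0.0.5", 1, 2000, False, 500, 0.1),
                 Fragment("10.0.0.5", 1, 1000, True, 1000, 0.2)):
        print(d.accept(frag))
    print(d.accept(Fragment("10.0.0.6", 2, 0, True, 4, 0.3)), d.events)   # tiny fragment
```

The per-host limit is what keeps a single client from pinning down reassembly state for everyone else; when you raise Max Defragmentations/Host above the default of 8, make sure the timeout is short enough that an attacker cannot hold those slots open with never-completing datagrams.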
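The TCP protocol checks in step 8 are easiest to understand as a per-flow state tracker that validates RST and data segments against what it has already seen. The following Python is an added example, not WiNG code; the fixed 64 KiB receive window used for the in-window tests, the four state names, and the segment values in the demo are assumptions constructed for this illustration, and 32-bit sequence-number wrap-around is not handled.

```python
from dataclasses import dataclass, field

WINDOW = 65535  # assumed receive window for the "in window" tests


@dataclass(frozen=True)
class Segment:
    src: tuple            # (ip, port)
    dst: tuple
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    ack: int = 0
    length: int = 0       # payload bytes


@dataclass
class Flow:
    client: tuple
    server: tuple
    state: str                                  # SYN, SYNACK, ESTABLISHED, FIN_FIN, CLOSED
    nxt: dict = field(default_factory=dict)     # direction -> next sequence number expected from it
    fins: set = field(default_factory=set)


class TcpChecker:
    """Per-flow tracker applying the page's TCP protocol checks (sequence wrap is not handled)."""

    def __init__(self, syn_tears_down=True, check_resends=True,
                 check_rst_ack=True, check_rst_seq=True):
        self.syn_tears_down = syn_tears_down
        self.check_resends = check_resends
        self.check_rst_ack = check_rst_ack
        self.check_rst_seq = check_rst_seq
        self.flows = {}
        self.log = []

    def _drop(self, reason, seg):
        self.log.append(f"drop {seg.src}->{seg.dst} seq={seg.seq}: {reason}")
        return "drop"

    def handle(self, seg):
        key = tuple(sorted((seg.src, seg.dst)))
        flow = self.flows.get(key)
        f = seg.flags
        if "SYN" in f and "ACK" not in f:
            if flow is not None:
                if flow.state in ("FIN_FIN", "CLOSED") and self.syn_tears_down:
                    del self.flows[key]          # a fresh SYN replaces a finished flow
                else:
                    return self._drop("SYN for a live flow", seg)
            self.flows[key] = Flow(seg.src, seg.dst, "SYN", {"c2s": seg.seq + 1})
            return "accept"
        if flow is None or flow.state == "CLOSED":
            return self._drop("no live flow", seg)
        d = "c2s" if seg.src == flow.client else "s2c"
        if "RST" in f:
            if flow.state == "SYN":
                # Only the server's RST acknowledging the client's ISN+1 may abort the setup.
                if self.check_rst_ack and (d != "s2c" or seg.ack != flow.nxt["c2s"]):
                    return self._drop("RST ack number does not match the SYN", seg)
            elif self.check_rst_seq:
                expected = flow.nxt.get(d)
                if expected is None or not expected <= seg.seq < expected + WINDOW:
                    return self._drop("RST sequence number out of window", seg)
            flow.state = "CLOSED"
            return "accept"
        if flow.state == "SYN":
            if d == "s2c" and {"SYN", "ACK"} <= f and seg.ack == flow.nxt["c2s"]:
                flow.nxt["s2c"] = seg.seq + 1
                flow.state = "SYNACK"
                return "accept"
            return self._drop("unexpected segment during setup", seg)
        if flow.state == "SYNACK":
            if d == "c2s" and "ACK" in f and seg.ack == flow.nxt["s2c"]:
                flow.state = "ESTABLISHED"     # the handshake ACK may carry data, handled below
            else:
                return self._drop("unexpected segment during setup", seg)
        expected = flow.nxt[d]
        if self.check_resends and seg.length and seg.seq + seg.length <= expected:
            return self._drop("unnecessary resend of already received data", seg)
        if seg.seq >= expected + WINDOW:
            return self._drop("sequence number beyond the window", seg)
        flow.nxt[d] = max(expected, seg.seq + seg.length + (1 if "FIN" in f else 0))
        if "FIN" in f:
            flow.fins.add(d)
            if flow.fins == {"c2s", "s2c"}:
                flow.state = "FIN_FIN"
        return "accept"


if __name__ == "__main__":
    c, s = ("10.0.0.10", 40000), ("93.184.216.34", 443)
    t = TcpChecker()
    for seg in (Segment(c, s, frozenset({"SYN"}), seq=1000),
                Segment(s, c, frozenset({"SYN", "ACK"}), seq=5000, ack=1001),
                Segment(c, s, frozenset({"ACK"}), seq=1001, ack=5001),
                Segment(s, c, frozenset({"RST"}), seq=900000),   # blind reset, out of window
                Segment(s, c, frozenset({"RST"}), seq=5001)):    # genuine reset
        print(t.handle(seg))
    print("\n".join(t.log))
```

The blind reset in the demo is dropped because an attacker who only knows the four-tuple must also guess a sequence number inside the receiver's window; the genuine reset with the expected sequence number is accepted, after which the next SYN on the same four-tuple tears the closed flow down and starts a new one, which is the behaviour the first check box in step 8 controls.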