Use the basic settings to define the common firewall policy settings.
| Setting | Description |
|---|---|
| Enable Proxy ARP | Select Enable Proxy ARP to allow the Firewall Policy to use Proxy ARP responses for this policy on behalf of another device. Proxy ARP allows the firewall to handle ARP routing requests for devices behind the firewall. This feature is selected by default |
| DHCP Broadcast to Unicast | Select DHCP Broadcast to Unicast for the conversion of broadcast DHCP offers to unicast. Converting DHCP broadcast traffic to unicast traffic can help reduce network traffic loads. This feature is not selected by default |
| L2 Stateful Packet Inspection | Select L2 Stateful Packet Inspection for stateful packet inspection for RF Domain manager routed interfaces within the Layer 2 firewall. This feature is not activated by default |
| TCP MSS Clamping | Select TCP MSS Clamping for TCP MSS Clamping. TCP MSS Clamping allows for the configuration of the maximum segment size of packets at a global level |
| IPMAC Conflict Enable | When multiple devices on the network have the same IP or MAC address this can create routing issues for traffic being passed through the firewall. To avoid these issues, select IPMAC Conflict Enable for IP and MAC conflict detection. This feature is selected by default |
| IPMAC Conflict Action | Use the drop-down list box to set the action taken when an attack is detected. Options include Log Only, Drop Only, or Log and Drop. The default setting is Log and Drop |
| IPMAC Conflict Logging | Select IPMAC Conflict Logging for logging for IP and MAC address conflict detection. The default selection is Warnings |
| IP TCP Adjust MSS | Select IP TCP Adjust MSS and adjust the value for the maximum segment size (MSS) for TCP segments on the router. Set a value between 472 bytes and 1,460 bytes to adjust the MSS segment size. The default value is 0 |
| IPMAC Routing Conflict Enable | Select IPMAC Routing Conflict Enable for IPMAC Routing Conflict detection. This is also known as a Hole-196 attack in the network. This feature helps to detect if the client is sending routed packets to the correct router-mac-address |
| IPMAC Routing Conflict Action | Use the drop-down list box to set the action taken when an attack is detected. Options include Log Only, Drop Only, or Log and Drop. The default setting is Log and Drop |
| IPMAC Routing Conflict Logging | Select IPMAC Routing Conflict Logging for conflict detection |
| DNS Snoop Entry Timeout | Set a timeout in seconds for DNS Snoop Entry. DNS Snoop Entry stores information such as Client to IP Address and Client to Default Gateways and uses this information to detect if the client is sending routed packets to a wrong MAC address. The range is 30 through 86.400 seconds, and the default value is 1,800 seconds |
| Virtual Defragmentation | Select Virtual Defragmentation for IPv4 and IPv6 virtual defragmentation to help prevent fragment based attacks, such as tiny fragments or large number of fragments |
| Virtual Defragmentation Timeout | Set a virtual defragmentation timeout from 1 to 60 seconds applicable to both IPv4 and IPv6 packets. The default value is 1 |
| Max Defragmentations/Datagram | Set a value for the maximum number of defragments between 2 and 8,129 allowed in a datagram before it is dropped. The default value is 140 |
| Max Fragments/Host | Set a value for the maximum number of fragments, between 1 and 16,384 allowed per host before it is dropped. The default value is 8 |
| Min Length Required | Select Min Length Required to set a minimum length between 8 bytes and 1,500 bytes to enforce a minimum packet size before being subject to fragment based attack prevention |
| Setting | Description |
|---|---|
| Log Dropped ICMP Packets | Use the drop-down list box to define how dropped ICMP packets are logged. Logging can be rate limited for one log instance every 20 seconds. Options include Rate Limited, All, or <none>. The default setting is <none> |
| Log Dropped Malformed Packets | Use the drop-down list box to define how dropped malformed packets are logged. Logging can be rate limited for one log instance every 20 seconds. Options include Rate Limited, All, or <none>. The default setting is <none> |
| Enable Verbose Logging | Toggle to activate verbose logging mode for the firewall |
| Enable Stateful DHCP Checks | Toggle to activate stateful DHCP checks for the firewall |
| Setting | Description |
|---|---|
| FTP ALG | Select FTP ALG to allow FTP traffic through the firewall using its default ports. This feature is selected by default |
| TFTP ALG | Select TFTP ALGto allow TFTP traffic through the firewall using its default ports. This feature is selected by default |
| PPTP ALG | Select PPTP ALGto allow PPTP traffic through the firewall using its default ports. The Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to an enterprise server by creating a VPN across TCP/IP-based data networks. PPTP encapsulates PPP packets into IP datagrams for transmission over the Internet or other public TCP/IP-based networks. This feature is selected by default |
| SIP ALG | Select SIP ALG to allow SIP traffic through the firewall using its default ports. This feature is not selected by default |
| SCCP ALG | Select SCCP ALGto allow SCCP traffic through the firewall using its default ports. This feature is not selected by default |
| Facetime ALG | Select Facetime ALG to allow Facetime traffic through the firewall using its default ports. This feature is not selected by default |
| DNS ALG | Select DNS ALG to allow DNS traffic through the firewall using its default ports. This feature is selected by default |
| Setting | Description |
|---|---|
| TCP Close Wait | Define a flow timeout value in seconds (1 to 32,400). The default setting is 10 seconds |
| TCP Established | Define a flow timeout value in seconds (1 to 32,400). The default setting is 5,400 seconds |
| TCP Reset | Define a flow timeout value in seconds (1 to 32,400). The default setting is 10 seconds |
| TCP Setup | Define a flow timeout value in seconds (1 to 32,400). The default setting is 10 seconds |
| Stateless TCP Flow | Define a flow timeout value in seconds (1 to 32,400). The default setting is 90 seconds |
| Stateless FIN/RESET Flow | Define a flow timeout value in seconds (1 to 32,400). The default setting is 10 seconds. |
| ICMP | Define a flow timeout value in seconds (1 to 32,400). The default setting is 30 seconds |
| UDP | Define a flow timeout value in seconds (15 to 32,400). The default setting is 30 seconds |
| Any Other Flow | Define a flow timeout value in seconds (1 to 32,400). The default setting is 30 seconds |
| Setting | Description |
|---|---|
| Check TCP states where a SYN packet tears down the flow | This option allows a SYN packet to delete an old flow in TCP_FIN_FIN_STATE and TCP_CLOSED_STATE and creates a new flow |
| Check unnecessary resends of TCP packets | This option allows the checking of unnecessary resends of TCP packets |
| Check sequence number in ICMP Unreachable error packets | This option allows sequence number checks in ICMP unreachable error packets when an established TCP flow is stopped |
| Check acknowledgment number in RST packets | This option allows the checking of the acknowledgment number in RST packets which stops a TCP flow in the SYN state |
| Check sequence number in RST packets | This option checks the sequence number in RST packets which stops an established TCP flow |