Basic Firewall Policy Settings

About this task

Use the basic settings to define the common firewall policy settings.

Procedure

  1. Select the Basic tab.
  2. Configure or modify the Firewall Status settings.
    Firewall Status is selected by default. Toggle it to turn the firewall off.
  3. Configure the following settings for new or existing firewall status:
    Enable Proxy ARP: Select Enable Proxy ARP to allow the Firewall Policy to send Proxy ARP responses on behalf of another device. Proxy ARP lets the firewall answer ARP requests for devices behind the firewall. This feature is selected by default.
    DHCP Broadcast to Unicast: Select DHCP Broadcast to Unicast to convert broadcast DHCP offers to unicast. Converting DHCP broadcast traffic to unicast can reduce the network traffic load. This feature is not selected by default.
    L2 Stateful Packet Inspection: Select L2 Stateful Packet Inspection to apply stateful packet inspection to RF Domain manager routed interfaces within the Layer 2 firewall. This feature is not activated by default.
    TCP MSS Clamping: Select TCP MSS Clamping to configure the maximum segment size of TCP packets at a global level.
    IPMAC Conflict Enable: When multiple devices on the network share the same IP or MAC address, traffic passing through the firewall can be misrouted. To avoid this, select IPMAC Conflict Enable to detect IP and MAC conflicts. This feature is selected by default.
    IPMAC Conflict Action: Use the drop-down list box to set the action taken when an attack is detected. Options include Log Only, Drop Only, or Log and Drop. The default setting is Log and Drop.
    IPMAC Conflict Logging: Select IPMAC Conflict Logging to log IP and MAC address conflict detection events. The default selection is Warnings.
    IP TCP Adjust MSS: Select IP TCP Adjust MSS and set the maximum segment size (MSS) for TCP segments on the router, between 472 bytes and 1,460 bytes. The default value is 0.
    IPMAC Routing Conflict Enable: Select IPMAC Routing Conflict Enable to detect IPMAC routing conflicts, also known as a Hole-196 attack. This feature detects whether a client is sending routed packets to the correct router MAC address.
    IPMAC Routing Conflict Action: Use the drop-down list box to set the action taken when an attack is detected. Options include Log Only, Drop Only, or Log and Drop. The default setting is Log and Drop.
    IPMAC Routing Conflict Logging: Select IPMAC Routing Conflict Logging to log routing conflict detection events.
    DNS Snoop Entry Timeout: Set a timeout in seconds for DNS Snoop entries. DNS Snoop stores information such as client-to-IP-address and client-to-default-gateway mappings and uses it to detect a client sending routed packets to the wrong MAC address. The range is 30 through 86,400 seconds; the default value is 1,800 seconds.
    Virtual Defragmentation: Select Virtual Defragmentation to enable IPv4 and IPv6 virtual defragmentation, which helps prevent fragment-based attacks such as tiny fragments or a large number of fragments.
    Virtual Defragmentation Timeout: Set a virtual defragmentation timeout from 1 to 60 seconds, applicable to both IPv4 and IPv6 packets. The default value is 1.
    Max Defragmentations/Datagram: Set the maximum number of fragments, between 2 and 8,129, allowed in a datagram before it is dropped. The default value is 140.
    Max Fragments/Host: Set the maximum number of fragments, between 1 and 16,384, allowed per host before they are dropped. The default value is 8.
    Min Length Required: Select Min Length Required to set a minimum length between 8 bytes and 1,500 bytes, enforcing a minimum packet size before packets are subject to fragment-based attack prevention.
  4. Configure the following settings for new or existing firewall enhanced logging:
    Log Dropped ICMP Packets: Use the drop-down list box to define how dropped ICMP packets are logged. Logging can be rate limited to one log entry every 20 seconds. Options include Rate Limited, All, or <none>. The default setting is <none>.
    Log Dropped Malformed Packets: Use the drop-down list box to define how dropped malformed packets are logged. Logging can be rate limited to one log entry every 20 seconds. Options include Rate Limited, All, or <none>. The default setting is <none>.
    Enable Verbose Logging: Toggle to activate verbose logging mode for the firewall.
    Enable Stateful DHCP Checks: Toggle to activate stateful DHCP checks for the firewall.
  5. Configure the following settings for new or existing firewall application layer gateways:
    FTP ALG: Select FTP ALG to allow FTP traffic through the firewall using its default ports. This feature is selected by default.
    TFTP ALG: Select TFTP ALG to allow TFTP traffic through the firewall using its default ports. This feature is selected by default.
    PPTP ALG: Select PPTP ALG to allow PPTP traffic through the firewall using its default ports. The Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to an enterprise server by creating a VPN across TCP/IP-based data networks. PPTP encapsulates PPP packets into IP datagrams for transmission over the Internet or other public TCP/IP-based networks. This feature is selected by default.
    SIP ALG: Select SIP ALG to allow SIP traffic through the firewall using its default ports. This feature is not selected by default.
    SCCP ALG: Select SCCP ALG to allow SCCP traffic through the firewall using its default ports. This feature is not selected by default.
    Facetime ALG: Select Facetime ALG to allow Facetime traffic through the firewall using its default ports. This feature is not selected by default.
    DNS ALG: Select DNS ALG to allow DNS traffic through the firewall using its default ports. This feature is selected by default.
  6. Define flow timeout intervals for the following flow types handled by the firewall:
    TCP Close Wait: Define a flow timeout value in seconds (1 to 32,400). The default setting is 10 seconds.
    TCP Established: Define a flow timeout value in seconds (1 to 32,400). The default setting is 5,400 seconds.
    TCP Reset: Define a flow timeout value in seconds (1 to 32,400). The default setting is 10 seconds.
    TCP Setup: Define a flow timeout value in seconds (1 to 32,400). The default setting is 10 seconds.
    Stateless TCP Flow: Define a flow timeout value in seconds (1 to 32,400). The default setting is 90 seconds.
    Stateless FIN/RESET Flow: Define a flow timeout value in seconds (1 to 32,400). The default setting is 10 seconds.
    ICMP: Define a flow timeout value in seconds (1 to 32,400). The default setting is 30 seconds.
    UDP: Define a flow timeout value in seconds (15 to 32,400). The default setting is 30 seconds.
    Any Other Flow: Define a flow timeout value in seconds (1 to 32,400). The default setting is 30 seconds.
  7. Configure the TCP Protocol Checks to set the following parameters:
    The TCP Protocol Checks are selected by default.
    Check TCP states where a SYN packet tears down the flow: This option allows a SYN packet to delete an old flow in TCP_FIN_FIN_STATE or TCP_CLOSED_STATE and create a new flow.
    Check unnecessary resends of TCP packets: This option enables checking for unnecessary resends of TCP packets.
    Check sequence number in ICMP Unreachable error packets: This option enables sequence number checks in ICMP Unreachable error packets that stop an established TCP flow.
    Check acknowledgment number in RST packets: This option enables checking of the acknowledgment number in RST packets that stop a TCP flow in the SYN state.
    Check sequence number in RST packets: This option checks the sequence number in RST packets that stop an established TCP flow.
  8. Select Save to update the firewall basic settings.
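As an added example, not part of this documentation or the vendor's code, the Python model below shows how the Virtual Defragmentation settings from step 3 fit together: it validates the configured ranges and applies the timeout, per-datagram limit, per-host limit and minimum length to a constructed sequence of fragments. Treating the fragment with the "more fragments" flag clear as completing the datagram is an assumption that simplifies real reassembly.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass
class DefragPolicy:
    """Virtual Defragmentation settings; defaults and ranges are those on the Basic tab."""
    timeout: int = 1                    # Virtual Defragmentation Timeout, 1 to 60 seconds
    max_frags_per_datagram: int = 140   # Max Defragmentations/Datagram, 2 to 8,129
    max_frags_per_host: int = 8         # Max Fragments/Host, 1 to 16,384
    min_length: int = 8                 # Min Length Required, 8 to 1,500 bytes

    def __post_init__(self):
        for name, val, lo, hi in (("timeout", self.timeout, 1, 60),
                                  ("max_frags_per_datagram", self.max_frags_per_datagram, 2, 8129),
                                  ("max_frags_per_host", self.max_frags_per_host, 1, 16384),
                                  ("min_length", self.min_length, 8, 1500)):
            if not lo <= val <= hi:
                raise ValueError(f"{name}={val} is outside {lo}..{hi}")

class VirtualDefrag:
    """Model of the fragment tracker (assumed behaviour, not the vendor's implementation)."""
    def __init__(self, policy: DefragPolicy):
        self.policy = policy
        self.datagrams: Dict[Tuple[str, str, int], dict] = {}  # (src, dst, ip_id) -> state
        self.per_host: Dict[str, int] = {}                     # src -> fragments held

    def _release(self, key):
        self.per_host[key[0]] -= self.datagrams.pop(key)["count"]

    def inspect(self, src, dst, ip_id, length, more, now) -> str:
        """Return 'pass', 'pass:complete' or a drop reason for one fragment."""
        for key in [k for k, s in self.datagrams.items() if now - s["first"] > self.policy.timeout]:
            self._release(key)                     # partial datagram waited too long
        if length < self.policy.min_length:
            return "drop:below-min-length"         # tiny-fragment protection
        key = (src, dst, ip_id)
        state = self.datagrams.setdefault(key, {"first": now, "count": 0})
        if state["count"] + 1 > self.policy.max_frags_per_datagram:
            self._release(key)                     # too many pieces for one datagram
            return "drop:datagram-fragment-limit"
        if self.per_host.get(src, 0) + 1 > self.policy.max_frags_per_host:
            if state["count"] == 0:
                del self.datagrams[key]            # do not keep an empty entry
            return "drop:host-fragment-limit"
        state["count"] += 1
        self.per_host[src] = self.per_host.get(src, 0) + 1
        if not more:                               # last fragment: datagram complete (assumed in order)
            self._release(key)
            return "pass:complete"
        return "pass"
```

The constructed addresses and fragment sizes in the test are illustrative only; lowering the limits, as the test does, makes the limit checks observable with a handful of fragments.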