Configure a Basic Firewall Policy

To configure or modify basic Firewall policy settings:

  1. Choose from the following actions:
    • If you are in the process of configuring a new Firewall policy, proceed to the next step.
    • If you want to modify basic policy settings, go to Policy > Wireless Firewall > Firewall Policy, then select adjacent to the policy you want to modify. Proceed to the next step, and modify the basic settings in accordance with the steps in this procedure.

  2. Select the Basic tab.
  3. Under the Firewall Status pane, configure or modify parameters as described in Firewall Status Parameters.
    The Firewall Status feature is enabled by default. Select the toggle to deactivate the firewall status feature.
    Table 1. Firewall Status Parameters
    Enable Proxy ARP: Select Enable Proxy ARP to allow the Firewall Policy to send Proxy ARP responses on behalf of another device. Proxy ARP allows the firewall to answer ARP requests for devices behind the firewall. This feature is selected by default.
    DHCP Broadcast to Unicast: Select DHCP Broadcast to Unicast to convert broadcast DHCP offers to unicast. Converting DHCP broadcast traffic to unicast can help reduce network traffic load. This feature is not selected by default.
    L2 Stateful Packet Inspection: Select L2 Stateful Packet Inspection to enable stateful packet inspection for RF Domain manager routed interfaces within the Layer 2 firewall. This feature is not activated by default.
    TCP MSS Clamping: Select TCP MSS Clamping to enable clamping of the TCP maximum segment size. TCP MSS Clamping allows the maximum segment size of packets to be configured at a global level.
    IPMAC Conflict Enable: When multiple devices on the network have the same IP or MAC address, this can create routing issues for traffic passing through the firewall. To avoid these issues, select IPMAC Conflict Enable to enable IP and MAC conflict detection. This feature is selected by default.
    IPMAC Conflict Action: Use the drop-down list to select the action taken when an attack is detected. Options include Log Only, Drop Only, or Log and Drop. The default setting is Log and Drop.
    IPMAC Conflict Logging: Select IPMAC Conflict Logging to enable logging for IP and MAC address conflict detection. The default selection is Warnings.
    IP TCP Adjust MSS: Select IP TCP Adjust MSS and adjust the value of the maximum segment size (MSS) for TCP segments on the router. Set a value in the range 472 – 1,460 bytes to adjust the MSS segment size. The default value is 0.
    IPMAC Routing Conflict Enable: Select IPMAC Routing Conflict Enable to enable IPMAC Routing Conflict detection. This is also known as a Hole-196 attack in the network. This feature helps to detect whether the client is sending routed packets to the correct router MAC address.
    IPMAC Routing Conflict Action: Use the drop-down list box to set the action taken when an attack is detected. Options include Log Only, Drop Only, or Log and Drop. The default setting is Log and Drop.
    IPMAC Routing Conflict Logging: Select IPMAC Routing Conflict Logging to enable logging for routing conflict detection.
    DNS Snoop Entry Timeout: Set a timeout in seconds for DNS Snoop Entries. A DNS Snoop Entry stores information such as client-to-IP-address and client-to-default-gateway mappings and uses this information to detect whether the client is sending routed packets to a wrong MAC address. The range is 30 – 86,400 seconds, and the default value is 1,800 seconds.
    Virtual Defragmentation: Select Virtual Defragmentation to enable IPv4 and IPv6 virtual defragmentation, which helps prevent fragment-based attacks such as tiny fragments or a large number of fragments.
    Virtual Defragmentation Timeout: Set a virtual defragmentation timeout in the range 1 – 60 seconds, applicable to both IPv4 and IPv6 packets. The default value is 1.
    Max Defragmentations/Datagram: Set a value in the range 2 – 8,129 to stipulate the maximum number of defragmentations allowed in a datagram before it is dropped. The default value is 140.
    Max Fragments/Host: Set a value in the range 1 – 16,384 to stipulate the maximum number of fragments allowed per host before they are dropped. The default value is 8.
    Min Length Required: Select Min Length Required to set a minimum length in the range 8 – 1,500 bytes; packets must meet this minimum size before being subject to fragment-based attack prevention.
  4. Under the Firewall Enhanced Logging pane, configure or modify the parameters as described in Firewall Enhanced Logging Parameters.
    Table 2. Firewall Enhanced Logging Parameters
    Log Dropped ICMP Packets: Use the drop-down list box to define how dropped ICMP packets are logged. Logging can be rate limited to one log instance every 20 seconds. Options include Rate Limited, All, or <none>. The default setting is <none>.
    Log Dropped Malformed Packets: Use the drop-down list box to define how dropped malformed packets are logged. Logging can be rate limited to one log instance every 20 seconds. Options include Rate Limited, All, or <none>. The default setting is <none>.
    Enable Verbose Logging: Toggle to activate verbose logging mode for the firewall.
    Enable Stateful DHCP Checks: Toggle to activate stateful DHCP checks for the firewall.
  5. Under the Application Layer Gateway pane, configure or modify the parameters as described in Firewall Application Layer Gateway Parameters.
    Table 3. Firewall Application Layer Gateway Parameters
    FTP ALG: Select FTP ALG to allow FTP traffic through the firewall using its default ports. This feature is selected by default.
    TFTP ALG: Select TFTP ALG to allow TFTP traffic through the firewall using its default ports. This feature is selected by default.
    PPTP ALG: Select PPTP ALG to allow PPTP traffic through the firewall using its default ports. The Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to an enterprise server by creating a VPN across TCP/IP-based data networks. PPTP encapsulates PPP packets into IP datagrams for transmission over the Internet or other public TCP/IP-based networks. This feature is selected by default.
    SIP ALG: Select SIP ALG to allow SIP traffic through the firewall using its default ports. This feature is not selected by default.
    SCCP ALG: Select SCCP ALG to allow SCCP traffic through the firewall using its default ports. This feature is not selected by default.
    Facetime ALG: Select Facetime ALG to allow Facetime traffic through the firewall using its default ports. This feature is not selected by default.
    DNS ALG: Select DNS ALG to allow DNS traffic through the firewall using its default ports. This feature is selected by default.
  6. Under the Flow Timeout pane, configure or modify the parameters as described in Firewall Flow Timeout Parameters.

    These parameters define flow timeout intervals for the flow types impacting the firewall.

    Table 4. Firewall Flow Timeout Parameters
    TCP Close Wait: Define a flow timeout value in seconds (1 – 32,400). The default setting is 10 seconds.
    TCP Established: Define a flow timeout value in seconds (1 – 32,400). The default setting is 5,400 seconds.
    TCP Reset: Define a flow timeout value in seconds (1 – 32,400). The default setting is 10 seconds.
    TCP Setup: Define a flow timeout value in seconds (1 – 32,400). The default setting is 10 seconds.
    Stateless TCP Flow: Define a flow timeout value in seconds (1 – 32,400). The default setting is 90 seconds.
    Stateless FIN/RESET Flow: Define a flow timeout value in seconds (1 – 32,400). The default setting is 10 seconds.
    ICMP: Define a flow timeout value in seconds (1 – 32,400). The default setting is 30 seconds.
    UDP: Define a flow timeout value in seconds (15 – 32,400). The default setting is 30 seconds.
    Any Other Flow: Define a flow timeout value in seconds (1 – 32,400). The default setting is 30 seconds.
  7. Under the TCP Protocol Checks pane, configure or modify the parameters as described in Firewall TCP Protocol Checks Parameters.
    All of the TCP Protocol Checks are enabled by default.
    Table 5. Firewall TCP Protocol Checks Parameters
    Check TCP states where a SYN packet tears down the flow: This option allows a SYN packet to delete an old flow in TCP_FIN_FIN_STATE or TCP_CLOSED_STATE and create a new flow.
    Check unnecessary resends of TCP packets: This option enables checking for unnecessary resends of TCP packets.
    Check sequence number in ICMP Unreachable error packets: This option enables sequence number checks in ICMP Unreachable error packets when an established TCP flow is stopped.
    Check acknowledgment number in RST packets: This option enables checking of the acknowledgment number in RST packets that stop a TCP flow in the SYN state.
    Check sequence number in RST packets: This option checks the sequence number in RST packets that stop an established TCP flow.
  8. After you have completed configuring the settings, choose from the following actions:
    1. Select Revert to restore default settings.
      Note: You cannot restore default settings after applying or saving changes.
    2. Select Apply to commit the configured settings.
      Note: This does not permanently save the settings you configured. If you perform a Reload (warm reboot), applied settings will be lost.
    3. Select Save to commit and save the configured settings.
      Note: If you do not select Apply or Save, the settings that you configured are not saved when you move away from the configuration window.
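The IPMAC Conflict and IPMAC Routing Conflict settings in Table 1 describe two detections: a second MAC address claiming an IP address that is already bound, and a client sending an off-link (routed) packet to a MAC address other than its own default gateway. The following is an added example, not code from this page or from the firewall vendor, that models both detections and the three action options (Log Only, Drop Only, Log and Drop). The binding table, the per-client gateway entry (standing in for the DNS snoop entry), the ARP-driven learning and all addresses are constructed assumptions for illustration; the real firewall's data structures are not documented here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Action names as they appear in the policy's drop-down lists, mapped to (log, drop).
ACTIONS = {
    "Log Only": (True, False),
    "Drop Only": (False, True),
    "Log and Drop": (True, True),
}


@dataclass
class Verdict:
    kind: str      # "ok", "ipmac-conflict" or "routing-conflict"
    log: bool
    drop: bool
    detail: str = ""


class ConflictDetector:
    """Simplified model of IP/MAC conflict detection and IP/MAC routing conflict detection."""

    def __init__(self, action="Log and Drop", routing_action="Log and Drop"):
        self.action = ACTIONS[action]                  # IPMAC Conflict Action
        self.routing_action = ACTIONS[routing_action]  # IPMAC Routing Conflict Action
        self.ip_to_mac = {}     # learned IP -> MAC bindings (assumed learned from ARP)
        self.gateway_of = {}    # client IP -> (subnet, gateway MAC); stands in for the snoop entry
        self.log_lines = []     # what the "Log" half of an action would emit

    def learn_client(self, ip, mac, subnet, gateway_mac):
        """Record a client's binding and default gateway (assumed to come from DHCP snooping)."""
        self.ip_to_mac[ip] = mac
        self.gateway_of[ip] = (ip_network(subnet), gateway_mac)

    def _flag(self, kind, policy, detail):
        log, drop = policy
        if log:
            self.log_lines.append(f"{kind}: {detail}")
        return Verdict(kind, log, drop, detail)

    def observe_arp(self, ip, mac):
        """An ARP reply claims ip is at mac; a different MAC for an already-bound IP is a conflict."""
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            return self._flag("ipmac-conflict", self.action,
                              f"{ip} is bound to {known} but {mac} now claims it")
        self.ip_to_mac[ip] = mac
        return Verdict("ok", False, False)

    def check_routed_frame(self, src_ip, dst_ip, dst_mac):
        """A client sending to an off-link destination must address the frame to its own gateway."""
        entry = self.gateway_of.get(src_ip)
        if entry is None:
            return Verdict("ok", False, False, "no snoop entry for client")
        subnet, gateway_mac = entry
        if ip_address(dst_ip) in subnet:
            return Verdict("ok", False, False, "on-link destination, not routed")
        if dst_mac != gateway_mac:
            return self._flag("routing-conflict", self.routing_action,
                              f"{src_ip} sent {dst_ip} to {dst_mac}, expected gateway {gateway_mac}")
        return Verdict("ok", False, False)


def run_demo(action="Log and Drop"):
    """Replay a constructed sequence of events and return the detector and its verdicts in order."""
    det = ConflictDetector(action=action, routing_action=action)
    det.learn_client("10.0.0.20", "02:00:00:00:00:20", "10.0.0.0/24", "02:00:00:00:00:01")
    return det, [
        det.observe_arp("10.0.0.20", "02:00:00:00:00:20"),                        # consistent
        det.observe_arp("10.0.0.20", "02:00:00:00:00:99"),                        # second MAC
        det.check_routed_frame("10.0.0.20", "10.0.0.30", "02:00:00:00:00:30"),    # on-link
        det.check_routed_frame("10.0.0.20", "203.0.113.10", "02:00:00:00:00:01"), # via gateway
        det.check_routed_frame("10.0.0.20", "203.0.113.10", "02:00:00:00:00:99"), # wrong MAC
    ]


if __name__ == "__main__":
    det, verdicts = run_demo()
    for v in verdicts:
        print(f"{v.kind:18} log={v.log} drop={v.drop} {v.detail}")
```

The second ARP observation is rejected without overwriting the binding, so a later ARP from the legitimate host still matches; with Log Only the same verdict is recorded but the packet is let through, which is the trade-off the action drop-down represents. A MAC that owns several IP addresses is not treated as a conflict here, since secondary addresses are legitimate on many hosts.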
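Table 2 describes three logging modes for dropped ICMP and malformed packets, with Rate Limited producing at most one log entry every 20 seconds. Rate limiting matters because a flood of dropped packets would otherwise turn the firewall log itself into a resource that can be exhausted. The following added example, not code from this page or from the firewall vendor, models the three modes over a constructed burst of drop events; the per-category keying and the "similar entries suppressed" counter appended to the next entry are design choices assumed here, not documented behaviour of the product.

```python
class DroppedPacketLog:
    """Models the Log Dropped ICMP/Malformed Packets modes: "<none>", "All" and "Rate Limited".

    In "Rate Limited" mode at most one entry per category is written every `interval`
    seconds; entries held back in between are counted and reported with the next one.
    """

    def __init__(self, mode="<none>", interval=20.0):
        if mode not in ("<none>", "All", "Rate Limited"):
            raise ValueError(f"unknown logging mode {mode!r}")
        self.mode = mode
        self.interval = interval
        self.entries = []
        self._last_emit = {}   # category -> time of the last entry written
        self._suppressed = {}  # category -> entries held back since then

    def record(self, category, now, detail):
        """Register a dropped packet; return True if a log entry was written for it."""
        if self.mode == "<none>":
            return False
        if self.mode == "All":
            self.entries.append(f"t={now:.1f}s {category}: {detail}")
            return True
        last = self._last_emit.get(category)
        if last is not None and now - last < self.interval:
            self._suppressed[category] = self._suppressed.get(category, 0) + 1
            return False
        held = self._suppressed.pop(category, 0)
        suffix = f" (+{held} similar since last entry)" if held else ""
        self.entries.append(f"t={now:.1f}s {category}: {detail}{suffix}")
        self._last_emit[category] = now
        return True


# Constructed burst (seconds, category, detail): a short ICMP probe burst, one malformed
# packet in between, then one more ICMP drop after the 20 s rate-limit window has passed.
BURST = [
    (0.0, "icmp", "echo-request 198.51.100.7 -> 10.0.0.20 dropped"),
    (0.5, "icmp", "echo-request 198.51.100.7 -> 10.0.0.21 dropped"),
    (1.0, "icmp", "echo-request 198.51.100.7 -> 10.0.0.22 dropped"),
    (1.5, "icmp", "echo-request 198.51.100.7 -> 10.0.0.23 dropped"),
    (3.0, "malformed", "ip header length 3 from 198.51.100.7 dropped"),
    (19.9, "icmp", "echo-request 198.51.100.7 -> 10.0.0.24 dropped"),
    (25.0, "icmp", "echo-request 198.51.100.7 -> 10.0.0.25 dropped"),
]


def replay(mode):
    """Feed the constructed burst through a log in the given mode; return (entries written, entries)."""
    log = DroppedPacketLog(mode)
    written = sum(log.record(category, t, detail) for t, category, detail in BURST)
    return written, log.entries


if __name__ == "__main__":
    for mode in ("<none>", "All", "Rate Limited"):
        written, entries = replay(mode)
        print(f"{mode}: {written} entries written")
        for line in entries:
            print("  " + line)
```

In Rate Limited mode the ICMP drops at 0.5, 1.0, 1.5 and 19.9 seconds fall inside the 20-second window opened by the first entry and are only counted; the malformed-packet drop is a separate category and is written immediately.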
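Tables 4 and 5 both concern the firewall's per-flow state: Table 4 sets how long an idle flow in each state is retained, and Table 5 lists sanity checks that keep a single packet from corrupting that state. The following added example, not code from this page or from the firewall vendor, is a toy flow table that applies the Table 4 default timeouts per state and implements four of the Table 5 checks (SYN tearing down a closing flow, unnecessary SYN resends, acknowledgment number in an RST answering a SYN, sequence number in an RST against an established flow). The state names, the mapping of the documented TCP_FIN_FIN_STATE and TCP_CLOSED_STATE onto a single "tcp-close-wait"/"tcp-reset" pair, the assumption that the RST arrives from the peer toward the client, and the idle-timeout semantics are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Default flow timeouts in seconds (Table 4), keyed by the state a flow is in.
TIMEOUTS = {
    "tcp-setup": 10,
    "tcp-established": 5400,
    "tcp-close-wait": 10,
    "tcp-reset": 10,
    "udp": 30,
    "icmp": 30,
    "other": 30,
}


@dataclass
class Flow:
    state: str
    last_seen: float
    iss: int = 0        # client's initial sequence number from its SYN
    rcv_nxt: int = 0    # next sequence number the client expects from the peer
    window: int = 0     # client's advertised receive window


class FlowTable:
    """Toy stateful flow table: idle timeouts per state plus four of the TCP protocol checks."""

    def __init__(self, timeouts=TIMEOUTS):
        self.flows = {}
        self.timeouts = timeouts
        self.events = []    # (check name, flow key) for every check that fired

    def expire(self, now):
        """Remove flows idle longer than their state's timeout; return how many were removed."""
        dead = [k for k, f in self.flows.items() if now - f.last_seen > self.timeouts[f.state]]
        for k in dead:
            del self.flows[k]
        return len(dead)

    def open_datagram_flow(self, key, state, now):
        """UDP/ICMP/other flows have no handshake; they are created or refreshed on every packet."""
        self.flows[key] = Flow(state, now)

    def syn(self, key, seq, now):
        old = self.flows.get(key)
        if old is not None:
            if old.state in ("tcp-close-wait", "tcp-reset"):
                # Check "SYN tears down the flow": a closing/closed flow is replaced by a new one.
                self.events.append(("syn-tears-down-flow", key))
            elif old.state == "tcp-setup" and seq == old.iss:
                # Check "unnecessary resends": the same SYN again while the handshake is pending.
                self.events.append(("unnecessary-resend", key))
                old.last_seen = now
                return "resend"
            else:
                # A SYN inside an established flow is not a valid transition; the flow is left alone.
                self.events.append(("syn-in-established", key))
                return "drop"
        self.flows[key] = Flow("tcp-setup", now, iss=seq)
        return "new"

    def established(self, key, rcv_nxt, window, now):
        """Handshake completed: record what the client will accept from the peer."""
        f = self.flows[key]
        f.state, f.rcv_nxt, f.window, f.last_seen = "tcp-established", rcv_nxt, window, now

    def rst_from_peer(self, key, seq, ack, now):
        f = self.flows.get(key)
        if f is None:
            return "no-flow"
        if f.state == "tcp-setup":
            # Check "acknowledgment number in RST packets": an RST answering a SYN must ack iss+1.
            if ack != f.iss + 1:
                self.events.append(("rst-bad-ack", key))
                return "drop"
        elif not (f.rcv_nxt <= seq < f.rcv_nxt + f.window):
            # Check "sequence number in RST packets": the RST must land inside the receive window.
            self.events.append(("rst-out-of-window", key))
            return "drop"
        f.state, f.last_seen = "tcp-reset", now
        return "accept"


if __name__ == "__main__":
    # Constructed scenario: one TCP flow that is reset and re-opened, one idle UDP flow.
    t = FlowTable()
    tcp = (("10.0.0.20", 40000), ("203.0.113.10", 443))
    udp = (("10.0.0.20", 5353), ("10.0.0.1", 53))
    print(t.syn(tcp, 1000, 0.0), t.rst_from_peer(tcp, 0, 5000, 1.0), t.rst_from_peer(tcp, 0, 1001, 1.0))
    print(t.syn(tcp, 2000, 2.0), t.events)
    t.open_datagram_flow(udp, "udp", 2.0)
    print("expired after 35 s:", t.expire(35.0), "remaining:", list(t.flows))
```

The two RST checks are what stop a blind reset: an RST that does not acknowledge the SYN's sequence number plus one, or that falls outside the receive window of an established flow, is dropped without changing the flow state. The expiry pass shows why the Established timeout is so much longer than Setup: a half-open flow that never completes its handshake is discarded after 10 seconds, while an established flow is kept for 90 minutes of idle time.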