Technical Documentation

scio const

Syntax

scio const {list | -c name | -d | -p service | -s s0:qmodule | -v name} {list | get constant | set constant value}

Description

Displays or sets values for IDP kernel constants. Kernel constants determine whether features are enabled or disabled, as well as feature configuration parameters.

Changes you make to kernel constants from the CLI do not persist across restarts. To make your change persistent:

  1. Open the /usr/idp/device/bin/user_funcs file in a text editor, such as vi.
  2. Add the set command inside the user_start_end() block, below its opening brace. For example:
    user_start_end()
    {
    $SCIO const -s s0 set sc_ssl_sessid_timeout 90
    
    }
  3. Save the file.
  4. Restart the IDP engine:

    [root@defaulthost admin]# idp.sh restart

    Restarting the IDP engine can take several moments.
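Steps 1 to 3 can be scripted so that repeated changes do not pile up duplicate lines in user_funcs. The following shell function is an added example and not part of the Juniper documentation: it writes the $SCIO const ... set line into the user_start_end() block of the file given as FILE (the real file is /usr/idp/device/bin/user_funcs; the demonstration uses a scratch copy), replacing any earlier line for the same scope and constant. The helper names persist_const and count_persisted and the SCOPE argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the Juniper documentation): persist a kernel
# constant by placing the "$SCIO const ... set ..." line inside the
# user_start_end() block of a user_funcs file, idempotently. The real file is
# /usr/idp/device/bin/user_funcs; it is passed as FILE so the function can be
# tried on a scratch copy first. The helper names are this example's own.

# persist_const FILE SCOPE CONST VALUE
#   SCOPE is the scio const selector, e.g. "-s s0" or "-s s0:flow"
#   VALUE is decimal, as in the set examples on this page
# Returns 2 on bad input, otherwise the status of the rewrite.
persist_const() {
    file=$1; scope=$2; const=$3; value=$4
    case $value in
        ''|*[!0-9]*) echo "persist_const: VALUE must be a decimal integer" >&2; return 2 ;;
    esac
    grep -q '^user_start_end()' "$file" || {
        echo "persist_const: no user_start_end() block in $file" >&2; return 2; }
    tmp="$file.tmp.$$"
    awk -v s="$scope" -v c="$const" -v v="$value" '
        function emit() { print "    $SCIO const " s " set " c " " v }
        # drop any line previously persisted for the same scope and constant
        index($0, "const " s " set " c " ") { next }
        { print }
        # the new line goes right after the opening brace of user_start_end()
        in_func && $1 == "{" { emit(); in_func = 0 }
        /^user_start_end\(\)/ { if (index($0, "{")) emit(); else in_func = 1 }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_persisted FILE CONST -> how many lines in FILE set CONST (expect 1)
count_persisted() {
    grep -c " set $2 " "$1"
}

# Demonstration on a scratch file shaped like the user_funcs skeleton above.
demo=$(mktemp)
printf 'user_start_end()\n{\n\n}\n' > "$demo"
persist_const "$demo" "-s s0" sc_ssl_sessid_timeout 90
persist_const "$demo" "-s s0" sc_ssl_sessid_timeout 45   # replaces the 90 line
cat "$demo"
rm -f "$demo"
```

The function only edits the file; the idp.sh restart from step 4 is still needed for the new value to take effect.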

Options

Table 1 describes the basic parameters of scio const commands.

Table 1: Command Reference: scio const (columns: Options and Arguments; Usage and Examples)

list

When specified with no other options or arguments, the scio const list command lists constants related to memory, logging, storage, and debugging.


[root@defaulthost admin]# scio const list
  sc_debug_features              = 0x10        [ 0...ffffffff ]
  sc_debug_qmodules              = 0x0         [ 0...ffffffff ]
  sc_debug_services              = 0x0         [ 0...ffffffff ]
  sc_debug_services2             = 0x0         [ 0...ffffffff ]
  sc_debug_level                 = 0x1         [ 0...3 ]
  sc_debug_detail                = 0x0         [ 0...1 ]
  sc_panic_on_assert             = 0x0         [ 0...1 ]
  sc_malloc_debug                = 0x0         [ 0...1 ]
  sc_malloc_debug_size           = 0x200       [ 0...f4240 ]
  sc_malloc_fail_report_freq     = 0xc350      [ 0...ffffffff ]
  sc_log_cache_size              = 0x3200      [ 1...ffff ]
  sc_log_chunk_size              = 0x4000      [ 400...4000 ]
  sc_log_chunk_timeout           = 0x186a0     [ 1...f4240 ]
  sc_pktlog_cache_size           = 0x100000    [ 400...ffffffff ]
  sc_pktlog_chunk_size           = 0x1f82e     [ 400...ffffffff ]
  sc_pktlog_chunk_timeout        = 0x186a0     [ 1...f4240 ]
  sc_pktlog_capture_timeout      = 0x5         [ 1...708 ]
  [...]

-d

Specify the -d option for commands related to protocol decoders.

Specify the list option to display a list of which protocol decoders are enabled or disabled:


[root@defaulthost admin]# scio const -d list
Protocol Decoders Enabled are:
   AIM         APE         BGP         BWMON       CHARGEN     DHCP
   DISCARD     DNS         ECHO        FINGER      FTP         GNUTELLA
   GOPHER      H225RAS     H225SGN     ICMP        IDENT       IEC104
   IKE         IRC         LDAP        LPR         MGCP        MSN
   MSRPC       MSSQL       MYSQL       NBDS        NBNAME      NFS
   NNTP        NTP         POP3        PORTMAPPER  PROFILER    PTYPE
   REXEC       RLOGIN      RPC         RSH         RTSP        RUSERS
   SIP         SMB         SNMPTRAP    SQLMON      SSH         SSL
   SYSLOG      TELNET      TNS         VNC         WHOIS       YMSG

Protocol Decoders Disabled are:
   HTTP        IMAP        RADIUS      SMTP        SNMP        TFTP

Specify the get decoder option to display whether the specified decoder is enabled or disabled (1 = enabled; 0 = disabled). For example, the following command displays the value for the SIP decoder; 1 indicates that the SIP decoder is enabled.


[root@defaulthost admin]# scio const -d get SIP
scio: SIP = 0x1

Specify the set decoder value option to change the enabled/disabled setting. The following example turns off the SIP decoder.


[root@defaulthost admin]# scio const -d set SIP 0
scio: setting SIP to 0x0
[root@defaulthost admin]#

-v name

Specify the -v option for commands related to virtual routers.


[root@defaulthost admin]# scio const -v vr1 list
  sc_arp_timeout                 = 0xe10       [ 1...ffffffff ]
  sc_arp_proxy_timeout           = 0x14        [ 1...ffffffff ]
  sc_arp_logging                 = 0x1         [ 0...1 ]
  sc_arp_spoof_detect            = 0x1         [ 0...1 ]
  sc_mac_timeout                 = 0xe10       [ 1...ffffffff ]
  sc_mac_unknown_timeout         = 0x14        [ 1...ffffffff ]
  sc_stp_enabled                 = 0x0         [ 0...1 ]
  sc_stp_bridge_priority         = 0x8000      [ 0...ffff ]
  sc_stp_bridge_max_age          = 0x14        [ 6...28 ]
  sc_stp_bridge_hello_time       = 0x2         [ 1...a ]
  sc_stp_bridge_forward_delay    = 0xf         [ 4...1e ]
  sc_stp_check_interval_ticks    = 0xa         [ 1...3e8 ]
  sc_stp_logging                 = 0x1         [ 0...1 ]
  sc_arp_request_record          = 0x1         [ 0...1 ]
  sc_arp_spoof_pass_thru         = 0x1         [ 0...1 ]
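The list output is the only machine-readable view of these constants, so a baseline check over it is the practical way to catch drift in security-relevant settings. The following is an added example, not Juniper code: it parses rows in the name = 0xVAL [ lo...hi ] form shown for scio const list and scio const -v vr1 list above, checks each value against its own range and against an expected baseline, and reports every difference. The sample rows and the baseline are constructed for the example, and the helper names const_value and audit_consts are its own.

```shell
#!/bin/sh
# Added example, not part of the Juniper documentation: parse captured
# "scio const ... list" output (the "name = 0xVAL [ lo...hi ]" rows shown
# above) and audit it against an expected baseline, so drift in
# security-relevant constants (debug switches, ARP spoof detection, ...)
# is reported instead of eyeballed. Uses only POSIX sh and awk.

# Constructed sample in the list format, mixing rows from the global and
# the -v vr1 listings above; sc_arp_spoof_detect is deliberately off here.
SAMPLE_LIST='  sc_debug_level                 = 0x1         [ 0...3 ]
  sc_panic_on_assert             = 0x0         [ 0...1 ]
  sc_arp_spoof_detect            = 0x0         [ 0...1 ]
  sc_arp_logging                 = 0x1         [ 0...1 ]
  sc_stp_bridge_max_age          = 0x14        [ 6...28 ]'

# Expected values (decimal), one "name=value" per line. The last entry is
# not in SAMPLE_LIST, which is what you see when the wrong scope was listed.
BASELINE='sc_debug_level=1
sc_panic_on_assert=0
sc_arp_spoof_detect=1
sc_arp_logging=1
sc_exempt_mgt_traffic=1'

# const_value LIST NAME -> the raw 0x token for NAME; exit 1 if absent.
# Use $(( ... )) on the result to get decimal.
const_value() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == n && $2 == "=" { print $3; found = 1; exit }
        END { exit !found }'
}

# audit_consts LIST BASELINE
# Prints one line per finding (value outside its own range, value differing
# from baseline, baseline constant missing from LIST). Exit 0 when clean,
# 1 when there is at least one finding.
audit_consts() {
    printf '%s\n' "$1" | awk -v b="$2" '
        # portable hex-to-decimal (strtonum is a gawk extension)
        function hex(s,   i, d, c) {
            s = tolower(s); sub(/^0x/, "", s); d = 0
            for (i = 1; i <= length(s); i++) {
                c = index("0123456789abcdef", substr(s, i, 1))
                if (!c) return -1
                d = d * 16 + c - 1
            }
            return d
        }
        BEGIN {
            n = split(b, bl, "\n")
            for (i = 1; i <= n; i++)
                if (split(bl[i], kv, "=") == 2) want[kv[1]] = kv[2] + 0
        }
        # only rows shaped like:  name = 0xVAL [ lo...hi ]
        $2 == "=" && $4 == "[" && $6 == "]" {
            name = $1; val = hex($3); seen[name] = 1
            p = index($5, "...")
            lo = hex(substr($5, 1, p - 1)); hi = hex(substr($5, p + 3))
            if (val < lo || val > hi) {
                printf "%s: value %d outside range %d..%d\n", name, val, lo, hi; bad++
            }
            if (name in want && want[name] != val) {
                printf "%s: got %d, baseline expects %d\n", name, val, want[name]; bad++
            }
        }
        END {
            for (name in want) if (!(name in seen)) {
                printf "%s: in baseline but not in list output\n", name; bad++
            }
            exit (bad > 0)
        }'
}

if audit_consts "$SAMPLE_LIST" "$BASELINE"; then
    echo "audit: clean"
else
    echo "audit: deviations found"
fi
```

On a device, feed it the real output, for example audit_consts "$(scio const -v vr1 list)" "$(cat vr1.baseline)", once per scope you want covered.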

-s s0:qmodule

Specify the -s option for commands related to subscriber settings.

s0 specifies subscriber s0, the only valid argument for scio const -s.

In some cases, scio const syntax requires you to specify the subscriber qmodule. The example commands in this reference use the construction s0:qmodule to include the subscriber qmodule when it is required, and omit it when it is not.


[root@defaulthost admin]# scio const -s s0 list
  sc_rpc_xid_timeout             = 0x5         [ 1...3c ]
  sc_rpc_program_timeout         = 0x12c       [ 1...12c ]
  sc_exempt_mgt_traffic          = 0x1         [ 0...1 ]
  sc_enable_statistics           = 0x0         [ 0...1 ]
  sc_bypass_dfa                  = 0x0         [ 0...1 ]
  sc_enable_packet_count         = 0x1         [ 0...1 ]
  sc_enable_rule_stats           = 0x0         [ 0...1 ]
  sc_ip_fragment_timeout         = 0x5         [ 1...3c ]
  sc_ip_fragment_min_size        = 0x0         [ 0...ffff ]
  sc_ip_fragment_max_ppf         = 0xffff      [ 8...ffff ]

[...]

-c name

Specify the -c option for commands related to virtual circuits.


[root@defaulthost admin]# scio const -c eth2 list
  sc_stp_port_enabled            = 0x1         [ 0...1 ]
  sc_stp_change_detection_enabled = 0x1         [ 0...1 ]
  sc_stp_port_priority           = 0x80        [ 0...ff ]
  sc_stp_port_path_cost          = 0x64        [ 1...ffff ]
  sc_xmit_queue_size             = 0x400       [ 0...4000 ]

-p service

Specify the -p option for commands related to service settings.


[root@defaulthost admin]# scio const -p http list
  sc_http_request_length         = 0x2000      [ 1...2000 ]
  sc_http_header_length          = 0x2000      [ 1...2000 ]
  sc_http_cookie_length          = 0x2000      [ 1...2000 ]
  sc_http_auth_length            = 0x200       [ 1...400 ]
  sc_http_content_type_length    = 0x200       [ 1...2000 ]
  sc_http_user_agent_length      = 0x100       [ 1...2000 ]
  sc_http_soapaction_length      = 0x400       [ 1...2000 ]
  sc_http_host_length            = 0x40        [ 1...2000 ]
  sc_http_referer_length         = 0x2000      [ 1...2000 ]
  sc_http_alternate_ports        = 0x1         [ 0...1 ]
  sc_http_failed_logins          = 0x4         [ 2...64 ]
  sc_http_brute_search           = 0x10        [ 2...64 ]
  sc_http_ignore                 = 0x0         [ 0...4 ]
  sc_http_jpeg_depth             = 0x1000      [ 0...1000 ]
  sc_http_min_html_tag_len       = 0xa         [ 0...2000 ]
  sc_http_enable_parse_html      = 0x1         [ 0...1 ]
  sc_http_enable_parse_html_tags = 0x1         [ 0...1 ]
  sc_http_enable_chunk_contexts  = 0x1         [ 0...1 ]
  sc_http_chunk_min_len          = 0xa         [ 0...32 ]

list

When specified after the -c, -p, -s, or -v option, lists all constants in the class selected by that option.


[root@defaulthost admin]# scio const -s s0 list
  sc_rpc_xid_timeout             = 0x5         [ 1...3c ]
  sc_rpc_program_timeout         = 0x12c       [ 1...12c ]
  sc_exempt_mgt_traffic          = 0x1         [ 0...1 ]
  sc_enable_statistics           = 0x0         [ 0...1 ]
  sc_bypass_dfa                  = 0x0         [ 0...1 ]
  sc_enable_packet_count         = 0x1         [ 0...1 ]
  sc_enable_rule_stats           = 0x0         [ 0...1 ]
  sc_ip_fragment_timeout         = 0x5         [ 1...3c ]
  sc_ip_fragment_min_size        = 0x0         [ 0...ffff ]
  sc_ip_fragment_max_ppf         = 0xffff      [ 8...ffff ]

[...]

get constant

Gets values for the specified kernel constant.


[root@defaulthost admin]# scio const -s s0 get sc_gre_decapsulation
scio: sc_gre_decapsulation = 0x0

set constant value

Sets values for the specified kernel constant.


[root@defaulthost admin]# scio const -s s0 set sc_gre_decapsulation 1
scio: setting sc_gre_decapsulation to 0x1

For information on particular constants, refer to the following tables:

  • Table 2 provides usage and examples of kernel constants related to the application identification feature.
  • Table 3 provides usage and examples of kernel constants related to the application policy enforcement (APE) rulebase.
  • Table 4 provides usage and examples of kernel constants related to the application volume tracking (AVT) feature.
  • Table 5 provides usage and examples of kernel constants related to the flow bypass feature.
  • Table 6 provides usage and examples of kernel constants related to flow behavior during policy load.
  • Table 7 provides usage and examples of kernel constants related to GRE decapsulation.
  • Table 8 provides usage and examples of kernel constants related to GTP decapsulation.
  • Table 9 provides usage and examples of kernel constants related to IPsec ESP NULL decapsulation.
  • Table 10 provides usage and examples of kernel constants related to MPLS decapsulation.
  • Table 11 provides usage and examples of kernel constants related to SSL inspection.
  • Table 12 provides usage and examples of the kernel constant that determines the maximum frame size processed by IDP.
  • Table 13 provides usage and examples of kernel constants related to the SYN Protector rulebase.
  • Table 14 provides usage and examples of kernel constants related to the user role-based policy feature.

Table 2 provides usage and examples of kernel constants related to the application identification feature.

Table 2: scio const Arguments Related to the Application Identification Feature (columns: Constants and Values; Usage and Examples)

sc_ai_enable

Gets or sets the constant that determines whether the application identification feature is enabled or disabled.

The default is 1 (on). 0 turns application identification off.


[root@defaulthost admin]# scio const -s s0 get sc_ai_enable
scio: sc_ai_enable = 0x1

[root@defaulthost admin]# scio const -s s0 set sc_ai_enable 0
scio: setting sc_ai_enable to 0x0

Note: You can also configure this setting in NSM.

sc_ai_check_first_session

Gets or sets the constant that determines whether the application identification feature attempts to identify the application from the first session.

The default is 1 (on). 0 turns the setting off.


[root@defaulthost admin]# scio const -s s0 get sc_ai_check_first_session
scio: sc_ai_check_first_session = 0x1

[root@defaulthost admin]# scio const -s s0 set sc_ai_check_first_session 0
scio: setting sc_ai_check_first_session to 0x0

sc_ai_max_tcp_sess_pkt_mem

Gets or sets the constant that determines the maximum bytes of memory used to perform application identification on TCP sessions.

The default is 30,000 (0x7530).

Possible values: 0 to 60,000.


[root@defaulthost admin]# scio const -s s0 get sc_ai_max_tcp_sess_pkt_mem
scio: sc_ai_max_tcp_sess_pkt_mem = 0x7530

[root@defaulthost admin]# scio const -s s0 set sc_ai_max_tcp_sess_pkt_mem 60000
scio: setting sc_ai_max_tcp_sess_pkt_mem to 0xEA60

sc_ai_max_udp_sess_pkt_mem

Gets or sets the constant that determines the maximum bytes of memory used to perform application identification on UDP sessions.

The default is 10,000 (0x2710).

Possible values: 0 to 20,000 (0x4e20).


[root@defaulthost admin]# scio const -s s0 get sc_ai_max_udp_sess_pkt_mem
scio: sc_ai_max_udp_sess_pkt_mem = 0x2710

[root@defaulthost admin]# scio const -s s0 set sc_ai_max_udp_sess_pkt_mem 20000
scio: setting sc_ai_max_udp_sess_pkt_mem to 0x4e20

sc_ai_num_sess

Gets or sets the constant that determines the maximum number of concurrent sessions where application identification can be used.

The default is 50,000 (0xc350).

Possible values: 0 to 200,000 (0x30d40).


[root@defaulthost admin]# scio const -s s0 get sc_ai_num_sess
scio: sc_ai_num_sess = 0xc350

[root@defaulthost admin]# scio const -s s0 set sc_ai_num_sess 200000
scio: setting sc_ai_num_sess to 0x30d40

Note: You can also configure this setting in NSM.

sc_ai_max_pkt_mem

Gets or sets the constant that determines the maximum bytes of memory used to store packets processed by the application identification feature.

The default is 50,000,000 (0x2faf080).

Possible values: 0 to 200,000,000 (0xbebc200).


[root@defaulthost admin]# scio const -s s0 get sc_ai_max_pkt_mem
scio: sc_ai_max_pkt_mem = 0x2faf080

[root@defaulthost admin]# scio const -s s0 set sc_ai_max_pkt_mem 200000000
scio: setting sc_ai_max_pkt_mem to 0xbebc200

sc_ai_check_bytes

Gets or sets the constant that determines the length of the check byte.

The default is 10 (0xa).

Possible values: 0 to 2000 (0x7d0).


[root@defaulthost admin]# scio const -s s0 get sc_ai_check_bytes
scio: sc_ai_check_bytes = 0xa 

[root@defaulthost admin]# scio const -s s0 set sc_ai_check_bytes 20
scio: setting sc_ai_check_bytes to 0x14

Table 3 provides usage and examples of kernel constants related to the application policy enforcement (APE) rulebase.

Table 3: scio const Arguments Related to the APE Rulebase (columns: Constants and Values; Usage and Examples)

sc_ape_enable

Gets or sets the constant that determines whether the application policy enforcement rulebase is enabled or disabled.

The default is 1 (on). 0 turns the APE rulebase off.


[root@defaulthost admin]# scio const get sc_ape_enable
scio: sc_ape_enable = 0x1

[root@defaulthost admin]# scio const set sc_ape_enable 0
scio: setting sc_ape_enable to 0x0

sc_ape_default_rate_limit

Gets or sets the constant that determines the default rate limit for sessions that do not match APE rules.

The default is 4,294,967,295 bits per second (0xffffffff in hexadecimal; 4,096 Mbps or 4 Gbps), which effectively turns off rate limiting for sessions that do not match APE rules. The following example sets a limit of 409.6 Mbps:


[root@defaulthost admin]# scio const get sc_ape_default_rate_limit
scio: sc_ape_default_rate_limit = 0xffffffff

[root@defaulthost admin]# scio const set sc_ape_default_rate_limit 429496730
scio: setting sc_ape_default_rate_limit to 0x1999999A

sc_enable_ape_stats

Gets or sets the constant for APE statistics collection.

The default is 0 (off). 1 turns statistics collection on.


[root@defaulthost admin]# scio const -s s0 get sc_enable_ape_stats
scio: sc_enable_ape_stats = 0x0

[root@defaulthost admin]# scio const -s s0 set sc_enable_ape_stats 1
scio: setting sc_enable_ape_stats to 0x1

Table 4 provides usage and examples of kernel constants related to the application volume tracking (AVT) feature.

Table 4: scio const Arguments Related to the Application Volume Tracking Feature (columns: Constants and Values; Usage and Examples)

sc_periodic_stat_update

Gets or sets the constant that determines whether the application volume tracking feature is enabled or disabled.

The default is 1 (on). 0 turns AVT off.


[root@defaulthost admin]# scio const -s s0:flow get sc_periodic_stat_update
scio: sc_periodic_stat_update = 0x1

[root@defaulthost admin]# scio const -s s0:flow set sc_periodic_stat_update 0
scio: setting sc_periodic_stat_update to 0x0

Note: You can also configure this setting in NSM.

Table 5 provides usage and examples of kernel constants related to the flow bypass feature.

Table 5: scio const Arguments Related to Flow Bypass (columns: Constants and Values; Usage and Examples)

sc_flow_bypass_enable

Gets or sets the constant that determines whether the flow bypass feature is enabled or disabled.

The default is 0 (off). 1 turns the flow bypass feature on.


[root@defaulthost admin]# scio const -s s0:flow get sc_flow_bypass_enable
scio: sc_flow_bypass_enable = 0x0

[root@defaulthost admin]# scio const -s s0:flow set sc_flow_bypass_enable 1
scio: setting sc_flow_bypass_enable to 0x1

sc_flow_bypass_threshold_hi

Gets or sets the constant that determines the system packet queue size rising threshold.

The default is 90 (percent).

Possible values: 0-100.


[root@defaulthost admin]# scio const -s s0:flow get sc_flow_bypass_threshold_hi
scio: sc_flow_bypass_threshold_hi = 0x5a

[root@defaulthost admin]# scio const -s s0:flow set sc_flow_bypass_threshold_hi 95
scio: setting sc_flow_bypass_threshold_hi to 0x5f

sc_flow_bypass_threshold_low

Gets or sets the constant that determines the system packet queue size reset threshold.

The default is 80 (percent).

Possible values: 0-100.


[root@defaulthost admin]# scio const -s s0:flow get sc_flow_bypass_threshold_low
scio: sc_flow_bypass_threshold_low = 0x50

[root@defaulthost admin]# scio const -s s0:flow set sc_flow_bypass_threshold_low 85
scio: setting sc_flow_bypass_threshold_low to 0x55

Table 6 provides usage and examples of kernel constants related to flow behavior during policy load.

Table 6: scio const Arguments Related to Policy Load (columns: Constants and Values; Usage and Examples)

sc_flow_reset_on_policy

Gets or sets the constant that determines whether the flow table is reset when a new policy is loaded. When the flow table is reset, existing sessions are passed through uninspected.

Valid values are 0 (do not reset on policy load) or 1 (reset on policy load).

For IDP75 and IDP200, the default is 1, and you cannot override the default.

For high-end appliances, the default is 0. When you load a new policy, the IDP flow table will maintain sessions belonging to the previously installed policy as well as the newly installed policy. The IDP process engine will continue to use the previously installed security policy to inspect previous sessions; and use the newly installed security policy to inspect new sessions. When the previously installed policy is no longer in use, it is unloaded and all traffic is inspected using the newly installed policy. For IDP8200 and IDP250, the IDP engine can maintain flows for as many as two security policies. For IDP1100, IDP800, and IDP600, the IDP engine can maintain flows for as many as four security policies.

On high-end appliances the default is 0 (off); 1 turns flow table reset on policy load on.


[root@defaulthost admin]# scio const -s s0:flow get sc_flow_reset_on_policy
scio: sc_flow_reset_on_policy = 0x0

[root@defaulthost admin]# scio const -s s0:flow set sc_flow_reset_on_policy 1
scio: setting sc_flow_reset_on_policy to 0x1

Note: You can also configure this setting in NSM.

sc_num_policies

Gets or sets the number of policies maintained in the flow table.

For IDP75 and IDP200, the default is 1, and you cannot override the default.

For IDP8200 and IDP250, the default is 2. Possible values are 1 or 2.

For IDP1100, IDP800, and IDP600, the default is 2. Possible values are 1, 2, 3, or 4.


[root@defaulthost admin]# scio const -s s0 get sc_num_policies
scio: sc_num_policies = 0x2


[root@defaulthost admin]# scio const -s s0 set sc_num_policies 4
scio: sc_num_policies = 0x4

Table 7 provides usage and examples of kernel constants related to GRE decapsulation.

Table 7: scio const Arguments Related to GRE Decapsulation (columns: Constants and Values; Usage and Examples)

sc_gre_decapsulation

Gets or sets the constant that determines whether GRE decapsulation is enabled or disabled.

The default is 0 (off). 1 turns GRE decapsulation on.


[root@defaulthost admin]# scio const -s s0 get sc_gre_decapsulation
scio: sc_gre_decapsulation = 0x0

[root@defaulthost admin]# scio const -s s0 set sc_gre_decapsulation 1
scio: setting sc_gre_decapsulation to 0x1

Note: You can also configure this setting in NSM.

sc_max_decapsulation

Gets or sets the constant that determines how many layers can be decapsulated.

The default is 1 (1 layer).

Possible values: 1 or 2.


[root@defaulthost admin]# scio const -s s0 get sc_max_decapsulation
scio: sc_max_decapsulation = 0x1

[root@defaulthost admin]# scio const -s s0 set sc_max_decapsulation 2
scio: setting sc_max_decapsulation to 0x2

Note: The sc_max_decapsulation constant is used with GRE, GTP, and IPsec ESP NULL decapsulation.

Table 8 provides usage and examples of kernel constants related to GTP decapsulation.

Table 8: scio const Arguments Related to GTP Decapsulation (columns: Constants and Values; Usage and Examples)

sc_gtp_decapsulation

Gets or sets the constant that determines whether GTP decapsulation is enabled or disabled.

The default is 0 (off). 1 turns GTP decapsulation on.


[root@defaulthost admin]# scio const -s s0 get sc_gtp_decapsulation
scio: sc_gtp_decapsulation = 0x0

[root@defaulthost admin]# scio const -s s0 set sc_gtp_decapsulation 1
scio: setting sc_gtp_decapsulation to 0x1

Note: You can also configure this setting in NSM.

sc_max_decapsulation

Gets or sets the constant that determines how many layers can be decapsulated.

The default is 1 (1 layer).

Possible values: 1 or 2.


[root@defaulthost admin]# scio const -s s0 get sc_max_decapsulation
scio: sc_max_decapsulation = 0x1

[root@defaulthost admin]# scio const -s s0 set sc_max_decapsulation 2
scio: setting sc_max_decapsulation to 0x2

Note: The sc_max_decapsulation constant is used with GRE, GTP, and IPsec ESP NULL decapsulation.

sc_gtp_timeout

Gets or sets the constant that determines the time in seconds that the IDP engine should maintain the GTP tunnel. If the time elapses before the IDP engine detects another GTP packet, it considers the tunnel closed.

The default is 3600 (seconds).

Possible values: 1-0xFFFFFFFF.


[root@defaulthost admin]# scio const -s s0 get sc_gtp_timeout
scio: sc_gtp_timeout = 0xe10

[root@defaulthost admin]# scio const -s s0 set sc_gtp_timeout 7200
scio: setting sc_gtp_timeout to 0x1c20

sc_gtp_max_flows

Gets or sets the constant that determines the maximum number of GTP tunnels the IDP engine can handle at once.

The default is 0x30D40 (200,000).

Possible values: 2-0x61A80 (2-400,000).


[root@defaulthost admin]# scio const -s s0 get sc_gtp_max_flows
scio: sc_gtp_max_flows = 0x30d40

[root@defaulthost admin]# scio const -s s0 set sc_gtp_max_flows 100000
scio: setting sc_gtp_max_flows to 0x186a0

Table 9 provides usage and examples of kernel constants related to IPsec ESP NULL decapsulation.

Table 9: scio const Arguments Related to IPsec ESP NULL Decapsulation (columns: Constants and Values; Usage and Examples)

sc_null_esp_decapsulation

Gets or sets the constant that determines whether IPsec ESP NULL traffic decapsulation is enabled or disabled.

The default is 0 (off). 1 turns IPsec ESP NULL traffic decapsulation on.


[root@defaulthost admin]# scio const -s s0 get sc_null_esp_decapsulation
scio: sc_null_esp_decapsulation = 0x0

[root@defaulthost admin]# scio const -s s0 set sc_null_esp_decapsulation 1
scio: setting sc_null_esp_decapsulation to 0x1

sc_max_decapsulation

Gets or sets the constant that determines how many layers can be decapsulated.

The default is 1 (1 layer).

Possible values: 1 or 2.


[root@defaulthost admin]# scio const -s s0 get sc_max_decapsulation
scio: sc_max_decapsulation = 0x1

[root@defaulthost admin]# scio const -s s0 set sc_max_decapsulation 2
scio: setting sc_max_decapsulation to 0x2

Note: The sc_max_decapsulation constant is used with GRE, GTP, and IPsec ESP NULL decapsulation.

Table 10 provides usage and examples of kernel constants related to MPLS decapsulation.

Table 10: scio const Arguments Related to MPLS Decapsulation (columns: Constants and Values; Usage and Examples)

sc_mpls_decapsulation

Gets or sets the constant that determines whether MPLS decapsulation is enabled or disabled.

The default is 0 (off). 1 turns MPLS decapsulation on.


[root@defaulthost admin]# scio const -s s0 get sc_mpls_decapsulation
scio: sc_mpls_decapsulation = 0x0

[root@defaulthost admin]# scio const -s s0 set sc_mpls_decapsulation 1
scio: sc_mpls_decapsulation = 0x1

Table 11 provides usage and examples of kernel constants related to SSL inspection.

Table 11: scio const Arguments Related to SSL Inspection (columns: Constants and Values; Usage and Examples)

sc_ssl_decryption

Gets or sets the constant that determines whether SSL decryption is enabled or disabled.

The default is 0 (off). 1 turns the feature on.


[root@defaulthost admin]# scio const -s s0 get sc_ssl_decryption
scio: sc_ssl_decryption = 0x0

[root@defaulthost admin]# scio const -s s0 set sc_ssl_decryption 1
scio: setting sc_ssl_decryption to 0x1

Note: You can also configure this setting in NSM.

sc_ssl_inspection

Gets or sets the constant that turns the SSL forward proxy feature on or off. Use this constant in test or troubleshooting cases. Note that you can also disable the feature by deleting the root CA with scio ssl ca delete. We recommend scio const -s s0 set sc_ssl_inspection 0 when testing or troubleshooting, and scio ssl ca delete when turning the feature off in production.

The default is 1 (on). 0 turns the feature off.


[root@defaulthost admin]# scio const -s s0 get sc_ssl_inspection
scio: sc_ssl_inspection = 0x1

[root@defaulthost admin]# scio const -s s0 set sc_ssl_inspection 0
scio: setting sc_ssl_inspection to 0x0

sc_ssl_sessid_timeout

Gets or sets the constant that determines the SSL session security parameter cache timeout value (seconds).

The default is 60.

Possible values: 1–120.


[root@defaulthost admin]# scio const -s s0 get sc_ssl_sessid_timeout
scio: sc_ssl_sessid_timeout = 0x3c

[root@defaulthost admin]# scio const -s s0 set sc_ssl_sessid_timeout 45
scio: setting sc_ssl_sessid_timeout to 0x2d

sc_ssl_pending_sessid_timeout

Gets or sets the constant that determines the SSL pending session security parameter cache timeout value (seconds).

The default is 30.

Possible values: 1–60.


[root@defaulthost admin]# scio const -s s0 get sc_ssl_pending_sessid_timeout
scio: sc_ssl_pending_sessid_timeout = 0x1e

[root@defaulthost admin]# scio const -s s0 set sc_ssl_pending_sessid_timeout 45
scio: setting sc_ssl_pending_sessid_timeout to 0x2d

sc_ssl_num_decrypt_sessions

Gets or sets the constant that determines the maximum number of sessions that can be decrypted concurrently.

The default is 10,000.

Possible values: 1-100,000.


[root@defaulthost admin]# scio const -s s0 get sc_ssl_num_decrypt_sessions
scio: sc_ssl_num_decrypt_sessions = 0x2710

[root@defaulthost admin]# scio const -s s0 set sc_ssl_num_decrypt_sessions 20000
scio: setting sc_ssl_num_decrypt_sessions to 0x4e20

Table 12 provides usage and examples of the kernel constant that determines the maximum frame size processed by the IDP Series device.

Table 12: scio const Arguments Related to Maximum Frame Size (columns: Constants and Values; Usage and Examples)

sc_max_frame_size

Gets or sets the constant that determines maximum frame size.

The default is 9014 (support for jumbo frames).

Possible values: 1514–16,014.


[root@defaulthost admin]# scio const -s s0 get sc_max_frame_size
scio: sc_max_frame_size = 0x2336

[root@defaulthost admin]# scio const -s s0 set sc_max_frame_size 1514
scio: sc_max_frame_size = 0x5EA

Table 13 provides usage and examples of the kernel constants related to the SYN Protector rulebase.

Table 13: scio const Arguments Related to the SYN Protector Rulebase (columns: Constants and Values; Usage and Examples)

sc_syndef_timeout

Gets or sets the constant that determines the timeout for the SYN protector rulebase in passive mode. The timeout specifies how many seconds the IDP engine holds an incomplete SYN-ACK handshake before purging it.

The default is 5 (seconds).

Possible values: 1-0xFFFF.


[root@defaulthost admin]# scio const -s s0:syndef get sc_syndef_timeout
scio: sc_syndef_timeout = 0x5

[root@defaulthost admin]# scio const -s s0:syndef set sc_syndef_timeout 10
scio: setting sc_syndef_timeout to 0xa

Note: You can also configure this setting in NSM.

sc_syndef_threshhold

Gets or sets the value for the constant that determines the lower threshold of SYNs per second that activates the SYN Protector rulebase. For relay mode, this is the only value that matters. For passive mode, you also set sc_syndef_threshhold_delta.

The default is 0x3E8 (1000).

Possible values: 1-0xFFFF.


[root@defaulthost admin]# scio const -s s0:syndef get sc_syndef_threshhold
scio: sc_syndef_threshhold = 0x3e8

[root@defaulthost admin]# scio const -s s0:syndef set sc_syndef_threshhold 1020
scio: setting sc_syndef_threshhold to 0x3fc

Note: You can also configure this setting in NSM.

sc_syndef_threshhold_delta

Gets or sets the value for the constant that sets the upper threshold of SYNs per second. In passive mode, SYN Protection activates once the number of SYN packets per second for a given destination IP exceeds this number plus the lower threshold number. Passive mode protection deactivates once the value drops below the lower threshold.

The default is 0x14 (20).

Possible values: 1-0xFFFF.


[root@defaulthost admin]# scio const -s s0:syndef get sc_syndef_threshhold_delta
scio: sc_syndef_threshhold_delta = 0x14

[root@defaulthost admin]# scio const -s s0:syndef set sc_syndef_threshhold_delta 25
scio: setting sc_syndef_threshhold_delta to 0x19

Note: You can also configure this setting in NSM.
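The threshold plus delta rule above, like the hi/low pair for flow bypass (sc_flow_bypass_threshold_hi and sc_flow_bypass_threshold_low), is a hysteresis band, and the easy mistake is to expect the mechanism to toggle at the lower threshold. The following shell functions are an added example, not Juniper code, that model both bands over a sequence of per-second samples so you can see which samples change state before touching the constants. The SYN Protector semantics follow the text above; for flow bypass the example assumes activation when queue usage rises above hi and reset when it drops below low, and all function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Juniper documentation: a small model of the
# two hysteresis thresholds this page describes, so the activate/deactivate
# band can be checked against a sequence of per-second samples.
#   SYN Protector passive mode (sc_syndef_threshhold / _delta): protection
#     turns on when SYNs/s exceeds threshold + delta and turns off when the
#     rate drops below threshold (as stated on this page).
#   Flow bypass (sc_flow_bypass_threshold_hi / _low): ASSUMED here to turn
#     on when queue usage rises above hi and to reset below low.
# Between the two levels the previous state is kept; a rate hovering just
# above the lower threshold neither activates nor deactivates the mechanism.

# hysteresis_trace ON OFF SAMPLE...
#   prints one digit per sample: 1 if active after that sample, else 0
hysteresis_trace() {
    on=$1; off=$2; shift 2
    state=0; trace=
    for x in "$@"; do
        if [ "$state" -eq 0 ] && [ "$x" -gt "$on" ]; then
            state=1
        elif [ "$state" -eq 1 ] && [ "$x" -lt "$off" ]; then
            state=0
        fi
        trace="$trace$state"
    done
    printf '%s\n' "$trace"
}

# syndef_passive_trace THRESHOLD DELTA SYNS_PER_SEC...
syndef_passive_trace() {
    t=$1; d=$2; shift 2
    hysteresis_trace "$((t + d))" "$t" "$@"
}

# flow_bypass_trace HI LOW QUEUE_PERCENT...   (assumed semantics, see above)
flow_bypass_trace() {
    hi=$1; low=$2; shift 2
    hysteresis_trace "$hi" "$low" "$@"
}

# Page defaults: threshold 1000, delta 20 -> on above 1020, off below 1000.
# 1010 does not activate; 1005 does not deactivate; 999 does.
echo "syndef: $(syndef_passive_trace 1000 20 500 1010 1021 1005 999 1010)"
# Page defaults: hi 90, low 80.
echo "bypass: $(flow_bypass_trace 90 80 85 91 85 79 85)"
```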

sc_syndef_report_freq

Gets or sets the value for the constant that determines how often a SYN flood attempt is reported, in seconds.

The default is 30 (seconds).

Possible values: 1-86,400 (86,400 seconds is 1 day).


[root@defaulthost admin]# scio const -s s0:syndef get sc_syndef_report_freq
scio: sc_syndef_report_freq = 0x1e

[root@defaulthost admin]# scio const -s s0:syndef set sc_syndef_report_freq 60
scio: setting sc_syndef_report_freq to 0x3c

sc_syndef_log_detail

Gets or sets the constant that determines whether or not the destination IP address appears in the log variable data.

The default is 1 (on).

Possible values: 0-1 (0 = off, 1 = on).


[root@defaulthost admin]# scio const -s s0:syndef get sc_syndef_log_detail
scio: sc_syndef_log_detail = 0x0

[root@defaulthost admin]# scio const -s s0:syndef set sc_syndef_log_detail 1
scio: setting sc_syndef_log_detail to 0x1

sc_syndef_log_ports

Gets or sets the value for the constant that determines whether or not the destination port appears in the log variable data. If both sc_syndef_log_detail and sc_syndef_log_ports are set to 1 (on), the sc_syndef_log_ports value takes precedence and is displayed, not the IP.

The default is 0 (off).

Possible values: 0-1 (0 = off, 1 = on).


[root@defaulthost admin]# scio const -s s0:syndef get sc_syndef_log_ports
scio: sc_syndef_log_ports = 0x0

[root@defaulthost admin]# scio const -s s0:syndef set sc_syndef_log_ports 1
scio: setting sc_syndef_log_ports to 0x1

Table 14 provides usage and examples of kernel constants related to the user role-based policy feature.

Table 14: scio const Arguments Related to the User Role-Based Policy Feature (columns: Constants and Values; Usage and Examples)

sc_enable_user_policy

Gets or sets the constant that determines whether the feature is enabled or disabled.

The default is 1 (on). 0 turns the feature off.


[root@defaulthost admin]# scio const -s s0 get sc_enable_user_policy
scio: sc_enable_user_policy = 0x1

[root@defaulthost admin]# scio const -s s0 set sc_enable_user_policy 0
scio: setting sc_enable_user_policy to 0x0

sc_ic_reconcile_timeout

Gets or sets the timeout (in seconds) after which lost connectivity stops processing of user role-based rules.

The default is 30 (seconds).

Possible values: 0-3600.


[root@defaulthost admin]# scio const -s s0 get sc_ic_reconcile_timeout
scio: sc_ic_reconcile_timeout = 0x1e

[root@defaulthost admin]# scio const -s s0 set sc_ic_reconcile_timeout 3600
scio: setting sc_ic_reconcile_timeout to 0xe10

Published: 2010-01-12