    scio const

    Syntax

    scio const {list | -c name | -d | -p service | -s s0:qmodule | -v name} {list | get constant | set constant value}

    Description

    Displays or sets values for IDP OS kernel constants. Kernel constants determine whether features are enabled or disabled, as well as feature configuration parameters.

    Changes you make to kernel constants from the CLI do not persist across restarts. To make your change persistent:

    1. Open the /usr/idp/device/bin/user_funcs file in a text editor, such as vi.
    2. Add the constant below the line user_start_end(). For example:
      user_start_end()
      {
          $SCIO const -s s0 set sc_ssl_sessid_timeout 90
      }
    3. Save the file.
    4. Restart the IDP engine:
      [root@defaulthost admin]# idp.sh restart

      Restarting the IDP engine can take several moments.

    Options

    Table 1 describes the basic parameters of scio const commands.

    Table 1: Command Reference: scio const

    Options and Arguments

    Usage and Examples

    list

    When specified with no other options or arguments, the scio const list command lists constants related to memory, logging, storage, and debugging.

    [root@defaulthost admin]# scio const list
      sc_debug_features              = 0x10        [ 0...ffffffff ]
      sc_debug_qmodules              = 0x0         [ 0...ffffffff ]
      sc_debug_services              = 0x0         [ 0...ffffffff ]
      sc_debug_services2             = 0x0         [ 0...ffffffff ]
      sc_debug_level                 = 0x1         [ 0...3 ]
      sc_debug_detail                = 0x0         [ 0...1 ]
      sc_panic_on_assert             = 0x0         [ 0...1 ]
      sc_malloc_debug                = 0x0         [ 0...1 ]
      sc_malloc_debug_size           = 0x200       [ 0...f4240 ]
      sc_malloc_fail_report_freq     = 0xc350      [ 0...ffffffff ]
      sc_log_cache_size              = 0x3200      [ 1...ffff ]
      sc_log_chunk_size              = 0x4000      [ 400...4000 ]
      sc_log_chunk_timeout           = 0x186a0     [ 1...f4240 ]
      sc_pktlog_cache_size           = 0x100000    [ 400...ffffffff ]
      sc_pktlog_chunk_size           = 0x1f82e     [ 400...ffffffff ]
      sc_pktlog_chunk_timeout        = 0x186a0     [ 1...f4240 ]
      sc_pktlog_capture_timeout      = 0x5         [ 1...708 ]
      [...]

    -d

    Specify the -d option for commands related to protocol decoders.

    Specify the list option to display a list of which protocol decoders are enabled or disabled:

    [root@defaulthost admin]# scio const -d list
    Protocol Decoders Enabled are:
       AIM         APE         BGP         BWMON       CHARGEN     DHCP
       DISCARD     DNS         ECHO        FINGER      FTP         GNUTELLA
       GOPHER      H225RAS     H225SGN     ICMP        IDENT       IEC104
       IKE         IRC         LDAP        LPR         MGCP        MSN
       MSRPC       MSSQL       MYSQL       NBDS        NBNAME      NFS
       NNTP        NTP         POP3        PORTMAPPER  PROFILER    PTYPE
       REXEC       RLOGIN      RPC         RSH         RTSP        RUSERS
       SIP         SMB         SNMPTRAP    SQLMON      SSH         SSL
       SYSLOG      TELNET      TNS         VNC         WHOIS       YMSG
    
    Protocol Decoders Disabled are:
       HTTP        IMAP        RADIUS      SMTP        SNMP        TFTP
    

    Specify the get decoder option to display whether the specified decoder is enabled or disabled. (1 = enabled; 0 = disabled). For example, the following command displays the value for the SIP decoder. 1 indicates the SIP decoder is enabled.

    [root@defaulthost admin]# scio const -d get SIP
    scio: SIP = 0x1
    

    Specify the set decoder value option to change the enabled/disabled setting. The following example turns off the SIP decoder.

    [root@defaulthost admin]# scio const -d set SIP 0
    scio: setting SIP to 0x0
    [root@defaulthost admin]#
    

    -v name

    Specify the -v option for commands related to virtual routers.

    [root@defaulthost admin]# scio const -v vr1 list
      sc_arp_timeout                 = 0xe10       [ 1...ffffffff ]
      sc_arp_proxy_timeout           = 0x14        [ 1...ffffffff ]
      sc_arp_logging                 = 0x1         [ 0...1 ]
      sc_arp_spoof_detect            = 0x1         [ 0...1 ]
      sc_mac_timeout                 = 0xe10       [ 1...ffffffff ]
      sc_mac_unknown_timeout         = 0x14        [ 1...ffffffff ]
      sc_stp_enabled                 = 0x0         [ 0...1 ]
      sc_stp_bridge_priority         = 0x8000      [ 0...ffff ]
      sc_stp_bridge_max_age          = 0x14        [ 6...28 ]
      sc_stp_bridge_hello_time       = 0x2         [ 1...a ]
      sc_stp_bridge_forward_delay    = 0xf         [ 4...1e ]
      sc_stp_check_interval_ticks    = 0xa         [ 1...3e8 ]
      sc_stp_logging                 = 0x1         [ 0...1 ]
      sc_arp_request_record          = 0x1         [ 0...1 ]
      sc_arp_spoof_pass_thru         = 0x1         [ 0...1 ]
    

    -s s0:qmodule

    Specify the -s option for commands related to subscriber settings.

    s0 specifies subscriber s0, the only valid argument for scio const -s.

    In some cases, scio const syntax requires that you specify the subscriber qmodule. The example commands in this reference use the construction s0:qmodule to include the subscriber qmodule when it is required, and omit it when it is not.

    [root@defaulthost admin]# scio const -s s0 list
      sc_rpc_xid_timeout             = 0x5         [ 1...3c ]
      sc_rpc_program_timeout         = 0x12c       [ 1...12c ]
      sc_exempt_mgt_traffic          = 0x1         [ 0...1 ]
      sc_enable_statistics           = 0x0         [ 0...1 ]
      sc_bypass_dfa                  = 0x0         [ 0...1 ]
      sc_enable_packet_count         = 0x1         [ 0...1 ]
      sc_enable_rule_stats           = 0x0         [ 0...1 ]
      sc_ip_fragment_timeout         = 0x5         [ 1...3c ]
      sc_ip_fragment_min_size        = 0x0         [ 0...ffff ]
      sc_ip_fragment_max_ppf         = 0xffff      [ 8...ffff ]
    
    [...]

    -c name

    Specify the -c option for commands related to virtual circuits.

    [root@defaulthost admin]# scio const -c eth2 list
      sc_stp_port_enabled            = 0x1         [ 0...1 ]
      sc_stp_change_detection_enabled = 0x1         [ 0...1 ]
      sc_stp_port_priority           = 0x80        [ 0...ff ]
      sc_stp_port_path_cost          = 0x64        [ 1...ffff ]
      sc_xmit_queue_size             = 0x400       [ 0...4000 ]
    

    -p service

    Specify the -p option for commands related to service settings.

    [root@defaulthost admin]# scio const -p http list
      sc_http_request_length         = 0x2000      [ 1...2000 ]
      sc_http_header_length          = 0x2000      [ 1...2000 ]
      sc_http_cookie_length          = 0x2000      [ 1...2000 ]
      sc_http_auth_length            = 0x200       [ 1...400 ]
      sc_http_content_type_length    = 0x200       [ 1...2000 ]
      sc_http_user_agent_length      = 0x100       [ 1...2000 ]
      sc_http_soapaction_length      = 0x400       [ 1...2000 ]
      sc_http_host_length            = 0x40        [ 1...2000 ]
      sc_http_referer_length         = 0x2000      [ 1...2000 ]
      sc_http_alternate_ports        = 0x1         [ 0...1 ]
      sc_http_failed_logins          = 0x4         [ 2...64 ]
      sc_http_brute_search           = 0x10        [ 2...64 ]
      sc_http_ignore                 = 0x0         [ 0...4 ]
      sc_http_jpeg_depth             = 0x1000      [ 0...1000 ]
      sc_http_min_html_tag_len       = 0xa         [ 0...2000 ]
      sc_http_enable_parse_html      = 0x1         [ 0...1 ]
      sc_http_enable_parse_html_tags = 0x1         [ 0...1 ]
      sc_http_enable_chunk_contexts  = 0x1         [ 0...1 ]
      sc_http_chunk_min_len          = 0xa         [ 0...32 ]
    

    list

    When specified in syntax after the -c, -p, -s, or -v options, lists all constants related to the class specified by the flag.

    [root@defaulthost admin]# scio const -s s0 list
      sc_rpc_xid_timeout             = 0x5         [ 1...3c ]
      sc_rpc_program_timeout         = 0x12c       [ 1...12c ]
      sc_exempt_mgt_traffic          = 0x1         [ 0...1 ]
      sc_enable_statistics           = 0x0         [ 0...1 ]
      sc_bypass_dfa                  = 0x0         [ 0...1 ]
      sc_enable_packet_count         = 0x1         [ 0...1 ]
      sc_enable_rule_stats           = 0x0         [ 0...1 ]
      sc_ip_fragment_timeout         = 0x5         [ 1...3c ]
      sc_ip_fragment_min_size        = 0x0         [ 0...ffff ]
      sc_ip_fragment_max_ppf         = 0xffff      [ 8...ffff ]
    
    [...]

    get constant

    Gets values for the specified kernel constant.

    [root@defaulthost admin]# scio const -s s0 get sc_gre_decapsulation
    scio: sc_gre_decapsulation = 0x0
    

    set constant value

    Sets values for the specified kernel constant.

    [root@defaulthost admin]# scio const -s s0 set sc_gre_decapsulation 1
    scio: setting sc_gre_decapsulation to 0x1
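
    Because CLI changes do not persist across restarts, it is worth checking the running constants against an expected baseline after a restart or a policy change. The following is an added example, not vendor code: it parses the list output format shown above (hexadecimal value and range) and reports drift. The baseline file format, the function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): audit `scio const ... list` output
# against a baseline of expected values.

# audit_constants BASELINE_FILE  < listing
#   BASELINE_FILE: lines of "<constant> <expected>" (decimal or 0x-hex,
#                  "#" starts a comment). This file format is an assumption.
#   stdin:         output of a `scio const ... list` command.
# Prints one finding per line; returns 1 if there were findings, else 0.
audit_constants() {
    awk -v baseline="$1" '
    # Convert "0x1f" or bare hex digits to a number; -1 if not valid hex.
    function hex(s,    i, d, n) {
        s = tolower(s); sub(/^0x/, "", s)
        if (s == "") return -1
        n = 0
        for (i = 1; i <= length(s); i++) {
            d = index("0123456789abcdef", substr(s, i, 1))
            if (d == 0) return -1
            n = n * 16 + d - 1
        }
        return n
    }
    # Baseline values may be decimal (as typed into "set") or 0x-hex (as printed).
    function num(s) { return (s ~ /^0[xX]/) ? hex(s) : s + 0 }

    BEGIN {
        while ((getline line < baseline) > 0) {
            sub(/#.*/, "", line)
            if (split(line, f, " ") < 2) continue
            order[++nbase] = f[1]; want[f[1]] = num(f[2])
        }
        close(baseline)
    }
    # Listing rows look like:  name = 0xVALUE [ min...max ]
    $2 == "=" && $4 == "[" && $6 == "]" {
        name = $1; val = hex($3)
        split($5, r, /\.\.\./)      # range bounds are hex without a 0x prefix
        lo = hex(r[1]); hi = hex(r[2])
        seen[name] = 1
        if (val < lo || val > hi) {
            printf "RANGE %s value=%s allowed=%s\n", name, $3, $5; bad = 1
        }
        if ((name in want) && val != want[name]) {
            printf "DRIFT %s expected=0x%x actual=%s\n", name, want[name], $3; bad = 1
        }
    }
    END {
        # Baseline entries that never appeared in the listing.
        for (i = 1; i <= nbase; i++)
            if (!(order[i] in seen)) { printf "MISSING %s\n", order[i]; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: part of the s0 listing from this page, two values altered.
sample_listing() {
    cat <<'EOF'
[root@defaulthost admin]# scio const -s s0 list
  sc_rpc_xid_timeout             = 0x5         [ 1...3c ]
  sc_exempt_mgt_traffic          = 0x1         [ 0...1 ]
  sc_bypass_dfa                  = 0x1         [ 0...1 ]
  sc_ip_fragment_timeout         = 0x40        [ 1...3c ]
  sc_ip_fragment_max_ppf         = 0xffff      [ 8...ffff ]
[...]
EOF
}

# Runs the audit over the constructed sample with a constructed baseline
# (values as they appear in the listings on this page).
demo_audit() {
    b=$(mktemp) || return 2
    cat > "$b" <<'EOF'
sc_exempt_mgt_traffic   1
sc_bypass_dfa           0
sc_ip_fragment_timeout  5
sc_ip_fragment_max_ppf  0xffff
sc_gre_decapsulation    0      # absent from the truncated sample listing
EOF
    rc=0
    sample_listing | audit_constants "$b" || rc=$?
    rm -f "$b"
    return "$rc"
}

# On a device, the listing would come from the command itself, for example:
#   scio const -s s0 list | audit_constants baseline.txt   (baseline.txt is hypothetical)
demo_audit || true
```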
    

    For information on particular constants, refer to the following tables:

    • Table 2 provides usage and examples of kernel constants related to the application identification feature.
    • Table 3 provides usage and examples of kernel constants related to the application policy enforcement (APE) rulebase.
    • Table 4 provides usage and examples of kernel constants related to the application volume tracking (AVT) feature.
    • Table 5 provides usage and examples of kernel constants related to the flow bypass feature.
    • Table 6 provides usage and examples of kernel constants related to flow behavior during policy load.
    • Table 7 provides usage and examples of kernel constants related to GRE decapsulation.
    • Table 8 provides usage and examples of kernel constants related to GTP decapsulation.
    • Table 9 provides usage and examples of kernel constants related to IPsec ESP NULL decapsulation.
    • Table 10 provides usage and examples of kernel constants related to MPLS decapsulation.
    • Table 11 provides usage and examples of kernel constants related to SSL inspection.
    • Table 12 provides usage and examples of the kernel constant that determines the maximum frame size processed by the IDP engine.
    • Table 13 provides usage and examples of kernel constants related to the SYN Protector rulebase.
    • Table 14 provides usage and examples of kernel constants related to the user role-based policy feature.

    Table 2 provides usage and examples of kernel constants related to the application identification feature.

    Table 2: scio const Arguments Related to the Application Identification Feature

    Constants and Values

    Usage and Examples

    sc_ai_enable

    Gets or sets the constant that determines whether the application identification feature is enabled or disabled.

    The default is 1 (on). 0 turns application identification off.

    [root@defaulthost admin]# scio const get sc_ai_enable
    scio: sc_ai_enable = 0x1
    
    [root@defaulthost admin]# scio const set sc_ai_enable 0
    scio: setting sc_ai_enable to 0x0
    

    Note: You can also configure this setting in NSM.

    sc_ai_check_first_session

    Gets or sets the constant that determines whether the application identification feature attempts to identify the application from the first session.

    The default is 1 (on). 0 turns the setting off.

    [root@defaulthost admin]# scio const get sc_ai_check_first_session
    scio: sc_ai_check_first_session = 0x1
    
    [root@defaulthost admin]# scio const set sc_ai_check_first_session 0
    scio: setting sc_ai_check_first_session to 0x0
    

    sc_ai_max_tcp_sess_pkt_mem

    Gets or sets the constant that determines the maximum bytes of memory used to perform application identification on TCP sessions.

    The default is 30,000 (0x7530).

    Possible values: 0 to 60,000.

    [root@defaulthost admin]# scio const get sc_ai_max_tcp_sess_pkt_mem
    scio: sc_ai_max_tcp_sess_pkt_mem = 0x7530
    
    [root@defaulthost admin]# scio const set sc_ai_max_tcp_sess_pkt_mem 60000
    scio: setting sc_ai_max_tcp_sess_pkt_mem to 0xEA60

    sc_ai_max_udp_sess_pkt_mem

    Gets or sets the constant that determines the maximum bytes of memory used to perform application identification on UDP sessions.

    The default is 10,000 (0x2710).

    Possible values: 0 to 20,000 (0x4e20).

    [root@defaulthost admin]# scio const get sc_ai_max_udp_sess_pkt_mem
    scio: sc_ai_max_udp_sess_pkt_mem = 0x7530
    
    [root@defaulthost admin]# scio const set sc_ai_max_udp_sess_pkt_mem 20000
    scio: setting sc_ai_max_udp_sess_pkt_mem to 0x4e20

    sc_ai_num_sess

    Gets or sets the constant that determines the maximum number of concurrent sessions where application identification can be used.

    The default is 50,000 (0xc350).

    Possible values: 0 to 200,000 (0x30d40).

    [root@defaulthost admin]# scio const get sc_ai_num_sess
    scio: sc_ai_num_sess  = 0xc350
    
    [root@defaulthost admin]# scio const set sc_ai_num_sess 200000
    scio: setting sc_ai_num_sess  to 0x30d40
    

    Note: You can also configure this setting in NSM.

    sc_ai_max_pkt_mem

    Gets or sets the constant that determines the maximum bytes of memory used to store packets processed by the application identification feature.

    The default is 50,000,000 (0x2faf080).

    Possible values: 0 to 200,000,000 (0xbebc200).

    [root@defaulthost admin]# scio const get sc_ai_max_pkt_mem
    scio: sc_ai_max_pkt_mem = 0x2faf080
    
    [root@defaulthost admin]# scio const set sc_ai_max_pkt_mem 200000000
    scio: setting sc_ai_max_pkt_mem to 0xbebc200
    

    sc_ai_check_bytes

    Gets or sets the constant that determines the length of the check byte.

    The default is 10 (0xa).

    Possible values: 0 to 2000 (0x7d0).

    [root@defaulthost admin]# scio const get sc_ai_check_bytes
    scio: sc_ai_check_bytes = 0xa 
    
    [root@defaulthost admin]# scio const set sc_ai_check_bytes 20
    scio: setting sc_ai_check_bytes to 0x14
    

    Table 3 provides usage and examples of kernel constants related to the application policy enforcement (APE) rulebase.

    Table 3: scio const Arguments Related to the APE Rulebase

    Constants and Values

    Usage and Examples

    sc_ape_enable

    Gets or sets the constant that determines whether the application policy enforcement rulebase is enabled or disabled.

    The default is 1 (on). 0 turns the APE rulebase off.

    [root@defaulthost admin]# scio const get sc_ape_enable
    scio: sc_ape_enable = 0x1
    
    [root@defaulthost admin]# scio const set sc_ape_enable 0
    scio: setting sc_ape_enable to 0x0
    

    sc_enable_ape_stats

    Gets or sets the constant for APE statistics collection.

    The default is 0 (off). 1 turns statistics collection on.

    [root@defaulthost admin]# scio const -s s0 get sc_enable_ape_stats
    scio: sc_enable_ape_stats = 0x0
    
    [root@defaulthost admin]# scio const -s s0 set sc_enable_ape_stats 1
    scio: setting sc_enable_ape_stats to 0x1
    

    sc_ape_default_rate_limit

    Gets or sets the constant that determines the default rate limit for sessions that do not match APE rules.

    Note: If you have enabled per user rate limiting (also called per subscriber rate limiting), the default rate limit is applied per user. If not, the default rate limit is a maximum allocation for all sessions that do not match APE rules.

    [root@defaulthost admin]# scio const get sc_ape_default_rate_limit
    scio: sc_ape_default_rate_limit = 0xffffffff
    

    The default is 4,294,967,295 bps (0xffffffff in hexadecimal; 4,096 Mbps or .5 Gbps), which effectively turns off the “default rate limit”.

    The following example sets a limit of .25 Gbps:

    [root@defaulthost admin]# scio const set sc_ape_default_rate_limit 2147483648
    scio: setting sc_ape_default_rate_limit to 0x80000000

    sc_per_subscriber_ratelimit

    Gets or sets the constant that determines whether rate limits are enforced per user role or per user. The default is 0 (rate limit applied when aggregate bandwidth for the user role reaches the threshold). Change to 1 if you want the rate limit applied when bandwidth utilization for any user reaches the threshold.

    [root@defaulthost admin]# scio const -s s0 get sc_per_subscriber_ratelimit
    scio: sc_per_subscriber_ratelimit = 0x0
    
    [root@defaulthost admin]# scio const -s s0 set sc_per_subscriber_ratelimit 1
    scio: setting sc_per_subscriber_ratelimit to 0x1
    

    Table 4 provides usage and examples of kernel constants related to the application volume tracking (AVT) feature.

    Table 4: scio const Arguments Related to the Application Volume Tracking Feature

    Constants and Values

    Usage and Examples

    sc_periodic_stat_update

    Gets or sets the constant that determines whether the application volume tracking feature is enabled or disabled.

    The default is 1 (on). 0 turns AVT off.

    [root@defaulthost admin]# scio const -s s0:flow get sc_periodic_stat_update
    scio: sc_periodic_stat_update = 0x1
    
    [root@defaulthost admin]# scio const -s s0:flow set sc_periodic_stat_update 0
    scio: setting sc_periodic_stat_update to 0x01
    

    Note: You can also configure this setting in NSM.

    Table 5 provides usage and examples of kernel constants related to the flow bypass feature.

    Table 5: scio const Arguments Related to Flow Bypass

    Constants and Values

    Usage and Examples

    sc_flow_bypass_enable

    Gets or sets the constant that determines whether the flow bypass feature is enabled or disabled.

    The default is 0 (off). 1 turns the flow bypass feature on.

    [root@defaulthost admin]# scio const -s s0:flow get sc_flow_bypass_enable
    scio: sc_flow_bypass_enable = 0x0
    
    [root@defaulthost admin]# scio const -s s0:flow set sc_flow_bypass_enable 1
    scio: setting sc_flow_bypass_enable to 0x1
    

    sc_flow_bypass_threshold_hi

    Gets or sets the constant that determines the system packet queue size rising threshold.

    The default is 90 (percent).

    Possible values: 0-100.

    [root@defaulthost admin]# scio const -s s0:flow get sc_flow_bypass_threshold_hi
    scio: sc_flow_bypass_threshold_hi = 0x5a
    
    [root@defaulthost admin]# scio const -s s0:flow set sc_flow_bypass_threshold_hi 95
    scio: setting sc_flow_bypass_threshold_hi to 0x5f
    

    sc_flow_bypass_threshold_low

    Gets or sets the constant that determines the system packet queue size reset threshold.

    The default is 80 (percent).

    Possible values: 0-100.

    [root@defaulthost admin]# scio const -s s0:flow get sc_flow_bypass_threshold_low
    scio: sc_flow_bypass_threshold_low = 0x50
    
    [root@defaulthost admin]# scio const -s s0:flow set sc_flow_bypass_threshold_low 85
    scio: setting sc_flow_bypass_threshold_low to 0x55
    

    Table 6 provides usage and examples of kernel constants related to flow behavior during policy load.

    Table 6: scio const Arguments Related to Policy Load

    Constants and Values

    Usage and Examples

    sc_flow_reset_on_policy

    Gets or sets the constant that determines whether the flow table is reset when a new policy is loaded. When the flow table is reset, existing sessions are passed through uninspected.

    Valid values are 0 (do not reset on policy load) or 1 (reset on policy load).

    For IDP75 and IDP200, the default is 1, and you cannot override the default.

    For high-end appliances, the default is 0. When you load a new policy, the IDP system flow table maintains sessions belonging to the previously installed policy as well as the newly installed policy. The IDP engine continues to use the previously installed security policy to inspect previous sessions, and uses the newly installed security policy to inspect new sessions. When the previously installed policy is no longer in use, it is unloaded and all traffic is inspected using the newly installed policy. For IDP8200 and IDP250, the IDP system can maintain flows for as many as two security policies. For IDP1100, IDP800, and IDP600, the IDP system can maintain flows for as many as four security policies.

    The default is 0 (off). 1 turns the flow bypass feature on.

    [root@defaulthost admin]# scio const -s s0:flow get sc_flow_reset_on_policy
    scio: sc_flow_reset_on_policy = 0x0
    
    [root@defaulthost admin]# scio const -s s0:flow set sc_flow_reset_on_policy 1
    scio: setting sc_flow_reset_on_policy to 0x1
    

    Note: You can also configure this setting in NSM.

    sc_num_policies

    Gets or sets the number of policies maintained in the flow table.

    For IDP75 and IDP200, the default is 1, and you cannot override the default.

    For IDP8200 and IDP250, the default is 2. Possible values are 1 or 2.

    For IDP1100, IDP800, and IDP600, the default is 2. Possible values are 1, 2, 3, or 4.

    [root@defaulthost admin]# scio const -s s0 get sc_num_policies
    scio: sc_num_policies = 0x2
    
    
    [root@defaulthost admin]# scio const -s s0 set sc_num_policies 4
    scio: sc_num_policies = 0x4
    
    

    Table 7 provides usage and examples of kernel constants related to GRE decapsulation.

    Table 7: scio const Arguments Related to GRE Decapsulation

    Constants and Values

    Usage and Examples

    sc_gre_decapsulation

    Gets or sets the constant that determines whether GRE decapsulation is enabled or disabled.

    The default is 0 (off). 1 turns GRE decapsulation on.

    [root@defaulthost admin]# scio const -s s0 get sc_gre_decapsulation
    scio: sc_gre_decapsulation = 0x0
    
    [root@defaulthost admin]# scio const -s s0 set sc_gre_decapsulation 1
    scio: setting sc_gre_decapsulation to 0x1
    

    Note: You can also configure this setting in NSM.

    sc_max_decapsulation

    Gets or sets the constant that determines how many layers can be decapsulated.

    The default is 1 (1 layer).

    Possible values: 1, 2.

    [root@defaulthost admin]# scio const -s s0 get sc_max_decapsulation
    scio: sc_max_decapsulation = 0x1
    
    [root@defaulthost admin]# scio const -s s0 set sc_max_decapsulation 2
    scio: setting sc_max_decapsulation to 0x2
    

    Note: The sc_max_decapsulation constant is used with GRE, GTP, and IPsec ESP NULL decapsulation.

    Table 8 provides usage and examples of kernel constants related to GTP decapsulation.

    Table 8: scio const Arguments Related to GTP Decapsulation

    Constants and Values

    Usage and Examples

    sc_gtp_decapsulation

    Gets or sets the constant that determines whether GTP decapsulation is enabled or disabled.

    The default is 0 (off). 1 turns GTP decapsulation on.

    [root@defaulthost admin]# scio const -s s0 get sc_gtp_decapsulation
    scio: sc_gtp_decapsulation = 0x0
    
    [root@defaulthost admin]# scio const -s s0 set sc_gtp_decapsulation 1
    scio: setting sc_gtp_decapsulation to 0x1
    

    Note: You can also configure this setting in NSM.

    sc_max_decapsulation

    Gets or sets the constant that determines how many layers can be decapsulated.

    The default is 1 (1 layer).

    Possible values: 1, 2.

    [root@defaulthost admin]# scio const -s s0 get sc_max_decapsulation
    scio: sc_max_decapsulation = 0x1
    
    [root@defaulthost admin]# scio const -s s0 set sc_max_decapsulation 2
    scio: setting sc_max_decapsulation to 0x2
    

    Note: The sc_max_decapsulation constant is used with GRE, GTP, and IPsec ESP NULL decapsulation.

    sc_gtp_timeout

    Gets or sets the constant that determines the time in seconds that the IDP engine maintains the GTP tunnel. If the time elapses before the IDP engine detects another GTP packet, it considers the tunnel closed.

    The default is 3600 (seconds).

    Possible values: 1-0xFFFFFFFF.

    [root@defaulthost admin]# scio const -s s0 get sc_gtp_timeout
    scio: sc_gtp_timeout = 0xe10
    
    [root@defaulthost admin]# scio const -s s0 set sc_gtp_timeout 7200
    scio: setting sc_gtp_timeout to 0x1c20
    

    sc_gtp_max_flows

    Gets or sets the constant that determines the maximum number of GTP tunnels the IDP engine can handle at once.

    The default is 0x30D40 (200,000).

    Possible values: 2-0x61A80 (2-400,000).

    [root@defaulthost admin]# scio const -s s0 get sc_gtp_max_flows
    scio: sc_gtp_max_flows = 0x30d40
    
    [root@defaulthost admin]# scio const -s s0 set sc_gtp_max_flows 100000
    scio: setting sc_gtp_max_flows to 0x186a0
    

    Table 9 provides usage and examples of kernel constants related to IPsec ESP NULL decapsulation.

    Table 9: scio const Arguments Related to IPsec ESP NULL Decapsulation

    Constants and Values

    Usage and Examples

    sc_null_esp_decapsulation

    Gets or sets the constant that determines whether IPsec ESP NULL traffic decapsulation is enabled or disabled.

    The default is 0 (off). 1 turns IPsec ESP NULL traffic decapsulation on.

    [root@defaulthost admin]# scio const -s s0 get sc_null_esp_decapsulation
    scio: sc_null_esp_decapsulation = 0x0
    
    [root@defaulthost admin]# scio const -s s0 set sc_null_esp_decapsulation 1
    scio: setting sc_null_esp_decapsulation to 0x1
    

    sc_max_decapsulation

    Gets or sets the constant that determines how many layers can be decapsulated.

    The default is 1 (1 layer).

    Possible values: 1, 2.

    [root@defaulthost admin]# scio const -s s0 get sc_max_decapsulation
    scio: sc_max_decapsulation = 0x1
    
    [root@defaulthost admin]# scio const -s s0 set sc_max_decapsulation 2
    scio: setting sc_max_decapsulation to 0x2
    

    Note: The sc_max_decapsulation constant is used with GRE, GTP, and IPsec ESP NULL decapsulation.

    Table 10 provides usage and examples of kernel constants related to MPLS decapsulation.

    Table 10: scio const Arguments Related to MPLS Decapsulation

    Constants and Values

    Usage and Examples

    sc_mpls_decapsulation

    Gets or sets the constant that determines whether MPLS decapsulation is enabled or disabled.

    The default is 0 (off). 1 turns MPLS decapsulation on.

    [root@defaulthost admin]# scio const -s s0 get sc_mpls_decapsulation
    scio: sc_mpls_decapsulation = 0x0
    
    [root@defaulthost admin]# scio const -s s0 set sc_mpls_decapsulation 1
    scio: sc_mpls_decapsulation = 0x1
    

    Table 11 provides usage and examples of kernel constants related to SSL inspection.

    Table 11: scio const Arguments Related to SSL Inspection

    Constants and Values

    Usage and Examples

    sc_ssl_decryption

    Gets or sets the constant that determines whether SSL decryption is enabled or disabled.

    The default is 0 (off). 1 turns the feature on.

    [root@defaulthost admin]# scio const -s s0 get sc_ssl_decryption
    scio: sc_ssl_decryption = 0x0
    
    [root@defaulthost admin]# scio const -s s0 set sc_ssl_decryption 1
    scio: setting sc_ssl_decryption to 0x1
    

    Note: You can also configure this setting in NSM.

    sc_ssl_inspection

    Turns off the SSL forward proxy feature. Use this command in test or troubleshooting cases. Note that you can also disable the feature by using scio ssl ca delete to delete the root CA. We recommend that you use scio const -s s0 set sc_ssl_inspection 0 when testing or troubleshooting, and scio ssl ca delete when turning the feature off in production.

    The default is 1 (on). 0 turns the feature off.

    [root@defaulthost admin]# scio const -s s0 get sc_ssl_inspection
    scio: sc_ssl_inspection = 0x1
    
    [root@defaulthost admin]# scio const -s s0 set sc_ssl_inspection 0
    scio: setting sc_ssl_inspection to 0x0
    

    sc_ssl_sessid_timeout

    Gets or sets the constant that determines the SSL session security parameter cache timeout value (seconds).

    The default is 60.

    Possible values: 1–120.

    [root@defaulthost admin]# scio const -s s0 get sc_ssl_sessid_timeout
    scio: sc_ssl_sessid_timeout = 0x3c
    
    [root@defaulthost admin]# scio const -s s0 set sc_ssl_sessid_timeout 45
    scio: setting sc_ssl_sessid_timeout to 0x2d
    

    sc_ssl_pending_sessid_timeout

    Gets or sets the constant that determines the SSL pending session security parameter cache timeout value (seconds).

    The default is 30.

    Possible values: 1–60.

    [root@defaulthost admin]# scio const -s s0 get sc_ssl_pending_sessid_timeout
    scio: sc_ssl_pending_sessid_timeout = 0x1e
    
    [root@defaulthost admin]# scio const -s s0 set sc_ssl_pending_sessid_timeout 45
    scio: setting sc_ssl_pending_sessid_timeout to 0x2d
    

    sc_ssl_num_decrypt_sessions

    Gets or sets the constant that determines the maximum number of sessions that can be decrypted concurrently.

    The default is 10,000.

    Possible values: 1-100,000.

    [root@defaulthost admin]# scio const -s s0 get sc_ssl_num_decrypt_sessions
    scio: sc_ssl_num_decrypt_sessions = 0x2710
    
    [root@defaulthost admin]# scio const -s s0 set sc_ssl_num_decrypt_sessions 20000
    scio: setting sc_ssl_num_decrypt_sessions to 0x4e20
    

    Table 12 provides usage and examples of the kernel constant that determines the maximum frame size processed by the IDP Series device.

    Table 12: scio const Arguments Related to Maximum Frame Size

    Constants and Values

    Usage and Examples

    sc_max_frame_size

    Gets or sets the constant that determines the maximum frame size.

    The default is 9014 (support for jumbo frames).

    Possible values: 1514–16,014.

    [root@defaulthost admin]# scio const -s s0 get sc_max_frame_size
    scio: sc_max_frame_size =  0x2336 
    
    [root@defaulthost admin]# scio const -s s0 set sc_max_frame_size 1514
    scio: sc_max_frame_size = 0x5EA

    Table 13 provides usage and examples of the kernel constants related to the SYN Protector rulebase.

    Table 13: scio const Arguments Related to the SYN Protector Rulebase

    Constants and Values

    Usage and Examples

    sc_syndef_timeout

    Gets or sets the constant that determines the timeout for the SYN protector rulebase in passive mode. The timeout specifies how many seconds the IDP system holds an incomplete SYN-ACK handshake before purging it.

    The default is 5 (seconds).

    Possible values: 1-0xFFFF.

    [root@defaulthost admin]# scio const -s s0:syndef get sc_syndef_timeout
    scio: sc_syndef_timeout = 0x5
    
    [root@defaulthost admin]# scio const -s s0:syndef set sc_syndef_timeout 10
    scio: setting sc_syndef_timeout to 0xa
    

    Note: You can also configure this setting in NSM.

    sc_syndef_threshhold

    Gets or sets the value for the constant that determines the lower threshold of SYNs per second that activates the SYN Protector rulebase. For relay mode, this is the only value that matters. For passive mode, you also set sc_syndef_threshhold_delta.

    The default is 0x3E8 (1000).

    Possible values: 1-0xFFFF.

    [root@defaulthost admin]# scio const -s s0:syndef get sc_syndef_threshhold
    scio: sc_syndef_threshhold = 0x3e8
    
    [root@defaulthost admin]# scio const -s s0:syndef set sc_syndef_threshhold 1020
    scio: setting sc_syndef_threshhold to 0x3fc
    

    Note: You can also configure this setting in NSM.

    sc_syndef_threshhold_delta

    Gets or sets the value for the constant that sets the upper threshold of SYNs per second. In passive mode, SYN Protection activates once the number of SYN packets per second for a given destination IP exceeds this number plus the lower threshold number. Passive mode protection deactivates once the value drops below the lower threshold.

    The default is 0x14 (20).

    Possible values: 1-0xFFFF.

    [root@defaulthost admin]# scio const -s s0:syndef get sc_syndef_threshhold_delta
    scio: sc_syndef_threshhold_delta = 0x14
    
    [root@defaulthost admin]# scio const -s s0:syndef set sc_syndef_threshhold_delta 25
    scio: setting sc_syndef_threshhold_delta to 0x19
    

    Note: You can also configure this setting in NSM.

    sc_syndef_report_freq

    Gets or sets the value for the constant that determines how often a SYN flood attempt is reported, in seconds.

    The default is 30 (seconds).

    Possible values: 1-86,400 (86,400 seconds is 1 day).

    [root@defaulthost admin]# scio const -s s0:syndef get sc_syndef_report_freq
    scio: sc_syndef_report_freq = 0x1e
    
    [root@defaulthost admin]# scio const -s s0:syndef set sc_syndef_report_freq 60
    scio: setting sc_syndef_report_freq to 0x3c
    

    sc_syndef_log_detail

    Gets or sets the constant that determines whether or not the destination IP address appears in the log variable data.

    The default is 1 (on).

    Possible values: 0-1 (0 = off, 1 = on).

    [root@defaulthost admin]# scio const -s s0:syndef get sc_syndef_log_detail
    scio: sc_syndef_log_detail = 0x0
    
    [root@defaulthost admin]# scio const -s s0:syndef set sc_syndef_log_detail 1
    scio: setting sc_syndef_log_detail to 0x1
    

    sc_syndef_log_ports

    Gets or sets the value for the constant that determines whether or not the destination port appears in the log variable data. If both sc_syndef_log_detail and sc_syndef_log_ports are set to 1 (on), the sc_syndef_log_ports value takes precedence and is displayed, not the IP.

    The default is 0 (off).

    Possible values: 0-1 (0 = off, 1 = on).

    [root@defaulthost admin]# scio const -s s0:syndef get sc_syndef_log_ports
    scio: sc_syndef_log_ports = 0x0
    
    [root@defaulthost admin]# scio const -s s0:syndef set sc_syndef_log_ports 1
    scio: setting sc_syndef_log_ports to 0x1
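
    The passive-mode behaviour described for sc_syndef_threshhold and sc_syndef_threshhold_delta is a hysteresis band: protection activates above threshold plus delta and deactivates only below the threshold. The following added example (not vendor code) models that rule per destination IP so the effect of a tuning change can be checked against sample rates. The input format, function names and sample rates are assumptions constructed for illustration; the values 1000 and 20 are the defaults given above.

```shell
#!/bin/sh
# Added example (not vendor code): model of the passive-mode activation rule
# described for sc_syndef_threshhold and sc_syndef_threshhold_delta.

# syn_protector_transitions THRESHOLD DELTA  < samples
#   stdin: "<second> <destination-ip> <syns-per-second>" per line
#          (a constructed input format, not a device log format).
# Prints "<second> <destination-ip> ACTIVATE|DEACTIVATE" on each state change.
syn_protector_transitions() {
    awk -v thr="$1" -v delta="$2" '
    BEGIN { thr += 0; delta += 0 }
    NF == 3 {
        t = $1; dst = $2; rate = $3 + 0
        if (!active[dst] && rate > thr + delta) {
            # Activates only when the rate exceeds threshold + delta.
            active[dst] = 1; print t, dst, "ACTIVATE"
        } else if (active[dst] && rate < thr) {
            # Deactivates only when the rate drops below the lower threshold.
            active[dst] = 0; print t, dst, "DEACTIVATE"
        }
    }'
}

# Constructed sample rates (documentation address range 192.0.2.0/24).
sample_syn_rates() {
    cat <<'EOF'
1 192.0.2.10 990
2 192.0.2.10 1010
3 192.0.2.10 1020
4 192.0.2.10 1021
4 192.0.2.20 1500
5 192.0.2.10 1005
6 192.0.2.10 1000
7 192.0.2.10 999
EOF
}

# Defaults from this page: threshold 1000 (0x3E8), delta 20 (0x14).
sample_syn_rates | syn_protector_transitions 1000 20
```

    With the defaults, rates of 1010 and 1020 do not activate protection, 1021 does, and the destination stays protected at 1005 and 1000 until the rate falls to 999.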
    

    Table 14 provides usage and examples of kernel constants related to the user role-based policy feature.

    Table 14: scio const Arguments Related to the User Role-Based Policy Feature

    Constants and Values

    Usage and Examples

    sc_enable_user_policy

    Gets or sets the constant that determines whether the feature is enabled or disabled.

    The default is 1 (on). 0 turns the feature off.

    [root@defaulthost admin]# scio const -s s0 get sc_enable_user_policy
    scio: sc_enable_user_policy = 0x1
    
    [root@defaulthost admin]# scio const -s s0 set sc_enable_user_policy 0
    scio: setting sc_enable_user_policy to 0x0
    

    sc_ic_reconcile_timeout

    Gets or sets the threshold where lost connectivity stops processing of user role-based rules.

    The default is 30 (seconds).

    Possible values: 0-3600.

    [root@defaulthost admin]# scio const -s s0 get sc_ic_reconcile_timeout
    scio: sc_ic_reconcile_timeout = 0x1e
    
    [root@defaulthost admin]# scio const -s s0 set sc_ic_reconcile_timeout 3600
    scio: setting sc_ic_reconcile_timeout to 0xe10
    

    Published: 2012-01-30