To add global options:
The Global Options page appears.
Table 186 describes the fields on the Global Options page.
Table 186: Fields on the Global Options Page
Field | Action |
---|---|
Policy Options | |
Default policy action | Select a value from the list of available default actions. Specifies the default action that overrides specific protocol actions; this action is non-terminating. |
Policy rematch | Select the check box. Specifies that a policy that has just been modified is added to a deferred action list for reevaluation. For every session associated with the policy, the device reevaluates the policy lookup. If the policy is different from the one associated with the session, the device drops the session. If the policy matches, the session continues. |
Extensive | Select the check box. |
Unified Policy Explicit Match | Select the check box. |
Flow - Main | |
Early ageout | Enter a value from 1 through 65,535 seconds. The default value is 20 seconds. Specifies the amount of time before the device aggressively ages out a session from its session table. |
High watermark | Enter a value from 0 through 100 percent. The default value is 100 percent. Specifies the percentage of session table capacity at which the aggressive aging-out process begins. |
Low watermark | Enter a value from 0 through 100 percent. The default value is 100 percent. Specifies the percentage of session table capacity at which the aggressive aging-out process ends. |
Enable SYN cookie protection | Select the check box. Enables SYN cookie defenses against SYN attacks. |
Enable SYN proxy protection | Select the check box. Enables SYN proxy defenses against SYN attacks. |
Allow DNS reply | Select the check box. Specifies that an incoming DNS reply packet without a matched request is allowed. |
Force IP reassembly | Specifies that all fragmented IP packets are reassembled before forwarding. |
Enable Routing Mode | Enables routing mode on uPIM and ePIM ports that correspond to the interfaces that will carry the VPLS traffic. |
Route change to nonexistent route timeout | Specifies the session timeout value on a route change to a nonexistent route. Enter a value from 6 through 1800 seconds. |
Flow - TCP MSS | |
Enable MSS override for all packets | Select the check box. Enables maximum segment size override for all TCP packets for network traffic. Enter a maximum segment size value from 64 through 65,535 bytes. |
Enable MSS override for all GRE packets coming out of an IPSec tunnel | Select the check box. Enables maximum segment size override for all generic routing encapsulation packets exiting an IPsec tunnel. Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes. |
Enable MSS override for all GRE packets entering an IPsec tunnel | Select the check box. Enables maximum segment size override for all generic routing encapsulation packets entering an IPsec tunnel. Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes. |
Enable MSS override for all packets entering IPSec tunnel | Select the check box. Enables maximum segment size override for all packets entering an IPsec tunnel. Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes. |
Flow - TCP Session | |
Disable sequence-number checking | Select the check box. Disables checking of sequence numbers in TCP segments during stateful inspections. By default, the device monitors the sequence numbers in TCP segments. |
Strict SYN-flag check | Select the check box. Enables the strict three-way handshake check for the TCP session. This check enhances security by dropping data packets before the three-way handshake is done. By default, this check is disabled. |
Disable SYN-flag check | Select the check box. Disables the checking of the TCP SYN bit before creating a session. By default, the device checks that the SYN bit is set in the first packet of a session. If it is not set, the device drops the packet. |
Disable SYN-flag check (tunnel packets) | Select the check box. Disables the first packet check for the SYN flag when forming a TCP flow session. |
RST invalidate session | Select the check box. Specifies that a session is marked for immediate termination when it receives a TCP RST segment. By default, this statement is unset. When unset, the device applies the normal session timeout interval: for TCP, the session timeout is 30 minutes; for HTTP, it is 5 minutes; and for UDP, it is 1 minute. |
RST sequence check | Select the check box. Specifies that the TCP sequence number is checked in TCP segments that have the RST bit set. The sequence number must match the previous sequence number seen for a packet in that session or be the next higher number incrementally. |
TCP Initial Timeout | Select the check box. Specifies the length of time (in seconds) that the device keeps an initial TCP session in the session table before dropping it, or until the device receives a FIN or RST packet. |
Pre-id Default Policy | |
Session Timeout | |
ICMP | Type the interval in seconds from 4 through 86400. |
ICMP6 | Type the interval in seconds from 4 through 86400. |
OSPF | Type the interval in seconds from 4 through 86400. |
Others | Type the interval in seconds from 4 through 86400. |
TCP | Type the interval in seconds from 4 through 86400. |
UDP | Type the interval in seconds from 4 through 86400. |
Log | |
Enable Session init | Select the check box to enable Session init. |
Enable Session close | Select the check box to enable Session close. |
NGFW Options | |
Default SSL Profile | Select the default SSL profile. |
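The Flow - Main fields Early ageout, High watermark and Low watermark work together: once the session table fills to the high watermark, every session is held to the early-ageout value instead of its own protocol timeout, until the table drains to the low watermark. The following toy session table is an added example, not code from this page or from Junos; the capacity, the 1800-second TCP timeout, the watermark values and the packet timing are constructed, and treating the watermark boundaries as inclusive is an assumption of the model.

```python
# Added example, not code from the J-Web page or from Junos: a toy session
# table that models how "Early ageout", "High watermark" and "Low watermark"
# interact.  Capacity, timeouts and the packet timing below are constructed.
from dataclasses import dataclass


@dataclass
class Session:
    key: str       # stand-in for the session's 5-tuple
    timeout: int   # normal idle timeout in seconds (for example 1800 for TCP)
    idle: int = 0  # seconds since the last packet of this session


class SessionTable:
    def __init__(self, capacity, early_ageout=20, high_watermark=100, low_watermark=100):
        # Ranges as given on the Global Options page.
        if not 1 <= early_ageout <= 65535:
            raise ValueError("early ageout must be 1 through 65,535 seconds")
        if not (0 <= high_watermark <= 100 and 0 <= low_watermark <= 100):
            raise ValueError("watermarks must be 0 through 100 percent")
        self.capacity = capacity
        self.early_ageout = early_ageout
        self.high = high_watermark
        self.low = low_watermark
        self.sessions = {}        # key -> Session, kept in insertion order
        self.aggressive = False   # True while aggressive aging is running

    def utilization(self):
        """Percentage of session-table capacity in use."""
        return 100 * len(self.sessions) // self.capacity

    def add(self, key, timeout):
        if len(self.sessions) >= self.capacity:
            raise RuntimeError("session table full")
        self.sessions[key] = Session(key, timeout)

    def _update_mode(self):
        # Aggressive aging starts when fill reaches the high watermark and ends
        # once fill drops to the low watermark (inclusive boundaries are an
        # assumption of this model, not a statement about the device).
        util = self.utilization()
        if not self.aggressive and util >= self.high:
            self.aggressive = True
        elif self.aggressive and util <= self.low:
            self.aggressive = False

    def tick(self, seconds=1):
        """Advance the clock by `seconds` and return the keys of sessions aged out."""
        for s in self.sessions.values():
            s.idle += seconds
        self._update_mode()
        # Under aggressive aging every session is held to the early-ageout value
        # instead of its own protocol timeout.
        expired = [k for k, s in self.sessions.items()
                   if s.idle >= (self.early_ageout if self.aggressive else s.timeout)]
        for k in expired:
            del self.sessions[k]
        self._update_mode()
        return expired


if __name__ == "__main__":
    table = SessionTable(capacity=10, early_ageout=20, high_watermark=80, low_watermark=50)
    for i in range(8):                    # a new TCP session every 3 seconds
        table.add(f"s{i}", timeout=1800)
        print(table.tick(3), table.utilization(), table.aggressive)
    print(table.tick(3), table.utilization(), table.aggressive)
```

With the page's defaults (both watermarks at 100 percent) the model only ages aggressively while the table is completely full; the lower values in the demo show the hysteresis between the two watermarks, which is why the low watermark should normally sit below the high one.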
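The Flow - TCP Session check boxes change how the device decides whether a TCP segment belongs to a legitimate session. The toy stateful inspector below is an added example, not code from this page or from Junos: it shows the effect of Disable SYN-flag check, Strict SYN-flag check, RST invalidate session and RST sequence check on one constructed packet trace. The packet format, the three-state handshake tracking and the rule that a valid RST carries the last seen or the next expected sequence number are simplifications assumed for the model.

```python
# Added example, not code from the J-Web page or from Junos: a toy stateful
# inspector that models the "Flow - TCP Session" check boxes.  Packets,
# sequence numbers and the handshake tracking are constructed simplifications.
from dataclasses import dataclass, field

SYN, ACK, RST, FIN = "SYN", "ACK", "RST", "FIN"


@dataclass
class TcpOptions:
    syn_check: bool = True             # cleared by "Disable SYN-flag check"
    strict_syn_check: bool = False     # "Strict SYN-flag check"
    rst_invalidate_session: bool = False
    rst_sequence_check: bool = False


@dataclass
class Packet:
    direction: str        # "c2s" or "s2c", stand-in for the flow direction
    flags: frozenset
    seq: int
    payload_len: int = 0


@dataclass
class Session:
    state: str = "SYN_SENT"                        # SYN_SENT -> SYN_RCVD -> ESTABLISHED
    last_seq: dict = field(default_factory=dict)   # last seen seq per direction
    next_seq: dict = field(default_factory=dict)   # seq expected next per direction


class Inspector:
    def __init__(self, opts):
        self.opts = opts
        self.sessions = {}

    @staticmethod
    def _track(sess, pkt):
        sess.last_seq[pkt.direction] = pkt.seq
        # SYN and FIN each consume one sequence number; payload bytes consume the rest.
        sess.next_seq[pkt.direction] = (pkt.seq + pkt.payload_len
                                        + (SYN in pkt.flags) + (FIN in pkt.flags))

    def inspect(self, sid, pkt):
        """Return "permit..." or "drop: <reason>" for one packet of flow sid."""
        sess = self.sessions.get(sid)
        if sess is None:
            if SYN in pkt.flags and ACK not in pkt.flags:
                sess = self.sessions[sid] = Session("SYN_SENT")
            elif self.opts.syn_check:
                return "drop: first packet of a session is not a SYN"
            else:
                # SYN check disabled: a session is created for a mid-stream packet.
                sess = self.sessions[sid] = Session("ESTABLISHED")
            self._track(sess, pkt)
            return "permit"

        if RST in pkt.flags:
            if self.opts.rst_sequence_check:
                expected = (sess.last_seq.get(pkt.direction), sess.next_seq.get(pkt.direction))
                if pkt.seq not in expected:
                    return "drop: RST sequence number does not match the session"
            if self.opts.rst_invalidate_session:
                del self.sessions[sid]            # marked for immediate termination
                return "permit: session invalidated"
            return "permit"                        # session lives on until its normal timeout

        # Three-way handshake tracking.
        if sess.state == "SYN_SENT" and pkt.direction == "s2c" and {SYN, ACK} <= pkt.flags:
            sess.state = "SYN_RCVD"
        elif (sess.state == "SYN_RCVD" and pkt.direction == "c2s"
              and ACK in pkt.flags and SYN not in pkt.flags):
            sess.state = "ESTABLISHED"

        if self.opts.strict_syn_check and sess.state != "ESTABLISHED" and pkt.payload_len:
            return "drop: data before the three-way handshake completed"
        self._track(sess, pkt)
        return "permit"


def demo():
    """Run one constructed flow through an inspector with all checks enabled."""
    ins = Inspector(TcpOptions(strict_syn_check=True, rst_invalidate_session=True,
                               rst_sequence_check=True))
    trace = [
        Packet("c2s", frozenset({SYN}), 100),
        Packet("c2s", frozenset({ACK}), 101, payload_len=10),   # data before handshake done
        Packet("s2c", frozenset({SYN, ACK}), 500),
        Packet("c2s", frozenset({ACK}), 101),
        Packet("c2s", frozenset({ACK}), 101, payload_len=10),
        Packet("s2c", frozenset({RST}), 9999),                  # RST with an out-of-window seq
        Packet("s2c", frozenset({RST}), 501),
        Packet("c2s", frozenset({ACK}), 111),                   # arrives after the teardown
    ]
    return [ins.inspect("flow-1", p) for p in trace]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running the trace shows the defensive value of the two RST options together: an RST whose sequence number does not fit the session is discarded rather than tearing the session down, while a matching RST removes the session immediately instead of leaving it for the 30-minute TCP timeout; the final ACK is then treated as a new session that fails the SYN check.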