Using Packet Flow Options

Use the packet flow options to configure the security device to regulate packet flow.

The following sections detail each packet flow option:

ICMP Path MTU Discovery

The ICMP Path MTU Discovery option controls how the security device handles a packet that meets the following conditions: the Don’t Fragment (DF) bit is set in the IP header, the packet is intended for IPsec encapsulation, and the size of the packet after encapsulation exceeds the maximum transfer unit (MTU) of the egress interface, which is 1500 bytes:

By default, this option is disabled.

Allow DNS Reply Without Matched Request

Use the Allow DNS Reply Without Matched Request option to control how the security device handles DNS reply packets that do not have a matching DNS request:

By default, this option is disabled.

Allow MAC Cache for Management Traffic

Use the Allow MAC Cache for Management Traffic option to control how the security device handles the source MAC address of administrative traffic:

By default, this option is disabled.

Allow Unknown MAC Flooding

Use the Allow Unknown MAC Flooding option to control how the security device handles a packet that has a destination MAC address that is not in the MAC learning table:

By default, this option is enabled.

Skip TCP Sequence Number Check

Use the Skip TCP Sequence Number Check option to control how the security device handles TCP packets whose sequence number is out of sequence:

By default, this option is enabled.

TCP RST Invalid Session

Use the TCP RST Invalid Session option to control how the security device handles a TCP reset packet (a TCP packet with the RST flag set):

By default, this option is disabled.

Check TCP SYN Bit Before Create Session

Use the Check TCP SYN Bit Before Create Session option to control how the security device handles the first packet of a session when its SYN bit is set:

By default, security devices running ScreenOS 5.1 and later have this option enabled; in earlier versions of ScreenOS it was disabled. If you upgraded from a ScreenOS release prior to 5.1 and did not change the default setting for this option, SYN checking remains disabled.

Security devices running ScreenOS 6.3 send a TCP session close notification acknowledgement (ACK) to both the client and the server when a session is being closed. To enable a policy to send a TCP session close notification, complete the following prerequisites:

Check TCP SYN Bit Before Create Session for Tunneled Packets

Use the Check TCP SYN Bit Before Create Session for Tunneled Packets option to control how the security device handles the first packet of a VPN session when its SYN bit is set:

By default, this option is enabled.

Use SYN-Cookie for SYN Flood Protection

Use the SYN-Cookie for SYN Flood Protection option as an alternative to traditional SYN proxying, which helps reduce CPU and memory usage during a SYN flood:

By default, this option is disabled.

Note: This option is only available on devices running ScreenOS 5.2 and later.

Enforce TCP Sequence Number Check on TCP RST Packet

Use the Enforce TCP Sequence Number Check on TCP RST Packet option to control how the security device handles TCP reset (RST) packets whose sequence number is out of sequence:

By default, this option is disabled.

Note: The NetScreen 5000 line does not support this option.

Use Hub-and-Spoke Policies for Untrust MIP Traffic

Use this option to control how the security device handles the forwarding of packets arriving in a VPN tunnel to and from a mapped IP (MIP) address:

By default, this option is enabled.

Note: This option affects traffic forwarding only when the outgoing interface is bound to the Untrust zone.

Max Fragmented Packet Size

Use the Max Fragmented Packet Size option to control the maximum size of a packet fragment generated by the security device. You can set the value to between 1024 and 1500 bytes, inclusive. For example, if a received packet is 1500 bytes and this option is set to 1460 bytes, the device generates two fragments: the first is 1460 bytes and the second is 40 bytes. If you set this option to 1024 instead, the first fragment is 1024 bytes and the second is 476 bytes.

By default, this option is set to none.

Flow Initial Session Timeout (Seconds)

Use the Flow Initial Session Timeout option to control how many seconds the security device keeps an initial TCP session in the session table before dropping it, unless a FIN or RST packet arrives first. You can set the value from 20 to 300 seconds.

By default, this option is set to 20 seconds.

Multicast Flow Configuration

In earlier versions, all TCP, UDP, and ICMP traffic was handled by setting policy rules. Use this option to have IDP inspect multicast traffic on devices running ScreenOS 6.3.

TCP MSS

Use the TCP MSS option to control how the security device handles the TCP-MSS value for TCP SYN packets in an IPsec VPN tunnel:

By default, this option is disabled.

Note: When you configure a value for the All TCP MSS option, that value overrides the settings defined for this option.

All TCP MSS

Use the All TCP MSS option to control how the security device handles the TCP MSS value for TCP SYN packets in all network traffic:

By default, this option is disabled.

GRE In TCP MSS

Use the GRE in TCP MSS option to control how the security device handles the TCP MSS value for generic routing encapsulation (GRE) packets destined for an IPsec VPN tunnel.

By default, this option is disabled.

GRE Out TCP MSS

Use the GRE Out TCP MSS option to control how the security device handles the TCP MSS value for GRE packets leaving an IPsec VPN tunnel.

By default, this option is disabled.

Aging

Use the Aging options to control how the security device uses aggressive aging to affect session timeout. Aggressive aging begins when the number of entries in the session table exceeds the high-watermark setting, and ends when the number of sessions falls below the low-watermark setting. When aggressive aging is in effect, the security device ages out sessions—beginning with the oldest sessions first—at the rate you specify.

When the session table is in any other state, the normal session timeout value is applied. Normal session timeout intervals for common protocols:

Early Ageout Time Before the Session’s Normal Ageout

Use this aging option to control how much earlier than its normal timeout the security device ages out a session from its session table while aggressive aging is in effect. The value range is 2 to 10 units, where each unit is 10 seconds; by default, the early-ageout value is 2 units, or 20 seconds.

Percentage of Used Sessions Before Early Aging Begins

Use this aging option to control when the security device begins aggressive aging. The value range is 1 to 100, expressed as a percentage of the session table capacity. By default, this option is set to 100% (used sessions must account for 100% of the session table capacity before aggressive aging begins).

Percentage of Used Sessions Before Early Aging Stops

Use this aging option to control when the security device ends aggressive aging. The value range is 1 to 100, expressed as a percentage of the session table capacity. By default, this option is set to 100% (used sessions must account for 100% of the session table capacity before aggressive aging ends).
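The three Aging options above describe a hysteresis: aggressive aging starts at the high watermark, stops below the low watermark, and shortens each session's timeout by the early-ageout value, oldest sessions first. The following is an added illustration of that behaviour, not ScreenOS code; the class and function names, the table capacity and the sample sessions are constructed, and the rule that the low watermark must not exceed the high watermark is an assumption made so the hysteresis is well defined.

```python
# Added example, not ScreenOS code: a small model of the aggressive-aging
# behaviour (watermarks, early ageout, oldest-first expiry) described above.
# Names, capacity and sample sessions are constructed for illustration.
from dataclasses import dataclass

UNIT_SECONDS = 10  # one early-ageout unit is 10 seconds


@dataclass
class AgingConfig:
    capacity: int              # session table size (constructed value)
    high_watermark: int = 100  # % of table used at which aggressive aging begins
    low_watermark: int = 100   # % of table used below which aggressive aging ends
    early_ageout: int = 2      # units of 10 seconds, valid range 2..10

    def __post_init__(self):
        if not 2 <= self.early_ageout <= 10:
            raise ValueError("early-ageout must be 2..10 units")
        for pct in (self.high_watermark, self.low_watermark):
            if not 1 <= pct <= 100:
                raise ValueError("watermarks are percentages 1..100")
        if self.low_watermark > self.high_watermark:  # assumption: keeps hysteresis sane
            raise ValueError("low watermark must not exceed high watermark")


class SessionTable:
    def __init__(self, cfg: AgingConfig):
        self.cfg, self.sessions, self.aggressive = cfg, {}, False

    def add(self, sid: int, created: int, normal_timeout: int) -> None:
        self.sessions[sid] = (created, normal_timeout)

    def used_percent(self) -> float:
        return 100.0 * len(self.sessions) / self.cfg.capacity

    def update_state(self) -> bool:
        # Hysteresis: start at/above the high watermark, stop below the low one.
        pct = self.used_percent()
        if not self.aggressive and pct >= self.cfg.high_watermark:
            self.aggressive = True
        elif self.aggressive and pct < self.cfg.low_watermark:
            self.aggressive = False
        return self.aggressive

    def effective_timeout(self, normal_timeout: int) -> int:
        if self.aggressive:  # shorten the timeout by early_ageout * 10 seconds
            return max(0, normal_timeout - self.cfg.early_ageout * UNIT_SECONDS)
        return normal_timeout

    def age(self, now: int) -> list:
        """Expire sessions oldest-first; return the ids removed at time `now`."""
        removed = []
        self.update_state()
        for sid, (created, timeout) in sorted(self.sessions.items(), key=lambda kv: kv[1][0]):
            if now - created >= self.effective_timeout(timeout):
                removed.append(sid)
                del self.sessions[sid]
                self.update_state()  # dropping below the low watermark ends aggressive aging
        return removed
```

With a 4-entry table, watermarks of 75/50 and the default early-ageout, three 60-second sessions are aged out after 40 seconds while the table is at or above 75%, and normal timeouts apply again once usage falls below 50%.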
