Firewall NAT |
Allow DNS Reply
|
Allows an incoming DNS reply packet that has no matching request.
By default, if a DNS reply does not match an outstanding query, the router drops
the packet, does not create a session, and increments the illegal
packet flow counter for the interface. The allow-dns-reply statement
directs the router to skip this check. Enable it only where asymmetric
routing means the reply legitimately arrives on a device that never saw
the query; it also admits unsolicited replies that no host requested.
|
Select this check box to allow unmatched DNS replies.
|
Route Change Timeout
|
Sets the session timeout applied when an existing session's route
changes to a nonexistent route. By default, this feature is disabled: if
no timeout is defined, sessions discovered to have no route are aged out
using their current session timeout values.
|
Specify a value between 6 and 1800 seconds.
|
SYN Flood Protection Mode
|
Selects SYN-cookie or SYN-proxy defenses against SYN flood attacks.
Choosing SYN Cookie switches the flow from the traditional SYN Proxy mode
to SYN Cookie mode. SYN Cookie is enabled globally on the security router
and is activated when the configured syn-flood attack-threshold is exceeded.
|
Select SYN Cookie or SYN Proxy.
|
Aging
|
Early Ageout
|
Defines the idle time after which a session is aged out while
aggressive aging is in effect, in place of the session's normal timeout.
|
Specify a value between 1 and 65535 seconds. The default value
is 20 seconds.
|
High Watermark
|
Sets the percentage of session-table capacity at which the aggressive
aging-out process begins.
|
Specify a value between 0 and 100 percent. The default value
is 100 percent.
|
Low Watermark
|
Sets the percentage of session-table capacity at which aggressive
aging-out ends. With both watermarks left at the default of 100 percent,
aggressive aging begins only when the table is completely full and ends
immediately, so it is effectively disabled.
|
Specify a value between 0 and 100 percent. The default value
is 100 percent.
|
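The three Aging fields describe a hysteresis loop: aggressive aging starts when the session table reaches the high watermark, evicts sessions idle longer than the early-ageout value instead of their normal timeout, and stops once utilization falls to the low watermark. The simulation below is an added example written for this page, not code from J-Web or Junos; it assumes the device evicts the most idle sessions first and re-checks the low watermark after each eviction, which are this example's own simplifications of the mechanism. The session keys, timestamps and the 10-entry table are constructed inputs.

```python
"""Simulation of session-table aggressive aging (added example, not device code)."""
from dataclasses import dataclass, field


@dataclass
class Session:
    key: str
    last_seen: float   # time of the last packet on this session, seconds
    timeout: float     # normal idle timeout for the session's service, seconds


@dataclass
class SessionTable:
    capacity: int
    early_ageout: float = 20.0   # seconds; default from the Aging table above
    high_watermark: int = 100    # percent of capacity; default 100
    low_watermark: int = 100     # percent of capacity; default 100
    sessions: dict = field(default_factory=dict)
    aggressive: bool = False

    def utilization(self) -> float:
        return 100.0 * len(self.sessions) / self.capacity

    def add(self, s: Session) -> None:
        if len(self.sessions) >= self.capacity:
            raise RuntimeError("session table full")
        self.sessions[s.key] = s

    def age(self, now: float) -> list:
        """Run one aging pass at time `now`; return the keys that were evicted."""
        evicted = []
        # Enter aggressive mode once the table reaches the high watermark.
        if not self.aggressive and self.utilization() >= self.high_watermark:
            self.aggressive = True
        # Most idle sessions first, so the aggressive pass frees the stalest entries.
        for key, s in sorted(self.sessions.items(), key=lambda kv: kv[1].last_seen):
            # Leave aggressive mode as soon as utilization drops to the low watermark.
            if self.aggressive and self.utilization() <= self.low_watermark:
                self.aggressive = False
            limit = min(s.timeout, self.early_ageout) if self.aggressive else s.timeout
            if now - s.last_seen >= limit:
                del self.sessions[key]
                evicted.append(key)
        return evicted


def demo(high: int, low: int, early_ageout: float = 20.0) -> list:
    """Fill a 10-slot table to 80% with TCP sessions (30-minute timeout) idle
    for 30..100 s and run one aging pass. Constructed scenario for illustration."""
    table = SessionTable(capacity=10, early_ageout=early_ageout,
                         high_watermark=high, low_watermark=low)
    for i in range(8):
        table.add(Session(key=f"s{i}", last_seen=10.0 * i, timeout=1800.0))
    return table.age(now=100.0)


if __name__ == "__main__":
    print("high 80 / low 50:", demo(80, 50))     # evicts the three stalest sessions
    print("defaults 100/100:", demo(100, 100))   # nothing evicted: aggressive aging never engages
```

With high=80 and low=50 the pass evicts s0, s1 and s2 and then stops, because utilization has reached 50 percent and the remaining sessions are again judged against their normal 30-minute timeout. With the default watermarks nothing is evicted.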
TCP MSS |
All TCP
|
Enables the TCP-MSS override for all TCP packets passing through the
router, not only those entering or leaving a tunnel.
|
Select the All TCP check box to apply the override to all TCP packets.
|
All TCP MSS
|
Sets the TCP maximum segment size (TCP-MSS) value for all TCP
packets passing through the router.
|
Specify a value between 64 and 65,535 bytes.
|
GRE in
|
Enables the TCP-MSS override for all Generic Routing Encapsulation (GRE)
packets exiting an IPSec tunnel, that is, after decryption.
|
Select the GRE in check box to enable the TCP-MSS override for GRE
packets leaving a tunnel.
|
MSS
|
Enables and specifies the TCP-MSS for GRE packets that have just
exited an IPSec VPN tunnel. By default, no TCP-MSS for GRE packets
is set.
|
Specify a value between 64 and 65,535 bytes. The default value
is 1320 bytes.
|
GRE out
|
Enables the TCP-MSS override for all GRE packets entering an IPSec
tunnel, that is, before encryption.
|
Select the GRE out check box to enable the TCP-MSS override for GRE
packets entering a tunnel.
|
MSS
|
Enables and specifies the TCP-MSS for GRE packets that are about
to enter an IPSec VPN tunnel. By default, no TCP-MSS for GRE packets
is set.
|
Specify a value between 64 and 65,535 bytes. The default value
is 1320 bytes.
|
IPSec VPN
|
Enables MSS override for all packets entering an IPSec tunnel.
|
Select the IPSec VPN check box to enable MSS override
for all packets that enter an IPSec tunnel.
|
MSS
|
Enables and specifies the TCP-MSS for all packets that are entering
an IPSec VPN tunnel.
|
Specify a value between 64 and 65,535 bytes. The default value
is 1320 bytes.
|
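The overrides above exist because ESP tunnel-mode encapsulation (outer IP header, ESP header, IV, padding, trailer and ICV), NAT traversal and GRE all consume bytes inside the path MTU, so a full 1460-byte segment from a 1500-byte LAN no longer fits once encrypted. The calculator below is an added example written for this page, not code from J-Web or Junos: it computes the largest MSS whose fully encapsulated packet still fits a given path MTU, and the headroom a configured value such as the 1320-byte default leaves. The per-transform IV, alignment and ICV sizes in `ESP_TRANSFORMS`, the option-free IPv4/TCP header lengths and the basic 4-byte GRE header are this example's assumptions; adjust them for your own tunnel parameters.

```python
"""MSS clamp calculator for IPsec and GRE-over-IPsec paths (added example)."""
from typing import Optional

IPV4_HDR = 20        # IPv4 header without options
TCP_HDR = 20         # TCP header without options
GRE_HDR = 4          # basic GRE header (no key or sequence fields)
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
NAT_T_UDP_HDR = 8    # UDP header added when IPsec NAT traversal is in use

# Assumed per-transform ESP parameters: (IV length, padding alignment, ICV length).
ESP_TRANSFORMS = {
    "aes-cbc-128+hmac-sha1-96": (16, 16, 12),
    "aes-cbc-256+hmac-sha256-128": (16, 16, 16),
    "aes-gcm-128": (8, 4, 16),
}


def inner_packet_size(mss: int, gre: bool) -> int:
    """Size of the cleartext packet that carries one full-MSS TCP segment."""
    size = IPV4_HDR + TCP_HDR + mss
    if gre:
        # GRE wraps the packet in its own header plus a delivery IP header.
        size += GRE_HDR + IPV4_HDR
    return size


def esp_tunnel_size(inner_len: int, transform: str, nat_t: bool = False) -> int:
    """On-the-wire size of inner_len bytes after ESP tunnel-mode encapsulation."""
    iv_len, align, icv_len = ESP_TRANSFORMS[transform]
    # ESP pads so that payload + trailer is a multiple of the cipher alignment.
    pad = (-(inner_len + ESP_TRAILER)) % align
    outer = IPV4_HDR + (NAT_T_UDP_HDR if nat_t else 0)
    return outer + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def wire_size(mss: int, transform: Optional[str], gre: bool, nat_t: bool) -> int:
    inner = inner_packet_size(mss, gre)
    return inner if transform is None else esp_tunnel_size(inner, transform, nat_t)


def max_mss(path_mtu: int, transform: Optional[str] = None,
            gre: bool = False, nat_t: bool = False) -> int:
    """Largest MSS whose fully encapsulated packet does not exceed path_mtu."""
    for mss in range(path_mtu, 63, -1):   # 64 is the smallest value the override accepts
        if wire_size(mss, transform, gre, nat_t) <= path_mtu:
            return mss
    raise ValueError("path MTU too small for any usable MSS")


def headroom(mss: int, path_mtu: int, transform: Optional[str] = None,
             gre: bool = False, nat_t: bool = False) -> int:
    """Bytes left in path_mtu after encapsulating a full-MSS segment.
    A negative result means the encrypted packet would be fragmented."""
    return path_mtu - wire_size(mss, transform, gre, nat_t)


if __name__ == "__main__":
    print("plain TCP, 1500 MTU:", max_mss(1500))
    print("ESP aes-cbc-128/sha1-96:", max_mss(1500, "aes-cbc-128+hmac-sha1-96"))
    print("  plus NAT-T:", max_mss(1500, "aes-cbc-128+hmac-sha1-96", nat_t=True))
    print("  with GRE inside:", max_mss(1500, "aes-cbc-128+hmac-sha1-96", gre=True))
    print("headroom of 1320 (GRE, NAT-T, aes-cbc-256/sha256-128):",
          headroom(1320, 1500, "aes-cbc-256+hmac-sha256-128", gre=True, nat_t=True))
```

For a 1500-byte path the plain-TCP answer is 1460; AES-CBC-128 with HMAC-SHA1-96 allows 1398, NAT-T lowers that to 1382 and GRE inside the tunnel to 1374. The 1320-byte default still leaves 40 bytes spare in the heaviest combination in the table (GRE, NAT-T, AES-CBC-256 with a 16-byte ICV), which is why it is a safe starting point; raise it only after checking the headroom for your actual transform and MTU.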
TCP Session |
No Sequence Check
|
Disables the checking of sequence numbers in TCP segments during
stateful inspection. By default, the router monitors the sequence
numbers in TCP segments and drops segments that fall outside the
session's window; disabling the check also removes that protection
against injected out-of-window segments.
|
Select the check box to disable sequence number checking.
|
No SYN Check
|
Disables the check for the TCP SYN bit before creating a session.
By default, the router requires the SYN bit to be set in the first
packet of a session and drops the packet if it is not. Disabling the
check lets sessions be created from mid-stream packets (for example,
after asymmetric routing or a failover), but it also lets any non-SYN
packet create a session.
|
Select the check box to disable the SYN-flag check at session creation.
|
No SYN Check in Tunnel
|
Disables the check for the TCP SYN bit before creating a session
for tunneled packets. By default, the router requires the SYN bit to be
set in the first packet of a VPN session and drops the packet if it is
not.
|
Select the check box to disable the SYN-flag check at session creation
for tunneled packets.
|
RST Invalidate Session
|
Marks a session for immediate termination when it receives a
TCP reset (RST) segment. By default, this statement is unset, and
the router instead lets the session expire through its normal timeout:
30 minutes for TCP, 5 minutes for HTTP, and 1 minute for UDP.
|
Select this check box to end the session immediately on receipt of
a reset (RST) segment.
|
RST Sequence Check
|
Checks that the TCP sequence number in a segment with the RST bit
set matches the previous sequence number seen for a packet in that
session or is the next number in sequence. By default, this check is
disabled. Enabling it prevents a forged RST carrying an arbitrary
sequence number from being accepted into the session.
|
Select this check box to enable sequence number checking for RST
segments.
|
TCP Initial Timeout
|
Defines the length of time (in seconds) that the router keeps
an initial (not yet established) TCP session in the session table before
dropping it, unless it first receives a FIN or RST packet.
|
Specify a value between 20 and 300 seconds. The default value
is 20 seconds.
|
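The TCP Session fields above are all switches on the same stateful-inspection decision: whether a segment with no session may create one, whether data segments must fall inside the session's window, and how a reset is validated and acted on. The inspector below is an added example written for this page, not code from J-Web or Junos, and it models those decisions for one direction of a flow only. Its simplifications are its own assumptions: a fixed 65,535-byte window for the sequence check, a "next expected" sequence number advanced by the previous segment's payload (plus one for SYN or FIN), and the RST sequence rule implemented as "equals the previous sequence number or the next expected one". The flow keys and segments in `demo()` are constructed inputs.

```python
"""Stateful TCP session checks modelled on the TCP Session settings (added example)."""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
MOD = 1 << 32   # TCP sequence numbers wrap at 2^32


@dataclass
class TcpSessionSettings:
    no_syn_check: bool = False
    no_sequence_check: bool = False
    rst_invalidate_session: bool = False
    rst_sequence_check: bool = False
    tcp_initial_timeout: int = 20   # seconds; default from the table above
    tcp_timeout: int = 1800         # established TCP idle timeout, 30 minutes


@dataclass
class Segment:
    flow: str          # 5-tuple key for the initiator's direction (constructed)
    seq: int
    flags: int
    payload: int = 0   # payload length in bytes


@dataclass
class Session:
    last_seq: int      # sequence number of the previous segment seen
    next_seq: int      # sequence number expected next
    timeout: int
    window: int = 65535   # assumed window for the stateful sequence check


class TcpInspector:
    def __init__(self, settings: TcpSessionSettings):
        self.cfg = settings
        self.table = {}

    @staticmethod
    def _advance(seg: Segment) -> int:
        # SYN and FIN each consume one sequence number, data consumes its length.
        return (seg.seq + seg.payload + (1 if seg.flags & (SYN | FIN) else 0)) % MOD

    def process(self, seg: Segment) -> str:
        sess = self.table.get(seg.flow)
        if sess is None:
            # Creation-time SYN check: a session may only start with a SYN
            # unless No SYN Check is set.
            if not (seg.flags & SYN) and not self.cfg.no_syn_check:
                return "drop: no session and SYN not set"
            self.table[seg.flow] = Session(seg.seq, self._advance(seg),
                                           self.cfg.tcp_initial_timeout)
            return "create: initial timeout %ds" % self.cfg.tcp_initial_timeout
        if seg.flags & RST:
            # RST Sequence Check: reject resets whose sequence number does not
            # match the previous or the next expected number for the session.
            if self.cfg.rst_sequence_check and seg.seq not in (sess.last_seq, sess.next_seq):
                return "drop: RST sequence check failed"
            # RST Invalidate Session: tear the session down at once instead of
            # leaving it to expire through its normal timeout.
            if self.cfg.rst_invalidate_session:
                del self.table[seg.flow]
                return "close: session invalidated by RST"
            return "accept: RST, session kept until timeout"
        # Stateful sequence check on ordinary segments (modular window test).
        if not self.cfg.no_sequence_check:
            if (seg.seq - sess.next_seq) % MOD >= sess.window:
                return "drop: sequence number outside window"
        sess.last_seq = seg.seq
        sess.next_seq = self._advance(seg)
        if seg.flags & ACK:
            sess.timeout = self.cfg.tcp_timeout   # established: normal timeout applies
        return "accept"


def demo(settings: TcpSessionSettings) -> list:
    """Run a constructed segment sequence through the inspector; return the verdicts."""
    insp = TcpInspector(settings)
    flow = "10.0.0.5:40001>10.0.0.9:443"
    segments = [
        Segment("10.0.0.5:40000>10.0.0.9:22", seq=7, flags=ACK),   # mid-stream, no session
        Segment(flow, seq=1000, flags=SYN),                        # handshake start
        Segment(flow, seq=1001, flags=ACK, payload=100),           # in-window data
        Segment(flow, seq=900000, flags=ACK),                      # out-of-window data
        Segment(flow, seq=5000, flags=RST),                        # blind RST, wrong sequence
        Segment(flow, seq=1101, flags=RST),                        # RST with the expected sequence
    ]
    return [insp.process(s) for s in segments]


if __name__ == "__main__":
    for verdict in demo(TcpSessionSettings()):
        print("default :", verdict)
    for verdict in demo(TcpSessionSettings(rst_sequence_check=True, rst_invalidate_session=True)):
        print("hardened:", verdict)
```

With the defaults, the mid-stream packet is dropped, the out-of-window data segment is dropped, and both resets are accepted but leave the session to age out normally. With RST Sequence Check and RST Invalidate Session enabled, the reset with an arbitrary sequence number is dropped and only the one carrying the expected sequence number closes the session; setting No SYN Check instead lets the first packet create a session despite lacking a SYN.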