
Configuring Firewall/NAT Flow—Quick Configuration

You can use J-Web Quick Configuration to quickly configure stateful firewall or NAT flow.

To configure Firewall/NAT Flow with Quick Configuration:

  1. Select Configuration > Quick Configuration > Firewall/NAT > Flow. See the figure below.

    Figure 72: Quick Configuration Page for Stateful Firewall or NAT Flow


  2. Fill in the options as shown in the table below. Unless a setting is needed for a known reason (asymmetric routing, an application that legitimately reuses sessions), leave the TCP session checks at their defaults; every "No ... Check" option removes a stateful-inspection protection.
  3. Click one of the buttons at the bottom of the page to apply or discard the configuration.

Each entry below gives the field, its function, and the action to take.

Firewall NAT

  Allow DNS Reply
    Function: Allows an incoming DNS reply packet that has no matching outstanding query. By default, if a reply does not match a query the router has seen, the router drops the packet, does not create a session, and increments the illegal-packet flow counter for the interface. The allow-dns-reply statement directs the router to skip this check. Enable it only for a resolver that needs it: unsolicited replies are exactly what spoofed or poisoned DNS responses look like.
    Action: Select this check box to accept DNS replies that have no matching query.

  Route Change Timeout
    Function: Sets the session timeout applied to sessions whose route changes to a nonexistent route (for example, when the route is withdrawn). By default, this feature is disabled, and sessions found to have no route are aged out using their current session timeout values.
    Action: Specify a value between 6 and 1800 seconds.

  SYN Flood Protection Mode
    Function: Selects the defense used against TCP SYN flood attacks: SYN proxy (the router completes the three-way handshake on behalf of the server) or SYN cookie (the router answers SYNs with a stateless cookie, which keeps the session table from filling). The mode is set globally on the security router and is activated only when the syn-flood attack-threshold configured in a screen is exceeded; without a screen that sets the threshold, neither mode is triggered.
    Action: Select SYN Cookie or SYN Proxy.

Aging

  Early Ageout
    Function: Sets the timeout, in seconds, that the router applies to sessions while it is aggressively aging out entries from its session table (that is, between the high and low watermarks).
    Action: Specify a value between 1 and 65535 seconds. The default value is 20 seconds.

  High Watermark
    Function: Sets the percentage of session-table capacity at which the aggressive aging-out process begins.
    Action: Specify a value between 0 and 100 percent. The default value is 100 percent.

  Low Watermark
    Function: Sets the percentage of session-table capacity at which aggressive aging-out ends. Set it below the high watermark so that aggressive aging stops only after the table has drained by a useful margin rather than toggling on and off at one threshold.
    Action: Specify a value between 0 and 100 percent. The default value is 100 percent.

TCP MSS

  All TCP
    Function: Enables TCP maximum segment size (TCP-MSS) override for all TCP packets that transit the router. The router rewrites the MSS option in SYN segments so that end hosts send segments no larger than the configured value, which avoids fragmentation on paths with a reduced MTU.
    Action: Select the All TCP check box to enable MSS override for all TCP packets.

  All TCP MSS
    Function: Sets the TCP-MSS value applied to all TCP packets when All TCP is enabled.
    Action: Specify a value between 64 and 65535 bytes.

  GRE in
    Function: Enables MSS override for all Generic Routing Encapsulation (GRE) packets exiting an IPsec tunnel.
    Action: Select the GRE in check box to enable TCP-MSS override for GRE packets leaving a tunnel.

  MSS (GRE in)
    Function: Specifies the TCP-MSS for GRE packets that have just exited an IPsec VPN tunnel. By default, no TCP-MSS is set for these packets.
    Action: Specify a value between 64 and 65,535 bytes. The default value is 1320 bytes.

  GRE out
    Function: Enables MSS override for all GRE packets entering an IPsec tunnel.
    Action: Select the GRE out check box to enable TCP-MSS override for GRE packets entering a tunnel.

  MSS (GRE out)
    Function: Specifies the TCP-MSS for GRE packets that are about to enter an IPsec VPN tunnel. By default, no TCP-MSS is set for these packets.
    Action: Specify a value between 64 and 65,535 bytes. The default value is 1320 bytes.

  IPSec VPN
    Function: Enables MSS override for all packets entering an IPsec tunnel, so that the segment plus the ESP and outer IP overhead still fits the path MTU.
    Action: Select the IPSec VPN check box to enable MSS override for all packets that enter an IPsec tunnel.

  MSS (IPSec VPN)
    Function: Specifies the TCP-MSS for all packets that are entering an IPsec VPN tunnel.
    Action: Specify a value between 64 and 65,535 bytes. The default value is 1320 bytes.

TCP Session

  No Sequence Check
    Function: Disables the checking of sequence numbers in TCP segments during stateful inspection. By default, the router tracks the sequence numbers of each TCP session and drops segments that fall outside the expected window, which blocks blind injection of data or RST segments by an off-path attacker. Disabling the check removes that protection.
    Action: Select the check box to disable sequence-number checking.

  No SYN Check
    Function: Disables the checking of the TCP SYN bit before creating a session. By default, the router checks that the SYN bit is set in the first packet of a session and drops the packet if it is not, so that every session begins with a handshake the router has observed. Disabling the check lets a session be created from a mid-stream packet, which is sometimes required for asymmetric routing but also allows sessions to be opened by packets that never completed a handshake.
    Action: Select the check box to disable the creation-time SYN-flag check.

  No SYN Check in Tunnel
    Function: Disables the checking of the TCP SYN bit before creating a session for tunneled packets. By default, the router checks that the SYN bit is set in the first packet of a VPN session and drops the packet if it is not. The same caveat as No SYN Check applies, limited to traffic arriving through a tunnel.
    Action: Select the check box to disable the creation-time SYN-flag check for tunneled packets.

  RST Invalidate Session
    Function: Marks a session for immediate termination when the router receives a TCP reset (RST) segment for it. By default, this statement is unset, and the router applies the normal session timeout interval instead: 30 minutes for TCP, 5 minutes for HTTP, and 1 minute for UDP. If you enable this option, also enable RST Sequence Check; otherwise a single spoofed RST with any sequence number can tear down a session.
    Action: Select this check box to end a session immediately on receipt of a reset (RST) segment.

  RST Sequence Check
    Function: Checks that the sequence number in a TCP segment with the RST bit set either matches the last sequence number seen for that session or is the next number in sequence; RST segments that fail the check are dropped. By default, this check is disabled.
    Action: Select this check box to enable sequence-number checking of RST segments.

  TCP Initial Timeout
    Function: Defines the length of time, in seconds, that the router keeps an initial TCP session (one whose three-way handshake has not yet completed) in the session table before dropping it, unless it first receives a FIN or RST packet for that session. A short value limits how long half-open sessions occupy the table.
    Action: Specify a value between 20 and 300 seconds. The default value is 20 seconds.
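The Quick Configuration fields above are written into the [edit security flow] hierarchy of the device configuration. The following set-format fragment is an added example, not configuration taken from the original page; the numeric values are assumptions chosen for a router that terminates IPsec tunnels and sees symmetric routing, and the lines beginning with # are explanatory comments rather than configuration statements.

```junos
# Added example: CLI equivalent of the Firewall/NAT Flow fields (assumed values).

# Firewall NAT
# allow-dns-reply is deliberately left unset: unsolicited DNS replies stay dropped.
set security flow syn-flood-protection-mode syn-cookie
set security flow route-change-timeout 30

# Aging: start aggressive aging at 80% of session-table capacity, stop at 60%,
# and time out sessions after 10 seconds while aggressive aging is in effect.
set security flow aging high-watermark 80
set security flow aging low-watermark 60
set security flow aging early-ageout 10

# TCP MSS: clamp traffic entering tunnels so the encapsulated packet fits a
# 1500-byte path MTU; GRE-over-IPsec needs a lower value than plain IPsec.
set security flow tcp-mss ipsec-vpn mss 1350
set security flow tcp-mss gre-in mss 1320
set security flow tcp-mss gre-out mss 1320

# TCP session checks: leave SYN and sequence checking at their defaults
# (enabled), and honour RST segments only when their sequence number is valid.
set security flow tcp-session rst-invalidate-session
set security flow tcp-session rst-sequence-check
set security flow tcp-session tcp-initial-timeout 20
```

The weak counterparts are the statements this fragment does not contain: `set security flow tcp-session no-syn-check`, `no-syn-check-in-tunnel` and `no-sequence-check`, and `set security flow allow-dns-reply`. If one of them was added earlier for troubleshooting, remove it with the matching `delete security flow ...` statement and confirm the result with `show configuration security flow` before committing.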

