Inline Normalization Options

Minimum TTL

When Reset TTL is greater than or equal to the value set for this option, specifies the following:

  • the minimum value the system will permit in the IPv4 Time to Live (TTL) field when Normalize IPv4 is enabled; a lower value results in normalizing the packet value for TTL to the value set for Reset TTL

  • the minimum value the system will permit in the IPv6 Hop Limit field when Normalize IPv6 is enabled; a lower value results in normalizing the packet value for Hop Limit to the value set for Reset TTL

The system assumes a value of 1 when the field is empty.

Note

For threat defense routed and transparent interfaces, the Minimum TTL and Reset TTL options are ignored. The maximum TTL for a connection is determined by the TTL in the initial packet. The TTL for subsequent packets can decrease, but it cannot increase. The system will reset the TTL to the lowest previously-seen TTL for that connection. This prevents TTL evasion attacks.

When the packet decoding Detect Protocol Header Anomalies option is enabled, you can enable the following rules in the decoder rule category to generate events and, in an inline deployment, drop offending packets for this option:

  • You can enable rule 116:428 to trigger when the system detects an IPv4 packet with a TTL less than the specified minimum.

  • You can enable rule 116:270 to trigger when the system detects an IPv6 packet with a hop limit that is less than the specified minimum.

Reset TTL

When set to a value greater than or equal to Minimum TTL, normalizes the following:

  • the IPv4 TTL field when Normalize IPv4 is enabled

  • the IPv6 Hop Limit field when Normalize IPv6 is enabled

The system normalizes the packet by changing its TTL or Hop Limit value to the value set for this option when the packet value is less than Minimum TTL. Leaving this field blank, or setting it to 0, or to any value less than Minimum TTL, disables the option.

Normalize IPv4

Enables normalization of IPv4 traffic. The system also normalizes the TTL field as needed when:

  • this option is enabled, and

  • the value set for Reset TTL enables TTL normalization.

You can also enable additional IPv4 options when this option is enabled.

When you enable this option, the system performs the following base IPv4 normalizations:

  • truncates packets with excess payload to the datagram length specified in the IP header

  • clears the Differentiated Services (DS) field, formerly known as the Type of Service (TOS) field

  • sets all option octets to 1 (No Operation)

This option is ignored for threat defense routed and transparent interfaces. Threat Defense devices will drop any RSVP packet that contains IP options other than the router alert, end of options list (EOOL), and no operation (NOP) options on any routed or transparent interface.

Normalize Don't Fragment Bit

Clears the single-bit Don’t Fragment subfield of the IPv4 Flags header field. Enabling this option allows a downstream router to fragment packets if necessary instead of dropping them; enabling this option can also prevent evasions based on crafting packets to be dropped. You must enable Normalize IPv4 to select this option.

Normalize Reserved Bit

Clears the single-bit Reserved subfield of the IPv4 Flags header field. You would typically enable this option. You must enable Normalize IPv4 to select this option.

Normalize TOS Bit

Clears the one byte Differentiated Services field, formerly known as Type of Service. You must enable Normalize IPv4 to select this option.

Normalize Excess Payload

Truncates packets with excess payload to the datagram length specified in the IP header plus the Layer 2 (for example, Ethernet) header, but does not truncate below the minimum frame length. You must enable Normalize IPv4 to select this option.

This option is ignored for threat defense routed and transparent interfaces. Packets with excess payload are always dropped on these interfaces.

Normalize IPv6

Sets all Option Type fields in the Hop-by-Hop Options and Destination Options extension headers to 00 (Skip and continue processing). The system also normalizes the Hop Limit field as needed when this option is enabled and the value set for Reset TTL enables hop limit normalization.

Normalize ICMPv4

Clears the 8-bit Code field in Echo (Request) and Echo Reply messages in ICMPv4 traffic.

Normalize ICMPv6

Clears the 8-bit Code field in Echo (Request) and Echo Reply messages in ICMPv6 traffic.

Normalize/Clear Reserved Bits

Clears the Reserved bits in the TCP header.

Normalize/Clear Option Padding Bytes

Clears any TCP option padding bytes.

Clear Urgent Pointer if URG=0

Clears the 16-bit TCP header Urgent Pointer field if the urgent (URG) control bit is not set.

Clear Urgent Pointer/URG on Empty Payload

Clears the TCP header Urgent Pointer field and the URG control bit if there is no payload.

Clear URG if Urgent Pointer is Not Set

Clears the TCP header URG control bit if the urgent pointer is not set.

Normalize Urgent Pointer

Sets the two-byte TCP header Urgent Pointer field to the payload length if the pointer is greater than the payload length.

Normalize TCP Payload

Enables normalization of the TCP Data field to ensure consistency in retransmitted data. Any segment that cannot be properly reassembled is dropped.

Remove Data on SYN

Removes data in synchronization (SYN) packets if your TCP operating system policy is not Mac OS.

This option also disables rule 129:2, which can otherwise trigger when the TCP stream preprocessor Policy option is not set to Mac OS.

Remove Data on RST

Removes any data from a TCP reset (RST) packet.

Trim Data to Window

Trims the TCP Data field to the size specified in the Window field.

Trim Data to MSS

Trims the TCP Data field to the Maximum Segment Size (MSS) if the payload is longer than MSS.

Block Unresolvable TCP Header Anomalies

When you enable this option, the system blocks anomalous TCP packets that, if normalized, would be invalid and likely would be blocked by the receiving host. For example, the system blocks any SYN packet transmitted subsequent to an established session.

The system also drops any packet that matches any of the following TCP stream preprocessor rules, regardless of whether the rules are enabled:

  • 129:1

  • 129:3

  • 129:4

  • 129:6

  • 129:8

  • 129:11

  • 129:14 through 129:19

The Total Blocked Packets performance graph tracks the number of packets blocked in inline deployments and, in passive deployments and inline deployments in tap mode, the number that would have been blocked in an inline deployment.

Explicit Congestion Notification

Enables per-packet or per-stream normalization of Explicit Congestion Notification (ECN) flags as follows:

  • select Packet to clear ECN flags on a per-packet basis regardless of negotiation

  • select Stream to clear ECN flags on a per-stream basis if ECN use was not negotiated

If you select Stream, you must also ensure that the TCP stream preprocessor Require TCP 3-Way Handshake option is enabled for this normalization to take place.

Clear Existing TCP Options

Enables Allow These TCP Options.

Allow These TCP Options

Disables normalization of specific TCP options you allow in traffic.

The system does not normalize options that you explicitly allow. It normalizes options that you do not explicitly allow by setting the options to No Operation (TCP Option 1).

The system always allows the following options regardless of the configuration of Allow These TCP Options because they are commonly used for optimal TCP performance:

  • Maximum Segment Size (MSS)

  • Window Scale

  • Time Stamp TCP

The system does not automatically allow other less commonly used options.

You can allow specific options by configuring a comma-separated list of option keywords, option numbers, or both as shown in the following example: 


	sack, echo, 19

Specifying an option keyword is the same as specifying the number for one or more TCP options associated with the keyword. For example, specifying sack is the same as specifying TCP options 4 (Selective Acknowledgment Permitted) and 5 (Selective Acknowledgment). Option keywords are not case sensitive.

You can also specify any, which allows all TCP options and effectively disables normalization of all TCP options.

The following table summarizes how you can specify TCP options to allow. If you leave the field empty, the system allows only the MSS, Window Scale, and Time Stamp options.

Specify...

To allow...

sack

TCP options 4 (Selective Acknowledgment Permitted) and 5 (Selective Acknowledgment)

echo

TCP options 6 (Echo Request) and 7 (Echo Reply)

partial_order

TCP options 9 (Partial Order Connection Permitted) and 10 (Partial Order Service Profile)

conn_count

TCP Connection Count options 11 (CC), 12 (CC.New), and 13 (CC.Echo)

alt_checksum

TCP options 14 (Alternate Checksum Request) and 15 (Alternate Checksum)

md5

TCP option 19 (MD5 Signature)

the option number, 2 to 255

a specific option, including options for which there is no keyword

any

all TCP options; this setting effectively disables TCP option normalization

When you do not specify any for this option, normalizations include the following:

  • except MSS, Window Scale, Time Stamp, and any explicitly allowed options, sets all option bytes to No Operation (TCP Option 1)

  • sets the Time Stamp octets to No Operation if Time Stamp is present but invalid, or valid but not negotiated

  • blocks the packet if Time Stamp is negotiated but not present

  • clears the Time Stamp Echo Reply (TSecr) option field if the Acknowledgment (ACK) control bit is not set

  • sets the MSS and Window Scale options to No Operation (TCP Option 1) if the SYN control bit is not set