Step 1 | If you are not already in the Threat Defense Service Policy dialog box, choose , edit the access control policy, select Advanced Settings from the More drop-down arrow at the end of the packet flow line, then edit the Threat Defense Service Policy. |
Step 3 | In the Interface Object step, select the option that defines the interfaces that will use the policy.
-
Apply Globally—Select this option to create a global rule, which applies to all interfaces.
-
Select Interface Objects—Select this option to create an interface-based rule. Then, select the security zones or interface objects that contain the desired interfaces, and click > to move them to the Next selected list. The service policy rule will be configured on each interface contained in the selected objects; it is not configured on the zone/group itself.
Click when the interface criteria is complete.
|
Step 5 | In the Connection Setting step, configure the services to apply to this traffic class.
-
Enable TCP State Bypass (TCP connections only)—Implement TCP State Bypass. Connections subject to TCP State Bypass are not inspected by any inspection engines, and they bypass all TCP state checking and TCP normalization. For detailed information, see Bypass TCP State Checks for Asymetrical Routing (TCP State Bypass).
Note |
Use TCP State Bypass for troubleshooting purposes or when asymmetric routing cannot be resolved. This feature disables multiple security features, which can cause a high number of connections if you do not implement it properly with a narrowly-defined traffic class.
|
-
Randomize TCP Sequence Number (TCP connections only)—Whether to enable or disable TCP sequence number randomization. Randomization is enabled by default. For more information, see Disable TCP Sequence Randomization.
-
Enable Decrement TTL (TCP connections only)—Decrement the time-to-live (TTL) on packets that match the class. If you decrement time to live, packets with a TTL of 1 will be dropped, but a connection will be opened for the session on the assumption that the connection might contain packets with a greater TTL. Note that some packets, such as OSPF hello packets, are sent with TTL = 1, so decrementing time to live can have unexpected consequences.
-
Connections—Limits for the number of connections allowed for the entire class. You can configure these options:
-
Maximum TCP and UDP (TCP/UDP connections only)—The maximum number of simultaneous connections that are allowed, between 0 and 2000000, for the entire class. For TCP, this count applies to established connections only. The default is 0, which allows unlimited connections. Because the limit is applied to a class, one attacking host can consume all the connections and leave none for the rest of the hosts that are matched to the class. Set the per-client limit to ameliorate this problem.
-
Maximum Embryonic (TCP connections only)—The maximum number of simultaneous embryonic TCP connections (those that have not finished the TCP handshake) allowed, between 0 and 2000000. The default is 0, which allows unlimited connections. By setting a non-zero limit, you enable TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. Also set the per-client options to protect against SYN flooding. For more information, see Protect Servers from a SYN Flood DoS Attack (TCP Intercept).
-
Connections Per Client—Limits for the number of connections allowed for a given client (source IP address). You can configure these options:
-
Maximum TCP and UDP (TCP/UDP connections only)—The maximum number of simultaneous connections allowed per client, between 0 and 2000000. For TCP, this includes established, half-open (embryonic), and half-closed connections. The default is 0, which allows unlimited connections. This option restricts the maximum number of simultaneous connections that are allowed for each host that is matched to the class.
-
Maximum Embryonic (TCP connections only)—The maximum number of simultaneous embryonic TCP connections allowed per client, between 0 and 2000000. The default is 0, which allows unlimited connections. For more information, see Protect Servers from a SYN Flood DoS Attack (TCP Intercept).
-
Connections Syn Cookie MSS—The server maximum
segment size (MSS) for SYN-cookie generation for embryonic
connections upon reaching the embryonic connections limit, from 48
to 65535 . The default is 1380. This setting is meaningful only if
you configure Maximum Embryonic for
connections or per-client, or both.
-
Connections Timeout—The timeout settings to apply to the traffic class. These timeouts override the global timeouts defined in the platform settings policy. You can configure the following:
-
Embryonic (TCP connections only)—The timeout period until a TCP embryonic (half-open) connection is closed, between 0:0:5 and 1193:00:00. The default is 0:0:30.
-
Half Closed (TCP connections only)—The idle timeout period until a half-closed connection is closed, between 0:0:30 and 1193:0:0. The default is 0:10:0. Half-closed connections are not affected by Dead Connection Detection (DCD). Also, the system does not send a reset when taking down half-closed connections.
-
Idle (TCP, UDP, ICMP, IP connections)—The idle timeout period after which an established connection of any protocol closes, between 0:0:1 and 1193:0:0. The default is 1:0:0, unless you select the TCP State Bypass option, where the default is 0:2:0.
-
Reset Connection Upon Timeout (TCP connections only)—Whether to send a TCP RST packet to both end systems after idle connections are removed.
-
Detect Dead Connections (TCP connections
only)—Whether to enable Dead Connection Detection (DCD). Before
expiring an idle connection, the system probes the end hosts to
determine if the connection is valid. If both hosts respond, the
connection is preserved, otherwise the connection is freed. When
operating in transparent firewall mode, you must configure static
routes for the endpoints. You cannot configure DCD on connections
that are also offloaded, so do not configure DCD on connections you
are fast-pathing in the prefilter policy. Use the show
conn detail command in the threat
defense CLI to track how many DCD probes have been sent by the initiator
and responder.
Configure the following options:
-
Detection Timeout—The time duration in hh:mm:ss format to wait after each unresponsive DCD probe before sending another probe, between 0:0:1 and 24:0:0. The default is 0:0:15.
For systems that are operating in a cluster or high-availability configuration, we recommend that you do not set the interval to less than one minute (0:1:0). If the connection needs to be moved between systems, the changes required take longer than 30 seconds, and the connection might be deleted before the change is accomplished.
-
Detection Retries—The number of consecutive failed retries for DCD before declaring the connection dead, from 1 to 255. The default is 5.
|
