55-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 55 Configuring Security Policies on Firewall Devices
General Page
Configuring Floodguard, Anti-Spoofing and Fragment Settings
Use the General page under Platform > Security to enable or disable Floodguard (on a PIX 6.3 or FWSM 2.x device), to enable Unicast Reverse Path Forwarding (anti-spoofing) on individual interfaces, and to configure IP fragment settings for the device and for each interface of the device.
Floodguard
Floodguard lets you reclaim firewall resources if the user authentication subsystem runs out of resources. If an inbound or outbound uauth connection is being attacked or overused, the firewall will actively reclaim TCP user resources.
If the user authentication subsystem is depleted, TCP user resources in different states are reclaimed in the following order, depending on urgency:
1. Timewait
2. LastAck
3. FinWait
4. Embryonic
5. Idle
Floodguard is enabled by default. This option applies only to PIX 6.3 or FWSM 2.x devices.
Global Fragment Settings
Use these options to configure global fragment settings for the device. You can override these settings for individual interfaces; see Add/Edit General Security Configuration Dialog Box, page 55-3 for more information.
Enable Default Settings: Check this box to enable the default fragment settings fields.
Size: Specify the maximum number of fragments that can be in the IP re-assembly database waiting for re-assembly. The default is 200.
Chain: Specify the maximum number of fragments into which a full IP packet can be fragmented. The default is 24 packets.
Timeout: Specify the maximum number of seconds to wait for an entire fragmented packet to arrive. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do not arrive within the number of seconds specified, all fragments of the packet that were already received will be discarded. The default is 5 seconds.
Interface Configuration Table
This table lists all interfaces on which individual anti-spoofing and fragment settings have been defined. Refer to Configuring Floodguard, Anti-Spoofing and Fragment Settings, page 55-2 for more information about these settings. Refer to Add/Edit General Security Configuration Dialog Box, page 55-3 for more information about configuring these settings on individual interfaces.
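To make the three global fragment settings concrete, here is a small Python model of the reassembly database they govern (an added example, not Cisco code and not part of this guide): Size caps the fragments held across all packets, Chain caps the fragments of one packet, and Timeout runs from the first fragment and discards everything already received. The packet keys, byte offsets and the exact drop behaviour when a limit is exceeded are assumptions of the model, not documented device behaviour.

```python
from dataclasses import dataclass, field


@dataclass
class FragmentDB:
    """Toy model of the IP fragment re-assembly database (constructed example).
    Defaults mirror the guide: size 200, chain 24, timeout 5 seconds."""
    size: int = 200        # max fragments waiting in the database across all packets
    chain: int = 24        # max fragments one IP packet may be split into
    timeout: float = 5.0   # seconds allowed, counted from the first fragment
    pending: dict = field(default_factory=dict)  # key -> {"first", "frags", "last"}

    def held(self) -> int:
        """Fragments currently waiting for re-assembly across all packets."""
        return sum(len(p["frags"]) for p in self.pending.values())

    def expire(self, now: float) -> list:
        """Discard every partial packet whose timer, started at its first
        fragment, has reached the timeout. Returns the discarded packet keys."""
        stale = [k for k, p in self.pending.items() if now - p["first"] >= self.timeout]
        for k in stale:
            del self.pending[k]          # all fragments already received are dropped
        return stale

    def offer(self, now: float, key, offset: int, more: bool, payload: bytes) -> str:
        """Feed one fragment; key identifies the packet (e.g. (src, dst, ident)),
        offset is the byte offset, more is the 'more fragments' flag (assumed API).
        Returns 'reassembled', 'queued', 'dropped-size' or 'dropped-chain'."""
        self.expire(now)
        if self.held() >= self.size:     # database full: nothing more fits
            return "dropped-size"
        pkt = self.pending.setdefault(key, {"first": now, "frags": {}, "last": None})
        if len(pkt["frags"]) + 1 > self.chain:  # split into too many pieces
            del self.pending[key]
            return "dropped-chain"
        pkt["frags"][offset] = payload
        if not more:                     # the last fragment fixes the total length
            pkt["last"] = offset + len(payload)
        if pkt["last"] is not None and self._contiguous(pkt):
            del self.pending[key]
            return "reassembled"
        return "queued"

    @staticmethod
    def _contiguous(pkt) -> bool:
        """True when the received fragments cover 0..last without gaps."""
        end = 0
        for off in sorted(pkt["frags"]):
            if off != end:
                return False
            end = off + len(pkt["frags"][off])
        return end == pkt["last"]
```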
Table 55-1 General Page (Continued)
Element Description