Support User Manuals

Cisco Systems CL-28826-01 Security Camera User Manual

Open as PDF

of 2616

55-4

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter 55 Configuring Security Policies on Firewall Devices

Configuring Timeouts

• Configuring Floodguard, Anti-Spoofing and Fragment Settings, page 55-2

Field Reference

Configuring Timeouts

The Timeouts page lets you set a variety of timeout values on the security appliance. All times are in the

format hh:mm:ss.

These values represent idle timeouts for the connection and translation slots for various protocols. If a

slot has not been used for the idle time specified, the resource is returned to the free pool. TCP

connection slots are freed approximately 60 seconds after a normal connection close sequence.

Warning

We recommend that you do not change these values unless advised to do so by Customer Support.

Navigation Path

• (Device view) Select Platform > Security > Timeouts from the Device Policy selector.

• (Policy view) Select PIX/ASA/FWSM Platform > Security > Timeouts from the Policy Types

selector. Select an existing policy from the Policies selector, or create a new one.

Related Topics

• Chapter 55, “Configuring Security Policies on Firewall Devices”

Table 55-2 Add/Edit General Security Configuration Dialog Box

Element Description

Interface Enter or Select the name of the interface for which you want to

configure anti-spoofing or fragment settings.

Enable Anti-Spoofing Check this box to enable Unicast RPF (anti-spoofing) on the specified

interface.

Override Default Fragment

Settings

To override the default fragment settings on the specified interface,

check this box to enable the following fields, and then enter the new

values. See the General Page, page 55-1 for the default global fragment

settings on the device.

Size Specify the maximum number of fragments that can be in the IP

re-assembly database waiting for re-assembly for the specified

interface. The default is 200.

Chain Specify the maximum number of fragments into which a full IP packet

can be fragmented for the specified interface. The default is 24 packets.

Timeout Specify the maximum number of seconds to wait for an entire

fragmented packet to arrive on the specified interface. The timer starts

after the first fragment of a packet arrives. If all fragments of the packet

do not arrive by the number of seconds specified, all fragments of the

packet that were already received will be discarded. The default is 5

seconds.

previous next