55-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 55 Configuring Security Policies on Firewall Devices
Configuring Timeouts
• Configuring Floodguard, Anti-Spoofing and Fragment Settings, page 55-2

Field Reference

Table 55-2 Add/Edit General Security Configuration Dialog Box

Element                      Description
Interface                    Enter or select the name of the interface for which you want to
                             configure anti-spoofing or fragment settings.
Enable Anti-Spoofing         Check this box to enable Unicast RPF (anti-spoofing) on the specified
                             interface.
Override Default Fragment    To override the default fragment settings on the specified interface,
Settings                     check this box to enable the following fields, and then enter the new
                             values. See the General Page, page 55-1 for the default global fragment
                             settings on the device.
  Size                       Specify the maximum number of fragments that can be in the IP
                             re-assembly database waiting for re-assembly for the specified
                             interface. The default is 200.
  Chain                      Specify the maximum number of fragments into which a full IP packet
                             can be fragmented for the specified interface. The default is 24 packets.
  Timeout                    Specify the maximum number of seconds to wait for an entire
                             fragmented packet to arrive on the specified interface. The timer starts
                             after the first fragment of a packet arrives. If all fragments of the
                             packet do not arrive by the number of seconds specified, all fragments
                             of the packet that were already received are discarded. The default is
                             5 seconds.

Configuring Timeouts

The Timeouts page lets you set a variety of timeout values on the security appliance. All times are in the format hh:mm:ss.

These values represent idle timeouts for the connection and translation slots for various protocols. If a slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence.

Warning
We recommend that you do not change these values unless advised to do so by Customer Support.

Navigation Path
• (Device view) Select Platform > Security > Timeouts from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Security > Timeouts from the Policy Types selector. Select an existing policy from the Policies selector, or create a new one.

Related Topics
• Chapter 55, “Configuring Security Policies on Firewall Devices”
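The guide warns against changing the timeout values and gives defaults for the per-interface fragment settings, so a practitioner usually wants a quick way to confirm that a deployed configuration still matches what was signed off. The following Python script is an added example, not code from the Cisco guide or from Security Manager: it parses the `timeout`, `fragment` and `ip verify reverse-path` lines of an ASA/PIX-style running configuration (assumed here to be the on-device form of the settings the Timeouts page and Table 55-2 describe), converts the hh:mm:ss values to seconds, and reports anything that differs from a reviewer-supplied timeout baseline or from the fragment defaults stated in the table (200, 24, 5). The sample configuration excerpt and the `EXPECTED_TIMEOUTS` baseline are constructed for the example and are not a statement of Cisco factory defaults.

```python
"""Audit timeout, fragment and anti-spoofing settings in an ASA/PIX-style
running configuration.  Added example; the CLI keywords are assumed to be the
on-device form of the Security Manager settings, and the sample data below is
constructed, not captured from a real device."""
import re

HMS_RE = re.compile(r"(\d+):([0-5]\d):([0-5]\d)")
FRAG_RE = re.compile(r"^fragment (size|chain|timeout) (\d+)(?: (\S+))?$")
URPF_RE = re.compile(r"^ip verify reverse-path interface (\S+)$")

# Per-interface fragment defaults as stated in Table 55-2: 200 fragments in
# the reassembly database, 24 fragments per packet, 5 seconds to reassemble.
FRAGMENT_DEFAULTS = {"size": 200, "chain": 24, "timeout": 5}


def parse_hms(text):
    """Convert an hh:mm:ss string to whole seconds; reject anything else."""
    m = HMS_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not hh:mm:ss: {text!r}")
    hours, minutes, seconds = (int(g) for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def parse_timeouts(config):
    """Collect every 'timeout <name> hh:mm:ss ...' setting as name -> seconds."""
    found = {}
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] != ["timeout"]:
            continue
        # Walk adjacent token pairs; trailing keywords such as 'absolute'
        # are skipped because they are not hh:mm:ss values.
        for name, value in zip(tokens[1:], tokens[2:]):
            if HMS_RE.fullmatch(value):
                found[name] = parse_hms(value)
    return found


def parse_fragments(config):
    """Return {interface_or_None: {setting: value}} for fragment lines."""
    found = {}
    for line in config.splitlines():
        m = FRAG_RE.match(line.strip())
        if m:
            setting, value, iface = m.group(1), int(m.group(2)), m.group(3)
            found.setdefault(iface, {})[setting] = value
    return found


def urpf_interfaces(config):
    """Interfaces on which Unicast RPF (anti-spoofing) is enabled."""
    enabled = set()
    for line in config.splitlines():
        m = URPF_RE.match(line.strip())
        if m:
            enabled.add(m.group(1))
    return enabled


def audit(config, expected_timeouts):
    """Report settings that differ from the expected baseline.

    expected_timeouts maps timeout name -> seconds the reviewer signed off on;
    fragment settings are compared with the guide's stated defaults, and any
    interface with fragment overrides but no uRPF is listed for review."""
    findings = []
    timeouts = parse_timeouts(config)
    for name, want in sorted(expected_timeouts.items()):
        got = timeouts.get(name)
        if got != want:
            findings.append(f"timeout {name}: expected {want}s, found {got}")
    fragments = parse_fragments(config)
    for iface, settings in sorted(fragments.items(), key=lambda kv: str(kv[0])):
        for setting, value in sorted(settings.items()):
            default = FRAGMENT_DEFAULTS[setting]
            if value != default:
                where = iface or "global"
                findings.append(
                    f"fragment {setting} on {where}: {value} (default {default})")
    with_urpf = urpf_interfaces(config)
    for iface in sorted(i for i in fragments if i):
        if iface not in with_urpf:
            findings.append(f"anti-spoofing (uRPF) not enabled on {iface}")
    return findings


# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout uauth 0:05:00 absolute
fragment size 200 inside
fragment chain 24 inside
fragment timeout 5 inside
fragment size 1000 dmz
fragment timeout 30 dmz
ip verify reverse-path interface inside
"""

# Baseline the reviewer expects (constructed for this example; not a claim
# about Cisco factory defaults).
EXPECTED_TIMEOUTS = {"conn": parse_hms("1:00:00"),
                     "udp": parse_hms("0:02:00"),
                     "xlate": parse_hms("3:00:00")}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, EXPECTED_TIMEOUTS):
        print(finding)
```

Run against the constructed excerpt, the audit reports the `conn` timeout that was raised from the baseline, the two non-default fragment values on `dmz`, and that `dmz` has fragment overrides but no uRPF; `inside`, which matches the table defaults, produces no finding. Feeding it the output of `show running-config` from a managed device, with a baseline taken from the approved Security Manager policy, turns the guide's "do not change unless advised" warning into a repeatable check.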