Filter
Top Products
17-90
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 17 Managing Firewall Inspection Rules
Configuring Settings for Inspection Rules for IOS Devices
Thresholds per Host
Max Sessions Per Host The number of half-open TCP sessions with the same host destination
address that can exist at a time before the software starts deleting
half-open sessions to the host. Possible values are 1-4294967295. The
default is 50.
A large number of half-open sessions can indicate there is a Denial of
Service attack against the host.
Max Sessions Blocking
Interval (min)
If the maximum sessions per host threshold is reached, the blocking
time to apply to help mitigate the potential TCP host-specific
denial-of-service (DoS) attack. Possible values are 0-35791 minutes.
The default is 0.
• If the blocking time value is 0, the software deletes the oldest
existing half-open session for the host for every new connection
request to the host above the maximum session limit. This ensures
that the number of half-open sessions to a given host will never
exceed the threshold.
• If the blocking time value is greater than 0, the software deletes all
existing half-open sessions for the host, then blocks all new
connection requests to the host. The software will continue to block
all new connection requests until the block-time expires.
Other
Session Hash Table Size
(buckets)
The size of the hash table in terms of buckets. Possible values for the
hash table are 1024, 2048, 4096, and 8192. The default is 1024.
You should increase the hash table size when the total number of
sessions running through the device is approximately twice the current
hash size; decrease the hash table size when the total number of
sessions is reduced to approximately half the current hash size.
Essentially, try to maintain a 1:1 ratio between the number of sessions
and the size of the hash table.
Enable Alert Messages Whether to generate stateful packet inspection alert messages on the
console.
Enable Audit Trail Messages Whether audit trail messages are logged to the syslog server or router.
Permit DHCP Passthrough
(Transparent Firewall)
Whether to permit a transparent firewall to forward DHCP packets
across the bridge without inspection.
Permitting DHCP passthrough overrides an ACL for DHCP packets, so
DHCP packets are forwarded even if the ACL is configured to deny all
IP packets. Thus, clients on one side of the bridge can get an IP address
from a DHCP server on the opposite side of the bridge.
Block Non-SYN Packets Whether to drop TCP packets that do not belong to an established
session. These are TCP packets that do not initiate sessions, that is, the
SYN bit is not set in them.
Log Dropped Packets Whether to create log messages for dropped packets to specify the
reason for dropping them.
Table 17-54 Inspection Page (Continued)
Element Description