21-31
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Configuring Inspection Maps for Zone-based Firewall Policies
Table 21-9 Add or Edit Inspect Parameter Map Dialog Boxes (Continued)

Element / Description

TCP Max Incomplete Hosts
TCP Max Incomplete Block Time
    The threshold and blocking time (in minutes) for TCP host-specific denial-of-service (DoS) detection and prevention.
    The maximum incomplete hosts is the number of half-open TCP sessions with the same host destination address that can simultaneously exist before the software starts deleting half-open sessions to that host. An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against the host.
    When the threshold is exceeded, half-open sessions are dropped based on the maximum incomplete block time:
    - If the block time is 0, the software deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host never exceeds the threshold.
    - If the block time is greater than 0, the software deletes all existing half-open sessions for the host and then blocks all new connection requests to the host. The software continues to block all new connection requests until the block time expires.
    The software sends syslog messages whenever the specified threshold is exceeded and when blocking of connection initiations to a host starts or ends.

UDP Idle Timeout
    How long to maintain a UDP session while there is no activity in the session, in seconds.
    When the software detects a valid UDP packet, the software establishes state information for a new UDP session. Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, it has similar source or destination addresses) and if the packet was detected soon after another similar UDP packet.
    If the software detects no UDP packets for the UDP session for the period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.

Enable Alert
    Whether to generate stateful packet inspection alert messages on the console.

Enable Audit Trail
    Whether audit trail messages are logged to the syslog server or router.

Category
    The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12.
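The per-host half-open session logic described under TCP Max Incomplete Hosts and TCP Max Incomplete Block Time, as an added Python simulation that is not Cisco code or the product's implementation: it carries out both block-time modes (0 = delete the oldest half-open session per new request; greater than 0 = delete all and block the host until the time expires) and records the events the text says are reported to syslog. The threshold of 4, the SYN trace, the addresses and the event names are constructed for illustration.

```python
from collections import OrderedDict, defaultdict


class HostHalfOpenTracker:
    """Per-destination-host half-open TCP session tracker (simulation)."""

    def __init__(self, max_incomplete_hosts, block_time_min):
        self.threshold = max_incomplete_hosts          # TCP Max Incomplete Hosts
        self.block_secs = block_time_min * 60          # block time is given in minutes
        self.half_open = defaultdict(OrderedDict)      # dst -> {(src, sport): start}
        self.blocked_until = {}                        # dst -> time the block expires
        self.events = []                               # stand-in for syslog messages

    def on_syn(self, t, src, sport, dst):
        """New connection request to dst at time t; returns True if admitted."""
        until = self.blocked_until.get(dst)
        if until is not None:
            if t < until:
                return False                           # host still blocked: drop it
            del self.blocked_until[dst]
            self.events.append((t, "BLOCK_END", dst))
        sessions = self.half_open[dst]
        if len(sessions) >= self.threshold:
            self.events.append((t, "THRESHOLD_EXCEEDED", dst))
            if self.block_secs == 0:
                sessions.popitem(last=False)           # delete only the oldest half-open
            else:
                sessions.clear()                       # delete them all, then block host
                self.blocked_until[dst] = t + self.block_secs
                self.events.append((t, "BLOCK_START", dst))
                return False
        sessions[(src, sport)] = t
        return True

    def on_established(self, src, sport, dst):
        """Three-way handshake completed: the session is no longer half-open."""
        self.half_open[dst].pop((src, sport), None)

    def count(self, dst):
        return len(self.half_open[dst])


def run_trace(block_time_min):
    """Constructed trace: one SYN per second for 6 s from distinct sources to one
    host with threshold 4, then a final SYN at t=70 s (past a 1-minute block)."""
    tr = HostHalfOpenTracker(max_incomplete_hosts=4, block_time_min=block_time_min)
    admitted = [tr.on_syn(t, f"192.0.2.{t}", 40000 + t, "10.1.1.5") for t in range(6)]
    admitted.append(tr.on_syn(70, "192.0.2.9", 40009, "10.1.1.5"))
    return admitted, tr.count("10.1.1.5"), tr.events
```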