8 - 10 WiNG 5.5 Access Point System Reference Guide
16. Refer to the General field to enable or disable the following firewall parameters:
Enable Proxy ARP Select the radio button to allow the Firewall Policy to use Proxy ARP responses for this
policy on behalf of another device. Proxy ARP allows the firewall to handle ARP routing
requests for devices behind the firewall. This feature is enabled by default.
DHCP Broadcast to
Unicast
Select the radio button to enable the conversion of broadcast DHCP offers to unicast.
Converting DHCP broadcast traffic to unicast traffic can help reduce network traffic
loads.This feature is disabled by default.
L2 Stateful Packet
Inspection
Select the radio button to enable stateful packet inspection for routed interfaces within
the Layer 2 Firewall. This feature is enabled by default.
IPMAC Conflict Enable Select this option to log and act upon detected IPMAC conflicts. These occur when
removing a device from the network and attaching another using the same IP address.
IPMAC Conflict Logging When enabled, use the drop-down menu to set the logging level (Error, Warning,
Notification, Information or Debug) if an attack is detected. The default setting is
Warning.
IPMAC Conflict Action Use the drop-down menu to set the action taken when an attack is detected. Options
include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.
IPMAC Routing Conflict
Enable
Select this option to enable IPMAC Routing Conflict detection. This is also known as a
Hole-196 attack in the network. This feature helps to detect if the client is sending routed
packets to the correct MAC address.
IPMAC Routing Conflict
Logging
Select enable logging for IPMAC Routing Conflict detection. This feature is enabled by
default and set to Warning.
IPMAC Routing Conflict
Action
Use the drop-down menu to set the action taken when an attack is detected. Options
include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.
DNS Snoop Entry
Timeout
Select this option and set a timeout, in seconds, for DNS Snoop Entry. DNS Snoop Entry
stores information such as Client to IP Address and Client to Default Gateway(s) and uses
this information to detect if the client is sending routed packets to a wrong MAC address.
IP TCP Adjust MSS Select this option and adjust the value for the maximum segment size (MSS) for TCP
segments on the router. Set a value between 472 bytes and 1,460 bytes to adjust the MSS
segment size. The default value is 472 bytes.
TCP MSS Clamping Select this option to enable TCP MSS Clamping. TCP MSS Clamping allows configuration
for the maximum segment size of packets at a global level.
Max Fragments/
Datagram
Set the maximum number of fragments (from 2 - 8,129) allowed in a datagram before it is
dropped. The default value is 140 fragments.
Max Defragmentations/
Host
Set the maximum number of defragmentations, from 1 - 16,384 allowed per host before it
is dropped. The default value is 8.
Min Length Required Select this option and set a minimum length, from 8 bytes - 1,500 bytes, to enforce a
minimum packet size before being subject to fragment based attack prevention.
IPv4 Virtual
Defragmentation
Select this option to enable IPv4 Virtual Defragmentation, this helps prevent IPv4
fragments based attacks, such as tiny fragments or large number of ipv4 fragments.
To Next Page
Loading...
