Configuring Advanced Interface Properties for Firewalls

Prerequisites: See Firewall Interface Configuration

Advanced settings allow you to configure SYN Flood Protection, Log Compression, and IPv6 Router Advertisements on the interfaces. Log Compression is useful when the routing configuration generates a lot of antispoofing logs or the number of Discard logs becomes high (for example, as a result of a SYN flood attack). Enabling IPv6 Router Advertisements allows the firewall to send Router Advertisement messages for IPv6 neighbor discovery. The Router Advertisement messages specify what configuration information the firewall has available.

Note – The SYN Flood Protection and Log Compression settings in the interface properties override the firewall’s general SYN Flood Protection and Log Compression settings that are defined on the Advanced tab in the Firewall or Firewall Cluster properties. See Configuring Default SYN Flood Protection for a Firewall and Configuring Log Handling Settings.

To configure advanced interface properties for firewalls

1.   In the properties dialog for the firewall, switch to the Interfaces tab.

2.   Right-click a Physical Interface, a VLAN, an ADSL Interface, or a Wireless Interface and select Edit Physical Interface, Edit VLAN Interface, Edit ADSL Interface, or Edit Wireless Interface. The properties dialog for the interface opens.

3.   Switch to the Advanced tab.

4.   Select Override Firewall’s Default Settings. The options for SYN Flood Protection and Log Compression are enabled.

5.   (Optional) Define the SYN Flood Protection Mode:

    Setting | Description
    Default | The interface uses the SYN Flood Protection settings defined on the Advanced tab in the firewall properties (see Configuring Default SYN Flood Protection for a Firewall).
    Off | SYN Flood Protection is disabled on the interface.
    Automatic | This is the recommended mode if you want to override the general SYN Flood Protection settings defined in the firewall properties. The firewall automatically calculates the number of Allowed SYNs per Second and the Burst Size for the interface based on the engine’s capacity and memory size.
    Custom | Enter the desired values for Allowed SYNs per Second (the number of allowed SYN packets per second) and Burst Size (the number of allowed SYNs before the firewall starts limiting the SYN rate). We recommend that Burst Size be at least one tenth of the Allowed SYNs per Second value. If Burst Size is too small, SYN Flood Protection does not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size must be at least 1000.

Caution – The recommended values for the SYN Flood Settings depend on your network environment. If the Custom settings are not carefully configured, the capacity of the firewall engine may suffer or SYN Flood Protection may not work correctly.

6.   (Optional) Enable/Disable Log Compression and enter the desired values for the Antispoofing entries and (optionally) for Discard entries.

    Setting | Description
    Log Rate (Entries/s) | The maximum number of entries per second. The default value for antispoofing entries is 100 entries/s. By default, Discard log entries are not compressed.
    Burst Size (Entries) | The maximum number of matching entries in a single burst. The default value for antispoofing entries is 1000 entries. By default, Discard log entries are not compressed.

7.   (Optional) Select Send Router Advertisements and specify what configuration information is offered in the Router Advertisement messages:

    Setting | Description
    Managed address configuration | The firewall offers IPv6 addresses over the Dynamic Host Configuration Protocol (DHCPv6). When this option is selected, any other available configuration information is also sent in the DHCPv6 communications.
    Other configuration | The firewall offers other configuration information, such as DNS-related information or information on other servers within the network, over DHCPv6.

8.   Click OK.

    Close the firewall’s Properties dialog and refresh the firewall’s policy to transfer the configuration changes.
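
The Custom values in step 5 and the Log Compression values in step 6 are both a rate plus a burst size. The following sketch is an added example, not vendor code: it models such a limit as a token bucket (an assumption; this page does not describe the engine's algorithm) and checks Custom values against the one-tenth recommendation. The function names and the sample traffic are constructed for illustration.

```python
# Added illustration, not vendor code. Assumption: the page does not describe
# the engine's algorithm; a token bucket is one common model of "rate + burst".

def check_custom_syn_settings(allowed_per_sec, burst_size):
    """Check Custom values against the page's one-tenth recommendation."""
    if allowed_per_sec <= 0 or burst_size <= 0:
        return ["both values must be positive"]
    minimum = -(-allowed_per_sec // 10)  # ceiling of one tenth
    if burst_size < minimum:
        return [f"Burst Size {burst_size} is below the recommended minimum {minimum}"]
    return []

def simulate(rate_per_sec, burst_size, arrivals):
    """Run (time_ms, count) arrivals through the bucket.

    Returns (within_limit, over_limit). Times must be non-decreasing.
    """
    tokens = float(burst_size)  # bucket starts full
    last_ms = 0
    within = over = 0
    for time_ms, count in arrivals:
        # Refill for the elapsed time, never above the burst size.
        tokens = min(burst_size, tokens + (time_ms - last_ms) * rate_per_sec / 1000)
        last_ms = time_ms
        allowed = min(count, int(tokens))
        tokens -= allowed
        within += allowed
        over += count - allowed
    return within, over

# Constructed sample traffic: ten bursts, 100 ms apart.
BURSTY_NORMAL = [(ms, 800) for ms in range(0, 1000, 100)]   # 8000 SYNs in 1 s
FLOOD = [(ms, 5000) for ms in range(0, 1000, 100)]          # 50000 SYNs in 1 s

if __name__ == "__main__":
    for burst in (1000, 100):
        print("burst", burst, check_custom_syn_settings(10000, burst))
        print("  normal:", simulate(10000, burst, BURSTY_NORMAL))
        print("  flood: ", simulate(10000, burst, FLOOD))
    # Log Compression defaults from the page: 100 entries/s, burst 1000.
    print("antispoofing logs:", simulate(100, 1000, [(0, 5000), (1000, 5000)]))
```

In this model, a Burst Size of 100 with 10000 Allowed SYNs per Second marks 7000 of the 8000 SYNs in the bursty-but-normal sample as over the limit, while a Burst Size of 1000 passes all of them and still caps the flood sample at 10000.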