Configure advanced properties for Virtual NGFW Engine interfaces

Advanced settings allow you to configure SYN Rate Limits and Log Compression on the interfaces of a Virtual NGFW Engine. You can also configure IPv6 Router Advertisements on a Virtual Firewall’s interfaces.

SYN Rate Limits are applied to TCP connections. Each TCP connection starts with a SYN packet. If the SYN Rate Limits defined for the Virtual NGFW Engine are reached, the Virtual NGFW Engine drops new TCP connections.

By default, each generated Antispoofing (Virtual Firewalls only) and Discard log entry is logged separately and displayed as a separate entry in the Logs view. Log Compression settings allow you to define the maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. After this log entry, the logging returns to normal and all generated entries are once more logged and displayed separately. Log Compression is useful when the routing configuration generates a large volume of Antispoofing logs or the number of Discard logs becomes high.
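The following Python model is an added illustration of the Log Compression behavior described above; it is not product code and does not reproduce the engine's log format. The one-second counting window, the record fields, and the choice to keep only a count in the summary entry are assumptions of the model.

```python
from collections import namedtuple

# Constructed record shapes for this model; not the engine's log format.
Event = namedtuple("Event", "ts kind src")
Entry = namedtuple("Entry", "ts kind src count compressed")


def compress_log(events, limits, window=1.0):
    """limits: kind -> max separately logged entries per window (seconds).
    The window length is an assumption; the page does not state one."""
    out, state = [], {}  # state: kind -> [window_start, seen, folded, last_ts]

    def flush(kind):
        folded, last_ts = state[kind][2], state[kind][3]
        if folded:  # one summary entry stands in for all folded entries
            out.append(Entry(last_ts, kind, None, folded, True))

    for ev in sorted(events, key=lambda e: e.ts):
        limit = limits.get(ev.kind)
        if limit is None:  # compression not enabled for this kind
            out.append(Entry(ev.ts, ev.kind, ev.src, 1, False))
            continue
        st = state.get(ev.kind)
        if st is None or ev.ts - st[0] >= window:
            if st is not None:
                flush(ev.kind)  # after the summary, logging returns to normal
            st = state[ev.kind] = [ev.ts, 0, 0, ev.ts]
        st[1] += 1
        st[3] = ev.ts
        if st[1] <= limit:
            out.append(Entry(ev.ts, ev.kind, ev.src, 1, False))
        else:
            st[2] += 1  # model assumption: the summary keeps only the count
    for kind in state:
        flush(kind)
    return sorted(out, key=lambda e: e.ts)


def sample_events():
    """Constructed input: 50 Antispoofing hits in 0.5 s, then 2 Discards."""
    burst = [Event(10.0 + i * 0.01, "Antispoofing", f"192.0.2.{i + 1}")
             for i in range(50)]
    return burst + [Event(12.0, "Discard", "198.51.100.7"),
                    Event(12.2, "Discard", "198.51.100.8")]


if __name__ == "__main__":
    for entry in compress_log(sample_events(), {"Antispoofing": 5, "Discard": 5}):
        print(entry)
```

With a limit of 5, the 50 constructed Antispoofing events appear as five separate entries plus one summary entry with a count of 45, so the total is preserved but reports built from individual entries see only the first five.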

Router advertisements are packets that contain network layer configuration parameters. Enabling IPv6 Router Advertisements allows devices that connect to the same IPv6 network as the Virtual Firewall to acquire IP addresses automatically. The Router Advertisement messages specify what configuration information the Virtual Firewall has available.

Note: The SYN Rate Limits and Log Compression settings in the interface properties override the general SYN Rate Limits and Log Compression settings. These settings are defined in the Engine Editor.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click a Virtual Firewall, Virtual IPS engine, or Virtual Layer 2 Firewall and select Edit <element type>.
    The Engine Editor opens.
  2. In the navigation pane on the left, select Interfaces.
    The Interfaces pane opens on the right.
  3. Right-click a Physical Interface or a VLAN Interface and select Edit Physical Interface or Edit VLAN Interface.
    The properties dialog box for the interface opens.
  4. Switch to the Advanced tab.
  5. Select Override Engine’s Default Settings.
    The options for SYN Rate Limits, Log Compression, and IPv6 Router Advertisements are enabled.
  6. (Optional) Define the SYN Rate Limits.
    CAUTION:
    The recommended values for the SYN Rate Limits depend on your network environment. If the Custom settings are not carefully configured, the capacity of the engine might suffer or SYN Rate Limits might not work correctly.
  7. (Optional) Enable Log Compression and enter values for the Antispoofing entries (Virtual Firewalls only) and for Discard entries.
    Note: Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting purposes).
  8. (Optional, Virtual Firewalls only) Select Send IPv6 Router Advertisements and specify what configuration information is offered in the Router Advertisement messages.
  9. Click OK.
  10. Continue the configuration in one of the following ways:
    • If you are creating a new Virtual Firewall, or if you want to change the roles the different interfaces have in the configuration, select interface options for Virtual Firewall interfaces.
    • Otherwise, click Save and Refresh to transfer the configuration changes.