Select additional configuration options for multiple Firewall Clusters

You can define more properties for the Firewall Clusters on the Select Additional Configuration Options page.

We recommend that you define all shared properties of the Firewall Clusters in the wizard.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. If you do not want to configure additional options, click Next. Otherwise, continue to the next step.
  2. To define more properties for the Firewall Clusters, select Define Additional Firewall Properties.
    1. (Optional) Define tester settings.
    2. (Optional) Define NTP settings.
    3. (Optional) Define permissions.
    4. (Optional) Define advanced settings.
  3. On the Summary page, review the details of the Firewall Clusters you are about to create.
    Tip: To edit a detail, click Previous to navigate back to the correct wizard page, then click Next to navigate forward to the Summary page.
  4. Click Finish to add multiple Firewall Cluster elements to your system.

Browser-Based User Authentication dialog box

Use this dialog box to change browser-based user authentication settings for a Firewall.

Option Definition
General tab
HTTP Allows authentication using plain HTTP connections.
Port

(Optional)

Change the port settings if you want to use a different port for the authentication interface. The default ports are:
  • HTTP — 80
  • HTTPS — 443
HTTPS Allows authentication using encrypted HTTPS connections.
Always Use HTTPS Redirects connections to the HTTPS port and enforces the use of HTTPS if the engine also listens on other ports.
Listen on Interfaces Restricts the interfaces that users can authenticate through.
  • All — Users can authenticate through all interfaces.
  • Selected — Users can only authenticate through the selected interfaces.
User Authentication Page Select the User Authentication Page element that defines the look of the logon page, challenge page, and status page shown to end users when they authenticate.
Enable Session Handling Enables cookie-based strict session handling.
Refresh Status Page Every Defines how often the status page is automatically refreshed.
Option Definition
HTTPS Certificate tab
Common Name (CN) The fully qualified domain name (FQDN) of the authentication page as it appears in the certificate.
Organization (O)

(Optional)

The name of your organization as it appears in the certificate.
Organizational Unit (OU)

(Optional)

The name of your department or division as it appears in the certificate.
Country/Region (C)

(Optional)

Standard two-character country code for the country of your organization.
State/Province (ST)

(Optional)

The name of the state or province as it appears in the certificate.
City/Locality (L)

(Optional)

The name of the city as it appears in the certificate.
Key Length Length of the key for the generated public-private key pair.

The default is 1024 bits.

Sign
With External Certificate Authority Select this option if you want to create a certificate request that another certificate authority signs.
Internally with Select this option to sign the certificate using an Internal CA for Gateways. If more than one valid internal certificate authority is available, select the internal CA that signs the certificate request. There can be multiple valid internal CAs for Gateways in the following cases:
  • There is both an internal RSA CA for gateways and an internal ECDSA CA for gateways.
  • The internal CA for gateways is in the process of being renewed and both the previous CA and the new CA are temporarily available. Select the new CA in this case.
Generate Request Generates the request or the internal certificate details.
Certificate Request section

(External certificate authority)

Subject Name The identifier of the certified entity.
Export Opens the Export Certificate Request dialog box.
Import Certificate Opens the Import Certificate dialog box.
Delete Deletes the certificate request.
Sign Internally Signs the certificate with the chosen Internal CA. The Certificate Request details are displayed.
Certificate section

(Internal certificate authority)

Subject Name The identifier of the certified entity.
Valid From Shows start date of certificate validity.
Valid To Shows end date of certificate validity.
Fingerprint (SHA-1) Shows the certificate fingerprint using the SHA-1 algorithm.
Fingerprint (MD5) Shows the certificate fingerprint using the MD5 algorithm.
Fingerprint (SHA-512) Shows the certificate fingerprint using the SHA-512 algorithm.
Export Opens the Export Certificate dialog box.
Delete Deletes the certificate.

Sidewinder Proxy Settings dialog box

Use this dialog box to enable and configure Sidewinder Proxies on the engine.

Option Definition
Enable When selected, enables Sidewinder Proxy.
Sidewinder Logging Profile The selected Sidewinder Logging Profile element for the engine. Click Select to open the Select Element dialog box, where you can select a Sidewinder Logging Profile.
SSH Proxy Settings specific to the SSM SSH Proxy.
SSH Known Hosts Lists The selected SSH Known Hosts List elements for the engine.
Add Opens the SSH Known Hosts Lists dialog box, where you can select an SSH Known Hosts List.
Remove Removes the selected element from the list.
Host Keys The SSH host keys used by the firewall when it acts as the SSH server in a connection that uses the SSM SSH Proxy.
Key Type Shows the signature algorithm used for the host key.
Key Length Shows the length of the host key.
SHA256 Fingerprint Shows the SHA256 fingerprint of the host key.
SSH Proxy Services The SSH Proxy Service element with which the host key is used. Double-click the field to open the Select Element dialog box, where you can select a Service element.
Comment

(Optional)

A comment for your own reference.
Add Opens the Generate New Host Key dialog box.
Remove Removes the selected host key from the list.
Import Opens the Import Host Key dialog box, where you can import an existing host key.
Advanced Settings Opens the Advanced Sidewinder Proxy Settings dialog box.

Anti-Malware Settings dialog box

Use this dialog box to change the anti-malware settings.

Option Definition
Enable Enables anti-malware checks.
Malware Log Level The log level for anti-malware events.
  • None — Does not create any log entry.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view (if someone is viewing it) but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Alert — Triggers an alert entry.
Alert When Alert is selected, specifies the Alert element that is sent.
Option Definition
Malware Signature Update Settings section
Update Frequency Defines how often the engine checks for updates to the anti-malware database.
  • Never — The engine does not check for updates. You must update the anti-malware database manually.
  • When Anti-Malware Daemon Starts — The engine checks for updates whenever the anti-malware daemon starts, for example, when the anti-malware feature is enabled or when the engine restarts.
  • Every Hour — The engine checks for updates once an hour.
  • Daily — The engine checks for updates once a day. Set the Time of day that the engine checks for updates.
  • Weekly — The engine checks for updates once a week. Set the Day and Time of day that the engine checks for updates.
Option Definition
Malware Signature Mirror Settings section
Mirror(s) Enter the URL of the anti-malware database mirror that the engine contacts to update the anti-malware database. Separate multiple addresses with commas.
Use HTTP Proxy

(Optional)

Specifies that the Firewall uses an HTTP proxy to connect to the anti-malware database mirrors.
Host The IP address or DNS name of the HTTP proxy.
Port The listening port of the HTTP proxy.
Username The user name for authenticating to the HTTP proxy.
Password The password for authenticating to the HTTP proxy.
Hide Prevents the password from being shown as plain text. Deselect this option to show the password. Selected by default.

Sandbox Settings dialog box

Use this dialog box to select and configure sandbox servers.

Option Definition
Sandbox Type Specifies which type of sandbox the engine uses for sandbox file reputation scans.
  • Cloud Sandbox - Forcepoint Advanced Malware Detection — The engine uses the cloud sandbox for Forcepoint Advanced Malware Detection.
  • Local Sandbox - Forcepoint Advanced Malware Detection (ATD) — The engine uses the local sandbox for Forcepoint Advanced Malware Detection.
    Note: To use the local sandbox for Forcepoint Advanced Malware Detection, you must have a Forcepoint Advanced Malware Detection appliance.
  • Local Sandbox - McAfee Advanced Threat Defense (ATD) — The engine uses McAfee Advanced Threat Defense.
    Note: McAfee Advanced Threat Defense is no longer supported in NGFW version 6.4.0 and later. We recommend that you use Forcepoint Advanced Malware Detection instead.
  • None — The engine does not use a sandbox.
Option Definition
When Sandbox Type is Cloud Sandbox - Forcepoint Advanced Malware Detection
License Key The license key for the connection to the cloud sandbox server.
Note: The license defines the home data center where files are analyzed. Enter the key and license token for the data center that you want to use as the home data center.
CAUTION:
The license key and license token allow access to confidential analysis reports. Handle the license key and license token securely.
License Token The license token for the connection to the cloud sandbox server.
Sandbox Service Click Select to select a Sandbox Service element. Specifies the cloud sandbox data center that the firewall contacts to request file reputation scans.
  • Automatic — The firewall contacts the data center that is geographically closest.
  • EU Data Centers — The firewall contacts the EMEA data center in the Netherlands.
  • US Data Centers — The firewall contacts the data center in the USA.
Note: If the data center that the firewall contacts does not match the home data center that is specified in the license, files are forwarded to the home data center for analysis and stored in the home data center.
HTTP Proxies

(Optional)

When specified, file reputation requests are sent through an HTTP proxy instead of the engine accessing the external network directly.

Add — Allows you to add an HTTP Proxy to the list.

Remove — Removes the selected HTTP Proxy from the list.

Note: You can only use one HTTP proxy for the connection to the sandbox service. If you select more than one HTTP proxy, the additional HTTP proxies are ignored.
Option Definition
When Sandbox Type is Local Sandbox - Forcepoint Advanced Malware Detection
License Key The license key for the connection to the local sandbox server.
License Token The license token for the connection to the local sandbox server.
Sandbox Service Click Select to select a Sandbox Service element.
HTTP Proxies

(Optional)

When specified, file reputation requests are sent through an HTTP proxy instead of the engine accessing the external network directly.

Add — Allows you to add an HTTP Proxy to the list.

Remove — Removes the selected HTTP Proxy from the list.

Note: You can only use one HTTP proxy for the connection to the sandbox service. If you select more than one HTTP proxy, the additional HTTP proxies are ignored.

File Reputation Settings dialog box

Use this dialog box to enable file reputation services for file filtering.

Option Definition
File Reputation Service
Select the file reputation service to use.
  • None — Disables file reputation services.
  • Threat Intelligence Exchange (TIE) — Enables the use of McAfee TIE file reputation services for file filtering.
  • Global Threat Intelligence (GTI) — Enables the use of McAfee GTI file reputation services for file filtering.
Option Definition
When File Reputation Service is Threat Intelligence Exchange (TIE)
ePO Server Shows the selected McAfee ePO Server element. The McAfee ePO server handles the request for DXL credentials initiated by the SMC.
Select Opens the Select Element dialog box, where you can select an ePO Server element.
DXL Certificates Shows the currently valid DXL certificates.
Generate DXL Certificates Generates new certificates.
Option Definition
When File Reputation Service is Global Threat Intelligence (GTI)
HTTP Proxies When specified, the engine uses an HTTP proxy to connect to the McAfee Global Threat Intelligence file reputation service.
  • Add — Allows you to add an HTTP Proxy to the list.
  • Remove — Removes the selected HTTP Proxy from the list.
Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than one proxy, the additional HTTP proxies are ignored.

Log Handling Settings dialog box

Use this dialog box to change the settings for handling log entries.

Option Definition
Log Spooling Policy Defines what happens when the engine’s log spool becomes full.
  • Stop Traffic — The engine stops processing traffic and goes offline.
  • Discard Log — Log entries are discarded in four stages, according to available space. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. The engine keeps processing traffic.
Log Compression

(Discard Log only)

The maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. After this, logging returns to normal and all generated entries are logged and displayed separately.
Note: Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics).
Set to Default Returns Log Handling changes to the default settings.

Traffic Handling dialog box

Use this dialog box to change advanced parameters that control how the engine handles traffic.

Option Definition
Connection Tracking Mode

(IPS engines and Layer 2 Firewalls only)

Layer 3 Connection Tracking Mode

(Firewalls only)

When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.

You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

  • Normal — The engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The engine checks the traffic direction and the port parameters of UDP traffic.
  • Strict — The engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
  • Loose — The engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the engine to receive non-standard traffic patterns.
On Firewalls and Layer 2 Firewalls, Normal is the default setting. On IPS engines, Loose is the default setting.
Virtual Defragmenting

(Not Virtual NGFW Engines)

(Not editable on IPS engines)

When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the engine.

When the engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued on the engine until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented.

Strict TCP Mode for Deep Inspection

(Not Virtual NGFW Engines)

This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.8.0 or later.
Concurrent Connection Limit

(Not Virtual NGFW Engines)

A global limit for the number of open connections. When the set number of connections is reached, the engine stops the next connection attempts until a previously open connection is closed.
Default Connection Termination in Access Policy

(IPS engines and Layer 2 Firewalls only)

Defines how connections that match Access rules with the Discard action are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Default Connection Termination in Inspection Policy Defines how connections that match rules with the Terminate action in the Inspection Policy are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Action When TCP Connection Does Not Start With a SYN Packet

(Firewalls only)

The engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection matches an Access rule with the Allow action. The engine does not send a TCP reset if the TCP connection begins with a TCP reset packet.
  • Discard Silently — The connection is silently dropped.
  • Refuse With TCP Reset — The connection is refused, and a TCP reset packet is returned.

Clustering Properties dialog box

Use this dialog box to define clustering settings for a Firewall Cluster.

Setting Description
General tab
Clustering Mode
  • Balancing — All nodes are simultaneously online providing enhanced performance and high availability in case of node failure. Balancing mode is the default mode.
  • Standby — Only one node can be online at a time. We recommend having at least one other node on standby to allow automatic takeover in case of failure. Several nodes can be on standby at a time. A randomly selected standby node is turned online when the online node fails.
Heartbeat Message Period Specifies how often clustered engines send heartbeat messages to each other (notifying that they are up and running). Enter the value in milliseconds. The default value is 1000 milliseconds (one second).
CAUTION:
Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
Heartbeat Failover Time Defines the time from the previous heartbeat message after which a node is treated as failed. Enter the value in milliseconds. The failover time must be at least twice as long as the Heartbeat Message Period. The default value is 5000 milliseconds.
CAUTION:
Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
Interface ID Shows the assigned interface ID.
State Sync Defines how the nodes exchange information about the traffic that they process.
  • All (recommended) — Both full and incremental synchronization messages are sent. This option allows frequent updates without consuming resources excessively. Regular full synchronization guarantees that all nodes stay synchronized even if some incremental messages are not delivered.
  • Full Only (not recommended) — Only full synchronization messages are sent. Incremental updates are not sent in between, so nodes might not have the same information about connections unless the full sync interval is reduced.
Note: We strongly recommend using Access rule options to disable state synchronization for specific traffic rather than adjusting the State Sync settings for the cluster.
Full Sync Interval

or

Incr Sync Interval
Define how frequently the full synchronizations and incremental synchronizations are done. Do not set the values much higher or lower than their defaults (5000 ms for full, 50 ms for incremental).
CAUTION:
Adjusting the Sync Intervals has significant impact on the cluster's performance. Inappropriate settings seriously degrade the firewall's performance.
Sync Security Level
  • None — No security features. Do not select this option unless the heartbeat traffic uses a dedicated, secure network that does not handle other traffic.
  • Sign — (default) Transmissions are authenticated to prevent outside injections of connection state information.
  • Encrypt and Sign — Transmissions are authenticated and encrypted. This option increases the overhead compared to the default option. However, it is recommended if node-to-node communications are relayed through insecure networks (for example, if the backup heartbeat is configured on an interface that handles other traffic).
CAUTION:
If the Firewall Cluster's primary and secondary Heartbeat Interfaces are not connected to dedicated networks and you use None or Sign as the Sync Security Level, VPN traffic is transferred unencrypted between Firewall Cluster nodes when VPN traffic balancing requires that traffic is forwarded between the nodes.
Heartbeat IP Enter an IP address between 224.0.0.0 and 239.255.255.255 if you want to change the multicast IP addresses used for node-to-node communications (default: 225.1.1.1). This multicast IP address must not be used for other purposes on any of the network interfaces.
Synchronization IP Enter an IP address between 224.0.0.0 and 239.255.255.255 if you want to change the multicast IP addresses used for node-to-node communications (default: 225.1.1.2). This multicast IP address must not be used for other purposes on any of the network interfaces.
Advanced Settings tab This tab contains advanced settings for fine-tuning load-balancing filters.
CAUTION:
Do not manually tune the load-balancing filter unless you are certain it is necessary. Normally, there is no need to tune the filter, because the configuration generates all required entries automatically. Unnecessary tuning can adversely affect the operation of the filter.
Filter Mode Defines how traffic is balanced between the nodes.
  • Static — Packet ownership (the node to which the connection or packet belongs) can change only when nodes are added or removed from the cluster, or when they switch from one state to another.
  • Dynamic — Traffic is balanced to avoid node overloads and existing connections are moved between nodes whenever overload is detected.
Load-Balancing Filter Uses Ports When selected, includes a port value for selecting between all nodes.

This setting decreases the granularity of VPN load balancing, and increases the granularity of other traffic load balancing. In typical networks, traffic is balanced based on IP address information only. If there is a dominating pair of communication IP addresses, apply the Use Ports option in the load-balancing filter entry only to their traffic and not globally.

Note: Enabling this option is not compatible with some features, such as mobile VPNs.
Filter Entries
IP Address Double-click this cell to open the Load Balancing Filter IP Entry dialog box.
Action Select one of the following actions:
  • None — No action is performed for the IP address specified in this entry. Used with the Replacement IP, Use Ports, NAT Enforce, Use IPsec, or Ignore Other options.
  • Replace by — The IP address in the Replacement IP cell replaces the original IP address. This option is the default action.
  • Pass on All Nodes — The filter entry allows packets to all nodes.
  • Block on All Nodes — The filter entry blocks packets to all nodes.
  • Pass on Node <number> — The filter entry forces the selected node to handle all packets belonging to the connection specified in this entry.
Replacement IP Enter the replacement IP address.
Use Ports Overrides the global Load-Balancing Filter Uses Ports option. For example, if two hosts send most traffic through the Firewall, you can set the Use Ports option for one of them to divide the traffic between the cluster nodes, improving granularity. Using this option for IP addresses in a VPN site can reduce the granularity of VPN load balancing and prevent VPN client connections involving those IP addresses.
NAT Enforce Enables a specific NAT-related process in the load-balancing filter.
CAUTION:
Do not enable this option unless instructed to do so by Forcepoint support.
Use IPsec Specifies addresses receiving IPsec traffic on the node itself. The option enables a specific load-balancing process for all IPsec traffic directed to the IP address specified in the filter entry.
CAUTION:
Do not enable this option unless instructed to do so by Forcepoint support.
Ignore Other Forces the handling of packets to and from the specified IP addresses one node at a time.
Add Adds a filter entry row.
Remove Removes the selected filter entry row.
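The constraints in the General tab above (failover time at least twice the heartbeat period, multicast heartbeat and synchronization addresses in 224.0.0.0-239.255.255.255, sync intervals close to their 5000 ms / 50 ms defaults, and Encrypt and Sign when the heartbeat network also carries other traffic) can be checked before the settings are applied. The following is an added example written for this page, not code from the SMC product; the settings-dictionary keys, the deviation factor of 4 that stands in for "much higher or lower", and the heartbeat_network_dedicated flag are assumptions made for the example.

```python
"""Sanity checks for Clustering Properties (General tab) values.

Added example, not SMC product code. Encodes the constraints stated in the
dialog description; key names, DEVIATION_FACTOR and the
heartbeat_network_dedicated flag are assumptions for this example.
"""
import ipaddress

MULTICAST_V4 = ipaddress.IPv4Network("224.0.0.0/4")  # 224.0.0.0-239.255.255.255

DEFAULTS = {
    "heartbeat_period_ms": 1000,
    "heartbeat_failover_ms": 5000,
    "full_sync_interval_ms": 5000,
    "incr_sync_interval_ms": 50,
    "heartbeat_ip": "225.1.1.1",
    "sync_ip": "225.1.1.2",
    "sync_security_level": "Sign",
    "heartbeat_network_dedicated": True,  # assumption: supplied by the operator
}
DEVIATION_FACTOR = 4  # assumption: what counts as "much higher or lower" than default


def is_ipv4_multicast(addr: str) -> bool:
    """True if addr is an IPv4 address inside 224.0.0.0/4."""
    try:
        return ipaddress.IPv4Address(addr) in MULTICAST_V4
    except ValueError:
        return False


def check_cluster_settings(overrides: dict) -> list[str]:
    """Merge overrides onto the defaults and return a list of findings (empty = OK)."""
    s = {**DEFAULTS, **overrides}
    findings = []

    # Failover time must be at least twice the heartbeat message period.
    period, failover = s["heartbeat_period_ms"], s["heartbeat_failover_ms"]
    if period <= 0:
        findings.append("Heartbeat Message Period must be positive")
    elif failover < 2 * period:
        findings.append(
            f"Heartbeat Failover Time {failover} ms is below twice the "
            f"Heartbeat Message Period ({2 * period} ms)")

    # Both node-to-node addresses must be IPv4 multicast and not reused.
    for key in ("heartbeat_ip", "sync_ip"):
        if not is_ipv4_multicast(s[key]):
            findings.append(f"{key} {s[key]} is not in 224.0.0.0-239.255.255.255")
    if s["heartbeat_ip"] == s["sync_ip"]:
        findings.append("Heartbeat IP and Synchronization IP must be different addresses")

    # Sync intervals should stay close to their defaults.
    for key in ("full_sync_interval_ms", "incr_sync_interval_ms"):
        value, default = s[key], DEFAULTS[key]
        if value <= 0 or value > default * DEVIATION_FACTOR or value * DEVIATION_FACTOR < default:
            findings.append(f"{key} {value} ms is far from its default of {default} ms")

    # Shared heartbeat network: state sync (and relayed VPN traffic) needs encryption.
    if not s["heartbeat_network_dedicated"] and s["sync_security_level"] != "Encrypt and Sign":
        findings.append(
            "heartbeat interfaces share a network with other traffic: "
            "use Encrypt and Sign as the Sync Security Level")
    return findings


if __name__ == "__main__":
    for finding in check_cluster_settings({"heartbeat_period_ms": 3000, "heartbeat_ip": "10.0.0.5"}):
        print("finding:", finding)
```

Run it with a dictionary of the values you intend to enter; an empty result means every constraint the dialog description states is satisfied, while each finding names the field to correct.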

VPN Settings dialog box

Use this dialog box to change VPN settings.

Option Definition
Gateway Settings The Gateway Settings element that defines performance-related VPN options.
TCP Tunneling Port This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later.
Translate IP Addresses Using NAT Pool When selected, the specified IP address range and port range are used for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks.
IP Address Range IP address range for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks.
Port Range Port range for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks.

Policy Routing dialog box

Use this dialog box to change policy routing settings.

Option Definition
Source IP Address Enter the source IP address. Use an IP address other than the default 0.0.0.0, which matches any IP address; configurations that match any source are handled more easily with the normal routing tools in the Routing pane.
Source Netmask (IPv4 only) Enter the netmask for the source IP address.
Source Prefix (IPv6 only) Enter the network prefix for the source IP address.
Destination IP Address Enter the destination IP address.
Destination Netmask (IPv4 only) Enter the netmask for the destination IP address.
Destination Prefix (IPv6 only) Enter the network prefix for the destination IP address.
Gateway IP Address Enter the IP address of the device to which packets that match the source/destination pair are forwarded.
Comment

(Optional)

A comment for your own reference.
Up Moves the row up in the list.
Down Moves the row down in the list.
Add Adds a row to the table.
Remove Removes the selected row from the table.

Idle Timeouts dialog box

Use this dialog box to change timeouts for removing idle connections from the state table.

Option Definition
Protocol The protocol to use.
Timeout The length of the timeout in seconds.
Set to Default Returns idle timeout changes to the default settings.
Add Adds a protocol to the table. Opens the Select timeout dialog box.
Remove Removes the selected row from the table.

Default SYN Rate Limits dialog box

Use this dialog box to change the default SYN rate limits.

Option Definition
SYN Rate Limits Limits for SYN packets sent to the engine.
  • None — SYN rate limits are disabled.
  • Automatic — The engine automatically calculates the Allowed SYNs per Second and Burst Size values for the interface based on the engine’s capacity and memory size.
  • Custom — Enter custom values for Allowed SYNs per Second and Burst Size.
Allowed SYNs per Second

(Custom only)

The number of allowed SYN packets per second.
Burst Size

(Custom only)

The number of allowed SYNs before the engine starts limiting the SYN rate.
CAUTION:
We recommend setting the burst size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the burst size must be at least 1000.
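The burst-size rule in the caution above is easy to get wrong when values are entered by hand, so the following added example (written for this page, not SMC product code; the function name and argument layout are assumptions) validates a SYN Rate Limits choice: None and Automatic take no custom values, and in Custom mode both values must be positive and Burst Size must be at least one tenth of Allowed SYNs per Second.

```python
"""Validate Default SYN Rate Limits values against the rule stated on this page.

Added example, not SMC product code. Function name and argument layout are
assumptions made for the example.
"""
import math

MODES = ("None", "Automatic", "Custom")


def check_syn_rate_limits(mode: str, allowed_per_second=None, burst_size=None) -> list[str]:
    """Return a list of findings for the chosen mode and values (empty = OK)."""
    if mode not in MODES:
        return [f"unknown SYN rate limit mode {mode!r}"]
    findings = []
    if mode != "Custom":
        # None disables limits; Automatic derives both values from engine capacity,
        # so custom values are ignored in either mode.
        if allowed_per_second is not None or burst_size is not None:
            findings.append(f"{mode} mode ignores custom values")
        return findings
    for name, value in (("Allowed SYNs per Second", allowed_per_second),
                        ("Burst Size", burst_size)):
        if not isinstance(value, int) or value <= 0:
            findings.append(f"{name} must be a positive integer (got {value!r})")
    if findings:
        return findings
    # Burst size must be at least one tenth of the per-second allowance.
    minimum_burst = math.ceil(allowed_per_second / 10)
    if burst_size < minimum_burst:
        findings.append(
            f"Burst Size {burst_size} is below one tenth of Allowed SYNs per Second "
            f"(minimum {minimum_burst})")
    return findings


if __name__ == "__main__":
    print(check_syn_rate_limits("Custom", 10000, 500))
```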

Scan Detection Settings dialog box

Use this dialog box to change scan detection settings.

Option Definition
Scan Detection Mode When you enable scan detection, the number of connections or connection attempts within a time window is counted. If the number of events reaches the limits set in the scan detection options, an alert is generated.
  • Disabled — Scan detection is not enabled.
  • Off (Can Be Overridden in Policy) — Scan detection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — Scan detection is enabled. You can override this setting in individual Access rules if scan detection is not needed or to avoid false positives.
TCP Limits for scan detection in TCP traffic.
UDP Limits for scan detection in UDP traffic.
ICMP Limits for scan detection in ICMP traffic.
Set to Default Returns Scan Detection changes to the default settings.

DoS Protection Settings dialog box

Use this dialog box to change DoS protection settings.

Option Definition
Rate-Based DoS Protection Mode Enables or disables DoS protection, which can help prevent Denial of Service (DoS) attacks.
  • Disabled — DoS protection is not enabled.
  • Off (Can Be Overridden in Policy) — DoS protection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — DoS protection is enabled. You can override this setting in individual Access rules.
SYN Flood Sensitivity When enabled, the engine acts as a SYN proxy. The engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake.
  • Off — SYN Flood Protection is not enabled.
  • Low — Allows the most SYN-ACK timeouts before the engine requires a full TCP handshake with the client before it communicates with a server.
  • Medium — Allows a medium number of SYN-ACK timeouts before the engine requires a full TCP handshake with the client before it communicates with a server. This option is the default setting.
  • High — Allows the fewest SYN-ACK timeouts before the engine requires a full TCP handshake with the client before it communicates with a server.
Slow HTTP Request Sensitivity The engine analyzes the data transfer rate and length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, the engine blacklists the sender’s IP address for a specified length of time.
  • Off — Slow HTTP Request Protection is not enabled.
  • Low — Allows the slowest data transfer rate before the blacklist timeout is applied. This option is the default setting.
  • Medium — Allows a moderately slow data transfer rate before the blacklist timeout is applied.
  • High — Allows the least slow data transfer rate before the blacklist timeout is applied.
Slow HTTP Request Blacklist Timeout The length of time for blacklisting IP addresses that are suspected of sending malicious traffic. Enter the time in seconds (the default is 300).
TCP Reset Sensitivity When enabled, the engine detects the sequence numbers of the TCP RST segments to determine whether it is under a TCP Reset attack.
  • Off — TCP reset protection is not enabled. This option is the default setting.
  • Low — Allows the most TCP reset requests before the engine considers itself to be under attack.
  • Medium — Allows a medium number of TCP reset requests before the engine considers itself to be under attack.
  • High — Allows the fewest TCP reset requests before the engine considers itself to be under attack.