Configure advanced properties for firewall interfaces

Advanced settings for firewall interfaces allow you to configure SYN Rate Limits, Log Compression, and IPv6 Router Advertisements.

SYN Rate Limits are applied to TCP connections. Each TCP connection starts with a SYN packet. If the SYN Rate Limits defined for the Firewall are reached, the Firewall drops new TCP connections.

Log Compression is useful when the routing configuration generates a large volume of antispoofing logs or the number of Discard logs becomes high (for example, as a result of a SYN flood attack).

Router advertisements are packets that contain network layer configuration parameters. Enabling IPv6 Router Advertisements in the Physical Interface properties or Port Group Interface properties of an integrated Switch allows devices that connect to the same IPv6 network as the Firewall to acquire IP addresses automatically. The Router Advertisement messages specify what configuration information the Firewall offers to devices that connect to the same network as the Firewall.

Note: The SYN Rate Limits and Log Compression settings in the interface properties override the general SYN Rate Limits and Log Compression settings that are defined in the Engine Editor.

Steps

  1. Right-click a Single Firewall or Firewall Cluster and select Edit <element type>.
    The Engine Editor opens.
  2. In the navigation pane on the left, select Interfaces.
    The Interfaces pane opens on the right.
  3. Right-click a Physical Interface, a VLAN Interface, an ADSL Interface, a Tunnel Interface, a Wireless Interface, or a Port Group Interface of an integrated Switch and select Edit Physical Interface, Edit VLAN Interface, Edit ADSL Interface, Edit Tunnel Interface, Edit Wireless Interface, or Edit Port Group Interface.
    The properties dialog box for the interface opens.
  4. Switch to the Advanced tab.
  5. Select Override Engine’s Default Settings.
    The options for SYN Rate Limits and Log Compression are enabled.
  6. (Optional) Define the SYN Rate Limits.
    CAUTION:
    The recommended values for the SYN Rate Limits depend on your network environment. If the Custom settings are not carefully configured, the capacity of the Firewall engine might suffer or SYN Rate Limits might not work correctly.
  7. (Optional) Enable Log Compression and enter values for the Antispoofing entries and (optionally) for Discard entries.
    • Do not enable Log Compression if you want all the antispoofing and Discard entries to be logged as separate log entries (for example, for reporting purposes or for Firewall statistics).
    • By default, each generated Antispoofing and Discard log entry is logged separately and displayed as a separate entry in the Logs view. Log Compression settings allow you to define the maximum number of separately logged entries. When the defined limit is reached, a single antispoofing log entry or Discard log entry is logged. The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. After this, the logging returns to normal and all generated entries are once more logged and displayed separately.
  8. (Physical Interfaces or Port Group Interfaces of an integrated Switch only) Select Send IPv6 Router Advertisements and specify what configuration information is offered in the Router Advertisement messages to devices that connect to the same network as the Firewall.
  9. Click OK.
  10. Click Save and Refresh.
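
The Log Compression behavior described in step 7, modeled as an added Python example that is not part of the product or its documentation. It assumes the limit is counted per log type in one-second windows and that the summary entry carries the number of entries that were not logged separately; the record fields, limits, and events are constructed for illustration.

```python
from collections import Counter
from itertools import groupby

# Assumed model (not taken from the product): limits apply per log type per
# one-second window; entries beyond the limit are folded into one summary
# entry whose count is the number of entries that were not logged separately.

def compress(events, limits):
    """events: (second, kind) tuples; limits: {kind: max separate entries}."""
    records = []
    for (second, kind), group in groupby(sorted(events)):
        n = len(list(group))
        limit = limits.get(kind, n)  # no limit configured: log everything
        for _ in range(min(n, limit)):
            records.append({"t": second, "kind": kind,
                            "count": 1, "summary": False})
        if n > limit:
            records.append({"t": second, "kind": kind,
                            "count": n - limit, "summary": True})
    return records

def rows_per_second(records, kind):
    """What a naive row count over the logged entries would report."""
    return dict(Counter(r["t"] for r in records if r["kind"] == kind))

def generated_per_second(records, kind):
    """Entries actually generated, recovered by adding summary counts."""
    totals = Counter()
    for r in records:
        if r["kind"] == kind:
            totals[r["t"]] += r["count"]
    return dict(totals)

# Constructed sample: quiet traffic, then a burst of discards in second 1.
EVENTS = ([(0, "discard")] * 3 + [(1, "discard")] * 500 +
          [(1, "antispoofing")] * 2 + [(2, "discard")] * 4)
LIMITS = {"antispoofing": 5, "discard": 10}  # constructed values
RECORDS = compress(EVENTS, LIMITS)

if __name__ == "__main__":
    print("rows     :", rows_per_second(RECORDS, "discard"))
    print("generated:", generated_per_second(RECORDS, "discard"))
```

In this model a row count shows 11 Discard entries for the burst second where 500 were generated, so reports and alert thresholds built on compressed logs need to add the summary counts.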