Define advanced settings for multiple Single Firewalls

On the Define Advanced Settings for the Firewalls page, you can define various system parameters and traffic handling parameters for the Firewalls.

CAUTION:
Improper adjustments to some of the advanced settings can seriously degrade the performance of the system.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. If you do not want to configure advanced settings, click Next on the Define Advanced Settings for the Firewalls page of the Create Multiple Single Firewalls wizard, then select IP addresses as VPN endpoints for multiple Single Firewalls.
  2. Otherwise, adjust the advanced settings.
    1. Adjust the system parameters of the Firewalls.
    2. Adjust the traffic handling parameters of the Firewalls.
  3. Click Next.
  4. Continue the configuration in the next relevant topic.
    • If you are creating the Firewall elements using POS codes, upload the multiple Single Firewall initial configuration to the Installation Server.
    • Otherwise, select IP addresses as VPN endpoints for multiple Single Firewalls.

Log Handling Settings dialog box

Use this dialog box to change the settings for handling log entries.

Option Definition
Log Spooling Policy Defines what happens when the engine’s log spool becomes full.
  • Stop Traffic — The engine stops processing traffic and goes offline.
  • Discard Log — Log entries are discarded in four stages, according to available space. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. The engine keeps processing traffic.
Log Compression

(Discard Log only)

The maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. After this, logging returns to normal and all generated entries are logged and displayed separately.
Note: Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics).
Set to Default Returns Log Handling changes to the default settings.
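As an added illustration (not Forcepoint code), the following model shows how the Discard Log policy frees spool space class by class, and how Stop Traffic takes the engine offline instead; the capacity, class names and messages are constructed for the example.

```python
# Priority classes in the order the Discard Log policy drops them when the
# spool is full: Monitoring first, then Transient, Stored, and finally Essential.
DISCARD_ORDER = ("monitoring", "transient", "stored", "essential")


class LogSpool:
    """Constructed model of a bounded log spool under the two spooling policies."""

    def __init__(self, capacity, policy="discard"):
        if policy not in ("discard", "stop_traffic"):
            raise ValueError("policy must be 'discard' or 'stop_traffic'")
        self.capacity = capacity
        self.policy = policy
        self.entries = []                               # (class, message) kept
        self.discarded = {c: 0 for c in DISCARD_ORDER}  # dropped entries per class
        self.traffic_online = True                      # False once Stop Traffic fires

    def _lowest_class_present(self):
        for cls in DISCARD_ORDER:
            if any(c == cls for c, _ in self.entries):
                return cls
        return None

    def _drop_one(self, cls):
        idx = next(i for i, (c, _) in enumerate(self.entries) if c == cls)
        del self.entries[idx]
        self.discarded[cls] += 1

    def log(self, cls, message):
        """Spool one entry; returns True if it was kept, False if dropped."""
        if cls not in DISCARD_ORDER:
            raise ValueError(f"unknown log class {cls!r}")
        if not self.traffic_online:
            return False
        if len(self.entries) >= self.capacity:
            if self.policy == "stop_traffic":
                self.traffic_online = False  # engine goes offline rather than dropping
                return False
            # Discard Log: free space by dropping a less important class; if nothing
            # less important is spooled, the new entry itself is discarded.
            victim = self._lowest_class_present()
            if victim is None or DISCARD_ORDER.index(victim) >= DISCARD_ORDER.index(cls):
                self.discarded[cls] += 1
                return False
            self._drop_one(victim)
        self.entries.append((cls, message))
        return True
```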

Traffic Handling dialog box

Use this dialog box to change advanced parameters that control how the engine handles traffic.

Option Definition
Connection Tracking Mode

(IPS engines and Layer 2 Firewalls only)

Layer 3 Connection Tracking Mode

(Firewalls only)

When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.

You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

  • Normal — The engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The engine checks the traffic direction and the port parameters of UDP traffic.
  • Strict — The engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
  • Loose — The engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the engine to receive non-standard traffic patterns.
On Firewalls and Layer 2 Firewalls, Normal is the default setting. On IPS engines, Loose is the default setting.
Virtual Defragmenting

(Not Virtual NGFW Engines)

(Not editable on IPS engines)

When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the engine.

When the engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued on the engine until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented.

Strict TCP Mode for Deep Inspection

(Not Virtual NGFW Engines)

This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.8.0 or later.
Concurrent Connection Limit

(Not Virtual NGFW Engines)

A global limit for the number of open connections. When the set number of connections is reached, the engine refuses new connection attempts until a previously open connection is closed.
Default Connection Termination in Access Policy

(IPS engines and Layer 2 Firewalls only)

Defines how connections that match Access rules with the Discard action are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Default Connection Termination in Inspection Policy Defines how connections that match rules with the Terminate action in the Inspection Policy are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Action When TCP Connection Does Not Start With a SYN Packet

(Firewalls only)

The engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection matches an Access rule with the Allow action. The engine does not send a TCP reset if the TCP connection begins with a TCP reset packet.
  • Discard Silently — The connection is silently dropped.
  • Refuse With TCP Reset — The connection is refused, and a TCP reset packet is returned.
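The following added example (not engine code) models two behaviours described above: reply packets of a tracked connection pass without an explicit Access rule, and an untracked TCP packet that is not a SYN is refused according to the Discard Silently / Refuse With TCP Reset setting, with no reset sent for a stray RST. Handshake tracking is simplified to the SYN, and the Access rule verdict is passed in as an assumed policy-lookup result.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


class ConnectionTracker:
    """Constructed model of the state table plus the non-SYN action setting.
    non_syn_action is 'discard' (Discard Silently) or 'reset' (Refuse With TCP Reset)."""

    def __init__(self, non_syn_action="discard"):
        if non_syn_action not in ("discard", "reset"):
            raise ValueError("non_syn_action must be 'discard' or 'reset'")
        self.non_syn_action = non_syn_action
        self.connections = set()   # (client, cport, server, sport) of tracked flows
        self.resets_sent = 0

    def handle(self, pkt, access_rule_allows):
        """Decide what happens to pkt. access_rule_allows is the Access rule
        verdict for a new connection (assumed to come from the policy lookup)."""
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.connections or reverse in self.connections:
            # Part of a tracked connection: replies need no explicit Access rule.
            return "allow"
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            if not access_rule_allows:
                return "discard"
            self.connections.add(forward)   # handshake tracking simplified to the SYN
            return "allow"
        # Untracked and not a SYN: refused even when an Access rule would allow it.
        if "RST" in pkt.flags or self.non_syn_action == "discard":
            return "discard"            # no reset is sent in reply to a stray RST
        self.resets_sent += 1
        return "refuse_with_rst"
```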

VPN Settings dialog box

Use this dialog box to change VPN settings.

Option Definition
Gateway Settings The Gateway Settings element that defines performance-related VPN options.
TCP Tunneling Port This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later.
Translate IP Addresses Using NAT Pool When selected, the specified IP address range and port range are used for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks.
IP Address Range IP address range for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks.
Port Range Port range for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks.

Policy Routing dialog box

Use this dialog box to change policy routing settings.

Option Definition
Source IP Address Enter the source IP address. Do not use the default 0.0.0.0, which matches any IP address: routes that apply to any source are handled more easily with the normal routing tools in the Routing pane.
Source Netmask (IPv4 only) Enter the netmask for the source IP address.
Source Prefix (IPv6 only) Enter the network prefix for the source IP address.
Destination IP Address Enter the destination IP address.
Destination Netmask (IPv4 only) Enter the netmask for the destination IP address.
Destination Prefix (IPv6 only) Enter the network prefix for the destination IP address.
Gateway IP Address Enter the IP address of the device to which packets that match the source/destination pair are forwarded.
Comment

(Optional)

A comment for your own reference.
Up Moves the row up in the list.
Down Moves the row down in the list.
Add Adds a row to the table.
Remove Removes the selected row from the table.

Idle Timeouts dialog box

Use this dialog box to change timeouts for removing idle connections from the state table.

Option Definition
Protocol The protocol to use.
Timeout The length of the timeout in seconds.
Set to Default Returns idle timeout changes to the default settings.
Add Adds a protocol to the table. Opens the Select timeout dialog box.
Remove Removes the selected row from the table.

Default SYN Rate Limits dialog box

Use this dialog box to change the default SYN rate limits.

Option Definition
SYN Rate Limits Limits for SYN packets sent to the engine.
  • None — SYN rate limits are disabled.
  • Automatic — The engine automatically calculates the Allowed SYNs per Second and Burst Size values for the interface based on the engine’s capacity and memory size.
  • Custom — Enter custom values for Allowed SYNs per Second and Burst Size.
Allowed SYNs per Second

(Custom only)

The number of allowed SYN packets per second.
Burst Size

(Custom only)

The number of allowed SYNs before the engine starts limiting the SYN rate.
CAUTION:
We recommend setting the burst size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the burst size must be at least 1000.
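The following added example (not Forcepoint code) models the SYN rate limit as a token bucket and runs it against constructed traffic to show why the burst size matters: with Allowed SYNs per Second 10000 and a burst size of 1000, a client that sends 5000 SYN/s in bursts passes untouched and a 50000 SYN/s flood is cut to roughly the configured rate, whereas a burst size of 10 limits the same legitimate client to about 100 SYN/s. The token-bucket model and traffic shapes are assumptions for the illustration.

```python
class SynRateLimiter:
    """Token bucket: `rate` tokens per second refill, at most `burst` stored.
    One SYN consumes one token; a SYN that finds no token is rate limited."""

    def __init__(self, allowed_syns_per_second, burst_size):
        self.rate = float(allowed_syns_per_second)
        self.burst = float(burst_size)
        self.tokens = self.burst
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_arrivals(allowed_syns_per_second, burst_size, arrival_times):
    """Return (accepted, limited) counts for SYNs arriving at the given times."""
    limiter = SynRateLimiter(allowed_syns_per_second, burst_size)
    accepted = sum(1 for t in sorted(arrival_times) if limiter.allow(t))
    return accepted, len(arrival_times) - accepted


def bursty_client(batches=10, per_batch=500, interval=0.1):
    """Constructed legitimate load: 5000 SYN/s on average, arriving in bursts."""
    return [b * interval for b in range(batches) for _ in range(per_batch)]


def syn_flood(rate=50000, seconds=1.0):
    """Constructed flood: SYNs spaced evenly at `rate` per second."""
    return [i / rate for i in range(int(rate * seconds))]


if __name__ == "__main__":
    # Page guidance: Allowed SYNs per Second 10000 needs a burst size of at least 1000.
    print("legit, burst 1000:", run_arrivals(10000, 1000, bursty_client()))  # all accepted
    print("legit, burst 10:  ", run_arrivals(10000, 10, bursty_client()))    # mostly limited
    print("flood, burst 1000:", run_arrivals(10000, 1000, syn_flood()))      # ~11000 pass
```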

Scan Detection Settings dialog box

Use this dialog box to change scan detection settings.

Option Definition
Scan Detection Mode When you enable scan detection, the number of connections or connection attempts within a time window is counted. If the number of events reaches the limits set in the scan detection options, an alert is generated.
  • Disabled — Scan detection is not enabled.
  • Off (Can Be Overridden in Policy) — Scan detection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — Scan detection is enabled. You can override this setting in individual Access rules if scan detection is not needed or to avoid false positives.
TCP Limits for scan detection in TCP traffic.
UDP Limits for scan detection in UDP traffic.
ICMP Limits for scan detection in ICMP traffic.
Set to Default Returns Scan Detection changes to the default settings.
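As an added example of the counting logic described above (not the engine's implementation), this detector keeps a sliding time window of connection attempts per source and protocol over constructed log lines and raises one alert when a per-protocol limit is reached; the line format, limits and window length are assumptions, since the page does not give the engine's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed per-protocol limits: events per source within the time window.
SCAN_LIMITS = {"TCP": 5, "UDP": 5, "ICMP": 10}
SCAN_WINDOW = timedelta(seconds=10)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>TCP|UDP|ICMP) src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


def detect_scans(log_lines, limits=SCAN_LIMITS, window=SCAN_WINDOW):
    """Count connection attempts per (source, protocol) in a sliding window and
    return one alert (src, proto, timestamp) the first time a limit is reached."""
    recent = defaultdict(deque)   # (src, proto) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # not a connection event line
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["proto"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:    # drop events older than the window
            q.popleft()
        if len(q) >= limits[m["proto"]] and key not in alerted:
            alerted.add(key)
            alerts.append((m["src"], m["proto"], ts))
    return alerts


# Constructed sample: 10.0.0.5 probes six hosts on TCP/22 within five seconds,
# while 10.0.0.9 makes three UDP attempts spread over half a minute.
SAMPLE_LOG = [
    f"2024-01-01T10:00:0{i} proto=TCP src=10.0.0.5 dst=10.0.1.{i + 1} dport=22 action=discard"
    for i in range(6)
] + [
    "2024-01-01T10:00:00 proto=UDP src=10.0.0.9 dst=10.0.1.1 dport=53 action=allow",
    "2024-01-01T10:00:15 proto=UDP src=10.0.0.9 dst=10.0.1.2 dport=53 action=allow",
    "2024-01-01T10:00:30 proto=UDP src=10.0.0.9 dst=10.0.1.3 dport=53 action=allow",
]

if __name__ == "__main__":
    print(detect_scans(SAMPLE_LOG))
```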

DoS Protection Settings dialog box

Use this dialog box to change DoS protection settings.

Option Definition
Rate-Based DoS Protection Mode Enables or disables DoS protection, which can help prevent Denial of Service (DoS) attacks.
  • Disabled — DoS protection is not enabled.
  • Off (Can Be Overridden in Policy) — DoS protection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — DoS protection is enabled. You can override this setting in individual Access rules.
SYN Flood Sensitivity When enabled, the engine acts as a SYN proxy. The engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake.
  • Off — SYN Flood Protection is not enabled.
  • Low — Allows the most SYN-ACK timeouts before the engine requires a full TCP handshake with the client before it communicates with a server.
  • Medium — Allows a medium number of SYN-ACK timeouts before the engine requires a full TCP handshake with the client before it communicates with a server. This option is the default setting.
  • High — Allows the fewest SYN-ACK timeouts before the engine requires a full TCP handshake with the client before it communicates with a server.
Slow HTTP Request Sensitivity The engine analyzes the data transfer rate and length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, the engine blacklists the sender’s IP address for a specified length of time.
  • Off — Slow HTTP Request Protection is not enabled.
  • Low — Allows the slowest data transfer rate before the blacklist timeout is applied. This option is the default setting.
  • Medium — Allows a moderately slow data transfer rate before the blacklist timeout is applied.
  • High — Allows the smallest slowdown in data transfer rate before the blacklist timeout is applied.
Slow HTTP Request Blacklist Timeout The length of time for blacklisting IP addresses that are suspected of sending malicious traffic. Enter the time in seconds (the default is 300).
TCP Reset Sensitivity When enabled, the engine inspects the sequence numbers of TCP RST segments to determine whether it is under a TCP reset attack.
  • Off — TCP reset protection is not enabled. This option is the default setting.
  • Low — Allows the most TCP reset requests before the engine considers itself to be under attack.
  • Medium — Allows a medium number of TCP reset requests before the engine considers itself to be under attack.
  • High — Allows the fewest TCP reset requests before the engine considers itself to be under attack.
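The following added example (not engine code) models the Slow HTTP Request protection described above: header bytes of each connection are timed, a sender whose header transfer rate falls below the threshold for the chosen sensitivity is blacklisted for the configured timeout (300 seconds by default), and the blacklisting expires on its own. The per-sensitivity rates and the observation period are constructed assumptions.

```python
# Constructed minimum header transfer rates (bytes per second) for each
# sensitivity; the engine's real thresholds are not given on this page.
MIN_HEADER_RATE = {"off": None, "low": 2.0, "medium": 10.0, "high": 50.0}
OBSERVE_SECONDS = 5.0   # constructed: judge the rate only after this much header time


class SlowHttpGuard:
    """Constructed model of Slow HTTP Request Sensitivity plus the blacklist timeout."""

    def __init__(self, sensitivity="low", blacklist_timeout=300):
        self.min_rate = MIN_HEADER_RATE[sensitivity]
        self.timeout = blacklist_timeout
        self.blacklist = {}      # client ip -> time the blacklisting expires
        self.in_progress = {}    # (ip, port) -> [first_byte_time, header_bytes]

    def is_blacklisted(self, ip, now):
        expires = self.blacklist.get(ip)
        if expires is None:
            return False
        if now >= expires:       # timeout elapsed: the address is released
            del self.blacklist[ip]
            return False
        return True

    def header_bytes(self, ip, port, now, nbytes):
        """Account header bytes for one connection; returns 'allow' or 'blacklisted'."""
        if self.is_blacklisted(ip, now):
            return "blacklisted"
        entry = self.in_progress.setdefault((ip, port), [now, 0])
        entry[1] += nbytes
        elapsed = now - entry[0]
        if self.min_rate is None or elapsed < OBSERVE_SECONDS:
            return "allow"       # protection off, or too early to judge the rate
        if entry[1] / elapsed < self.min_rate:
            self.blacklist[ip] = now + self.timeout
            del self.in_progress[(ip, port)]
            return "blacklisted"
        return "allow"

    def header_complete(self, ip, port):
        """Headers fully read: the connection leaves the slow-request watch."""
        self.in_progress.pop((ip, port), None)
```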