Supported advanced Sidewinder Proxy settings
This table lists the most commonly used advanced settings for Sidewinder Proxies.
Note: All advanced Sidewinder Proxy settings can be configured for Firewalls. Some settings can be
configured for Master NGFW Engines or for Virtual Firewalls. Settings that do not apply to the
type of engine on which they are configured are ignored.
| Property | Supported proxy types | Accepted values | Default value | Supported engine types | Description |
|---|---|---|---|---|---|
| allow_client_half_close |
HTTP |
0 or 1 | 1 | Firewall | If 1, allows clients to receive data after indicating that they will send no more. |
| debug_level |
HTTP SSH TCP UDP |
0–4 | 0 | Firewall, Master NGFW Engine | If any value other than 0, enables debugging messages. Higher values produce more output. See also send_debug_to_log. |
| display_user_warning_ttl |
HTTP |
Numerical values in seconds | 43200 | Firewall | The default time an entry stays in the decryption warning page cache. |
| display_user_warning_dest |
HTTP |
0 or 1 | 0 | Firewall | If 1, the decryption warning page is displayed for each unique combination of source and destination address. If 0, the decryption warning page is displayed for each unique source address. |
| enable_certificate_revocation_ check |
HTTP |
0 or 1 | 1 | Firewall | If 1, the HTTP proxy validates the status of server certificates using certificate revocation lists (CRLs) or on-line certificate status protocol (OCSP). |
| encoded_url_max |
HTTP |
Numerical values in kilobytes | 100000 (100 megabytes) | Firewall, Master NGFW Engine | Maximum size of an encoded URL that can be decoded in normalization. Normalization can make up to 6 copies of a URL. |
| header_waiting |
HTTP |
0–100 | 25 | Firewall, Master NGFW Engine | Limit for the percentage of proxy sessions waiting for additional HTTP header information. If this limit is reached, half of the waiting sessions are discarded. |
| max_header_total_size |
HTTP |
Numerical values | 65536 | Firewall | Maximum size of all HTTP header data (not just individual lines). |
| net.inet.ip.random_id |
HTTP SSH TCP UDP |
0 or 1 | 0 | Firewall | If 1, assigns random ip_id values to outgoing IPv4 packets. The default behavior is to assign a random initial value for each proxy instance, and increment for each outgoing packet. |
| net.inet.ip.ttl |
HTTP SSH TCP UDP |
Numerical values in the number of hops | 64 | Firewall | The maximum time to live (TTL) in hops for IPv4 packets that are sent. |
| net.inet.tcp.always_keepalive |
HTTP SSH TCP |
0 or 1 | 1 | Firewall | If 1, enables use of TCP keepalive probes on all connections. |
| net.inet.tcp.drop_synfin |
HTTP SSH TCP |
0 or 1 | 1 | Firewall | If 1, drops TCP packets that have SYN+FIN set. |
| net.inet.tcp.keepidle |
HTTP SSH TCP |
Numerical values in milliseconds | 7200000 (2 hours) | Firewall | Time, in milliseconds, that the connection must be idle before keepalive probes are sent. |
| net.inet.tcp.keepinit |
HTTP SSH TCP |
Numerical values in milliseconds | 75000 (75 seconds) | Firewall | Time allowed to establish connection. |
| net.inet.tcp.keepintvl |
HTTP SSH TCP |
Numerical values in milliseconds | 75000 (75 seconds) | Firewall | Time between keepalive probes. |
| net.inet.tcp.msl |
HTTP SSH TCP |
Numerical values in milliseconds | 15000 (15 seconds, TCP TIME_WAIT time 30 seconds) | Firewall | Maximum segment lifetime. The default TCP TIME_WAIT time is double this value. |
| net.inet.tcp.recvbuf_auto |
HTTP SSH TCP |
0 or 1 | 1 | Firewall | If 1, enables automatic receive buffer sizing. |
| net.inet.tcp.recvbuf_inc |
HTTP SSH TCP |
Numerical values in bytes | 16K | Firewall | Incrementor step size of automatic receive buffer. Use the following suffixes to specify larger values:
|
| net.inet.tcp.recvbuf_max |
HTTP SSH TCP |
Numerical values in bytes | 96K | Firewall | Maximum size of automatic receive buffer. Use the following suffixes to specify larger values:
|
| net.inet.tcp.recvspace |
HTTP SSH TCP |
Numerical values in bytes | 64K | Firewall | Size of the initial TCP receive window. Use the following suffixes to specify larger values:
|
| net.inet.tcp.rfc1323 |
HTTP SSH TCP |
0 or 1 | 1 | Firewall | If 1, enables the TCP timestamp option and window scaling option specified in RFC 1323, which allows per-packet timestamps, protection against wrapped sequences, and windows larger than 65535 bytes. |
| net.inet.tcp.sendbuf_auto |
HTTP SSH TCP |
0 or 1 | 1 | Firewall | If 1, enables automatic send buffer sizing. |
| net.inet.tcp.sendbuf_inc |
HTTP SSH TCP |
Numerical values in bytes | 8K | Firewall | Incrementor step size of automatic send buffer. Use the following suffixes to specify larger values:
|
| net.inet.tcp.sendspace |
HTTP SSH TCP |
Numerical values in bytes | 32K | Firewall | Size of the initial TCP send window. Use the following suffixes to specify larger values:
|
| net.inet.udp.checksum |
UDP |
0 or 1 | 1 | Firewall | If 1, requires checksums on incoming UDP packets. |
| net.inet6.ip6.hlim |
HTTP SSH TCP UDP |
Numerical values | 64 | Firewall, Virtual Firewall | The hop limit for IPv6 packets that are sent. |
| reserved_allowed |
SSH |
0 or 1 | 1 | Firewall | If 1, allows messages in the reserved range. |
| send_debug_to_log |
HTTP SSH TCP UDP |
0 or 1 | 1 | Firewall, Master NGFW Engine | If 1, debugging messages are sent to the Log Server. If 0, messages are written to a file. Note: Change this value only if
instructed to do so by Forcepoint
support.
|
| server_requests_allowed |
SSH |
0 or 1 | 1 | Firewall | If 1, allows global requests from the server. |
| server_channels_allowed |
SSH |
0 or 1 | 1 | Firewall | If 1, allows the server to open channels. |
| sftp_extensions_allowed |
SSH |
0 or 1 | 1 | Firewall | If 1, allows local SFTP extension commands. |
| ssh_extensions_allowed |
SSH |
0 or 1 | 1 | Firewall | If 1, allows local SSH extension messages. |
| tls_cipher_override |
HTTP |
A single valid OpenSSL cipher string | ALL:-SEED: -RC4: -CAMELLIA: -PSK: -MD5: -SRP:-DES: -ADH: -AECDH: -kDH: -kECDH: -IDEA@ STRENGTH | Firewall | The list of cipher algorithms that the HTTP Proxy negotiates with its peers. The default cipher list includes only cipher
algorithms that are allowed in FIPS mode. Minus signs (-) exclude the specified ciphers from the ALL list. Tip: You can use this setting to restrict the default cipher list or to add more cipher algorithms.
|
| tls_curves_override |
HTTP |
A colon-separated list of OpenSSL elliptic curve names | P-521:P-384: P-256 | Firewall | The list of the elliptic curves supported by the HTTP Proxy. The default list includes only elliptic curves that are allowed in FIPS mode. |
| tls_key_curve_override |
HTTP |
A single OpenSSL elliptic curve name | P-521 | Firewall | The default curve that the HTTP Proxy uses to generate the elliptic curve private key for substitute certificates. |
| tls_protocol_override |
HTTP |
A colon-separated list of TLS version strings. Valid version strings are SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2. | TLSv1.0: TLSv1.1: TLSv1.2 | Firewall | The TLS protocol versions supported by the HTTP Proxy. The default list includes only TLS protocol versions that are allowed in
FIPS mode. Tip: You can use this setting to restrict the default list or to add TLS versions, such as SSLv3, that are not
included in the default list.
|
| undefined_allowed |
SSH |
0 or 1 | 1 | Firewall | If 1, allows messages for which the proxy does not have a protocol handler. |