Table of Contents
Advertisement
Table 48 Security > Firewall > Threshold (continued)
LABEL
One Minute High
Maximum
Incomplete Low
Maximum
Incomplete High
TCP Maximum
Incomplete
Action taken
when TCP
Maximum
Incomplete
reached
threshold
Apply
Cancel
IAD User's Guide
DESCRIPTION
This is the rate of new half-open sessions per minute that causes the
firewall to start deleting half-open sessions. When the rate of new
connection attempts rises above this number, the IAD deletes half-
open sessions as required to accommodate new connection attempts.
For example, if you set the one minute high to 100, the IAD starts
deleting half-open sessions when more than 100 session establishment
attempts have been detected in the last minute. It stops deleting half-
open sessions when the number of session establishment attempts
detected in a minute goes below the number set as the one minute
low.
This is the number of existing half-open sessions that causes the
firewall to stop deleting half-open sessions. The IAD continues to
delete half-open requests as necessary, until the number of existing
half-open sessions drops below this number.
This is the number of existing half-open sessions that causes the
firewall to start deleting half-open sessions. When the number of
existing half-open sessions rises above this number, the IAD deletes
half-open sessions as required to accommodate new connection
requests. Do not set Maximum Incomplete High to lower than the
current Maximum Incomplete Low number.
For example, if you set the maximum incomplete high to 100, the IAD
starts deleting half-open sessions when the number of existing half-
open sessions rises above 100. It stops deleting half-open sessions
when the number of existing half-open sessions drops below the
number set as the maximum incomplete low.
An unusually high number of half-open sessions with the same
destination host address could indicate that a DoS attack is being
launched against the host.
Specify the number of existing half-open TCP sessions with the same
destination host IP address that causes the firewall to start dropping
half-open sessions to that same destination host IP address. Enter a
number between 1 and 256. As a general rule, you should choose a
smaller number for a smaller network, a slower system or limited
bandwidth. The IAD sends alerts whenever the TCP Maximum
Incomplete is exceeded.
Select the action that IAD should take when the TCP maximum
incomplete threshold is reached. You can have the IAD either:
Delete the oldest half open session when a new connection request
comes.
or
Deny new connection requests for the number of minutes that you
specify (between 1 and 255).
Click Apply to save your changes back to the IAD.
Click Cancel to begin configuring this screen afresh.
Chapter 12 Firewalls
153
Advertisement
Table of Contents
