Global Network Parameters
Global network parameter configuration covers IP fragment handling, TCP packet processing and other options.
To configure global network parameters, take the following steps:
- Select Network > Global Network Parameters > Global Network Parameters.
- Configure the following parameters.

IP Fragment
- Maximum Fragment Number: Specifies the maximum number of fragments allowed for one IP packet. The value range is 1 to 1024; the default value is 48. Any IP packet that contains more fragments than this number will be dropped.
- Timeout: Specifies the timeout period for fragment reassembly. The value range is 1 to 30; the default value is 2. If the Hillstone device has not received all the fragments when the timeout expires, the packet will be dropped.
- Long Duration Session: Enables or disables long duration sessions. If this function is enabled, specify the percentage of long duration sessions in the Percentage text box below. The default value is 10, i.e., long duration sessions may account for 10% of all sessions.

TCP
- TCP MSS: Specifies an MSS value for all TCP SYN/ACK packets. Click the Enable button, and type the value into the Maximum MSS text box below.
- Maximum MSS: Type the maximum MSS value into the Maximum MSS text box below. The value range is 64 to 65535; the default value is 1448.
- TCP MSS VPN: Specifies an MSS value for the TCP SYN packets of IPSec VPN. Click the Enable button, and type the value into the Maximum MSS text box below.
- Maximum MSS (IPSec VPN): Type the maximum MSS value for IPSec VPN into the Maximum MSS text box below. The value range is 64 to 65535; the default value is 1380.
- TCP Sequence Number Check: Specifies whether the TCP sequence number is checked. When this function is enabled, a TCP packet whose sequence number falls outside the TCP window will be dropped.
- TCP Three-way Handshaking: Specifies whether the timeout of the TCP three-way handshake is checked. Click the Enable button to enable this function, and specify a timeout value in the Timeout text box below. The value range is 1 to 1800 seconds; the default value is 20. If the three-way handshake has not been completed when the timeout expires, the connection will be dropped.
- TCP SYN Packet Check: Click the Enable button to enable this function and specify the action for TCP non-SYN packets. When the received packet is a TCP SYN packet, the TCP connection will be established. When the received packet is a TCP non-SYN packet, the packet will be processed according to the specified action:
  - drop: When the received packet is a TCP non-SYN packet, the system will drop the packet.
  - reset: When the received packet is a TCP non-SYN packet, the system will drop the packet and send an RST packet to the peer device.

Others
- Non-IP and Non-ARP Packet: Specifies how to process packets that are neither IP nor ARP.
- Jumbo Frame: Click the Enable/Disable button to enable or disable the Jumbo Frame function. This function is enabled by default. With the Jumbo Frame function enabled, the system can forward packets of up to 9216 bytes as follows:
  - For IPv4/IPv6 packets that are smaller than the MTU value of the outbound interface, forward them directly.
  - For IPv4 packets that are larger than the MTU value of the outbound interface, forward them in fragments.
  - For IPv6 packets that are larger than the MTU value of the outbound interface, send an "ICMPv6 Packet Too Big" error message to the source node of the packets, prompting the sender to reduce the packet length.
  When the Jumbo Frame function is enabled, the configurable MTU range of the interface changes. For more information about configuring the MTU value of an interface, see Configuring an Interface.
- Click OK.
Configuring Protection Mode
To configure the protection mode, take the following steps:
- Select Network > Global Network Parameters > Protection Mode.
- Configure the traffic working mode.
  - Log only: The system only generates protocol anomaly alarms and attack behavior logs; it does not block attackers or reset connections.
  - Protect: The system not only records the attack behavior detected by Intrusion Prevention System, Anti-Virus, AD, Policy and Black list, but also resets the connection or blocks the access.
Log & reset (Protect) mode is recommended. In this mode, the security functions of the device take effect normally. If Log only mode is selected, the system can only record logs, and the functions that block traffic, including policy, IPS, AV, QoS, etc., are ineffective.