Administrator’s Handbook

Stateful Inspection

Stateful inspection options are accessed by the security state-insptag.

set security state-insp [ ip-ppp dsl ] vccn option [ off on ] set security state-insp ethernet [ A B ] option [ off on ]

Sets the stateful inspection option off or on on the specified interface. This option is disabled by default. Stateful inspection prevents unsolicited inbound access when NAT is disabled.

set security state-insp [ ip-ppp dsl ] vccn default-mapping [ off on ]

set security state-insp ethernet [ A B ] default-mapping [ off on ]

Sets stateful inspection default mapping to router option off or on on the specified interface.

set security state-insp [ ip-ppp dsl ] vccn tcp-seq-diff [ 0 - 65535 ]

set security state-insp ethernet [ A B ] tcp-seq-diff [ 0 - 65535 ]

Sets the acceptable TCP sequence difference on the specified interface. The TCP sequence number differ- ence maximum allowed value is 65535. If the value of tcp-seq-diffis 0, it means that this check is dis- abled.

set security state-insp [ ip-ppp dsl ] vccn deny-fragments [ off on ]

set security state-insp ethernet [ A B ] deny-fragments [ off on ]

Sets whether fragmented packets are allowed to be received or not on the specified interface.

set security state-insp tcp-timeout [ 30 - 65535 ]

Sets the stateful inspection TCP timeout interval, in seconds.

set security state-insp udp-timeout [ 30 - 65535 ]

Sets the stateful inspection UDP timeout interval, in seconds.

set security state-insp dos-detect [ off on ]

Enables or disables the stateful inspection Denial of Service detection feature. If set to on, the device will monitor packets for Denial of Service (DoS) attack. Offending packets may be discarded if it is determined to be a DoS attack.

292

Page 292
Image 292
Motorola 7000, 3352N, 3342, 2200 manual Set security state-insp tcp-timeout 30, Set security state-insp udp-timeout 30, 292