Chapter 11 Firewall
The following table describes the labels in this screen.
Table 73 SECURITY > FIREWALL > Threshold
LABEL | DESCRIPTION
Disable DoS Protection on | Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Service protection thresholds. This disables DoS protection on the selected interface (or all VPN tunnels). You may want to disable DoS protection for an interface if the ZyWALL is treating valid traffic as DoS attacks. Another option would be to raise the thresholds.
Denial of Service Thresholds | The ZyWALL measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.
One Minute Low | This is the rate of new half-open sessions per minute that causes the firewall to stop deleting half-open sessions. The ZyWALL continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number.
One Minute High | This is the rate of new half-open sessions per minute that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection attempts. For example, if you set the one minute high to 100, the ZyWALL starts deleting half-open sessions when more than 100 session establishment attempts have been detected in the last minute. It stops deleting half-open sessions when the number of session establishment attempts detected in a minute goes below the number set as the one minute low.
Maximum Incomplete Low | This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyWALL continues to delete half-open sessions as necessary, until the number of existing half-open sessions drops below this number.
Maximum Incomplete High | This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High lower than the current Maximum Incomplete Low number. For example, if you set the maximum incomplete high to 100, the ZyWALL starts deleting half-open sessions when the number of existing half-open sessions rises above 100. It stops deleting half-open sessions when the number of existing half-open sessions drops below the number set as the maximum incomplete low.
TCP Maximum Incomplete | An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against the host. Specify the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 256. As a general rule, you should choose a smaller number for a smaller network, a slower system or limited bandwidth. The ZyWALL sends alerts whenever the TCP Maximum Incomplete is exceeded.
Action taken when TCP Maximum Incomplete reached threshold | Select the action that the ZyWALL should take when the TCP maximum incomplete threshold is reached. You can have the ZyWALL either delete the oldest half-open session when a new connection request comes, or deny new connection requests for the number of minutes that you specify (between 1 and 256).
Apply | Click Apply to save your changes back to the ZyWALL.
Reset | Click Reset to begin configuring this screen afresh.
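The four thresholds above form two hysteresis bands (a rate band and a count band) that are only re-evaluated once a minute, while the per-host TCP Maximum Incomplete limit reacts on every new connection request. The following Python model is an added example, not ZyXEL firmware or code from this guide: it implements the behaviour the table describes so the interaction of the settings can be traced against a constructed SYN flood. Class and method names (`HalfOpenMonitor`, `new_attempt`, `minute_tick`, `simulate`) are this example's own, the "rate" is modelled as attempts counted per minute, and "deleting as required to accommodate new connection attempts" is modelled as dropping the oldest half-open session when a new attempt arrives while a deletion mode is active; the addresses are documentation ranges.

```python
"""Model of the Threshold screen's DoS logic (added example, not ZyXEL's code)."""
from collections import OrderedDict


class HalfOpenMonitor:
    """Tracks half-open sessions as the table describes: a once-a-minute
    rate/count measurement with High/Low hysteresis, plus a per-destination
    TCP limit with the two configurable actions. Names are this example's own."""

    def __init__(self, one_minute_low, one_minute_high,
                 max_incomplete_low, max_incomplete_high,
                 tcp_max_incomplete, action="delete_oldest", block_minutes=1):
        # Caveat from the manual: High must not be set below Low.
        if max_incomplete_high < max_incomplete_low:
            raise ValueError("Maximum Incomplete High is below Maximum Incomplete Low")
        if not 1 <= tcp_max_incomplete <= 256:
            raise ValueError("TCP Maximum Incomplete must be 1..256")
        if action not in ("delete_oldest", "block") or not 1 <= block_minutes <= 256:
            raise ValueError("action must be delete_oldest or block (1..256 minutes)")
        self.one_minute_low, self.one_minute_high = one_minute_low, one_minute_high
        self.max_incomplete_low, self.max_incomplete_high = max_incomplete_low, max_incomplete_high
        self.tcp_max_incomplete, self.action, self.block_minutes = tcp_max_incomplete, action, block_minutes
        self.half_open = OrderedDict()   # 5-tuple -> (proto, dst); insertion order = age
        self.attempts_this_minute = 0
        self.rate_deleting = False       # driven by One Minute High / Low
        self.count_deleting = False      # driven by Maximum Incomplete High / Low
        self.blocked_until = {}          # dst -> minute at which the deny period ends
        self.alerts = []                 # (minute, dst, count) per TCP Maximum Incomplete hit

    def _tcp_half_open_to(self, dst):
        return [k for k, (p, d) in self.half_open.items() if p == "tcp" and d == dst]

    def new_attempt(self, minute, proto, src, sport, dst, dport):
        """A SYN (or first UDP datagram) arrives. Returns 'accepted' or 'denied'."""
        self.attempts_this_minute += 1
        if self.blocked_until.get(dst, -1) > minute:
            return "denied"                         # inside the deny window for this host
        if (self.rate_deleting or self.count_deleting) and self.half_open:
            self.half_open.popitem(last=False)      # make room: drop the oldest half-open session
        self.half_open[(proto, src, sport, dst, dport)] = (proto, dst)
        if proto == "tcp":
            to_dst = self._tcp_half_open_to(dst)
            if len(to_dst) > self.tcp_max_incomplete:
                self.alerts.append((minute, dst, len(to_dst)))
                if self.action == "delete_oldest":
                    del self.half_open[to_dst[0]]   # oldest half-open session to that host
                else:
                    self.blocked_until[dst] = minute + self.block_minutes
        return "accepted"

    def completed(self, proto, src, sport, dst, dport):
        """Handshake finished or session torn down: it is no longer half-open."""
        self.half_open.pop((proto, src, sport, dst, dport), None)

    def minute_tick(self):
        """Once-a-minute measurement: apply both hysteresis bands, reset the rate counter."""
        rate, count = self.attempts_this_minute, len(self.half_open)
        if rate > self.one_minute_high:
            self.rate_deleting = True
        elif rate < self.one_minute_low:
            self.rate_deleting = False
        if count > self.max_incomplete_high:
            self.count_deleting = True
        elif count < self.max_incomplete_low:
            self.count_deleting = False
        self.attempts_this_minute = 0
        return rate, count


def simulate(action="delete_oldest"):
    """Constructed scenario: 150 SYNs to one host in minute 0, then 30 normal
    SYNs to another host in minute 1. Addresses are documentation ranges."""
    mon = HalfOpenMonitor(one_minute_low=50, one_minute_high=100,
                          max_incomplete_low=80, max_incomplete_high=120,
                          tcp_max_incomplete=5, action=action, block_minutes=2)
    flood = [mon.new_attempt(0, "tcp", f"198.51.100.{i % 250}", 40000 + i, "192.0.2.10", 80)
             for i in range(150)]
    rate0, count0 = mon.minute_tick()
    deleting_after_min0 = mon.rate_deleting
    normal = [mon.new_attempt(1, "tcp", f"203.0.113.{i}", 50000 + i, "192.0.2.20", 443)
              for i in range(30)]
    rate1, count1 = mon.minute_tick()
    return {"accepted0": flood.count("accepted"), "rate0": rate0, "count0": count0,
            "deleting_after_min0": deleting_after_min0, "deleting_after_min1": mon.rate_deleting,
            "accepted1": normal.count("accepted"), "rate1": rate1, "count1": count1,
            "alerts": len(mon.alerts)}


if __name__ == "__main__":
    for act in ("delete_oldest", "block"):
        print(act, simulate(act))
```

Two things the model makes visible. First, because the rate is only measured at the minute tick, the One Minute High band does not engage until the flood minute is over; the per-host TCP Maximum Incomplete limit is what caps half-open sessions to the victim while the minute is still running. Second, with the deny action the block is keyed on the destination host, so once it trips every new request to that host is refused for the configured minutes, legitimate clients included; in the scenario above the block on the second host is triggered in minute 1 by ordinary traffic that merely happened to arrive while the rate band was still deleting, which is the kind of false positive the "Disable DoS Protection on" row and the advice to raise thresholds are addressing.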
ZyWALL 2WG User's Guide    263