P-660R/H-D Series User’s Guide

Table 39 Firewall: Threshold

LABEL

DESCRIPTION

DEFAULT VALUES

 

 

 

Denial of Service

 

 

Thresholds

 

 

One Minute Low

This is the rate of new half-open sessions that

80 existing half-open sessions.

 

causes the firewall to stop deleting half-open

 

 

sessions. The Prestige continues to delete

 

 

half-open sessions as necessary, until the

 

 

rate of new connection attempts drops below

 

 

this number.

 

One Minute High

This is the rate of new half-open sessions that

100 half-open sessions per minute.

 

causes the firewall to start deleting half-open

The above numbers cause the

 

sessions. When the rate of new connection

Prestige to start deleting half-open

 

attempts rises above this number, the

sessions when more than 100

 

Prestige deletes half-open sessions as

session establishment attempts

 

required to accommodate new connection

have been detected in the last

 

attempts.

minute, and to stop deleting half-

 

 

open sessions when fewer than 80

 

 

session establishment attempts

 

 

have been detected in the last

 

 

minute.

Maximum

This is the number of existing half-open

80 existing half-open sessions.

Incomplete Low

sessions that causes the firewall to stop

 

 

deleting half-open sessions. The Prestige

 

 

continues to delete half-open requests as

 

 

necessary, until the number of existing half-

 

 

open sessions drops below this number.

 

Maximum

This is the number of existing half-open

100 existing half-open sessions.

Incomplete High

sessions that causes the firewall to start

The above values causes the

 

deleting half-open sessions. When the

Prestige to start deleting half-open

 

number of existing half-open sessions rises

sessions when the number of

 

above this number, the Prestige deletes half-

existing half-open sessions rises

 

open sessions as required to accommodate

above 100, and to stop deleting

 

new connection requests. Do not set

half-open sessions with the

 

Maximum Incomplete High to lower than the

number of existing half-open

 

current Maximum Incomplete Low number.

sessions drops below 80.

TCP Maximum

This is the number of existing half-open TCP

30 existing half-open TCP

Incomplete

sessions with the same destination host IP

sessions.

 

address that causes the firewall to start

 

 

dropping half-open sessions to that same

 

 

destination host IP address. Enter a number

 

 

between 1 and 256. As a general rule, you

 

 

should choose a smaller number for a smaller

 

 

network, a slower system or limited

 

 

bandwidth.

 

Action taken when the TCP Maximum Incomplete threshold is reached.

 

 

 

Delete the oldest

Select this radio button to clear the oldest half

 

half open session

open session when a new connection request

 

when new

comes.

 

connection

 

 

request comes

 

 

Chapter 11 Firewall Configuration

132