Chapter 10 Firewalls

Table 57 Security > Firewall > Threshold (continued)

LABEL

DESCRIPTION

One Minute High
This is the rate of new half-open sessions per minute that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyXEL Device deletes half-open sessions as required to accommodate new connection attempts.
For example, if you set the one minute high to 100, the ZyXEL Device starts deleting half-open sessions when more than 100 session establishment attempts have been detected in the last minute. It stops deleting half-open sessions when the number of session establishment attempts detected in a minute goes below the number set as the one minute low.

Maximum Incomplete Low
This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open requests as necessary until the number of existing half-open sessions drops below this number.

Maximum Incomplete High
This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyXEL Device deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High lower than the current Maximum Incomplete Low number: the two values form a hysteresis band (deletion starts above High and stops below Low), and an inverted band tells the device to start and stop deleting at the same time.
For example, if you set the maximum incomplete high to 100, the ZyXEL Device starts deleting half-open sessions when the number of existing half-open sessions rises above 100. It stops deleting half-open sessions when the number of existing half-open sessions drops below the number set as the maximum incomplete low.

TCP Maximum Incomplete
An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against the host.
Specify the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 256. As a general rule, choose a smaller number for a smaller network, a slower system or limited bandwidth. The ZyXEL Device sends alerts whenever the TCP Maximum Incomplete is exceeded.

Action taken when TCP Maximum Incomplete reached threshold
Select the action that the ZyXEL Device should take when the TCP maximum incomplete threshold is reached. You can have the ZyXEL Device either:
Delete the oldest half-open session when a new connection request comes,
or
Deny new connection requests for the number of minutes that you specify (between 1 and 255).
Deleting the oldest half-open session keeps the host reachable for new requests, but under a sustained flood a legitimate client's handshake can be evicted before it completes. Denying new requests protects the host from the backlog but also turns away legitimate clients for the whole blocking period.

Apply
Click this to save your changes.

Cancel
Click this to restore your previously saved settings.
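The following is an added illustration of how the thresholds in Table 57 interact; it is not ZyXEL firmware code and makes assumptions the guide does not state: "as required to accommodate new connection attempts" is modelled as one eviction of the oldest half-open session per new attempt, the attempt rate is a sliding 60-second window, and the flow tuples and addresses in the demo are constructed sample traffic. The One Minute High/Low and Maximum Incomplete High/Low pairs are implemented as hysteresis bands, and the TCP Maximum Incomplete check applies the per-destination cap with either of the two configurable actions.

```python
"""Model of the half-open session thresholds in Table 57 (added example, not ZyXEL code)."""
from collections import OrderedDict, deque
from dataclasses import dataclass

SECONDS_PER_MINUTE = 60


@dataclass
class Thresholds:
    one_minute_low: int         # attempts/min at which rate-based deletion stops
    one_minute_high: int        # attempts/min at which rate-based deletion starts
    max_incomplete_low: int     # half-open total at which count-based deletion stops
    max_incomplete_high: int    # half-open total at which count-based deletion starts
    tcp_max_incomplete: int     # half-open sessions allowed per destination host (1-256)
    tcp_action: str = "delete_oldest"   # or "block" (deny new requests for block_minutes)
    block_minutes: int = 1      # 1-255, used only when tcp_action == "block"

    def __post_init__(self):
        # Each High/Low pair is a hysteresis band, so High below Low is a misconfiguration.
        if (self.one_minute_high < self.one_minute_low
                or self.max_incomplete_high < self.max_incomplete_low):
            raise ValueError("High threshold must not be lower than the matching Low threshold")
        if not 1 <= self.tcp_max_incomplete <= 256 or not 1 <= self.block_minutes <= 255:
            raise ValueError("TCP Maximum Incomplete must be 1-256 and block minutes 1-255")


class HalfOpenTable:
    """Half-open TCP sessions keyed by (src, sport, dst, dport); insertion order is age."""

    def __init__(self, th: Thresholds):
        self.th = th
        self.sessions = OrderedDict()   # key -> time the SYN was seen
        self.attempts = deque()         # timestamps of attempts in the sliding minute
        self.rate_deleting = False      # state of the One Minute High/Low band
        self.count_deleting = False     # state of the Maximum Incomplete High/Low band
        self.blocked_until = {}         # dst -> time its deny period ends
        self.stats = {"accepted": 0, "deleted": 0, "denied": 0, "alerts": 0}

    def half_open_to(self, dst):
        return sum(1 for k in self.sessions if k[2] == dst)

    def _evict_oldest(self, dst=None):
        # Modelling assumption: one eviction per new attempt is "as required".
        victim = next((k for k in self.sessions if dst is None or k[2] == dst), None)
        if victim is not None:
            del self.sessions[victim]
            self.stats["deleted"] += 1

    def syn(self, now, key):
        """A SYN with flow tuple `key` arrives at `now` (seconds). True if admitted."""
        dst = key[2]
        # Sliding one-minute window of connection attempts; denied ones still count.
        while self.attempts and now - self.attempts[0] >= SECONDS_PER_MINUTE:
            self.attempts.popleft()
        self.attempts.append(now)

        # A destination inside its deny period rejects new requests outright.
        if now < self.blocked_until.get(dst, float("-inf")):
            self.stats["denied"] += 1
            return False

        # One Minute High/Low: start deleting above High, stop only below Low.
        rate = len(self.attempts)
        if rate > self.th.one_minute_high:
            self.rate_deleting = True
        elif rate < self.th.one_minute_low:
            self.rate_deleting = False

        # Maximum Incomplete High/Low: the same band applied to the total count.
        total = len(self.sessions)
        if total > self.th.max_incomplete_high:
            self.count_deleting = True
        elif total < self.th.max_incomplete_low:
            self.count_deleting = False

        if self.rate_deleting or self.count_deleting:
            self._evict_oldest()

        # TCP Maximum Incomplete: per-destination cap, alert, then the chosen action.
        if self.half_open_to(dst) >= self.th.tcp_max_incomplete:
            self.stats["alerts"] += 1
            if self.th.tcp_action == "block":
                self.blocked_until[dst] = now + self.th.block_minutes * SECONDS_PER_MINUTE
                self.stats["denied"] += 1
                return False
            self._evict_oldest(dst)

        self.sessions[key] = now
        self.stats["accepted"] += 1
        return True

    def handshake_complete(self, key):
        """Final ACK seen: the session is established and no longer half-open."""
        self.sessions.pop(key, None)


if __name__ == "__main__":
    # Constructed SYN flood: 150 spoofed sources hit one host within 15 s, none completes.
    table = HalfOpenTable(Thresholds(80, 100, 60, 80, tcp_max_incomplete=30))
    for i in range(150):
        table.syn(i * 0.1, (f"198.51.100.{i}", 40000 + i, "192.0.2.10", 80))
    print(table.stats, "half-open to 192.0.2.10:", table.half_open_to("192.0.2.10"))
```

Running the demo shows the order in which the controls fire on a single-target flood: the per-host cap (30) takes effect long before the global Maximum Incomplete High (80) is reached, and once the one-minute rate passes 100 the rate-based eviction keeps the table below the per-host cap, so the per-host alert stops firing even though the flood continues. With the "block" action the same flood produces one alert and a deny period for that host only; other destinations are unaffected.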

204

 

P-660HW-Tx v3 Series User’s Guide