Description
Settings related to the IP protocol.
Properties
- IP6LogOnForwardHopLimit0
- Log any attempt to forward IPv6 packets with HopLimit=0 destined for outside the firewall; this should never happen! (Default: DropLog)
- IP6AnycastSrc
- Drop/log packets with an anycast source address. (Default: DropLog)
- HopLimitMin
- The minimum IP Hop-Limit value accepted on receipt. (Default: 3)
- HopLimitOnLow
- What action to take on too low unicast Hop-Limit values. (Default: DropLog)
- HopLimitMinMulticast
- The minimum IP multicast Hop-Limit value accepted on receipt. (Default: 1)
- HopLimitOnLowMulticast
- What action to take on too low multicast Hop-Limit values. (Default: DropLog)
- DefaultHopLimit
- The default IP Hop-Limit of packets originated by the firewall (32-255). (Default: 255)
- IP6Fl
- Validate IPv6 Flow label header field. (Default: Ignore)
- IP6TC
- Validate IPv6 Traffic Class header field. (Default: Ignore)
- IP6MaxExtHdr
- Maximum allowed size of all IP6 extension headers. (Default: 256)
- IP6OnMaxExtHdr
- Validate the extension header length when it goes beyond IP6MaxExtHdr. (Default: DropLog)
- RejectUnorderedExtHdr
- Send an ICMPv6 error when encountering extension headers out of order. (Default: No)
- IP6MaxOptHdr
- Total number of options allowed per IPv6 extension header. (Default: 8)
- IP6OnMaxOptHdr
- Validate the number of options per extension header when it goes beyond IP6MaxOptHdr. (Default: DropLog)
- IP6ValidateSyntax
- Validate IPv6 syntax violation. (Default: ValidateLogBad)
- IP6OPT_PADN
- Validate when IPv6 PadN option data fields are non-zero. (Default: StripLog)
- IP6OPT_JUMBO
- Validate jumbogram packets. (Default: ValidateLog)
- IP6OPT_RA
- Validate Router Alert packets. (Default: Ignore)
- IP6OPT_HA
- Validate Home Address option packets. (Default: Ignore)
- IP6OPT_OTH
- Validate unknown option types. (Default: RFC2460Log)
- IP6_RH0
- Validate routing header type 0 option. (Default: RFC5095NoSupportLog)
- IP6_RH2
- Validate routing header type 2 option. (Default: RFC2460NoSupportLog)
- IP6_RHOther
- Validate routing header other than type 0 or 2 option. (Default: RFC2460NoSupportLog)
- IP6OnLocalUnrecognizedHdr
- How to handle packets destined to the firewall with unrecognized IPv6 headers. (Default: DropLog)
- LogCheckSumErrors
- Log IP packets with bad checksums. (Default: Yes)
- LogNonIPv4IPv6
- Log occurrences of non-IPv4/IPv6 packets. (Default: Yes)
- LogReceivedTTL0
- Log received packets with TTL=0; this should never happen! (Default: Yes)
- LogOnForwardTTL0
- Log any attempt to forward IPv4 packets with TTL=0 destined for outside the firewall; this should never happen! (Default: DropLog)
- Log0000Src
- Log invalid 0.0.0.0 source address. (Default: Drop)
- Block0Net
- Block 0.* source addresses. (Default: DropLog)
- Block127Net
- Block 127.* source addresses. (Default: DropLog)
- BlockMulticastSrc
- Block multicast source addresses (224.0.0.0-239.255.255.255). (Default: DropLog)
- TTLMin
- The minimum IP Time-To-Live value accepted on receipt. (Default: 1)
- TTLOnLow
- What action to take on too low unicast TTL values. (Default: DropLog)
- TTLMinMulticast
- The minimum IP multicast Time-To-Live value accepted on receipt. (Default: 3)
- TTLOnLowMulticast
- What action to take on too low multicast TTL values. (Default: DropLog)
- DefaultTTL
- The default IP Time-To-Live of packets originated by the firewall (32-255). (Default: 255)
- LayerSizeConsistency
- Verify that TCP/UDP/ICMP/etc. layer data and header sizes match the lower layer size information. (Default: ValidateLogBad)
- SecuRemoteUDPEncapCompat
- Allow IP data to contain eight bytes more than the UDP total length field specifies -- Checkpoint SecuRemote violates NAT-T drafts. (Default: No)
- IPOptionSizes
- Validity of IP header option sizes. (Default: ValidateLogBad)
- IPOPT_SR
- How to handle IP packets containing source or return routes. (Default: DropLog)
- IPOPT_TS
- How to handle IP packets containing timestamps. (Default: DropLog)
- IPOPT_RTRALT
- How to handle IP packets containing a route alert. (Default: ValidateLogBad)
- IPOPT_OTHER
- How to handle IP options not specified above. (Default: DropLog)
- DirectedBroadcasts
- How to handle directed broadcasts being passed from one interface to another. (Default: DropLog)
- TransparentBroadcastNAT
- How to handle Broadcast packets matching a NAT rule in Transparent mode. (Default: DropLog)
- IPRF
- How to handle the IP Reserved Flag, if set; it should never be. (Default: DropLog)
- StripDFOnSmall
- Strip the "DontFragment" flag for packets of this size or smaller. (Default: 65535)
- MulticastIPEnetOnMismatch
- What action to take when ethernet and IP multicast addresses do not match. (Default: DropLog)
- TTLMinBroadcast
- The shortest IP broadcast Time-To-Live value accepted on receipt. (Default: 1)
- TTLOnLowBroadcast
- What action to take on too low broadcast TTL values. (Default: DropLog)
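
The packet properties that IP6MaxExtHdr, IP6MaxOptHdr, IP6OPT_PADN, IP6_RH0 and IP6ValidateSyntax refer to can be seen by walking an extension header chain by hand. The following is an added example, not the firewall's own code: function names and finding strings are hypothetical, the limits are the defaults listed above, and how the firewall itself counts options (for instance whether padding counts) is an assumption.

```python
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def check_options(opts, max_opt_hdr):
    """Walk the TLV options of one Hop-by-Hop or Destination Options header."""
    findings, i, count = [], 0, 0
    while i < len(opts):
        count += 1                      # assumption: padding options are counted too
        if opts[i] == 0:                # Pad1 is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
            findings.append("IP6ValidateSyntax: option overruns header")
            break
        body = opts[i + 2:i + 2 + opts[i + 1]]
        if opts[i] == 1 and any(body):  # PadN data must be all zero
            findings.append("IP6OPT_PADN: non-zero padding data")
        i += 2 + opts[i + 1]
    if count > max_opt_hdr:
        findings.append(f"IP6MaxOptHdr: {count} options in one header")
    return findings

def check_ext_headers(next_header, data, max_ext_hdr=256, max_opt_hdr=8):
    """Walk the chain after the fixed IPv6 header; return findings per setting."""
    findings, offset = [], 0
    while next_header in EXT_HEADERS:
        if offset + 8 > len(data):
            findings.append("IP6ValidateSyntax: truncated extension header")
            break
        current, next_header = next_header, data[offset]
        # Fragment header is always 8 bytes; others are (length field + 1) * 8.
        size = 8 if current == FRAGMENT else (data[offset + 1] + 1) * 8
        if offset + size > len(data):
            findings.append("IP6ValidateSyntax: header length exceeds packet")
            break
        if current in (HOP_BY_HOP, DEST_OPTS):
            findings += check_options(data[offset + 2:offset + size], max_opt_hdr)
        elif current == ROUTING and data[offset + 2] == 0:
            findings.append("IP6_RH0: routing header type 0")
        offset += size
    if offset > max_ext_hdr:
        findings.append(f"IP6MaxExtHdr: {offset} bytes of extension headers")
    return findings

# Constructed samples: (first Next Header value, bytes following the fixed header).
SAMPLES = {
    "padn_nonzero": (HOP_BY_HOP, bytes([6, 0, 1, 4, 0, 0, 0x41, 0])),
    "many_options": (DEST_OPTS, bytes([6, 1]) + bytes(14)),
    "rh0": (ROUTING, bytes([6, 2, 0, 1]) + bytes(20)),
    "oversize": (DEST_OPTS, bytes([6, 32, 1, 255]) + bytes(255) + bytes([1, 3]) + bytes(3)),
}
```

Calling `check_ext_headers(*SAMPLES["oversize"])` reports the 264-byte chain against the 256-byte default; the other samples each trigger one of the remaining checks.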
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.