Properties

TCPLogInvalidHeaderLen

Controls if TCP packets with invalid header length are logged and dropped or just dropped silently. (Default: Yes)

TCPChecksumVerification

Controls if the TCP checksum should be verified. (Default: AutoDropLogBad)

TCPUnusedNonZeroAckField

Force unused ACK fields to zero; helps prevent connection spoofing. (Default: Strip)

TCPUnusedNonZeroUrgField

Force unused URG fields to zero; prevents small information leak. (Default: Strip)

TCPNonZeroHeaderPadding

Force unused space between the header and the data to zero; prevents small information leak. (Default: Strip)

TCPSynUrg

The TCP URG flag together with SYN; normally invalid (strip=strip URG). (Default: DropLog)

TCPSynPsh

The TCP PSH flag together with SYN; normally invalid but always used by some IP stacks (strip=strip PSH). (Default: Strip)

TCPSynRst

The TCP RST flag together with SYN; normally invalid. (Default: DropLog)

TCPSynFin

The TCP FIN flag together with SYN; normally invalid (strip=strip FIN). (Default: DropLog)

TCPRstFin

The TCP FIN flag together with RST; normally invalid (strip=strip FIN). (Default: DropLog)

TCPFinUrg

The TCP URG flag together with FIN; normally invalid (strip=strip URG). (Default: DropLog)

TCPFinNoAck

The TCP FIN flag without ACK flag; normally invalid. (Default: DropLog)

TCPUrg

The TCP URG flag; many operating systems cannot handle this correctly. (Default: StripLog)

TCPECN

The Explicit Congestion Notification (ECN) flags. Previously known as the "XMAS" / "YMAS" flags. Also used in OS fingerprinting. (Default: StripLog)

TCPRF

The TCP Reserved field; should be zero. Used in OS fingerprinting. (Default: StripLog)

TCPNULL

TCP "NULL" packets without SYN, ACK, FIN or RST; normally invalid, used by scanners. (Default: DropLog)

TCPBadOptionLengths

Decides how the device will handle TCP packet's with incorrect structure of the options area or with wellknown options that has invalid length. (Default: DropLog)

TCPMSSMin

Minimum allowed TCP MSS (Maximum Segment Size). (Default: 100)

TCPMSSOnLow

How to handle too low MSS values. (Default: DropLog)

TCPMSSMax

Maximum allowed TCP MSS (Maximum Segment Size). (Default: 1460)

TCPMSSOnHigh

How to handle too high MSS values. (Default: Adjust)

TCPMSSLogLevel

When to log regarding too high TCP MSS, if not logged by TCPMSSOnHigh. Packets with an MSS that exceeds this level will be logged. (Default: 7000)

TCPMSSAutoClamping

Automatically clamp TCP MSS according to MTU of involved interfaces - in addition to TCPMSSMax. (Default: Yes)

TCPInconsistentSACK

Controls how segments with inconsistent sequence number in the SACK option should be handled. (Default: StripLog)

TCPSynOptInNonSyn

Controls how the device acts when it finds a TCP option, that only should occur in packets with the SYN flag set, in a packet with the SYN flag cleared. (Default: DropLog)

TCPOPT_WSOPT

The WSOPT (Window Scale) option (common). (Default: Allow)

TCPOPT_SACK

The SACK/SACKPERMIT (Selective ACK) options (common). (Default: Allow)

TCPOPT_TSOPT

The TSOPT (Timestamp) option (common). (Default: Allow)

TCPOPT_ALTCHK

The Alternate Checksum options (request and data). (Default: StripLog)

TCPOPT_CC

The CC (Connection Count) option series (semi common). (Default: Strip)

TCPOPT_OTHER

How to handle TCP options not specified above. (Default: StripLog)

TCPScrambleSequenceNumbers

Controls if TCP sequence numbers will be modified on their way through the device. (Default: Yes)

TCPLogStateViolations

Log packets that violate stateful tracking rules. (Default: Yes)

TCPSeqNumValidationMode

Validation of TCP sequence numbers. (Default: StrictLog)

TCPSeqTooLowLogLevel

Packets with a slightly too low sequence number to fall within the strict window are often quite harmless. They can be caused by, for instance, retransmissions and network delays. This setting sets a limit on how much too low the sequence number must be to be logged to avoid unnecessary logs of harmless packets. The value is a percentage of the maximal window that can be used on the flow. (Default: 125)

TCPAllowReopen

Allow clients to re-open TCP flow states that are either new or in the closed state. (Default: Never)

TCPMaxWindow

Upper limit on window announcements. (Default: 16776960)

TCPOversizedWindow

How to handle packets with too large windows. (Default: AdjustLog)

TCPOversizedSegment

How to handle packets that violates the announced MSS. (Default: DropLog)

TCPTruncHeaderInICMP

Determines how the device will handle ICMP messages with a truncated TCP header in the encapsulated packet. (Default: Allow8BytesLogBad)