Users Guide

Dell PowerConnect W-Series ArubaOS 6.1 | User Guide Roles and Policies | 335
Global Firewall Parameters
Table 62 describes optional firewall parameters you can set on the controller for IPv4 traffic. To set these options
in the WebUI, navigate to the Configuration > Advanced Services > Stateful Firewall > Global Setting page
and select or enter values in the IPv4 column. To set these options in the CLI, use the firewall configuration
commands.
See Chapter 35, “IPv6 Support” for information about configuring firewall parameters for IPv6 traffic.
Table 62 IPv4 Firewall Parameters

| Parameter | Description |
|---|---|
| Monitor Ping Attack | Number of ICMP pings per second, which if exceeded, can indicate a denial of service attack. Valid range is 1-255 pings per second. Recommended value is 4. Default: No default |
| Monitor TCP SYN Attack rate | Number of TCP SYN messages per second, which if exceeded, can indicate a denial of service attack. Valid range is 1-255 messages per second. Recommended value is 32. Default: No default |
| Monitor IP Session Attack | Number of TCP or UDP connection requests per second, which if exceeded, can indicate a denial of service attack. Valid range is 1-255 requests per second. Recommended value is 32. Default: No default |
| Monitor/Police CP Attack rate (per sec) | Rate of misbehaving user's inbound traffic, which if exceeded, can indicate a denial of service attack. Recommended value is 100 frames per second. |
| Deny Inter User Bridging | Prevents the forwarding of Layer-2 traffic between wired or wireless users. You can configure user role policies that prevent Layer-3 traffic between users or networks, but this does not block Layer-2 traffic. This option can be used to prevent traffic, such as AppleTalk or IPX, from being forwarded. Default: Disabled |
| Deny Inter User Traffic | Denies traffic between untrusted users by disallowing Layer-2 and Layer-3 traffic. This parameter does not depend on the deny-inter-user-bridging parameter being enabled or disabled. Default: Disabled |
| Deny All IP Fragments | Drops all IP fragments. NOTE: Do not enable this option unless instructed to do so by a Dell representative. Default: Disabled |
| Enforce TCP Handshake Before Allowing Data | Prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network, as enabling this option will cause mobility to fail. You can enable this option if there are no mobile clients on the network. Default: Disabled |
| Prohibit IP Spoofing | Enables detection of IP spoofing (where an intruder sends messages using the IP address of a trusted client). When this option is enabled, source and destination IP and MAC addresses are checked for each ARP request/response. Traffic from a second MAC address using a specific IP address is denied, and the entry is not added to the user table. Possible IP spoofing attacks are logged and an SNMP trap is sent. Default: Disabled |
| Prohibit RST Replay Attack | When enabled, closes a TCP connection in both directions if a TCP RST is received from either direction. You should not enable this option unless instructed to do so by a Dell representative. Default: Disabled |
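
The ping, TCP SYN and IP session monitors in Table 62 are per-second thresholds that flag traffic only when the count is exceeded. The Python below is an added example, not taken from the Dell guide or from controller code; it applies the table's recommended values to constructed events so the threshold behaviour can be checked against your own logs. The event kind names, the per-source fixed one-second buckets and the sample addresses are assumptions.

```python
from collections import Counter

# Recommended per-second thresholds from Table 62 (valid range for each is 1-255).
RECOMMENDED = {"ping": 4, "tcp-syn": 32, "session": 32}


def validate_thresholds(thresholds):
    """Reject values outside the 1-255 range the table gives for these monitors."""
    for kind, rate in thresholds.items():
        if not 1 <= rate <= 255:
            raise ValueError(f"{kind}: {rate} is outside the valid range 1-255")
    return thresholds


def find_rate_violations(events, thresholds=RECOMMENDED):
    """Return sorted (second, source, kind, count) where count exceeds the threshold.

    events: iterable of (timestamp_seconds, source_ip, kind).
    Assumption: counts are kept per source in fixed one-second buckets; the
    guide does not say how the controller windows its counters.
    """
    validate_thresholds(thresholds)
    counts = Counter()
    for ts, src, kind in events:
        if kind in thresholds:
            counts[(int(ts), src, kind)] += 1
    return sorted(
        (sec, src, kind, n)
        for (sec, src, kind), n in counts.items()
        if n > thresholds[kind]
    )


# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE_EVENTS = (
    # 192.0.2.5 sends 6 pings inside second 100: exceeds 4/s.
    [(100 + i * 0.1, "192.0.2.5", "ping") for i in range(6)]
    # 192.0.2.9 sends exactly 4 pings in second 100: at the threshold, not over it.
    + [(100 + i * 0.2, "192.0.2.9", "ping") for i in range(4)]
    # 192.0.2.7 sends 40 SYNs inside second 101: exceeds 32/s.
    + [(101 + i * 0.02, "192.0.2.7", "tcp-syn") for i in range(40)]
    # 192.0.2.7 spreads 40 session requests over 4 seconds (10/s): no violation.
    + [(102 + i * 0.1, "192.0.2.7", "session") for i in range(40)]
)

if __name__ == "__main__":
    for sec, src, kind, n in find_rate_violations(SAMPLE_EVENTS):
        print(f"t={sec}s {src} {kind}: {n}/s exceeds {RECOMMENDED[kind]}/s")
```

A source sitting exactly at the threshold is not reported, which matches the table's "if exceeded" wording.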