Brocade Mobility RFS Controller System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual

Brocade Mobility RFS Controller System Reference Guide, 53-1003099-01 (chapter 10, page 573)

3. Refer to the General field to enable or disable the following firewall configuration parameters:

Enable Proxy ARP

Select this check box to allow the Firewall Policy to use Proxy ARP responses for this policy on behalf of another device. Proxy ARP allows the firewall to answer ARP requests on behalf of devices behind the firewall. This feature is enabled by default.

DHCP Broadcast to Unicast

Select this check box to enable the conversion of broadcast DHCP offers to unicast. Converting DHCP broadcast traffic to unicast can help reduce the network traffic load. This feature is disabled by default.

L2 Stateful Packet Inspection

Select this check box to enable stateful packet inspection for RF Domain manager routed interfaces within the Layer 2 firewall. This feature is disabled by default.

IPMAC Conflict Enable

When multiple devices on the network share the same IP or MAC address, traffic passed through the firewall can be misrouted. Select this option to enable IP and MAC conflict detection and avoid these issues. This feature is disabled by default.

IPMAC Conflict Logging

Select this option to enable logging for IP and MAC address conflict detection. This feature is disabled by default.

IPMAC Conflict Action

Use the drop-down menu to set the action taken when an attack is detected. Options include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.

IPMAC Routing Conflict Enable

Select this option to enable IPMAC Routing Conflict detection, which detects what is known as a Hole-196 attack in the network. This feature checks whether a client is sending routed packets to the correct router MAC address.

IPMAC Routing Conflict Logging

Select this option to enable logging for IPMAC Routing Conflict detection. This feature is disabled by default.

IPMAC Routing Conflict Action

Use the drop-down menu to set the action taken when an attack is detected. Options include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.

DNS Snoop Entry Timeout

Select this option and set a timeout, in seconds, for DNS Snoop Entries. A DNS Snoop Entry stores information such as the client-to-IP-address and client-to-default-gateway(s) mappings, which the firewall uses to detect whether a client is sending routed packets to the wrong MAC address.

IP TCP Adjust MSS

Select this option and adjust the maximum segment size (MSS) for TCP segments on the router. Set a value between 472 bytes and 1,460 bytes. The default value is 472 bytes.

TCP Adjust MSS

Select this option to enable TCP MSS clamping, which sets the maximum segment size of packets at a global level.

Max Fragments/Datagram

Set the maximum number of fragments (between 2 and 8,129) allowed in a datagram before it is dropped. The default value is 140 fragments.

Max Defragmentations/Host

Set the maximum number of defragmentations (between 1 and 16,384) allowed per host before it is dropped. The default value is 8.

Min Length Required

Select this option and set a minimum length, between 8 bytes and 1,500 bytes, to enforce a minimum packet size before packets are subject to fragment-based attack prevention.

IPv4 Virtual Defragmentation

Select this option to enable IPv4 Virtual Defragmentation, which helps prevent IPv4 fragment-based attacks such as tiny fragments or a large number of IPv4 fragments.
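The IPMAC Conflict and IPMAC Routing Conflict checks above, together with the Log Only / Drop Only / Log and Drop actions, modelled as an added illustration; this is not Brocade's code, and the subnet, MAC addresses and packets are constructed for the example.

```python
from dataclasses import dataclass, field
import ipaddress

# Action drop-down values from the manual, mapped to (log?, drop?).
ACTIONS = {
    "Log Only": (True, False),
    "Drop Only": (False, True),
    "Log and Drop": (True, True),
}

@dataclass
class Packet:
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str

@dataclass
class FirewallModel:
    subnet: str                                    # client subnet, e.g. "10.0.0.0/24" (constructed)
    gateway_mac: str                               # router MAC learned by snooping (constructed)
    conflict_action: str = "Log and Drop"          # IPMAC Conflict Action default
    routing_conflict_action: str = "Log and Drop"  # IPMAC Routing Conflict Action default
    ip_to_mac: dict = field(default_factory=dict)  # learned IP -> MAC bindings
    log: list = field(default_factory=list)

    def __post_init__(self):
        self._net = ipaddress.ip_network(self.subnet)

    def _apply(self, action, pkt, reason):
        do_log, do_drop = ACTIONS[action]
        if do_log:
            self.log.append(f"{reason} src={pkt.src_ip} mac={pkt.src_mac}")
        return "drop" if do_drop else "forward"

    def inspect(self, pkt):
        # IPMAC conflict: the source IP is already bound to a different MAC.
        known = self.ip_to_mac.setdefault(pkt.src_ip, pkt.src_mac)
        if known != pkt.src_mac:
            return self._apply(self.conflict_action, pkt, "ipmac-conflict")
        # IPMAC routing conflict (Hole-196 pattern): a packet destined outside the
        # subnet must carry the real gateway's MAC, not another client's MAC.
        leaves_subnet = ipaddress.ip_address(pkt.dst_ip) not in self._net
        if leaves_subnet and pkt.dst_mac != self.gateway_mac:
            return self._apply(self.routing_conflict_action, pkt, "ipmac-routing-conflict")
        return "forward"
```

The model learns the first IP-to-MAC binding it sees, so in a real deployment the bindings would come from DHCP/DNS snooping rather than from the first packet.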
