Brocade Mobility Access Point System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual

540

Brocade Mobility Access Point System Reference Guide

53-1003100-01

8

13. Select OK to continue disabling the captive portal.

14. Refer to the General field to enable or disable the following firewall parameters:

15. The firewall policy allows traffic filtering at the application layer using the Application Layer

Gateway feature. The Application Layer Gateway provides filters for the following common
protocols:

Enable Proxy ARP

Select the radio button to allow the Firewall Policy to use Proxy ARP responses for this
policy on behalf of another device. Proxy ARP allows the firewall to handle ARP routing
requests for devices behind the firewall. This feature is enabled by default.

DHCP Broadcast to Unicast

Select the radio button to enable the conversion of broadcast DHCP offers to unicast.
Converting DHCP broadcast traffic to unicast traffic can help reduce network traffic
loads.This feature is disabled by default.

L2 Stateful Packet
Inspection

Select the radio button to enable stateful packet inspection for routed interfaces within
the Layer 2 Firewall. This feature is enabled by default.

IPMAC Conflict Enable

Select this option to log and act upon detected IPMAC conflicts. These occur when
removing a device from the network and attaching another using the same IP address.

IPMAC Conflict Logging

When enabled, use the drop-down menu to set the logging level (Error, Warning,
Notification, Information or Debug) if an attack is detected. The default setting is Warning.

IPMAC Conflict Action

Use the drop-down menu to set the action taken when an attack is detected. Options
include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.

IPMAC Routing Conflict
Enable

Select this option to enable IPMAC Routing Conflict detection. This is also known as a
Hole-196 attack in the network. This feature helps to detect if the client is sending routed
packets to the correct MAC address.

IPMAC Routing Conflict
Logging

Select enable logging for IPMAC Routing Conflict detection. This feature is enabled by
default and set to Warning.

IPMAC Routing Conflict
Action

Use the drop-down menu to set the action taken when an attack is detected. Options
include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.

DNS Snoop Entry Timeout

Select this option and set a timeout, in seconds, for DNS Snoop Entry. DNS Snoop Entry
stores information such as Client to IP Address and Client to Default Gateway(s) and uses
this information to detect if the client is sending routed packets to a wrong MAC address.

IP TCP Adjust MSS

Select this option and adjust the value for the maximum segment size (MSS) for TCP
segments on the router. Set a value between 472 bytes and 1,460 bytes to adjust the MSS
segment size. The default value is 472 bytes.

TCP MSS Clamping

Select this option to enable TCP MSS Clamping. TCP MSS Clamping allows configuration
for the maximum segment size of packets at a global level.

Max Fragments/
Datagram

Set the maximum number of fragments (from 2 - 8,129) allowed in a datagram before it is
dropped. The default value is 140 fragments.

Max Defragmentations/
Host

Set the maximum number of defragmentations, from 1 - 16,384 allowed per host before it
is dropped. The default value is 8.

Min Length Required

Select this option and set a minimum length, from 8 bytes - 1,500 bytes, to enforce a
minimum packet size before being subject to fragment based attack prevention.

IPv4 Virtual
Defragmentation

Select this option to enable IPv4 Virtual Defragmentation, this helps prevent IPv4
fragments based attacks, such as tiny fragments or large number of ipv4 fragments.

FTP ALG

Select the Enable box to allow FTP traffic through the firewall using its default ports. This
feature is enabled by default.

TFTP ALG

Select the Enable box to allow TFTP traffic through the firewall using its default ports. This
feature is enabled by default.