Through this tab it is possible to enable and configure the entry policies for the local ports and services of the Blockbit NGFW.

In addition, this tab allows you to configure the security parameters and firewall connection controls.


The “Security Parameters” item defines the basic security settings and the connection control parameters responsible for maintaining state information for all firewall connections and sessions.


The pre-configured values under “Connection Settings” on this interface are the connection control parameters; changing these values directly affects the performance of the server.


To access, click on "General Settings".



General Settings tab


The “General Settings” screen will appear, as shown by the image below:

 

General Settings


The "General Settings" screen is made up of the following panels and features:



Below we will detail each component of the panels:


Security Settings


This panel contains the configuration items for the security parameters.


General Settings - Security Settings


DoS Protection


This feature blocks denial-of-service (DoS) attacks, which attempt to make system resources unavailable to their users. A DoS attack is not an intrusion into the system but its disablement through overload. The attack techniques covered are SYN Flood, TCP Flood, UDP Flood and ICMP Flood.


DoS Protection


When clicking on the [] button, the screen below will be displayed:


DoS Protection - Window


  • SYN Flood limit (per second): Determines the limit of incoming packets to prevent SYN Flood attacks. The minimum value is 100 and the default value is 2000;
  • SYN Burst: The minimum value is 1 and the default value is 100;
  • TCP Flood limit (per second): Determines the TCP access limit in order to prevent TCP Flood attacks. The minimum value is 100 and the default value is 2000;
  • TCP Burst: The minimum value is 1 and the default value is 100;
  • UDP Flood limit (per second): Determines the UDP access limit in order to prevent UDP Flood attacks. The minimum value is 100 and the default value is 2000;
  • UDP Burst: The minimum value is 1 and the default value is 100;
  • ICMP Flood limit (per second): Determines the ICMP access limit in order to prevent ICMP Flood attacks. The minimum value is 100 and the default value is 2000;
  • ICMP Burst: The minimum value is 1 and the default value is 100.
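As an added example (not Blockbit's code), the following Python models one “Flood limit (per second)” and “Burst” pair from the window above as a token bucket, using the page defaults of 2000 per second and 100. The token-bucket semantics and the constructed traffic patterns are assumptions; the firewall's actual kernel implementation is not described on this page.

```python
# Added example (not Blockbit's code): models one "Flood limit (per second)" +
# "Burst" pair as a token bucket. Assumption: the bucket holds at most `burst`
# tokens, refills at `limit` tokens/second, each packet consumes one; empty = drop.
from dataclasses import dataclass, field
from typing import Iterable, Tuple


@dataclass
class FloodLimiter:
    limit: float = 2000.0  # page default for the SYN/TCP/UDP/ICMP Flood limit (per second)
    burst: int = 100       # page default for the matching Burst value
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        # Enforce the minimums documented on the page: limit >= 100/s, burst >= 1.
        if self.limit < 100 or self.burst < 1:
            raise ValueError("limit must be >= 100 per second and burst >= 1")
        self.tokens = float(self.burst)  # a quiet link starts with a full bucket

    def allow(self, now: float) -> bool:
        """Return True if a packet arriving at `now` (seconds) is accepted."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.limit)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals: Iterable[float], limit: float = 2000.0,
             burst: int = 100) -> Tuple[int, int]:
    """Feed packet arrival times (seconds) through one limiter -> (accepted, dropped)."""
    limiter = FloodLimiter(limit=limit, burst=burst)
    accepted = dropped = 0
    for t in arrivals:
        if limiter.allow(t):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


# Constructed traffic patterns (not captured data), all using the page defaults.
def legit_client() -> Tuple[int, int]:
    return simulate(i / 50 for i in range(50))          # 50 SYNs over 1 s: all pass

def instant_syn_flood() -> Tuple[int, int]:
    return simulate([0.0] * 10_000)                      # same instant: only the burst passes

def sustained_syn_flood() -> Tuple[int, int]:
    return simulate(i / 10_000 for i in range(10_000))   # 10k/s: burst + ~2000 refilled
```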


IP Spoofing Protection



This feature enables the protection of IP Spoofing in the desired network zone.


IP Spoofing protection.


Zones with [IP Spoofing Protection] do not allow the use of SD-WAN.


When clicking on the [] button, the screen below will be displayed:


IP Spoofing protection Zones


This option can cause problems with the SD-WAN service.


Alert: SD-WAN and IP Spoofing Protection problems.


PortScan Protection


This feature identifies and blocks applications that attempt to map TCP and UDP ports. Port scanners try to determine the status of ports, whether closed, listening or open, and are often used by malicious actors to identify open ports, exploit vulnerabilities and plan intrusions. Recommendation: “[Enable]”.


PortScan Protection


Invalid Packet Protection


Invalid packets are those that do not follow the TCP state diagram (handshake). With this option enabled, the firewall service discards packets considered invalid. Recommendation: “[Enable]”.


Invalid Packet Protection


Allow Ping


This feature allows all PING requests (Echo Request and Echo Reply) to be answered through any network interface on the system. Recommendation: “[Disable]”.


Allow Ping 


Allow ICMP Redirect


ICMP Redirect is a message type used by routers to notify hosts on the same network segment that there is a better path (route) to a given destination. This option controls whether such messages are accepted. Recommendation: “[Disable]”.


Allows ICMP Redirect

This item comes [Enabled] by default, to accommodate the many poorly defined network structures encountered in practice.

Ignore ICMP Broadcast


This feature ignores ICMP broadcast traffic, which is used to make servers unwittingly participate in DoS attacks: large numbers of pings sent to the broadcast address exponentially increase NETBIOS network traffic and make legitimate services unavailable.

Recommendation: “[Enable]” Ignore ICMP Broadcast.


Ignore ICMP Broadcast


Source Routing


This feature allows routing tests behind the firewall by letting the sender of a packet specify the path the packet takes to and from its destination. Recommendation: “[Disabled]”.


Source Routing 

Source routing is a protocol mechanism that lets an IP packet carry routing information, such as a list of addresses telling routers the path the packet must follow. It also includes an option to record each hop as the route is traversed; this route record, which lists the addresses, gives the destination a return path back to the origin. The mechanism allows the origin (sender host) to specify the route, loosely or strictly, bypassing some or all of the routers' routing tables. It also allows a user to redirect network traffic for malicious ends. Therefore, Source Routing must be disabled.


When enabled, the Source Routing option makes the network interfaces accept packets with the Strict Source Route (SSR) or Loose Source Route (LSR) option set. Acceptance of source-routed packets is controlled by the kernel settings. To have packets carrying the SSR or LSR option discarded, the checkbox must be kept disabled.

Checksum


Packets with bad checksums are in an INVALID state. With this option enabled, such packets are not considered by connection tracking (session tracking).


Checksum



Invalid Log


Enables logging of packets in the INVALID state.


Invalid Log

Forward Error Correction

Forward Error Correction is an error control method for data transmission in which the source sends redundant data and the destination needs to recognize only the part of the data that arrives without errors. With this option, data packets are received twice and accepted once at least one copy is validated.


FEC - Forward error correction

Max Connections

Maximum number of connections.

Max connections


TCP Max Orphans

Maximum number of TCP sockets not attached to any process or service running in user space on the OS. If this number is exceeded, the connections are immediately reset.


TCP Max Connections


Timeouts


The remaining pre-configured values under “Connection settings” on this interface are the “Session Track” parameters; changing these values directly affects the performance of the server.


General Settings - Timeout


Generic Timeout


This parameter sets the generic timeout, in seconds, that session tracking applies when the protocol in use cannot be determined and no more specific value applies. Any flow or packet entering the firewall that cannot be fully identified as a more specific protocol receives the generic timeout defined here. The minimum value is 0 and the default value is 600 seconds.


Generic Timeout


ICMP Timeout


Sets the timeout in seconds for ICMP packets that expect return traffic, namely ECHO REQUEST and REPLY, TIMESTAMP REQUEST and REPLY, INFORMATION REQUEST and REPLY, and ADDRESS MASK REQUEST and REPLY. Once a request is sent, a reply is expected, and the ICMP timeout counts down while waiting for it. An ICMP response is usually very fast unless a very slow connection is used. The minimum value is 0 and the default value is 30.


ICMP Timeout


Max Connections


Maximum size of the session tracking table, that is, the number of simultaneously established connections. The default value is 300,000 seconds.


Max Connections


TCP Loose


Enables or disables picking up connections that are already established (seen mid-stream) as new entries in the session tracking table. The minimum value is 0 and the default value is 1 (enabled); to disable, set the value to 0.


TCP Loose


TCP Max Retrans


Defines the maximum number of TCP packets that can be retransmitted without receiving an acceptable ACK from the destination. The minimum value is 0 and the default value is 3.


TCP max retrans


TCP Timeout Close


Sets the default timeout value in seconds for TCP connections in the CLOSE state, to be removed from the session tracking table. The minimum value is 0 and the default is 10 seconds.


TCP timeout close


TCP Timeout Close Wait


Defines the default timeout value in seconds for TCP connections with CLOSE-WAIT status, to be removed from the session tracking table. The minimum value is 0 and the default is 30 seconds.


TCP timeout close wait


TCP Timeout Established


Sets the timeout in seconds for established TCP connections, to be removed from the session tracking table. The minimum value is 0 and the default value is 180000 seconds (equivalent to 2.08 days).


TCP timeout established


TCP Timeout FIN Wait


Sets the timeout in seconds for TCP connections with FIN-WAIT-1 and FIN-WAIT-2 status, to be removed from the session tracking table. The minimum value is 0 and the default value is 30 seconds.


Timeout TCP FIN wait


TCP Timeout Last ACK


Sets the timeout in seconds for TCP connections with LAST-ACK status, to be removed from the session tracking table. The minimum value is 0 and the default value is 30 seconds.


TCP timeout last ACK


TCP Timeout Max Retrans


Defines the timeout in seconds for TCP connections that reach the maximum number of retransmissions defined in the "TCP max retrans" option without receiving an acceptable ACK from the destination. The minimum value is 0 and the default value is 300 seconds.


TCP timeout max retrans


TCP Timeout SYN Recv


Sets the timeout in seconds for TCP connections with the SYN RECV status, to be removed from the session tracking table. The minimum value is 0 and the default value is 60 seconds.


TCP timeout SYN recv


TCP Timeout SYN Sent


Sets the timeout in seconds for TCP connections with the SYN SENT state, to be removed from the session tracking table. The minimum value is 0 and the default value is 120 seconds.


TCP timeout SYN sent


TCP Timeout Time Wait


Sets the timeout in seconds for TCP connections with TIME WAIT status, to be removed from the session tracking table. The minimum value is 0 and the default value is 60 seconds.


TCP timeout time wait


TCP Retries


Defines how many times TCP packets are retransmitted over an established connection before the route is re-evaluated; once this limit is exceeded, the network layer refreshes its route before each new retransmission. The default value is 3.


TCP retries


TCP Max Retries


Defines the maximum number of times that TCP packets will be retransmitted before interrupting this process. The default value is 15 (approximately 13 to 30 minutes).


TCP max retries


TCP SYN Retries


Determines at most how many times the initial SYNs will be retransmitted in an active TCP connection attempt. The default value is 5 (equivalent to about 180 seconds) and the maximum value is 255.


TCP SYN retries


TCP Reordering


This value defines how much reordering of packets in a TCP stream is tolerated before the protocol assumes the packets are lost and throttles the connection back to its initial (start-up) performance. The default value is 3.


WARNING: Do not change this value without being completely sure what you are doing. It acts by detecting the reordering of the packets and serves to minimize retransmissions (necessary or not) caused by the reordering of the connection packets.


TCP reordering


TCP Enhanced Retransmission Timeout (F-RTO)


F-RTO (Forward Retransmission TimeOut) is an algorithm that detects spurious (illegitimate) retransmission timeouts in the TCP and SCTP protocols (flow control) and improves recovery from them.


For more details regarding this feature, refer to RFC 4138.


TCP enhanced retransmission timeout (F-RTO)


TCP Selective Acknowledgements


This field enables or disables TCP Selective Acknowledgements (SACK). With SACK, the receiver reports to the sender exactly which segments were received successfully, so the sender retransmits only the data packets and segments that were lost, guaranteeing the integrity of the data and limiting the number of retransmissions. By default, this field is enabled.


For more details regarding this feature, see the RFC 2018.


TCP selective acknowledgements


UDP Timeout


This feature defines the maximum time a UDP connection remains in the table while idle, that is, without any traffic. Once the configured timeout is exceeded, the system removes all idle UDP connections whose timeout has expired. The minimum value is 0 and the default value is 30 seconds.


UDP timeout


UDP Timeout Stream


Sets the timeout in seconds for UDP STREAM (ASSURED) connections. The minimum value is 0 and the default value is 180 seconds.


UDP timeout stream
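As an added example (not Blockbit's code), the following Python is a toy session tracking table driven by the default timeouts listed under Timeouts and the Max Connections value above. It shows how a table filled with half-open SYN RECV entries refuses new flows until those entries age out at 60 seconds, while an established flow is kept for 180000 seconds and a UDP flow promoted to UDP STREAM keeps its 180-second timer. The flow keys, addresses and expire-on-lookup eviction are constructed assumptions.

```python
# Added example (not Blockbit's code): a toy session tracking table driven by the
# default timeouts on this page's Timeouts panel and its Max Connections value.
# Flow keys, addresses and the eviction policy (expire on lookup) are assumptions.
from typing import Dict, Tuple

# Default timeouts in seconds, exactly as documented on this page.
TIMEOUTS: Dict[str, int] = {
    "generic": 600, "icmp": 30,
    "tcp_syn_sent": 120, "tcp_syn_recv": 60, "tcp_established": 180000,
    "tcp_fin_wait": 30, "tcp_close_wait": 30, "tcp_last_ack": 30,
    "tcp_time_wait": 60, "tcp_close": 10, "tcp_max_retrans": 300,
    "udp": 30, "udp_stream": 180,
}
MAX_CONNECTIONS = 300_000  # page default for Max Connections
Flow = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto): constructed key


class SessionTable:
    def __init__(self, max_connections: int = MAX_CONNECTIONS,
                 timeouts: Dict[str, int] = TIMEOUTS) -> None:
        self.max_connections = max_connections
        self.timeouts = timeouts
        self.entries: Dict[Flow, Tuple[str, float]] = {}  # flow -> (state, expires_at)

    def expire(self, now: float) -> int:
        """Remove every entry whose timeout has elapsed; return how many were removed."""
        dead = [f for f, (_, exp) in self.entries.items() if exp <= now]
        for f in dead:
            del self.entries[f]
        return len(dead)

    def track(self, flow: Flow, state: str, now: float) -> bool:
        """Create or refresh `flow` in `state`; a new flow is refused when the table is full."""
        self.expire(now)
        if flow not in self.entries and len(self.entries) >= self.max_connections:
            return False  # Max Connections reached: the new flow is not tracked
        self.entries[flow] = (state, now + self.timeouts[state])  # refresh resets the timer
        return True


def half_open_pressure(table_size: int = 4) -> Tuple[bool, bool, int]:
    """Constructed scenario: `table_size` half-open handshakes fill a tiny table at t=0.
    Returns (new flow tracked at t=1 s, tracked at t=61 s, table size at t=61 s)."""
    table = SessionTable(max_connections=table_size)
    for i in range(table_size):
        table.track(("198.51.100.%d" % i, 40000 + i, "192.0.2.10", 443, "tcp"), "tcp_syn_recv", 0.0)
    client: Flow = ("192.0.2.50", 51000, "192.0.2.10", 443, "tcp")
    at_1s = table.track(client, "tcp_established", 1.0)    # False: SYN RECV entries still live
    at_61s = table.track(client, "tcp_established", 61.0)  # True: they aged out at 60 s
    return at_1s, at_61s, len(table.entries)
```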
