Global Configuration

System > Global Configuration > Network Parameters

You can configure the methods and other options for IP fragment and TCP packet processing on the Global Configuration page.

Options in the Global Configuration dialog:

Option Description
Global Network Parameters Tab

Maximum Fragment Number

Specifies the maximum number of fragments allowed for each IP packet. The value range is 1 to 1024. The default value is 48. Any IP packet that contains more fragments than this number will be dropped.

Timeout

Specifies the timeout period for fragment reassembly. The value range is 1 to 30. The default value is 2. If the Hillstone device has not received all the fragments of a packet when the timeout expires, the packet will be dropped.

Long Duration Session

Enables or disables long duration sessions. If this function is enabled, specify the percentage of long duration sessions in the Percentage text box below. The default value is 10, i.e., long duration sessions account for 10% of the total sessions.

TCP MSS

Specifies an MSS value for all the TCP SYN/ACK packets. Select the Enable check box, and type the value into the Maximum MSS text box below. The value range is 64 to 65535. The default value is 1448.

TCP MSS VPN

Specifies an MSS value for the TCP SYN packets of IPSec VPN. Select the Enable check box, and type the value into the Maximum MSS text box below. The value range is 64 to 65535. The default value is 1380.

TCP Sequence Number Check

Configures whether the TCP sequence number is checked. When this function is enabled, a TCP packet whose sequence number exceeds the TCP window will be dropped.

TCP Three-way Handshaking

Configures whether the timeout of the TCP three-way handshake is checked. Select the Enable check box to enable this function, and specify a timeout value in the Timeout text box below. The value range is 1 to 1800 seconds. The default value is 20. If the three-way handshake has not been completed when the timeout expires, the connection will be dropped.

TCP SYN Packet Check

Select the Enable check box to enable this function. When it is enabled, a connection can be established only when the packet is a TCP SYN packet.

Non-IP and Non-ARP Packet

Specifies how to process packets that are neither IP nor ARP.

Working Mode Tab

Working Mode

Defense Mode - The system not only generates protocol anomaly alarms and attack behavior logs, but also blocks attackers or resets connections.

Inspecting Mode - The system only generates protocol anomaly alarms and attack behavior logs, and does not block attackers or reset connections.
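
The way Maximum Fragment Number and Timeout (Global Network Parameters tab) bound the reassembly state a device keeps per packet can be modeled as below. This is an added example, not Hillstone code: the `Reassembler` class, its method names and the flow key are hypothetical, the timeout unit is assumed to be seconds, and dropping as soon as the limit is exceeded is a simplification.

```python
# Added illustration: a simplified reassembly table, not the vendor's implementation.
from dataclasses import dataclass, field

MAX_FRAGMENTS = 48      # page default (range 1 to 1024)
REASSEMBLY_TIMEOUT = 2  # page default (range 1 to 30); seconds are an assumption

@dataclass
class _Entry:
    first_seen: float
    parts: dict = field(default_factory=dict)  # fragment offset -> payload length
    total_len: int = -1                        # -1 until the last fragment arrives

class Reassembler:
    def __init__(self, max_fragments=MAX_FRAGMENTS, timeout=REASSEMBLY_TIMEOUT):
        self.max_fragments = max_fragments
        self.timeout = timeout
        self.table = {}  # (src, dst, proto, ip_id) -> _Entry

    def expire(self, now):
        """Drop packets still incomplete when the timeout has passed; return their keys."""
        stale = [k for k, e in self.table.items() if now - e.first_seen >= self.timeout]
        for k in stale:
            del self.table[k]
        return stale

    def add(self, key, offset, length, more_fragments, now):
        """Process one fragment; return 'pending', 'complete' or 'dropped:too-many-fragments'."""
        self.expire(now)
        entry = self.table.setdefault(key, _Entry(first_seen=now))
        entry.parts[offset] = length
        if len(entry.parts) > self.max_fragments:
            del self.table[key]  # release state instead of buffering without bound
            return "dropped:too-many-fragments"
        if not more_fragments:   # MF flag clear: this fragment fixes the total length
            entry.total_len = offset + length
        if entry.total_len >= 0 and self._contiguous(entry):
            del self.table[key]
            return "complete"
        return "pending"

    @staticmethod
    def _contiguous(entry):
        pos = 0
        for off in sorted(entry.parts):
            if off != pos:       # gap or overlap: cannot be reassembled yet
                return False
            pos += entry.parts[off]
        return pos == entry.total_len
```

Together the two limits cap both the number of buffered fragments per packet and how long an incomplete packet can hold an entry in the table.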