TCP Service - Advanced
What can I do here?
Use this window to configure advanced options for the TCP service.
Getting Here - Object Explorer > New > Service > TCP > Advanced
TCP - Advanced Options
Advanced - sets the advanced options for this service.
- Source Port - Enter a port number for the client side of the connection. If specified, only connections of this service whose source port matches are Accepted, Dropped or Rejected by the rules that use the service; otherwise the source port is not inspected.
- Protocol Signature - A unique signature created by Check Point for each protocol and stored on the gateway. The signature identifies the protocol as genuine. Select this option to limit the port to the specified protocol, so that traffic on the port is matched as this service only when it actually carries that protocol.
- Enable for TCP resource - If checked, this service can be used with a TCP Resource.
- Match for Any - Determines whether this service object is the one used when the rule's Service cell is Any and several service objects share the same port and protocol. When a connection's protocol and port match more than one service object under such a rule, the object with Match for Any selected is used, and its properties (for example the timeout and synchronization settings on this page) are applied to the connection.
- Keep connections open after policy has been installed even if they are not allowed under the new policy - Overrides the setting on the Connection Persistence page for this service. Changing this property does not affect connections that are already open; it applies only to connections established afterwards.
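How a rule whose Service cell is Any picks one of several objects that share a port and protocol, as an added example in Python (not Check Point code and not part of this page). The ServiceTCP model, the constructed sample objects, and the tie-break rules for "no object flagged" and "several objects flagged" are assumptions of the example; the page only states that the flagged object wins.

```python
"""Simulation of Match for Any: which TCP service object supplies the
connection's properties when the rule says Any and several objects share
the same port and protocol. Added example, not Check Point code; the model
and the tie-break rules below are assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ServiceTCP:
    name: str
    port: int                          # port the service object is defined on
    protocol: str = "TCP"
    source_port: Optional[int] = None  # None: source port is not inspected
    match_for_any: bool = False


def candidates(services: List[ServiceTCP], protocol: str, dport: int, sport: int):
    """Objects whose port and protocol match the packet. The source port is
    compared only when the object specifies one (page: otherwise the source
    port is not inspected)."""
    return [
        s for s in services
        if s.protocol == protocol
        and s.port == dport
        and (s.source_port is None or s.source_port == sport)
    ]


def resolve_for_any(services: List[ServiceTCP], protocol: str, dport: int, sport: int):
    """Return the object whose properties apply under a rule with Service = Any,
    or None if nothing matches. One match is used as-is; among several, the
    object with Match for Any wins. Assumptions: with none flagged the first
    defined object is used, and two flagged objects are a configuration error."""
    found = candidates(services, protocol, dport, sport)
    if not found:
        return None
    if len(found) == 1:
        return found[0]
    flagged = [s for s in found if s.match_for_any]
    if len(flagged) > 1:
        raise ValueError("ambiguous: several objects on the same port have Match for Any: "
                         + ", ".join(s.name for s in flagged))
    return flagged[0] if flagged else found[0]


# Constructed sample objects: three objects on TCP/80, only one flagged.
SAMPLE = [
    ServiceTCP("http_from_8080_clients", 80, source_port=8080),
    ServiceTCP("http", 80, match_for_any=True),
    ServiceTCP("http_alt", 80),
    ServiceTCP("ssh", 22),
]


if __name__ == "__main__":
    hit = resolve_for_any(SAMPLE, "TCP", 80, 51000)
    print(hit.name)   # http: the flagged object wins over http_alt
```

The same resolution applies to the properties on this page: the timeout, aggressive aging and cluster synchronization settings of the winning object are the ones the connection gets, which is why exactly one of several objects on a shared port should carry Match for Any.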
Virtual session timeout - Time (in seconds) of inactivity after which a session of this service times out and is removed from the Connections table. Select one of the following options:
- Default - Use the default value defined on the Stateful Inspection page in the Global Properties window.
- Specific - Manually define a timeout period specifically for this service.
Aggressive aging
- Enable Aggressive Aging - Manages the capacity of the Connections table and the memory consumption of the Security Gateway: when the table or memory approaches its limit, idle connections of this service are aged out with a shorter timeout, so that the gateway stays stable under a connection flood.
Cluster and Synchronization
- Synchronize connections on cluster - Enables state synchronization of this service's connections for High Availability or Load Sharing on a ClusterXL or OPSEC-certified cluster.
Of the services allowed by the Rule Base, only those with Synchronize connections on cluster selected are synchronized as their connections pass through the cluster; connections of a service that is not synchronized cannot be expected to survive a failover. By default, all new and existing services are synchronized.
- Start Synchronizing X seconds after connection initiation - For TCP services whose Protocol Type is HTTP or None, enable this option to delay synchronization, so that a connection is synchronized to the other cluster members only if it still exists X seconds after it was initiated. Delayed synchronization is disabled when Log or Account tracking is enabled for the connection.
Some TCP services (HTTP, for example) consist of connections with a very short duration. There is no point in synchronizing these connections: every synchronized connection consumes gateway resources, and such a connection is likely to have finished by the time a failover occurs.
This capability is only available if a SecureXL-enabled device is installed on the Security Gateway through which the connection passes, and the setting is ignored if connection templates are not off-loaded from the SecureXL-enabled device. See the Performance Pack documentation for additional information.
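The options on this page expressed as an add-service-tcp request body for the Check Point Management API, as an added example that is neither Check Point's own tooling nor code from this page. The parameter names follow the published Management API reference for R80.x and later as I know it, which is an assumption to check against your release; the delayed-synchronization timer is deliberately left out because this example does not assume an API field for it. The input checks (a specific timeout must be positive, a port must be a valid port or low-high range) are the example's own.

```python
"""Build the JSON body for the Management API call add-service-tcp with the
advanced options described on this page. Added example, not Check Point's
tooling. Assumption: parameter names as in the Management API reference."""
import json
from typing import Optional


def _check_port_spec(spec: str, label: str) -> str:
    """Accept '5669' or '1024-65535' (low-high). The API takes ports as
    strings; the range syntax accepted here is an assumption of this example."""
    lo, _, hi = spec.partition("-")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit()) or not (1 <= int(lo) <= int(hi) <= 65535):
        raise ValueError(f"{label}: expected a port or low-high range within 1-65535, got {spec!r}")
    return spec


def build_service_tcp(name: str, port: str, *,
                      source_port: Optional[str] = None,
                      match_by_protocol_signature: bool = False,
                      match_for_any: bool = False,
                      keep_open_after_install: bool = False,
                      session_timeout: Optional[int] = None,
                      aggressive_aging: bool = True,
                      aggressive_aging_timeout: Optional[int] = None,
                      sync_on_cluster: bool = True) -> dict:
    """Return the request body. A timeout of None means 'Default' (the value
    from Global Properties); an integer means 'Specific'. source_port of None
    means the source port is not inspected."""
    for label, value in (("session_timeout", session_timeout),
                         ("aggressive_aging_timeout", aggressive_aging_timeout)):
        if value is not None and value <= 0:
            raise ValueError(f"{label}: a specific timeout must be a positive number of seconds")

    body = {
        "name": name,
        "port": _check_port_spec(port, "port"),
        "match-by-protocol-signature": match_by_protocol_signature,
        "match-for-any": match_for_any,
        "keep-connections-open-after-policy-installation": keep_open_after_install,
        "sync-connections-on-cluster": sync_on_cluster,
        "use-default-session-timeout": session_timeout is None,
        "aggressive-aging": {
            "enable": aggressive_aging,
            "use-default-timeout": aggressive_aging_timeout is None,
        },
    }
    if source_port is not None:
        body["source-port"] = _check_port_spec(source_port, "source_port")
    if session_timeout is not None:
        body["session-timeout"] = session_timeout
    if aggressive_aging_timeout is not None:
        body["aggressive-aging"]["timeout"] = aggressive_aging_timeout
    return body


def to_json(body: dict) -> str:
    """Serialise for a POST to https://<mgmt-server>/web_api/add-service-tcp
    (the hostname is a placeholder; the session header is out of scope here)."""
    return json.dumps(body, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed example: a custom application port, client ports restricted
    # to the ephemeral range, specific timeouts, not synchronized on the cluster.
    print(to_json(build_service_tcp(
        "tcp_5669_app", "5669", source_port="1024-65535", match_for_any=True,
        session_timeout=600, aggressive_aging_timeout=360, sync_on_cluster=False)))
```

The body can be sent with any HTTPS client after a login call, or the same keys can be passed to mgmt_cli as command-line arguments (nested keys in dotted form, for example aggressive-aging.timeout). Keeping the checks in one builder means a service with a zero timeout or an out-of-range port is rejected before it ever reaches the management server.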