Print Download Documentation Send Feedback

Previous

Next

TCP, UDP, and SCTP Services - General

What can I do here?

Use this window to define general properties for TCP, UDP, and SCTP services.

Getting Here

Getting Here - Object Explorer > New > Service > TCP/UDP/SCTP > General

Understanding TCP, UDP, and SCTP Resources

Use a TCP Resource to perform CVP or UFP content security on any TCP Service, using a third party OPSEC compliant application.

The TCP resource turns on genericid, a generic daemon (security server) that receives data packets and sends them to a CVP or UFP server, as defined by the TCP Resource.

The TCP Resource is triggered when a Rule includes the TCP Resource, and a connection is encountered that matches the Source and Destination of the Rule, and also matches the TCP service that is associated with the TCP resource. If there is a match, then the action specified in the rule is applied.

To create a Rule with a TCP Resource, the TCP Resource must be associated with a particular TCP service. Only TCP services where Enable for TCP resource is checked can be associated with a TCP resource.

Match for 'Any' and Source Port

When installing a policy that contains services that have source ports (specified in the Advanced window) that require the Match for 'Any' option to be selected, a warning appears. The policy will be installed with a warning (for each such service), since Match for 'Any' is not supported for services that contain source port specification.

TCP, UDP, and SCTP General Options

Understanding SCTP

Stream Control Transmission Protocol (SCTP) is a message-based, multi-streaming transport layer protocol commonly used in telephony applications.

Configuring SCTP Inspection

When a Carrier license is installed, you can specify SCTP services in your Firewall rules. SCTP Inspection occurs in these cases:

To activate SCTP Inspection:

  1. Open SmartConsole > Menu > Object Explorer > New > Service > SCTP.

    The SCTP Properties window opens.

    On the General page:

    • Name - The name of the service. The name assigned here must be the same as the server service name (as in the services file). If NIS is used, the firewall automatically retrieves the information from NIS.
    • Port - The number of the port that matches this service.
  2. Click Advanced.
    • Source Port - Port number for the client side service. If specified, only those Source port Numbers will be Accepted, Dropped, or Rejected during packet inspection. Otherwise, the source port is not inspected.
    • Keep connections open after policy has been installed - If the connections are not allowed in the new policy, they are still kept. This overrides the settings in the Connection Persistence page. If you change this property, the change does not have effect on open connections, but only future connections.
    • Virtual session timeout - set the virtual session timeout or keep the default value (in seconds)
    • Enable Aggressive Aging - Sets short (aggressive) timeouts for idle connections. When a connection is idle for more than its aggressive timeout value, it is marked as eligible for deletion. When memory consumption or connections table capacity exceeds a user-defined threshold (high watermark), aggressive aging starts. Each incoming connection starts to delete k (10 by default) connections that are eligible for deletion. This continues until memory consumption or connections capacity decreases below the low value.
    • Synchronize connection on cluster - Enables state-synchronized High Availability or Load Sharing on a ClusterXL or OPSEC-certified cluster. Of the services allowed by the Rule Base, only those with Synchronize connections on cluster selected are synchronized as they go through the cluster. By default, all new and existing services are synchronized.
  3. Click OK.
  4. Open Global properties > Stateful Inspection.

    Configure these Stateful Inspection options:

Option

Meaning

SCTP start timeout

  • An SCTP connection times out if the interval between the arrival of the first packet and establishment of the connection (STCP four-way handshake) exceeds the SCTP start timeout in seconds.
  • Attribute name in GuiDBedit: sctpstarttimeout

SCTP session timeout

  • Length of time an idle connection remains in the Security Gateway connections table.
  • Attribute name in GuiDBedit: sctptimeout

SCTP end timeout

  • A SCTP connection will only terminate SCTP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet.
  • Attribute name in GuiDBedit: sctpendtimeout

Configure these options for Out of state packets:

Option

Meaning

Drop out of state SCTP packets

  • Drop SCTP packets that are not consistent with the current state of the SCTP connection.
  • Attribute name in GuiDBedit: fw_drop_out_of_state_sctp

Log on drop

  • Generates a log entry when out of state SCTP packets are dropped.
  • Attribute name in GuiDBedit: fw_log_out_of_state_sctp

To deactivate out of state packet drop in SmartConsole:

  1. Open Menu > Global properties > Stateful Inspection.
  2. Clear the Drop out of state SCTP packets option.
  3. Save and install the policy.

To deactivate packet inspection using GuiDBedit:

  1. Open GuiDBedit.
  2. Search for: fw_sctp_packet_inspection.
  3. Set the property to false.
  4. Save the database and install policy.

Configuring SCTP Acceleration

To enable SCTP acceleration:

sim feature sctp on

To disable SCTP acceleration, run: sim feature sctp off

Note: If SCTP acceleration is activated and SCTP inspection is deactivated, the Performance Pack accelerates all SCTP packet types.

Configuring SCTP NAT

SCTP NAT overrides the defined NAT policy. When this feature is not activated, SCTP connections do not use NAT.

To activate SCTP NAT:

On the Security Gateway, run: fw ctl set int fwx_enable_sctp_nat 1

To deactivate SCTP NAT: fw ctl set int fwx_enable_sctp_nat 0