Configure a TCP Template

You are here:

Configure a TCP Template

Perform the following actions to configure a TCP template:

Go to Configuration > Zone Templates > TCP.
Click Create and enter the following information:

Table 85 : TCP Template Fields

Field

Purpose

Name

Enter a name for the template.

NOTE:

If you try recreating a deleted template that is associated to a few zones, an Associated Zones link appears next to the Name field. This Associated Zones link displays the zones with which the template is associated.

Session Age

Enter the maximum amount of time a TCP session can remain idle. Time should be either in minutes or seconds.

Age Out Server Reset

Select Age Out Server Reset to send TCP reset request to server if aging time has passed.

Half Open Timeout

Enter the maximum time in seconds for a TCP 3-way handshake to complete.

Half Open Timeout Server Reset

Select Half Open Timeout Server Reset to send TCP reset request to server if TCP half-open session times out.

Allow TCP Fast Open

Select Enabled to speed up the opening of the TCP connections between the two end points.

Concurrent Connection

Select Enabled to enable the concurrent connection support on multiple protocol ports. The rule allows subsequent requests to other ports. However, if the entry to other ports is not allowed, this option enables the source to send a request to that port.

For example, enabling concurrent connection is required for passive FTP to work, if Drop On No Port Match option is enabled at the Layer 4 TCP level in the destination rule for the FTP server.

NOTE:

The concurrent command allows traffic to any port. Use this command only if you require to support the legitimate traffic.

SYN Cookie

Select Enabled for a strict TCP authentication. SYN cookies are used to challenge the sender of every TCP-SYN, even if the sender has already passed the authentication.

SYN Authentication is disabled if you select this option.

Connection SYN Only

Select Enabled to create a connection on SYN only.

SYN Authentication

Configure SYN Authentication to enable TCP authentication for senders of TCP SYNs.

Type—Select the appropriate authentication process used for SYN Authentication.
Fail Action—Select the appropriate action to be performed when the authentication fails.

Fail Action List—Select the appropriate action list to be applied when the authentication fails. If Action List is selected, only then the Fail Action List drop-down is displayed.

Type—Select the appropriate authentication process used for SYN Authentication.
Fail Action—Select the appropriate action to be performed when the authentication fails.

Pass Action List—Select appropriate action list to be applied when the authentication passes. If Action List is selected, the Pass Action List drop-down is displayed.

SYN-ACK Reset

Select the check box to send reset when SYN-ACK is received.

Connection Rate Limit on SYN Only

Select the check box to specify whether the connection rate limit is applicable only for SYN.

Allow SYN Other Flags

Select the check box to treat TCP SYN+PSH as a normal TCP SYN. This option is only supported on TCP ports.

Out of Sequence Packets

Enter the maximum number of TCP sequence errors allowed for a client session. If this limit is exceeded, the client is added to the Black List.

Retransmit Packets

Enter the maximum number of retransmitted TCP packets (segments) allowed for a client session. If this limit is exceeded, the client is added to the Black List.

Zero Window Packets

Enter the maximum number of TCP packets with receive window size 0 allowed for a client session. The client’s receive window is the maximum amount of data the client is willing to accept per TCP packet from the server.

Action—Select the appropriate action to be performed when the zero window packets exceed the configured threshold.
Action List—Select the appropriate action list to be applied when the zero window packets exceed the configured threshold.

If Action List is selected, only then the Action List drop-down is displayed.

Known Response Source Port

Select the check box to enable any well-known source port number to take an action on traffic.

Action—Select the appropriate action to be performed on the matching traffic.
Action List—Select the appropriate action list to be applied on the matching traffic. If Action List is selected, only then the Action List drop-down is displayed.

To perform Exclude identical source and destination port pair function, select the check box.

Per Connection Packet Rate Limit

Enter the maximum number of packets allowed for an individual connection (source-destination flow) per interval.

Action—Select the appropriate action to be performed when the rate limit exceeds the configured threshold.

Action List—Select the appropriate action list to be applied when the rate limit exceeds the configured threshold. If Action List is selected, only then the Action List drop-down is displayed.

Per Connection Rate Interval

The interval can be 100 milliseconds (ms) or 1 second (set by the Per Connection Rate Interval option), and is independent of the globally set DDoS Mitigation interval. Select one of the following options:

100ms
10 seconds
1 second

The default is 1 second.

Select the interval for per-connection packet-rate limiting. The interval set by this option only applies to the rate limiting set by the Per Connection Packet Rate Limit.

Per Connection Out of Sequence Rate Limit

Enter the maximum number of TCP sequence errors allowed for a client session.

See Action and Action List fields to enter the appropriate information.

Per Connection Retransmit Rate Limit

Specifies the maximum number of retransmitted TCP packets (segments) allowed for a client session.

See Action and Action List fields to enter the appropriate information.

Per Conn Zero Window Rate Limit

Specifies the maximum number of TCP packets with receive window size 0 allowed for a client session. The client’s receive window is the maximum amount of data the client is willing to accept per TCP packet from the server. If this limit is exceeded, the client is added to the Black List.

See Action and Action List fields to enter the appropriate information.

ACK Authentication

Select the check box to authenticate TCP ACK for which ACOS has no session-table entry. This option enables TCP authentication for client-to-server streams that are redirected to the Thunder TPS device after the 3-way handshake has occurred. When this option is enabled, ACOS drops the first ACK from a client and waits for the client to retransmit the same ACK. If enabled, this feature has the following defaults:

If the client replies with a valid ACK after a specified minimum retry gap interval and within the specified timeout period, ACOS marks the client as authenticated.
If the client does not reply within the timeout period, or sends an invalid reply, ACOS drops the packet.

Retransmit Check—Select the check box to allow a retransmit check applying a minimum delay and ACK retransmit timeout period configuration.
If Retransmit Check is selected for ACK Authentication, following options are displayed:

Minimum Delay—Enter the minimum interval required between the time ACOS drops the first ACK and the time ACOS receives a retry (another copy of the same ACK from the same sender). If a retry is received before the minimum amount of time has passed, ACOS will drop the retry packet and reset the gap timer. The supported value (Type) is 1 to 80 (100 ms) [Example 100ms to 8000ms (8 seconds)].
ACK Retransmit Timeout—Enter the maximum number of seconds ACOS waits for a valid ACK in reply.
RTO Authentication—Select the check box to enable the RTO authentication.
Once Per Source—Select the check box to authenticate TCP ACK only once per source entry.

See Configure a TCP Template, Configure a TCP Template, Configure a TCP Template and Configure a TCP Template fields to enter the appropriate information.

Allow SYN-ACK Skip Authentication

Select the check box to allow to create sessions on SYN-ACK without syn-auth and ack-auth (asymmetric Mode only).

SYN-ACK Rate Limit—Specify the maximum number of SYN-ACK.
Track together with syn—Select the check box to count the SYN-ACK in destination syn rate limit.

Action on ACK RTO retry count

Configure to take an action if ack-auth RTO-authentication fail over retry time. The default is 5.

Action on SYN RTO retry count

Configure to take an action if syn-auth RTO-authentication fail over retry time. The default is 5.

Source SYN Rate Limit

Select the check box to configure source SYN rate limiting.

Rate—Specify the maximum number of source SYN rate.
Action—Select the appropriate action to be performed.

Destination SYN Rate Limit

Specify the check box to configure destination SYN rate limiting.

Rate—Specify the maximum number of destination SYN rate.
Action—Select the appropriate action to be performed.

In the Filter field, content of TCP payload is filtered and specified action is applied to the matching (on non-matching) traffic. The traffic is filtered using regular expressions. Each TCP template can contain up to five filters. Configure the following parameters and click the Plus (+) sign to include:

Table 86 : Filter Fields for TCP Payload

Column Heading	Description
Name	Enter the name for the filter.
Sequence Number	Enter the sequence number for the filter.
Regex	Enter the filter string to match. A regular expression can be a string of up to 1275 characters in length. The ACOS device uses PCRE-compatible regular expressions.
Inverse Match	Select the check box to apply an inverse match for the Regex value.
Byte-offset Filter	Enter a byte-offset and a few bytes to compare. This value is compared to the value at that byte position.
Action	See Action and Action List fields to enter the appropriate information.
Create	Click Create to save the filter.

Click Submit to save the configuration.