TCP Settings

• Enforce strict TCP compliance with RFC 793 and RFC 1122 – This setting ensures strict compliance with several TCP timeout rules. This setting maximizes TCP security, but it might cause problems with the Window Scaling feature for Windows Vista users. This option is not selected by default.
• Enable TCP handshake enforcement – This option requires a successful three-way TCP handshake for all TCP connections. It is available only if the Enforce strict TCP compliance with RFC 793 and RFC 1122, is selected.
• Enable TCP checksum enforcement – If an invalid TCP checksum is calculated, the packet is dropped. This option is not selected by default.
• Drop TCP SYN packets with data - This option allows the system to drop TCP SYN packets with data.This option is not selected by default.
• Drop invalid TCP Urgent packets - This option allows the system to drop invalid TCP urgent packets. This option is selected by default.
• Enable TCP handshake timeout – This selection enforces the timeout period (in seconds) for a three-way TCP handshake to complete its connection. If the three-way TCP handshake does not complete in the timeout period, it is dropped. This option is selected by default.
• TCP Handshake Timeout – This is the maximum time a TCP handshake has to complete the connection. The default is 30 seconds. This option is only available if Enable TCP Handshake Timeout is selected.
• Default TCP Connection Timeout – This is the time assigned to Access Rules for TCP traffic. If a TCP session is active for a period in excess of this setting, the TCP connection is cleared by the firewall. The default value is 15 minutes, the minimum value is 1 minute, and the maximum value is 999 minutes.

Setting an excessively long connection time-out slows the reclamation of stale resources, and in extreme cases, could lead to exhaustion of the connection cache.

• Maximum Segment Lifetime – This setting determines the number of seconds that any TCP packet is valid before it expires. This setting is also used to determine the amount of time (calculated as twice the Maximum Segment Lifetime, or 2MSL) that an actively closed TCP connection remains in the TIME_WAIT state to ensure that the proper FIN / ACK exchange has occurred to cleanly close the TCP connection. The default value is 8 seconds, the minimum value is 1 second, and the maximum value is 60 seconds.

• Enable Half Open TCP Connections Threshold – This option denies new TCP connections if the threshold of TCP half‐open connections has been reached. By default, the half‐open TCP connection is not monitored, so this option is not selected by default.

• Maximum Half Open TCP Connections – This option specifies the maximum number of half‐open TCP connections. The default maximum is half the number of maximum connection caches. It is only available if the Enable Half Open TCP Connections Threshold is selected.
• Click Accept.