Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Global Firewall settings

What is the difference between the "Enforce TCP Handshake Before Allowing Data" setting and the "Enforce TCP Sequence numbers" on the global firewall settings page?

MVP
Posts: 4,227
Registered: ‎07-20-2011

Re: Global Firewall settings

Enforce TCP Handshake Before Allowing Data

Prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network as enabling this option will cause mobility to fail. You can enable this option if there are no mobile clients on the network.

Default: Disabled

Enforce TCP Sequence numbers

Enforces the TCP sequence numbers for all packets.

Default: Disabled

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: Global Firewall settings

Yes, I read the guide and command line reference. The actual explanation there for the "Enforce TCP sequence numbers" is -

"If enabled, prevents data from passing between two clients until the three-way TCP handshake has been performed"

So what I am asking is what is the operational difference between the two.

MVP
Posts: 4,227
Registered: ‎07-20-2011

Re: Global Firewall settings

This is to provide a defense mechanism against SYN flood attacks and split handshake attacks.

Enforce TCP Sequence numbers
Enforces the TCP sequence numbers for all packets.

Enforce TCP Handshake Before Allowing Data
Prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network as enabling this option will cause mobility to fail. You can enable this option if there are no mobile clients on the network.
Default: Disabled

Why are you trying to enable this option?

If you are planning to, I suggest you open a TAC case and an Aruba engineer should assist you with these settings.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
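
A generic model of the two checks discussed in this thread, added here as an illustration; it is not ArubaOS code and not from any poster. The `Tracker` class, its option names, the window size and the sample addresses are assumptions, as is the choice to let sequence enforcement learn its baseline from the first data segment of a flow whose start it did not see.

```python
# Generic model of two stateful TCP checks (assumed design, not a vendor implementation).
SYN, ACK = 0x02, 0x10
MOD = 2**32  # TCP sequence numbers wrap at 32 bits

class Tracker:
    def __init__(self, enforce_handshake=False, enforce_seq=False, window=65535):
        self.enforce_handshake = enforce_handshake
        self.enforce_seq = enforce_seq
        self.window = window
        self.flows = {}  # frozenset({a, b}) -> per-flow state

    def check(self, src, dst, flags, seq, payload_len=0):
        """Return 'allow' or a 'drop: ...' reason for one segment."""
        flow = self.flows.setdefault(
            frozenset((src, dst)), {"state": "NEW", "initiator": None, "next": {}})
        # Track the three-way handshake: SYN, SYN-ACK, ACK.
        if flags == SYN and flow["state"] == "NEW":
            flow.update(state="SYN_SEEN", initiator=src)
            flow["next"][src] = (seq + 1) % MOD
        elif flags == SYN | ACK and flow["state"] == "SYN_SEEN" and src != flow["initiator"]:
            flow["state"] = "SYNACK_SEEN"
            flow["next"][src] = (seq + 1) % MOD
        elif flags & ACK and flow["state"] == "SYNACK_SEEN" and src == flow["initiator"]:
            flow["state"] = "ESTABLISHED"
        if payload_len == 0:
            return "allow"
        # Check 1: data passes only on flows whose handshake was observed.
        if self.enforce_handshake and flow["state"] != "ESTABLISHED":
            return "drop: no handshake"
        # Check 2 (simplified): data must start at or ahead of the next
        # expected byte from this sender, and within the window.
        expected = flow["next"].get(src)
        if self.enforce_seq and expected is not None:
            if (seq - expected) % MOD >= self.window:
                return "drop: bad sequence"
        flow["next"][src] = (seq + payload_len) % MOD
        return "allow"

def scenarios(**settings):
    """Constructed traffic: a mid-stream flow, then a full handshake with data."""
    t = Tracker(**settings)
    roamed = t.check("10.0.0.5", "10.0.0.9", ACK, 7000, 100)  # handshake never seen
    t.check("10.0.0.1", "10.0.0.2", SYN, 1000)
    t.check("10.0.0.2", "10.0.0.1", SYN | ACK, 5000)
    t.check("10.0.0.1", "10.0.0.2", ACK, 1001)
    in_order = t.check("10.0.0.1", "10.0.0.2", ACK, 1001, 100)
    off_window = t.check("10.0.0.1", "10.0.0.2", ACK, 900000, 100)
    return roamed, in_order, off_window
```

In this model, handshake enforcement is the check that drops a flow arriving mid-stream (as it would after a roam to a device that never saw the SYN), while sequence enforcement is the check that drops an off-window segment on an already established flow.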
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: Global Firewall settings

In the absence of any proper documentation I'm trying to understand what the settings are for - some customers have asked about IPS configuration and what the Aruba OS can do. I don't have an answer for them as I can't find out what the settings are and how they work. Especially when two settings both have the same brief explanation.

MVP
Posts: 4,227
Registered: ‎07-20-2011

Re: Global Firewall settings

As an IDS/IPS, Aruba has the RFProtect module:

http://www.arubanetworks.com/pdf/products/DS_AOS_RFPROTECT.pdf

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: Global Firewall settings

Unfortunately that is a dead link.

MVP
Posts: 4,227
Registered: ‎07-20-2011

Re: Global Firewall settings

Please find document attached

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA