XSR User's Guide, page 336
Chapter 13: Configuring Security on the XSR
Firewall Limitations
Session Timeouts - Idle timeout defaults for the three firewall session
types are enforced as follows:
– TCP idle timeout sessions: 3600 seconds
– UDP and ICMP idle timeout sessions: 60 seconds
Pre-defined Services - Some pre-defined firewall services may not work
with applications that use dynamic source ports greater than 1024.
As a workaround, specify a user-defined service that covers a wider
source port range.
SNMP - SNMP is not supported for configuration, data and traps.
ACL/Firewall - Access Control Lists (ACLs) are supported for security
on a per-interface basis. An interface ACL permits or drops packets
traversing the port in a specified direction (in or out). Outbound,
packets pass firewall inspection before the ACL; inbound, packets pass
the ACL first and then the firewall. Since the order of the two checks
differs by direction, if the firewall is enabled on an interface we
recommend that ACLs not be used on that port, so that all checks are
performed in one place.
Firewall/NAT - On outgoing packets, stateful inspection is performed
before NAT, because NAT rewrites the source address of every packet to
the XSR's own address while policy rules are defined in terms of
internal and external addresses. On incoming
Table 13 Firewall Limitations

Firewall Objects   XSR 1800   XSR 1800   XSR 18/3000   XSR 3000
                   @32MB      @64MB      @128MB        @256MB
Sessions           250        10000      20000         60000
Authentications    75         150        300           1000
Gating Rules       300        5000       10000         12000
External Hosts     250        5000       5000          20000
Fragment Table     50         100        200           600
FTP Requests       20         400        600           1000
UDP Requests       20         400        600           1000
Timers             20         100        200           200
Java & ActiveX     20         100        200           200
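The processing orders stated under ACL/Firewall and Firewall/NAT above, together with the default idle timeouts, modelled as an added example. This is not XSR code or configuration, and no XSR CLI syntax is shown; the router address 203.0.113.1, the 10.0.0.0/8 internal network, the permit policy and the inbound ACL are assumptions made up for the illustration. It shows why a policy written in terms of internal addresses only matches when inspection runs before NAT, that a packet an inbound ACL drops never creates a firewall session, and that a UDP session idles out long before a TCP one.

```python
"""Added example, not code from the XSR User's Guide or from Enterasys.

A small model of the two processing orders documented above (inbound: ACL
then firewall; outbound: stateful inspection then NAT) and of the default
idle timeouts, so their consequences can be checked rather than just read.
The router address, internal network, ACL and policy below are constructed
for illustration and are not XSR configuration.
"""
from dataclasses import dataclass
import ipaddress

# Default idle timeouts from the page, in seconds.
IDLE_TIMEOUT = {"tcp": 3600, "udp": 60, "icmp": 60}

ROUTER_ADDR = "203.0.113.1"                    # assumed XSR external address
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal network


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def nat_outbound(pkt: Packet) -> Packet:
    """NAT rewrites the source address of every outgoing packet to the XSR's."""
    return Packet(pkt.proto, ROUTER_ADDR, pkt.dst, pkt.sport, pkt.dport)


def policy_allows(pkt: Packet) -> bool:
    """Assumed firewall policy, written in terms of internal addresses as the
    page says policy rules are: internal hosts may open HTTP and DNS only."""
    inside = ipaddress.ip_address(pkt.src) in INTERNAL
    return inside and (pkt.proto, pkt.dport) in {("tcp", 80), ("udp", 53)}


def acl_in_denies(pkt: Packet) -> bool:
    """Assumed inbound interface ACL: drop telnet."""
    return pkt.proto == "tcp" and pkt.dport == 23


class Firewall:
    """Stateful inspector: a session table keyed by 5-tuple with last-seen times."""

    def __init__(self) -> None:
        self.sessions: dict = {}

    @staticmethod
    def key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def expire(self, now: int) -> None:
        """Drop sessions idle for longer than their protocol's timeout."""
        for k, last in list(self.sessions.items()):
            if now - last > IDLE_TIMEOUT[k[0]]:
                del self.sessions[k]

    def inspect(self, pkt: Packet, now: int) -> bool:
        """Permit packets belonging to a live session or allowed by policy."""
        self.expire(now)
        k = self.key(pkt)
        if k in self.sessions or policy_allows(pkt):
            self.sessions[k] = now
            return True
        return False

    def active(self, now: int) -> int:
        """Number of sessions still alive at time `now`."""
        self.expire(now)
        return len(self.sessions)


def outbound(fw: Firewall, pkt: Packet, now: int):
    """Documented outbound order: stateful inspection first, then NAT.
    Returns the translated packet, or None if the firewall dropped it."""
    if not fw.inspect(pkt, now):
        return None
    return nat_outbound(pkt)


def outbound_nat_first(fw: Firewall, pkt: Packet, now: int):
    """The order the page rules out: NAT first, so the policy sees the XSR's
    own address instead of the internal host and never matches."""
    natted = nat_outbound(pkt)
    return natted if fw.inspect(natted, now) else None


def inbound(fw: Firewall, pkt: Packet, now: int) -> str:
    """Documented inbound order: interface ACL first, then the firewall.
    A packet the ACL drops never reaches the firewall, so no session is made."""
    if acl_in_denies(pkt):
        return "dropped-by-acl"
    return "permitted" if fw.inspect(pkt, now) else "dropped-by-firewall"


if __name__ == "__main__":
    fw = Firewall()
    http = Packet("tcp", "10.1.2.3", "198.51.100.7", 40000, 80)
    dns = Packet("udp", "10.1.2.3", "198.51.100.7", 40001, 53)
    print(outbound(fw, http, 0))                   # source rewritten to the XSR
    print(outbound_nat_first(Firewall(), http, 0))  # None: policy never matches
    outbound(fw, dns, 0)
    print(fw.active(61), fw.active(3601))          # UDP gone at 61 s, TCP at 3601 s
    print(inbound(fw, Packet("tcp", "198.51.100.7", "10.1.2.3", 5555, 23), 0))
```

The `outbound_nat_first` path is the one to avoid when writing policy for any stateful device placed beside NAT: the rule set must be expressed for the addresses the inspector actually sees at its position in the pipeline.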