Options: Difference between revisions

From Edge Threat Management Wiki - Arista
Line 12: Line 12:
* Enable STP (Spanning Tree) on Bridges
* Enable STP (Spanning Tree) on Bridges
** This enables STP (Spanning Tree Protocol) on bridges which is a protocol used to help detect loops and avoid packet storms in this case. Given that a bridge loop is fatal configuration, this option is off by default so the fatal configuration will fail quickly. It is NOT suggested to rely on STP to stop bridge loops.
** This enables STP (Spanning Tree Protocol) on bridges which is a protocol used to help detect loops and avoid packet storms in this case. Given that a bridge loop is fatal configuration, this option is off by default so the fatal configuration will fail quickly. It is NOT suggested to rely on STP to stop bridge loops.
* Strict ARP Mode
** If enabled ARP replies will only go out to for network requests where the request source matches the expected configuration. This helps avoid ARP flux with complicated networks. Strict mode means arp_ignore = 1, arp_announce = 2. Loose mode means arp_ignore = 0, arp_announce = 0. More documentation about arp_ignore and arp_announce can be found [https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt here]
* DHCP Authoritative
* DHCP Authoritative
** If enabled, all DHCP serving is authoritative. Default is on. DHCP Authoritative is documented [http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html here].
** If enabled, all DHCP serving is authoritative. Default is on. DHCP Authoritative is documented [http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html here].
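Review bot: In the added Strict ARP Mode description, "will only go out to for network requests" has a stray word and should read something like "will only go out for network requests". The entry also omits the default state, which the neighbouring STP and DHCP Authoritative entries give, and the sentence ending in the kernel.org link lacks its closing period.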

Latest revision as of 01:35, 25 March 2018

Options

Options contains some global networking options.

  • Enable SIP NAT Helper
    • This enables the kernel SIP NAT fixup. Most SIP solutions handle NAT on their own, but sometimes the NAT device needs to rewrite addresses inside SIP. Enabling this allows bypassed SIP sessions to be rewritten in the kernel. Default is off.
  • Send ICMP Redirects
    • ICMP Redirects are used to alert machines if a shorter route is available. Default is on.
  • Enable STP (Spanning Tree) on Bridges
    • This enables STP (Spanning Tree Protocol) on bridges, a protocol used to help detect loops and avoid packet storms. Given that a bridge loop is a fatal configuration, this option is off by default so that the fatal configuration will fail quickly. It is NOT suggested to rely on STP to stop bridge loops.
  • Strict ARP Mode
    • If enabled, ARP replies will only go out for network requests where the request source matches the expected configuration. This helps avoid ARP flux in complicated networks. Strict mode means arp_ignore = 1, arp_announce = 2. Loose mode means arp_ignore = 0, arp_announce = 0. More documentation about arp_ignore and arp_announce can be found here (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt).
  • DHCP Authoritative
    • If enabled, all DHCP serving is authoritative. Default is on. DHCP Authoritative is documented here (http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html).
  • Block new sessions during network configuration
    • If enabled, all sessions will be blocked (dropped) when changes to the network settings are applied. This provides increased security for router mode deployments and is not recommended for bridged mode deployments. The default setting is disabled.
  • Log bypassed sessions
    • If enabled, bypassed sessions will be logged to the sessions table.
  • Log outbound local sessions
    • If enabled, bypassed sessions created by the Untangle server itself will be logged to the sessions table.
  • Log inbound local sessions
    • If enabled, bypassed sessions to the Untangle server itself will be logged to the sessions table.
  • Log blocked sessions
    • If enabled, all sessions blocked by filter rules or NAT or the shield will be logged to the sessions table.
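
To check which ARP mode an interface is actually running under the Strict ARP Mode definitions above, the following added example (not part of the wiki or the product) compares the kernel's arp_ignore and arp_announce values against the strict (1, 2) and loose (0, 0) pairs. It assumes the standard Linux location /proc/sys/net/ipv4/conf; the function names are hypothetical. The kernel uses the higher of the conf/all and per-interface values, so the check does the same.

```shell
#!/bin/sh
# Added example: classify each interface's effective ARP mode using the
# values this page gives (strict: arp_ignore=1, arp_announce=2; loose: 0/0).
# Assumption: sysctls are exposed under /proc/sys/net/ipv4/conf.
# Usage on a live system: source this file, then run `audit_arp`.

# read_val FILE -> prints the integer in FILE, or 0 if missing or malformed
read_val() {
    v=$(cat "$1" 2>/dev/null) || v=0
    case "$v" in ''|*[!0-9]*) v=0 ;; esac
    printf '%s\n' "$v"
}

# max A B -> prints the larger of two integers
max() { if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi; }

# arp_mode CONF_DIR IFACE -> "strict", "loose" or "custom(ignore=N,announce=M)"
# The effective value is max(conf/all, conf/IFACE) for both settings.
arp_mode() {
    conf=$1; ifc=$2
    ign=$(max "$(read_val "$conf/all/arp_ignore")" "$(read_val "$conf/$ifc/arp_ignore")")
    ann=$(max "$(read_val "$conf/all/arp_announce")" "$(read_val "$conf/$ifc/arp_announce")")
    if [ "$ign" -eq 1 ] && [ "$ann" -eq 2 ]; then
        echo strict
    elif [ "$ign" -eq 0 ] && [ "$ann" -eq 0 ]; then
        echo loose
    else
        # Neither of the two pairs this page defines: report the raw values
        echo "custom(ignore=$ign,announce=$ann)"
    fi
}

# audit_arp [CONF_DIR] -> one "iface mode" line per interface
audit_arp() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    for d in "$conf"/*/; do
        [ -d "$d" ] || continue
        ifc=$(basename "$d")
        # "all" and "default" are templates, not real interfaces
        case "$ifc" in all|default) continue ;; esac
        printf '%s %s\n' "$ifc" "$(arp_mode "$conf" "$ifc")"
    done
}
```

An interface reported as custom has been changed outside this setting, for example by a manual sysctl override.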