TCP Settings

The following table describes TCP settings.
TCP Setting: Urgent Data Flag

Use this option to configure whether the firewall allows the urgent pointer (URG bit flag) in the TCP header. The urgent pointer in the TCP header is used to promote a packet for immediate processing—the firewall removes it from the processing queue and expedites it through the TCP/IP stack on the host. This process is called out-of-band processing.

Because the implementation of the urgent pointer varies by host, setting this option to Clear (the default and recommended setting) eliminates any ambiguity by disallowing out-of-band processing, so that the out-of-band byte in the payload becomes part of the payload and the packet is not processed urgently. Additionally, the Clear setting ensures that the firewall sees exactly the same stream in the protocol stack as the host for which the packet is destined. To see a count of the number of segments in which the firewall cleared the URG flag when this option is set to Clear, run the following CLI command:

show counter global tcp_clear_urg

By default, this flag is set to Clear and should remain this way for the most secure deployment. This should not result in performance degradation; in the rare instance that applications, such as telnet, are using the urgent data feature, TCP may be impacted. If you set this flag to Do Not Modify, the firewall allows packets with the URG bit flag in the TCP header and enables out-of-band processing (not recommended).

TCP Setting: Drop segments without flag

Illegal TCP segments without any flags set can be used to evade content inspection. With this option enabled (the default), the firewall drops packets that have no flags set in the TCP header. To see a count of the number of segments that the firewall dropped as a result of this option, run the following CLI command:

show counter global tcp_flag_zero

This option is enabled by default and should remain this way for the most secure deployment. Enabling this option should not result in performance degradation. However, if a network stack incorrectly generates segments with no TCP flags, enabling this option may result in connectivity issues.

TCP Setting: Drop segments with null timestamp option

The TCP timestamp records when the segment was sent and allows the firewall to verify that the timestamp is valid for that session, preventing TCP sequence number wrapping. The TCP timestamp is also used to calculate round-trip time. With this option enabled, the firewall drops packets with null timestamps. To see a count of the number of segments that the firewall dropped as a result of enabling this option, run the following CLI command:

show counter global tcp_invalid_ts_option

This option is enabled by default and should remain this way for the most secure deployment. Enabling this option should not result in performance degradation. However, if a network stack incorrectly generates segments with a null TCP timestamp option value, enabling this option may result in connectivity issues.

TCP Setting: Forward segments exceeding TCP out-of-order queue

Select this option if you want the firewall to forward segments that exceed the TCP out-of-order queue limit of 64 per session. If you disable this option, the firewall drops segments that exceed the out-of-order queue limit. To see a count of the number of segments that the firewall dropped because of this limit, run the following CLI command:

show counter global tcp_exceed_flow_seg_limit

This option is disabled by default and should remain this way for the most secure deployment. Disabling this option may result in increased latency for the specific stream that received more than 64 segments out of order. There should be no loss of connectivity, because the TCP stack should handle retransmission of the missing segments.
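The three per-segment checks described above (Urgent Data Flag = Clear, Drop segments without flag, Drop segments with null timestamp option), as an added Python example that is not from this documentation or the firewall's own implementation: it parses a raw TCP header, drops segments with no flags or with a zero TSval (assumption: a zero TSval is what "null timestamp option value" means here), and clears URG plus the urgent pointer so the out-of-band byte stays in the payload. The names parse_options, inspect_tcp_segment and build_segment are hypothetical, and the sample segments are constructed.

```python
import struct

TCP_URG = 0x20                      # URG bit in the low flags byte
OPT_END, OPT_NOP, OPT_TIMESTAMP = 0, 1, 8

def parse_options(raw):
    """Return [(kind, data), ...] for the TCP options in raw; reject malformed lengths."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts

def inspect_tcp_segment(seg, urgent_data_flag="clear", drop_no_flags=True, drop_null_ts=True):
    """Return (verdict, reason, segment); reason mirrors the page's counter names."""
    if len(seg) < 20:
        return "drop", "short_header", seg
    fields = list(struct.unpack("!HHIIHHHH", seg[:20]))
    off_flags = fields[4]
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x3F        # assumption: the six classic flags URG/ACK/PSH/RST/SYN/FIN
    if data_off < 20 or data_off > len(seg):
        return "drop", "bad_data_offset", seg
    if drop_no_flags and flags == 0:            # "Drop segments without flag"
        return "drop", "tcp_flag_zero", seg
    if drop_null_ts:                            # "Drop segments with null timestamp option"
        for kind, data in parse_options(seg[20:data_off]):
            if kind == OPT_TIMESTAMP and len(data) == 8:
                if struct.unpack("!I", data[:4])[0] == 0:   # TSval of zero (assumption)
                    return "drop", "tcp_invalid_ts_option", seg
    if urgent_data_flag == "clear" and flags & TCP_URG:     # Urgent Data Flag = Clear
        fields[4] = off_flags & ~TCP_URG        # clear the URG bit
        fields[7] = 0                           # zero the urgent pointer; payload is untouched
        return "forward", "tcp_clear_urg", struct.pack("!HHIIHHHH", *fields) + seg[20:]
    return "forward", "ok", seg

def build_segment(flags, options=b"", payload=b"", urgp=0):
    options += b"\x00" * (-len(options) % 4)   # constructed sample; checksum left at zero
    data_off = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (data_off << 12) | flags, 65535, 0, urgp)
    return hdr + options + payload
```

Clearing URG rewrites the header, so a real device must also recompute the TCP checksum with the IP pseudo-header, which this example omits.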
