TCP Settings

The following table describes TCP settings.

TCP Settings	Description
Forward segments exceeding TCP out-of-order queue	Select this option if you want the firewall to forward segments that exceed the TCP out-of-order queue limit of 64 per session. If you disable this option, the firewall drops segments that exceed the out-of-order queue limit. To see a count of the number of segments that the firewall dropped as a result of enabling this option, run the following CLI command: show counter global tcp_exceed_flow_seg_limit This option is disabled by default and should remain this way for the most secure deployment. Disabling this option may result in increased latency for the specific stream that received over 64 segments out of order. There should be no loss of connectivity because the TCP stack should handle missing segments retransmission.
Drop segments with null timestamp option	The TCP timestamp records when the segment was sent and allows the firewall to verify that the timestamp is valid for that session, preventing TCP sequence number wrapping. The TCP timestamp is also used to calculate round trip time. With this option enabled, the firewall drops packets with null timestamps. To see a count of the number of segments that the firewall dropped as a result of enabling this option, run the following CLI command: show counter global tcp_invalid_ts_option This option is enabled by default and should remain this way for the most secure deployment. Enabling this option should not result in performance degradation. However, if a network stack incorrectly generates segments with a null TCP timestamp option value, enabling this option may result in connectivity issues.
Urgent Data Flag	Use this option to configure whether the firewall allows the urgent pointer (URG bit flag) in the TCP header. The urgent pointer in the TCP header is used to promote a packet for immediate processing—the firewall removes it from the processing queue and expedites it through the TCP/IP stack on the host. This process is called out-of-band processing. Because the implementation of the urgent pointer varies by host, setting this option to Clear (the default and recommended setting) eliminates any ambiguity by disallowing out-of-band processing so that the out-of-band byte in the payload becomes part of the payload and the packet is not processed urgently. Additionally, the Clear setting ensures that the firewall sees the exact stream in the protocol stack as the host for whom the packet is destined. To see a count of the number of segments in which the firewall cleared the URG flag when this option is set to Clear , run the following CLI command: show counter global tcp_clear_urg By default, this flag is set to Clear and should remain this way for the most secure deployment. This should not result in performance degradation; in the rare instance that applications, such as telnet, are using the urgent data feature, TCP may be impacted. If you set this flag to Do Not Modify , the firewall allows packets with the URG bit flag in the TCP header and enables out-of-band processing (`not recommended`).
Drop segments without flag	Illegal TCP segments without any flags set can be used to evade content inspection. With this option enabled (the default) the firewall drops packets that have no flags set in the TCP header. To see a count of the number of segments that the firewall dropped as a result of this option, run the following CLI command: show counter global tcp_flag_zero This option is enabled by default and should remain this way for the most secure deployment. Enabling this option should not result in performance degradation. However, if a network stack incorrectly generates segments with no TCP flags, enabling this option may result in connectivity issues.