Disabling Tcp Normalization On An Interface - Cisco 4700M Configuration Manual

Application control engine appliance security

Configuring Interface Normalization Parameters

Disabling TCP Normalization on an Interface

Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
Chapter 4
By default, TCP normalization is enabled. To disable TCP normalization on an
interface, use the no normalization command in interface configuration mode.
Disabling TCP normalization affects only Layer 4 traffic. TCP normalization is
always enabled for Layer 7 traffic.

Use this command when you encounter the following two types of asymmetric
flows, which would otherwise be blocked by the normalization checks that the
ACE performs:

• ACE only sees the client-to-server traffic. For example, for a TCP connection,
  the ACE sees the SYN from the client, but not the SYN-ACK from the server.
  In this case, apply the no normalization command to the client-side VLAN.
• ACE only sees the server-to-client traffic. For example, for a TCP connection,
  the ACE receives a SYN-ACK from the server without having received the
  SYN from the client. In this case, apply the no normalization command to
  the server-side VLAN.

Note: With TCP normalization disabled, the ACE still sets up flows for the
asymmetric traffic described above and makes entries in the connection table.

Caution: Disabling TCP normalization may expose your ACE and your data center
to potential security risks. TCP normalization helps protect the ACE and the
data center from attackers by enforcing strict security policies that are
designed to examine traffic for malformed or malicious segments.
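
The following is an added example, not part of the Cisco guide: a Python check that scans a saved running-config for VLAN interfaces where no normalization is set, so that each exception can be reviewed against the two asymmetric-flow cases above. It assumes the disabled state appears as an indented no normalization line under an interface vlan block; the sample configuration, VLAN numbers and names are constructed.

```python
import re

# Constructed sample of a saved running-config (addresses, VLAN IDs and
# ACL names are made up for illustration).
SAMPLE_CONFIG = """\
interface vlan 100
  description client-side
  ip address 192.0.2.1 255.255.255.0
  no normalization
  access-group input CLIENT_ACL
  no shutdown
interface vlan 200
  description server-side
  ip address 198.51.100.1 255.255.255.0
  no shutdown
interface vlan 300
  ip address 203.0.113.1 255.255.255.0
  no  normalization
  no shutdown
"""

IFACE_RE = re.compile(r"^interface\s+vlan\s+(\d+)$", re.IGNORECASE)
NO_NORM_RE = re.compile(r"^no\s+normalization$", re.IGNORECASE)


def audit_normalization(config_text):
    """Return {vlan_id: description} for VLAN interfaces with normalization disabled."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0] not in " \t":
            # A non-indented line opens a new top-level block (assumed layout).
            m = IFACE_RE.match(line)
            current = int(m.group(1)) if m else None
            if current is not None:
                blocks.setdefault(current, {"desc": "", "off": False})
        elif current is not None:
            if NO_NORM_RE.match(line):
                blocks[current]["off"] = True
            elif line.lower().startswith("description "):
                blocks[current]["desc"] = line[12:].strip()
    return {v: b["desc"] for v, b in sorted(blocks.items()) if b["off"]}


if __name__ == "__main__":
    for vlan, desc in audit_normalization(SAMPLE_CONFIG).items():
        print(f"vlan {vlan}: TCP normalization disabled ({desc or 'no description'})")
```

Each VLAN the check reports should correspond to a documented asymmetric path; an interface that no longer carries such a flow is a candidate for re-enabling normalization.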
Configuring TCP/IP Normalization and IP Reassembly Parameters
OL-16202-01


This manual is also suitable for:

4700 series
