Engine Editor > Advanced Settings > Traffic Handling

Use this branch to change advanced parameters that control how the Secure SD-WAN Engine handles traffic.

Option Definition
Layer 3 Connection Tracking Mode

(Engines only)

Connection Tracking Mode

(IPS engines and Layer 2 Engines only)

When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.

You can override this Secure SD-WAN Engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

  • Normal — The Secure SD-WAN Engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The Secure SD-WAN Engine checks the traffic direction and the port parameters of UDP traffic.
  • Strict — The Secure SD-WAN Engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
  • Loose — The Secure SD-WAN Engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the Secure SD-WAN Engine to receive non-standard traffic patterns.
On Engines and Layer 2 Engines, Normal is the default setting. On IPS engines, Loose is the default setting.
Virtual Defragmenting

(Not Virtual Engines)

(Not editable on IPS engines)

When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the Secure SD-WAN Engine.

When the Secure SD-WAN Engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented.

Strict TCP Mode for Deep Inspection

(Not Virtual Engines)

This option is included for backward compatibility with legacy software versions.
Concurrent Connection Limit

(Not Virtual Engines)

A global limit for the number of open connections. When the set number of connections is reached, the Secure SD-WAN Engine stops the next connection attempts until a previously open connection is closed.
Inspection CPU Balancing Mode

(Not Virtual Engines)

Specifies how inspected connections are allocated between the CPUs. Select from the following options:
  • Default — The connection is allocated to the CPU that received the first packet of the connection. If the utilization on the CPU is high, a different CPU is dynamically selected. Incoming and outgoing packets might be handled by different CPUs.
  • Round Robin — Connections are allocated evenly between all CPUs in order. This option can improve CPU balancing when there are a large number of CPUs.
  • NUMA local Round Robin — Connections are balanced within the CPU that received the first packet of the connection. Incoming and outgoing packets are handled by the same CPU.
Active Wait Time Between Inspected Packets

(Not Virtual Engines)

Defines how long the inspection process stays active waiting for packets after it has inspected a packet.
  • Short — The inspection process stays active for the minimum amount of time. This setting provides the best CPU performance, but can increase latency in inspection. This is the default setting.
  • Medium — The inspection process stays longer for a moderate amount of time. This setting provides a balance between CPU performance and latency in inspection.
  • Long — The inspection process stays active for the maximum amount of time. This setting provides the lowest latency in inspection, but decreases CPU performance.
Default Connection Termination in Access Policy

(IPS engines and Layer 2 Engines only)

Defines how connections that match Access rules with the Discard action are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Default Connection Termination in Inspection Policy Defines how connections that match rules with the Terminate action in the Inspection Policy are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Action When TCP Connection Does Not Start With a SYN Packet

(Not Master Engines)

The Secure SD-WAN Engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection matches an Access rule with the Allow action. The Secure SD-WAN Engine does not send a TCP reset if the TCP connection begins with a TCP reset packet.
  • Discard Silently — The connection is silently dropped.
  • Refuse With TCP Reset — The connection is refused, and a TCP reset packet is returned.