Engine Editor > General > Layer 2 Settings

Use this branch to configure settings for layer 2 physical interfaces on Single Engines, Engine Clusters, and Virtual Engines.

Option Definition
Policy for Layer 2 Interfaces

The Layer 2 Interface Policy that contains rules for traffic detected by layer 2 physical interfaces.

All layer 2 physical interfaces on the Secure SD-WAN Engine use the same Layer 2 Interface Policy. If there are no layer 2 physical interfaces, this setting is ignored.

Layer 2 Interface Settings section Defines settings for connection tracking on layer 2 physical interfaces.
Layer 2 Connection Tracking Mode

When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.

You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

  • Normal — The engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The engine checks the traffic direction and the port parameters of UDP traffic.
  • Strict — The engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
  • Loose — The engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the engine to receive non-standard traffic patterns.
Inline IPS and Capture Interface Settings section Defines advanced settings for Inline IPS Interfaces and Capture Interfaces.
Bypass Traffic on Overload

When selected, the Secure SD-WAN Engine dynamically reduces the number of inspected connections if the load is too high.

Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection.

If this option is not selected, the Secure SD-WAN Engine inspects all connections. Some connections might not get through if the engine gets overloaded.