Supported advanced Sidewinder Proxy settings

This table lists the most commonly used advanced settings for Sidewinder Proxies.

Note: All advanced Sidewinder Proxy settings can be configured for Firewalls. Some settings can be configured for Master NGFW Engines or for Virtual Firewalls. Settings that do not apply to the type of engine on which they are configured are ignored.
Table 1. Supported advanced Sidewinder Proxy settings

Each entry lists the property name, the supported proxy types, the accepted values, the default value, the supported engine types, and a description.

allow_client_half_close
  Supported proxy types: HTTP
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, allows clients to receive data after indicating that they will send no more.

debug_level
  Supported proxy types: HTTP, SSH, TCP, UDP
  Accepted values: 0–4
  Default value: 0
  Supported engine types: Firewall, Master NGFW Engine
  Description: If any value other than 0, enables debugging messages. Higher values produce more output. See also send_debug_to_log.

display_user_warning_ttl
  Supported proxy types: HTTP
  Accepted values: Numerical values in seconds
  Default value: 43200
  Supported engine types: Firewall
  Description: The default time an entry stays in the decryption warning page cache.

display_user_warning_dest
  Supported proxy types: HTTP
  Accepted values: 0 or 1
  Default value: 0
  Supported engine types: Firewall
  Description: If 1, the decryption warning page is displayed for each unique combination of source and destination address. If 0, the decryption warning page is displayed for each unique source address.

enable_certificate_revocation_check
  Supported proxy types: HTTP
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, the HTTP proxy validates the status of server certificates using certificate revocation lists (CRLs) or the Online Certificate Status Protocol (OCSP).

encoded_url_max
  Supported proxy types: HTTP
  Accepted values: Numerical values in kilobytes
  Default value: 100000 (100 megabytes)
  Supported engine types: Firewall, Master NGFW Engine
  Description: Maximum size of an encoded URL that can be decoded in normalization. Normalization can make up to 6 copies of a URL.

header_waiting
  Supported proxy types: HTTP
  Accepted values: 0–100
  Default value: 25
  Supported engine types: Firewall, Master NGFW Engine
  Description: Limit for the percentage of proxy sessions waiting for additional HTTP header information. If this limit is reached, half of the waiting sessions are discarded.

max_header_total_size
  Supported proxy types: HTTP
  Accepted values: Numerical values
  Default value: 65536
  Supported engine types: Firewall
  Description: Maximum size of all HTTP header data (not just individual lines).

net.inet.ip.random_id
  Supported proxy types: HTTP, SSH, TCP, UDP
  Accepted values: 0 or 1
  Default value: 0
  Supported engine types: Firewall
  Description: If 1, assigns random ip_id values to outgoing IPv4 packets. The default behavior is to assign a random initial value for each proxy instance and increment it for each outgoing packet.

net.inet.ip.ttl
  Supported proxy types: HTTP, SSH, TCP, UDP
  Accepted values: Numerical values in the number of hops
  Default value: 64
  Supported engine types: Firewall
  Description: The maximum time to live (TTL) in hops for IPv4 packets that are sent.

net.inet.tcp.always_keepalive
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, enables use of TCP keepalive probes on all connections.

net.inet.tcp.drop_synfin
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, drops TCP packets that have both SYN and FIN set.

net.inet.tcp.keepidle
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: Numerical values in milliseconds
  Default value: 7200000 (2 hours)
  Supported engine types: Firewall
  Description: Time, in milliseconds, that the connection must be idle before keepalive probes are sent.

net.inet.tcp.keepinit
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: Numerical values in milliseconds
  Default value: 75000 (75 seconds)
  Supported engine types: Firewall
  Description: Time allowed to establish a connection.

net.inet.tcp.keepintvl
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: Numerical values in milliseconds
  Default value: 75000 (75 seconds)
  Supported engine types: Firewall
  Description: Time between keepalive probes.

net.inet.tcp.msl
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: Numerical values in milliseconds
  Default value: 15000 (15 seconds; TCP TIME_WAIT time 30 seconds)
  Supported engine types: Firewall
  Description: Maximum segment lifetime. The default TCP TIME_WAIT time is double this value.

net.inet.tcp.recvbuf_auto
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, enables automatic receive buffer sizing.

net.inet.tcp.recvbuf_inc
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: Numerical values in bytes
  Default value: 16K
  Supported engine types: Firewall
  Description: Increment step size of the automatic receive buffer.
    Use the following suffixes to specify larger values:
      • K — Kilobytes
      • M — Megabytes
      • G — Gigabytes

net.inet.tcp.recvbuf_max
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: Numerical values in bytes
  Default value: 96K
  Supported engine types: Firewall
  Description: Maximum size of the automatic receive buffer.
    Use the following suffixes to specify larger values:
      • K — Kilobytes
      • M — Megabytes
      • G — Gigabytes

net.inet.tcp.recvspace
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: Numerical values in bytes
  Default value: 64K
  Supported engine types: Firewall
  Description: Size of the initial TCP receive window.
    Use the following suffixes to specify larger values:
      • K — Kilobytes
      • M — Megabytes
      • G — Gigabytes

net.inet.tcp.rfc1323
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, enables the TCP timestamp option and window scaling option specified in RFC 1323, which allow per-packet timestamps, protection against wrapped sequence numbers, and windows larger than 65535 bytes.

net.inet.tcp.sendbuf_auto
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, enables automatic send buffer sizing.

net.inet.tcp.sendbuf_inc
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: Numerical values in bytes
  Default value: 8K
  Supported engine types: Firewall
  Description: Increment step size of the automatic send buffer.
    Use the following suffixes to specify larger values:
      • K — Kilobytes
      • M — Megabytes
      • G — Gigabytes

net.inet.tcp.sendspace
  Supported proxy types: HTTP, SSH, TCP
  Accepted values: Numerical values in bytes
  Default value: 32K
  Supported engine types: Firewall
  Description: Size of the initial TCP send window.
    Use the following suffixes to specify larger values:
      • K — Kilobytes
      • M — Megabytes
      • G — Gigabytes

net.inet.udp.checksum
  Supported proxy types: UDP
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, requires checksums on incoming UDP packets.

net.inet6.ip6.hlim
  Supported proxy types: HTTP, SSH, TCP, UDP
  Accepted values: Numerical values
  Default value: 64
  Supported engine types: Firewall, Virtual Firewall
  Description: The hop limit for IPv6 packets that are sent.

reserved_allowed
  Supported proxy types: SSH
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, allows messages in the reserved range.

send_debug_to_log
  Supported proxy types: HTTP, SSH, TCP, UDP
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall, Master NGFW Engine
  Description: If 1, debugging messages are sent to the Log Server. If 0, messages are written to a file.
  Note: Change this value only if instructed to do so by Forcepoint Customer Hub.

server_requests_allowed
  Supported proxy types: SSH
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, allows global requests from the server.

server_channels_allowed
  Supported proxy types: SSH
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, allows the server to open channels.

sftp_extensions_allowed
  Supported proxy types: SSH
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, allows local SFTP extension commands.

ssh_extensions_allowed
  Supported proxy types: SSH
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, allows local SSH extension messages.

tls_cipher_override
  Supported proxy types: HTTP
  Accepted values: A single valid OpenSSL cipher string
  Default value: ALL:-SEED:-RC4:-CAMELLIA:-PSK:-MD5:-SRP:-DES:-ADH:-AECDH:-kDH:-kECDH:-IDEA@STRENGTH
  Supported engine types: Firewall
  Description: The list of cipher algorithms that the HTTP Proxy negotiates with its peers. The default cipher list includes only cipher algorithms that are allowed in FIPS mode. Minus signs (-) exclude the specified ciphers from the ALL list.
  Tip: You can use this setting to restrict the default cipher list or to add more cipher algorithms.

tls_curves_override
  Supported proxy types: HTTP
  Accepted values: A colon-separated list of OpenSSL elliptic curve names
  Default value: P-521:P-384:P-256
  Supported engine types: Firewall
  Description: The list of elliptic curves supported by the HTTP Proxy. The default list includes only elliptic curves that are allowed in FIPS mode.

tls_key_curve_override
  Supported proxy types: HTTP
  Accepted values: A single OpenSSL elliptic curve name
  Default value: P-521
  Supported engine types: Firewall
  Description: The default curve that the HTTP Proxy uses to generate the elliptic curve private key for substitute certificates.

tls_protocol_override
  Supported proxy types: HTTP
  Accepted values: A colon-separated list of TLS version strings. Valid version strings are SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2.
  Default value: TLSv1.0:TLSv1.1:TLSv1.2
  Supported engine types: Firewall
  Description: The TLS protocol versions supported by the HTTP Proxy. The default list includes only TLS protocol versions that are allowed in FIPS mode.
  Tip: You can use this setting to restrict the default list or to add TLS versions, such as SSLv3, that are not included in the default list.

undefined_allowed
  Supported proxy types: SSH
  Accepted values: 0 or 1
  Default value: 1
  Supported engine types: Firewall
  Description: If 1, allows messages for which the proxy does not have a protocol handler.
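As an added example (not Forcepoint code), the following Python checker validates a proposed set of these advanced settings against the accepted values in the table and flags TLS or TCP overrides that step outside the FIPS-mode defaults. The SCHEMA subset, the finding messages and the sample inputs are constructed for this example.

```python
import re
BYTE_SUFFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # suffixes from the table
VALID_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"}
# Algorithms the default tls_cipher_override string removes from ALL (see the table).
DEFAULT_EXCLUDED = {"SEED", "RC4", "CAMELLIA", "PSK", "MD5", "SRP", "DES",
                    "ADH", "AECDH", "kDH", "kECDH", "IDEA"}
SCHEMA = {  # constructed subset of the table: name -> (value kind, allowed range)
    "debug_level": ("range", (0, 4)),
    "net.inet.tcp.drop_synfin": ("range", (0, 1)),
    "net.inet.tcp.recvbuf_max": ("bytes", None),
    "tls_protocol_override": ("tls_versions", None),
    "tls_cipher_override": ("cipher_string", None),
}

def parse_bytes(value):
    """Parse '96K', '1M' or '65536' into an integer byte count."""
    m = re.fullmatch(r"(\d+)([KMG]?)", str(value).strip())
    if not m:
        raise ValueError(f"invalid byte value: {value!r}")
    return int(m.group(1)) * BYTE_SUFFIX[m.group(2)]

def check_settings(settings):
    """Return 'ERROR ...' and 'WARN ...' findings for a dict of proposed settings."""
    findings = []
    for name, value in settings.items():
        if name not in SCHEMA:
            findings.append(f"ERROR {name}: not a supported setting")
            continue
        kind, bounds = SCHEMA[name]
        if kind == "range":  # '0 or 1' flags are the range 0-1
            lo, hi = bounds
            if not (str(value).isdigit() and lo <= int(value) <= hi):
                findings.append(f"ERROR {name}: must be an integer {lo}-{hi}")
            elif name == "net.inet.tcp.drop_synfin" and int(value) == 0:
                findings.append(f"WARN {name}=0: SYN+FIN packets are no longer dropped")
        elif kind == "bytes":
            try:
                parse_bytes(value)
            except ValueError as exc:
                findings.append(f"ERROR {name}: {exc}")
        elif kind == "tls_versions":
            versions = set(str(value).split(":"))
            findings += [f"ERROR {name}: unknown version {v!r}" for v in sorted(versions - VALID_TLS)]
            if "SSLv3" in versions:
                findings.append(f"WARN {name}: SSLv3 is outside the FIPS-mode default")
        elif kind == "cipher_string":  # '-NAME' tokens exclude NAME; flag dropped default exclusions
            excluded = {t[1:] for t in str(value).split("@")[0].split(":") if t.startswith("-")}
            findings += [f"WARN {name}: re-enables {a}, which the FIPS-mode default excludes"
                         for a in sorted(DEFAULT_EXCLUDED - excluded)]
    return findings
```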