Configuring the Threat Suppression Engine (TSE) Settings from the SMS

The TSE is a line-speed, hardware engine that contains all the functions needed for Intrusion Prevention, including IP defragmentation, TCP flow reassembly, statistical analysis, traffic shaping, flow blocking, flow state tracking and application-layer parsing of over 170 network protocols.

The TSE reconstructs and inspects flow payloads by parsing the traffic at the application layer. As each new packet of the traffic flow arrives, the engine re-evaluates the traffic for malicious content. The instant the engine detects malicious traffic, it blocks all current and all subsequent packets pertaining to the traffic flow. The block of the traffic and packets ensures that the attack never reaches its destination.

You can configure the global settings for the Threat Suppression Engine (TSE). These options include the following:

• Connection Table Timeout - The value for the global connection table timeout. This value is 30-1800 seconds. This value applies to all blocked streams in the connection table, and determines the amount of time that elapses before that connection is cleared from the connection table. Before that period of time elapses, any incoming packets for that stream are blocked at the box. After the connection is cleared, the incoming connection is allowed (if its action set has changed) or re-added to the blocked list. Separate settings are available for TCP and non-TCP traffic.
• Trusted Streams - Specifies the global timeout interval for the trust table. This value determines the time interval that elapses before the trusted connection is cleared from the trust table.
• Asymmetric Network - The dynamic sharing and use of bandwidth for increased network traffic performance. If you configure the device through the TSE configuration for an asymmetric network, the SYN flood detection, or DDoS filters, will be disabled. In effect, the TSE will not see both sides of a TCP connection.
• Quarantine - Specifies the global timeout for the quarantine table. For quarantined hosts in the quarantine table, this value determines the time interval that elapses before the quarantined host is cleared from the quarantine table. After the quarantined host is cleared (the timeout interval expires), quarantined addresses can be automatically released, if that option is selected.

• GZIP Decompression - When enabled, permits decompression of GZIP HTTP responses.
• IDS Mode - When enabled, automatically configures the device to operate in a manner similar to an Intrusion Detection System (IDS).
  • Performance protection is disabled.
  • Adaptive Filtering mode is set to Manual.
  • Filters currently set to Block are not switched to Permit, and Block filters can be still be set.

• HTTP Response Processing - Specifies inspection of encoded HTTP responses.
  • Accelerated inspection of responses: Hardware acceleration is used to detect and decode encoded HTTP responses.
  • Inspection of responses: Enables strict detection and decoding of encoded HTTP responses.
  • Ignore responses: The device does not detect or decode encoded HTTP responses.
• DNS Reputation - You can return the NXDOMAIN (domain name) response to DNS domain queries blocked by Reputation.
• HTTP Mode - You can enable the HTTP Mode for the device. Allows all TCP ports to be treated as HTTP ports for inspection purposes. Enable this feature only on devices that primarily handle HTTP traffic so that optimum performance is maintained.