TMS zl Management and Configuration Guide ST.1.1.100226

4-25
Firewall
Firewall Access Policies
Table 4-3. Defining the TCP MSS

Traffic selected by this policy is sent over        Maximum Recommended MSS
A GRE tunnel                                        1436
A GRE over IPsec VPN (transport mode)               1388
An IPsec client-to-site VPN (tunnel mode)*          1356
An IPsec site-to-site VPN (tunnel mode)             1356
An L2TP over IPsec VPN (transport mode)             1360

* Only necessary when local devices initiate connections with remote
clients.

Note For IPsec VPNs, the overhead added to each packet depends on several
variables, including the tunnel mode and the type of security algorithms that
are used.
The table lists the mode typically used with each type of VPN. IPsec
client-to-site and site-to-site VPNs usually run in tunnel mode; L2TP over IPsec
and GRE over IPsec VPNs typically use transport mode. You can use tunnel
mode for GRE over IPsec; however, this adds overhead unnecessarily. (You
would need to decrease the MSS by a further 56 bytes, to 1332.)
The table uses a conservative estimate of 48 bytes of overhead for transport
mode IPsec and 104 bytes of overhead for tunnel mode IPsec. All of these
recommendations are only guidelines. You should determine the correct MSS
for your environment.

Default Access Policies
Some access policies are preconfigured on the factory default TMS zl Module.
These general policies allow basic network operation, such as allowing routing
protocols between all zones.

Management Zone Access Policies
When you specify a zone as a management-access zone, the following unicast
policies are automatically created. (See "Configure Management Access" in
Chapter 2: "Initial Setup in Routing Mode.")

Table 4-4. [Zone] to Self

Service
ICMP/echo
bootpc
bootps
https
snmp
snmptrap
ssh
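The MSS figures in Table 4-3 follow from one rule: the TCP payload plus the TCP and IP headers plus every encapsulation header must still fit in one 1500-byte packet, and the firewall enforces the result by rewriting the MSS option in SYN segments it forwards into the tunnel (MSS clamping). The following Python is an added example, not code from the guide or from the TMS zl Module: it derives the recommended values from the guide's overhead estimates (48 bytes for transport-mode IPsec, 104 for tunnel mode; the 24-byte GRE figure is an assumption of a 4-byte GRE header plus a 20-byte outer IPv4 header, chosen because it reproduces the guide's 1436) and then clamps the MSS option of a constructed SYN, recomputing the TCP checksum as a real firewall must.

```python
import struct

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options

# Per-encapsulation overhead in bytes. IPsec values are the guide's conservative
# estimates; the GRE value is an assumption (4-byte GRE + 20-byte outer IPv4).
OVERHEAD = {"gre": 24, "ipsec_transport": 48, "ipsec_tunnel": 104}


def recommended_mss(encapsulations, mtu=1500):
    """MSS that keeps a full-size TCP segment inside one MTU-sized packet
    after every listed encapsulation has been added."""
    return mtu - IP_HDR - TCP_HDR - sum(OVERHEAD[e] for e in encapsulations)


def tcp_checksum(src_ip, dst_ip, segment):
    """One's-complement checksum over the IPv4 pseudo-header plus the segment.
    Returns 0 when run over a segment whose checksum field is already correct."""
    pseudo = (bytes(int(o) for o in src_ip.split(".")) +
              bytes(int(o) for o in dst_ip.split(".")) +
              struct.pack("!BBH", 0, 6, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _find_mss_option(segment):
    """Offset of the 2-byte MSS value inside the TCP options, or None.
    Stops on truncated or malformed options instead of reading past them."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_HDR
    while i < data_offset:
        kind = segment[i]
        if kind == 0:            # end of option list
            return None
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= data_offset:
            return None
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            return None          # malformed option: leave the segment alone
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def read_mss(segment):
    """Return the MSS option value from a TCP segment, or None if absent."""
    off = _find_mss_option(segment)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]


def clamp_mss(src_ip, dst_ip, segment, max_mss):
    """Lower the MSS option to max_mss if it is larger, fix the checksum, and
    return the rewritten segment; segments needing no change come back as-is."""
    off = _find_mss_option(segment)
    if off is None or struct.unpack("!H", segment[off:off + 2])[0] <= max_mss:
        return segment
    seg = bytearray(segment)
    seg[off:off + 2] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"   # zero the checksum field before recomputing it
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def build_syn(src_ip, dst_ip, src_port, dst_port, mss):
    """Constructed sample input: a SYN carrying only an MSS option."""
    options = struct.pack("!BBH", 2, 4, mss)          # kind 2, length 4, value
    data_offset = (TCP_HDR + len(options)) // 4
    seg = bytearray(struct.pack("!HHIIBBHHH", src_port, dst_port, 0x1000, 0,
                                data_offset << 4, 0x02, 65535, 0, 0) + options)
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    for name, encaps in [("GRE", ["gre"]), ("GRE/IPsec transport", ["gre", "ipsec_transport"]),
                         ("IPsec tunnel", ["ipsec_tunnel"]), ("GRE/IPsec tunnel", ["gre", "ipsec_tunnel"])]:
        print("%-22s MSS %d" % (name, recommended_mss(encaps)))
    syn = build_syn("10.1.1.10", "192.168.5.20", 40000, 443, 1460)   # constructed addresses
    clamped = clamp_mss("10.1.1.10", "192.168.5.20", syn, recommended_mss(["ipsec_tunnel"]))
    print("MSS before %d, after %d" % (read_mss(syn), read_mss(clamped)))
```

The addresses and ports are constructed for the demonstration. The 1332 printed for GRE over tunnel-mode IPsec is the 1388 transport-mode figure less the 56-byte difference the note mentions; the L2TP over IPsec value is not derived here because the guide does not state the L2TP/UDP/PPP overhead it assumed.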