TMS zl Management and Configuration Guide ST.1.1.100430

4-32
Firewall
Firewall Access Policies
14. For TCP MSS (Optional), type the maximum segment size. Valid values are
between 1 and 9200 bytes. If you want to allow devices to select their MSS
on their own, leave this box empty.
Typically, devices can determine their MSS for the connection on their
own. However, you often need to set the MSS for access policies that
permit traffic that will be sent over a GRE tunnel or a VPN connection.
This requirement arises from the fact that GRE, IPsec, and L2TP add
headers that increase a packet’s size without the knowledge of the device
that sent the packet. For more information, see the introduction to firewall
access policies on page 22.
The recommendations in Table 4-6 are based on an environment with an
MTU of 1500 bytes. Adjust the values for your environment’s MTU
accordingly.
Table 4-6. Defining the TCP MSS
15. Under Limits, specify the limits to impose for the access policy.
To place an absolute upper limit on the number of connections:
– For Maximum connections, specify the number of connections in
the space provided.
To limit the number of connections within a time span:
– For Number of connections, specify the maximum number of
connections. Then specify the time interval in seconds.
To limit the amount of bandwidth within a time span:
– For Number of Kilobytes, specify the maximum number of
kilobytes. Then specify the time interval in seconds.
To limit the number of packets within a time span:
– For Number of packets, specify the maximum number of packets.
Then specify the time interval in seconds.
16. Click Apply.
17. Add another access policy (if you are in the Advanced tab, click the Basic
tab), or click Close.
18. Click Save.
Traffic selected by this policy is sent over         Maximum Recommended MSS
A GRE tunnel                                         1436
A GRE over IPsec VPN (transport mode)                1388
An IPsec client-to-site VPN (tunnel mode)            1356
An IPsec site-to-site VPN (tunnel mode)              1356
An L2TP over IPsec VPN (transport mode)              1360
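The following is an added worked example, not code from the TMS zl guide or from HP: it encodes the Table 4-6 values, derives the per-path encapsulation overhead they imply, rescales the recommendation for a different MTU (as the text above asks you to do), and shows the clamping rule a policy MSS applies to a client's advertised MSS. It assumes IPv4 with 20-byte IP and TCP headers and assumes the firewall leaves a SYN without an MSS option untouched.

```python
from typing import Optional

# Constructed from the page: header sizes and the valid range of the TCP MSS box.
IP_HDR = 20
TCP_HDR = 20
MSS_MIN, MSS_MAX = 1, 9200

# Table 4-6, stated for a 1500-byte MTU.
BASE_MTU = 1500
TABLE_4_6 = {
    "gre": 1436,
    "gre_over_ipsec_transport": 1388,
    "ipsec_client_to_site_tunnel": 1356,
    "ipsec_site_to_site_tunnel": 1356,
    "l2tp_over_ipsec_transport": 1360,
}


def encapsulation_overhead(path: str) -> int:
    """Bytes the tunnel/VPN headers add, as implied by Table 4-6.

    Since MSS = MTU - IP - TCP - overhead, overhead = MTU - IP - TCP - MSS.
    """
    return BASE_MTU - IP_HDR - TCP_HDR - TABLE_4_6[path]


def recommended_mss(path: str, mtu: int) -> int:
    """Recommended MSS for `path` when the link MTU is `mtu` bytes.

    Rejects results outside the 1..9200 range the TCP MSS box accepts.
    """
    mss = mtu - IP_HDR - TCP_HDR - encapsulation_overhead(path)
    if not MSS_MIN <= mss <= MSS_MAX:
        raise ValueError(f"MSS {mss} is outside the valid range {MSS_MIN}..{MSS_MAX}")
    return mss


def clamp_mss(advertised_mss: Optional[int], policy_mss: Optional[int]) -> Optional[int]:
    """MSS value left in a SYN after the policy is applied.

    policy_mss None  -> TCP MSS box left empty, the device keeps its own value.
    advertised_mss None -> SYN carried no MSS option; assumed to pass unchanged.
    """
    if policy_mss is None or advertised_mss is None:
        return advertised_mss
    return min(advertised_mss, policy_mss)
```

For a PPPoE link with a 1492-byte MTU, `recommended_mss("gre", 1492)` gives 1428 rather than the 1436 in the table.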