
System Template

Use this template to configure system-level features.

Optimization

IP ID auto optimization: Enables any IP flow to automatically identify the outbound tunnel and gain optimization benefits. Enabling this option reduces the number of required static routing rules (route map policies).

TCP auto optimization: Enables any TCP flow to automatically identify the outbound tunnel and gain optimization benefits. Enabling this option reduces the number of required static routing rules (route map policies).

Flows and tunnel failure: If there are parallel tunnels and one fails, Dynamic Path Control determines where to send the flows. There are three options:

  fail-stick – When the failed tunnel comes back up, the flows do not return to the original tunnel. They stay where they are.

  fail-back – When the failed tunnel comes back up, the flows return to the original tunnel.

  disable – When the original tunnel fails, the flows are not routed to another tunnel.
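The three policies differ only in what happens at two moments: when a tunnel fails and when it recovers. The following is an added illustration, not Orchestrator or EdgeConnect code; the tunnel and flow names are constructed, and "pick the first healthy parallel tunnel" is an assumed stand-in for whatever Dynamic Path Control would actually choose.

```python
# Added example: a toy model of the three "Flows and tunnel failure" policies.
# Tunnel and flow names, and the first-healthy-tunnel stand-in for Dynamic
# Path Control, are assumptions for this illustration.

POLICIES = ("fail-stick", "fail-back", "disable")


class TunnelFailover:
    """Tracks which parallel tunnel each flow uses as tunnels fail and recover."""

    def __init__(self, policy, tunnels):
        if policy not in POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.up = {name: True for name in tunnels}
        self.current = {}   # flow id -> tunnel the flow is on now
        self.original = {}  # flow id -> tunnel the flow was first placed on

    def add_flow(self, flow_id, tunnel):
        self.current[flow_id] = tunnel
        self.original[flow_id] = tunnel

    def _alternate(self, failed):
        # Assumed stand-in for Dynamic Path Control: first healthy parallel tunnel.
        for name, healthy in self.up.items():
            if healthy and name != failed:
                return name
        return None

    def tunnel_down(self, tunnel):
        self.up[tunnel] = False
        if self.policy == "disable":
            return  # flows are not rerouted to another tunnel
        alternate = self._alternate(tunnel)
        if alternate is None:
            return  # no healthy parallel tunnel to move to
        for flow_id, where in self.current.items():
            if where == tunnel:
                self.current[flow_id] = alternate

    def tunnel_up(self, tunnel):
        self.up[tunnel] = True
        if self.policy == "fail-back":
            # flows originally placed on this tunnel return to it
            for flow_id, origin in self.original.items():
                if origin == tunnel:
                    self.current[flow_id] = tunnel
        # fail-stick and disable: flows stay where they are

    def tunnel_of(self, flow_id):
        return self.current[flow_id]

    def is_carried(self, flow_id):
        """True if the flow's current tunnel is up; False means it is stranded."""
        return self.up[self.current[flow_id]]


def simulate(policy):
    """Fail t1 while flow f1 is on it, then restore t1; return (after_down, after_up)."""
    failover = TunnelFailover(policy, ["t1", "t2"])
    failover.add_flow("f1", "t1")
    failover.tunnel_down("t1")
    after_down = (failover.tunnel_of("f1"), failover.is_carried("f1"))
    failover.tunnel_up("t1")
    after_up = (failover.tunnel_of("f1"), failover.is_carried("f1"))
    return after_down, after_up


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, simulate(policy))
```

Running the simulation shows the practical difference: under fail-stick and fail-back the flow keeps being carried throughout, while under disable the flow stays bound to the failed tunnel and is stranded until that tunnel returns.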

Network Memory

Encrypt data on disk: Enables encryption of all the cached data on the disks. Disabling this option is not recommended.

Excess Flow Handling

Excess flow policy: Specifies what happens to flows when the appliance reaches its maximum capacity for optimizing flows. The default is to bypass flows; alternatively, you can choose to drop the packets.

Miscellaneous

SSL optimization for non-IPSec tunnels: Specifies whether the appliance should perform SSL optimization when the outbound tunnel for SSL packets is not encrypted (for example, a GRE or UDP tunnel). To enable Network Memory for encrypted SSL-based applications, you must provision server certificates by using the Orchestrator. This activity can apply to the entire distributed network of EdgeConnect appliances or just to a specified group of appliances.

Bridge loop test: Only valid for virtual appliances. When enabled, the appliance can detect bridge loops. If it detects a loop, the appliance stops forwarding traffic and raises an alarm. Appliance alarms include recommended actions.

Always send pass-through traffic to original sender: If the tunnel goes down when using WCCP and PBR, traffic that was intended for the tunnel is sent back the way it came.

Enable default DNS lookup: Enables the default DNS server to be included with the other configured DNS servers when resolving cloud portal domain names to network IP addresses.

Enable HTTP/HTTPS snooping: Enables more granular application classification of HTTP/HTTPS traffic by inspecting the HTTP/HTTPS Host header. This is enabled by default.

Quiescent tunnel keep alive time: Specifies the rate at which to send keep-alive packets after a tunnel has become idle (quiescent mode). The default is 60 seconds.

UDP flow timeout: Specifies how long to keep the UDP session open after traffic stops flowing. The default is 120 seconds (2 minutes).

Non-accelerated TCP flow timeout: Specifies how long to keep the TCP session open after traffic stops flowing. The default is 1800 seconds (30 minutes).

Maximum TCP MSS: Maximum Segment Size. The default value is 1328 bytes. This setting ensures that packets larger than the actual maximum transmission unit (MTU) are not dropped when fragmentation is not possible.

  Some services such as (but not limited to) Zscaler or PPPoE require this setting to be 1328 for successful packet transmission. You can set the value from 500 to 9000, but 1328 works successfully across all known link, tunnel, and traffic types without any performance degradation.

  NOTE: This setting applies only to passthrough or third-party IPSec tunnelled flows. Flows routed through IPSec UDP tunnels or other underlay tunnels do not use this setting.

NAT-T keep alive time: If a device is behind a NAT, this specifies the rate at which to send keep-alive packets between hosts so that the mappings in the NAT device stay intact.

Tunnel alarm aggregation threshold: Specifies the number of alarms to allow before raising the tunnel alarm.

Maintain end-to-end overlay mapping: Enforces use of the same overlay end-to-end when traffic is forwarded across multiple nodes.

IP directed broadcast: Allows an entire network to receive data that only the target subnet initially receives.

Allow WAN to WAN routing: Redirects inbound WAN traffic back to the WAN.

Allow Unknown Destination Role: Indicates whether to allow unknown destination roles.

Stateful-SNAT exceptions: Name of the address group configured for Stateful-SNAT exceptions (for example, Stateful-SNAT-Exceptions). To set up this address group, see Disable Stateful+SNAT Processing for Selected LAN-side Subnets below.

Disable Stateful+SNAT Processing for Selected LAN-side Subnets

Most internet providers require that flows originate from the WAN-side IP address assigned to the appliance. When Stateful+SNAT is configured on a WAN-side interface, all traffic that leaves the interface will be Source NATed to the IP address of the WAN-side interface.

In certain situations, you want the original LAN-side IP address to be seen by the upstream network. You can use the Stateful-SNAT exceptions feature to avoid Source NATing for specific IP addresses or subnets.

Considerations:

  • Stateful-SNAT exceptions apply only to appliances with firewall mode set to “Stateful+SNAT”.

  • Exceptions apply only to outbound flows destined to external addresses.

  • Inbound flows initiated from the WAN side toward IP addresses within the address group rely on existing inbound port-forwarding functionality.

  • SNAT exceptions apply to the default segment only, not VRF SNAT.

  • This feature does not support IPv6 because the address groups feature does not support IPv6.

You can use the System template to set up Stateful-SNAT exceptions for all appliances or the System Information dialog box for individual appliances. To set up exceptions for individual appliances, see System Information.

To set up Stateful-SNAT exceptions for all appliances:

  1. Create an address group for all public IP space (subnets) used by your network across all branches, as follows:

    1. Navigate to Configuration > Templates & Policies > ACLs > Address Groups.

      The Address Groups tab opens.

    2. Click Add Group.

      The Add Address Group dialog box opens.

    3. In the Group name field, enter an appropriate name for the Stateful-SNAT exceptions (for example, Stateful-SNAT-Exceptions).

    4. In the IPs to include and IPs to exclude fields, enter IP addresses/masks to include/exclude individually or IP prefixes to include/exclude multiple addresses at once, as appropriate. Use commas to separate entries.

    5. If desired, use the Comment field to state the purpose of this address group.

    6. Click Add.

  2. In the System template’s Stateful-SNAT Exceptions field, enter the name of the address group you created for Stateful-SNAT exceptions.
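The considerations above describe a small decision procedure: an exception only matters when the firewall mode is Stateful+SNAT, only for outbound flows, only in the default segment, and only for IPv4. The following is an added example, not Orchestrator or EdgeConnect code, that evaluates constructed flows against a constructed address group. The comma-separated include/exclude syntax follows the Add Address Group dialog; that an exclude entry overrides an include entry, the flow dictionary fields, and the segment name are assumptions.

```python
import ipaddress

# Added example: a toy evaluation of Stateful-SNAT exceptions. The comma-separated
# include/exclude syntax follows the Address Group dialog; that an exclude entry
# overrides an include entry, and the flow dictionary fields, are assumptions.


def parse_address_group(ips_to_include, ips_to_exclude=""):
    """Parse the 'IPs to include' / 'IPs to exclude' fields into network objects."""
    def parse(text):
        return [ipaddress.ip_network(entry.strip(), strict=False)
                for entry in text.split(",") if entry.strip()]
    return {"include": parse(ips_to_include), "exclude": parse(ips_to_exclude)}


def in_address_group(group, address):
    """An address is in the group if an include entry matches and no exclude entry does."""
    ip = ipaddress.ip_address(address)
    if any(ip in net for net in group["exclude"]):
        return False
    return any(ip in net for net in group["include"])


def snat_disposition(flow, firewall_mode, exception_group=None):
    """Classify how the WAN-side interface treats the flow's source address.

    Returns one of:
      "not-applicable"          firewall mode is not Stateful+SNAT, so no SNAT occurs
      "inbound-port-forwarding" inbound flow; handled by port forwarding, not SNAT
      "exempt"                  original LAN-side source address is preserved
      "snat"                    source is translated to the WAN interface address
    """
    if firewall_mode != "Stateful+SNAT":
        return "not-applicable"
    if flow["direction"] != "outbound":
        return "inbound-port-forwarding"
    src = ipaddress.ip_address(flow["src"])
    # Exceptions cover IPv4 in the default segment only (no IPv6, no VRF SNAT).
    if src.version != 4 or flow.get("segment", "default") != "default":
        return "snat"
    if exception_group is not None and in_address_group(exception_group, flow["src"]):
        return "exempt"
    return "snat"


def evaluate_sample_flows():
    """Run constructed flows against a constructed exception group (all values made up)."""
    group = parse_address_group("203.0.113.0/24, 198.51.100.7",
                                ips_to_exclude="203.0.113.250")
    flows = {
        "public-host":   {"src": "203.0.113.10", "direction": "outbound"},
        "excluded-host": {"src": "203.0.113.250", "direction": "outbound"},
        "single-ip":     {"src": "198.51.100.7", "direction": "outbound"},
        "private-host":  {"src": "10.0.0.5", "direction": "outbound"},
        "vrf-host":      {"src": "203.0.113.10", "direction": "outbound",
                          "segment": "vrf-blue"},
        "ipv6-host":     {"src": "2001:db8::1", "direction": "outbound"},
        "inbound":       {"src": "192.0.2.9", "direction": "inbound"},
    }
    return {name: snat_disposition(f, "Stateful+SNAT", group)
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, result in evaluate_sample_flows().items():
        print(f"{name:14} {result}")
```

The non-default-segment and IPv6 cases are the ones worth checking when validating a deployment: a source that is listed in the group still gets translated there, so an address that must appear unchanged upstream has to be in the default segment and IPv4.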