Use this template to configure system-level features.
| Setting | Description |
|---|---|
| IP ID auto optimization | Enables any IP flow to automatically identify the outbound tunnel and gain optimization benefits. Enabling this option reduces the number of required static routing rules (route map policies). |
| TCP auto optimization | Enables any TCP flow to automatically identify the outbound tunnel and gain optimization benefits. Enabling this option reduces the number of required static routing rules (route map policies). |
| Flows and tunnel failure | If there are parallel tunnels and one fails, Dynamic Path Control determines where to send the flows. There are three options:<br>**fail-stick**: when the failed tunnel comes back up, the flows do not return to the original tunnel; they stay where they are.<br>**fail-back**: when the failed tunnel comes back up, the flows return to the original tunnel.<br>**disable**: when the original tunnel fails, the flows are not routed to another tunnel. |
| Encrypt data on disk | Enables encryption of all the cached data on the disks. Disabling this option is not recommended. |
| **Excess Flow Handling** | |
| Excess flow policy | Specifies what happens to flows when the appliance reaches its maximum capacity for optimizing flows. The default is to bypass flows. Alternatively, you can choose to drop the packets. |
| SSL optimization for non-IPSec tunnels | Specifies whether the appliance should perform SSL optimization when the outbound tunnel for SSL packets is not encrypted (for example, a GRE or UDP tunnel). To enable Network Memory for encrypted SSL-based applications, you must provision server certificates by using the Orchestrator. This can apply to the entire distributed network of EdgeConnect appliances or only to a specified group of appliances. |
| Bridge Loop Test | Only valid for virtual appliances. When enabled, the appliance can detect bridge loops. If it detects a loop, the appliance stops forwarding traffic and raises an alarm. Appliance alarms include recommended actions. |
| Always send pass-through traffic to original sender | If the tunnel goes down when using WCCP and PBR, traffic that was intended for the tunnel is sent back the way it came. |
| Enable default DNS lookup | Enables the default DNS server to be included with the other configured DNS servers for associating cloud portal domain names with network IP addresses. |
| Enable HTTP/HTTPS snooping | Enables more granular application classification of HTTP/HTTPS traffic by inspecting the HTTP/HTTPS Host header. This is enabled by default. |
| Quiescent tunnel keep alive time | Specifies the rate at which to send keep alive packets after a tunnel has become idle (quiescent mode). The default is 60 seconds. |
| UDP flow timeout | Specifies how long to keep the UDP session open after traffic stops flowing. The default is 120 seconds (2 minutes). |
| Non-accelerated TCP Flow Timeout | Specifies how long to keep the TCP session open after traffic stops flowing. The default is 1800 seconds (30 minutes). |
| Maximum TCP MSS | Maximum Segment Size. The default value is 1328 bytes. This setting ensures that packets larger than the actual maximum transmission unit (MTU) are not dropped when fragmentation is not possible.<br>Some services, such as (but not limited to) Zscaler or PPPoE, require this setting to be 1328 for successful packet transmission. You can set the value from 500 to 9000, but 1328 works successfully across all known link, tunnel, and traffic types without any performance degradation.<br>NOTE: This setting applies only to passthrough or third-party IPSec tunnelled flows. Flows routed through IPSec UDP tunnels or other underlay tunnels do not use this setting. |
| NAT-T keep alive time | If a device is behind a NAT, this specifies the rate at which to send keep alive packets between hosts to keep the mappings in the NAT device intact. |
| Tunnel Alarm Aggregation Threshold | Specifies the number of alarms to allow before raising the tunnel alarm. |
| Maintain end-to-end overlay mapping | Enforces the same overlay to be used end-to-end when traffic is forwarded across multiple nodes. |
| IP Directed Broadcast | Allows an entire network to receive data that only the target subnet initially receives. |
| Allow WAN to WAN routing | Redirects inbound LAN traffic back to the WAN. |
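The "Enable HTTP/HTTPS snooping" setting classifies traffic from the requested hostname. An added example follows (it is not EdgeConnect or Orchestrator code) of the two places a middlebox can read that hostname without decrypting anything: the `Host` header of a plaintext HTTP request and the Server Name Indication (SNI) extension of a TLS ClientHello, which is where an HTTPS client states the host before the session is encrypted. The ClientHello is constructed by `build_client_hello` for the test; `classify`, `host_from_http` and `sni_from_client_hello` are names chosen here. One caveat a defender should keep in mind: Encrypted ClientHello hides the SNI, so this kind of classification does not see hostnames for clients that use it.

```python
import re

# --- HTTP: the Host header of a plaintext request -------------------------

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")

def host_from_http(payload: bytes):
    """Return the lower-cased Host header of an HTTP/1.x request, or None."""
    text = payload.decode("latin-1")          # never raises; binary just fails the regex
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            if host.startswith("["):            # IPv6 literal, keep the address only
                return host[1:host.index("]")] if "]" in host else None
            return host.split(":")[0].lower()   # drop an explicit port
    return None

# --- HTTPS: the SNI extension of a TLS ClientHello --------------------------

def sni_from_client_hello(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    # record header (5) + handshake header (4): content type 0x16, handshake type 0x01
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                        # skip headers, client version, random
    sid_len = data[pos]; pos += 1 + sid_len     # session id
    cs_len = int.from_bytes(data[pos:pos + 2], "big"); pos += 2 + cs_len   # cipher suites
    cm_len = data[pos]; pos += 1 + cm_len       # compression methods
    if pos + 2 > len(data):
        return None
    ext_len = int.from_bytes(data[pos:pos + 2], "big"); pos += 2
    end = min(pos + ext_len, len(data))
    while pos + 4 <= end:
        etype = int.from_bytes(data[pos:pos + 2], "big")
        elen = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 4
        if etype == 0:                          # server_name extension
            p = pos + 2                         # skip 2-byte server_name_list length
            while p + 3 <= pos + elen:
                ntype = data[p]
                nlen = int.from_bytes(data[p + 1:p + 3], "big")
                if ntype == 0:                  # host_name
                    return data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        pos += elen
    return None

def classify(payload: bytes):
    """Return ('http', host), ('https', sni) or None for the first packet of a flow."""
    host = host_from_http(payload)
    if host:
        return ("http", host)
    sni = sni_from_client_hello(payload)
    if sni:
        return ("https", sni)
    return None

# --- constructed ClientHello, used only so the example runs offline --------

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello carrying one SNI entry (constructed input)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"   # version, zero random, empty session id
            + b"\x00\x02\x13\x01"               # one cipher suite
            + b"\x01\x00"                       # one (null) compression method
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    print(classify(b"GET / HTTP/1.1\r\nHost: Example.com:8080\r\n\r\n"))
    print(classify(build_client_hello("login.example.net")))
```

`classify` only needs the first payload-carrying packet of a flow, which is why a Host or SNI based classifier can act before any optimization or policy decision is made for the rest of the flow.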
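Several of the settings above describe how one flow table behaves: the three "Flows and tunnel failure" options, the "Excess flow policy" (bypass or drop), and the UDP and non-accelerated TCP idle timeouts. The following is an added model of those interactions, written for this page and not EdgeConnect or Orchestrator code. Tunnel names, flow keys and timestamps are constructed; the timeout defaults (120 s UDP, 1800 s TCP) and option names come from the table. The page does not say what happens to a flow under the "disable" option while its tunnel is down, so the model simply reports no route for it until the tunnel returns; that is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

UDP_FLOW_TIMEOUT = 120     # seconds, page default
TCP_FLOW_TIMEOUT = 1800    # seconds, page default for non-accelerated TCP

@dataclass
class Flow:
    key: tuple                 # (proto, src, dst, sport, dport), constructed
    tunnel: Optional[str]      # tunnel the flow is currently mapped to
    home: Optional[str]        # tunnel chosen when the flow was created
    last_seen: float
    state: str                 # optimized | bypassed | dropped

class FlowTable:
    def __init__(self, tunnels, max_flows, excess_policy="bypass", failure_mode="fail-stick"):
        if excess_policy not in ("bypass", "drop"):
            raise ValueError("excess policy is bypass or drop")
        if failure_mode not in ("fail-stick", "fail-back", "disable"):
            raise ValueError("failure mode is fail-stick, fail-back or disable")
        self.tunnels = {t: True for t in tunnels}   # name -> is up
        self.max_flows = max_flows
        self.excess_policy = excess_policy
        self.failure_mode = failure_mode
        self.flows = {}

    def _optimized_count(self):
        return sum(1 for f in self.flows.values() if f.state == "optimized")

    def _pick_tunnel(self):
        # simplest possible path selection: first tunnel that is up
        for name, up in self.tunnels.items():
            if up:
                return name
        return None

    def packet(self, key, now):
        """Account one packet of flow `key` at time `now`; returns the flow's state."""
        self.expire(now)
        flow = self.flows.get(key)
        if flow is None:
            if self._optimized_count() >= self.max_flows:
                # Excess flow policy: new flows are bypassed (default) or their packets dropped
                state = "bypassed" if self.excess_policy == "bypass" else "dropped"
                flow = Flow(key, None, None, now, state)
            else:
                t = self._pick_tunnel()
                flow = Flow(key, t, t, now, "optimized" if t else "bypassed")
            self.flows[key] = flow
        else:
            flow.last_seen = now
        return flow.state

    def expire(self, now):
        """Age out idle flows using the per-protocol idle timeouts."""
        for key in list(self.flows):
            limit = UDP_FLOW_TIMEOUT if key[0] == "udp" else TCP_FLOW_TIMEOUT
            if now - self.flows[key].last_seen > limit:
                del self.flows[key]

    def route_of(self, key):
        """Tunnel currently carrying the flow, or None if it has no usable tunnel."""
        flow = self.flows[key]
        if flow.tunnel is None or not self.tunnels[flow.tunnel]:
            return None
        return flow.tunnel

    def tunnel_down(self, name):
        self.tunnels[name] = False
        if self.failure_mode == "disable":
            return                     # assumption: flows keep their mapping and simply have no route
        for flow in self.flows.values():
            if flow.tunnel == name:    # fail-stick and fail-back both move flows to a surviving tunnel
                flow.tunnel = self._pick_tunnel()

    def tunnel_up(self, name):
        self.tunnels[name] = True
        if self.failure_mode == "fail-back":
            for flow in self.flows.values():
                if flow.home == name:  # only fail-back returns flows to their original tunnel
                    flow.tunnel = name

if __name__ == "__main__":
    ft = FlowTable(["t1", "t2"], max_flows=2)
    a = ("tcp", "10.0.0.1", "10.0.1.1", 40000, 443)
    print(ft.packet(a, 0), ft.route_of(a))
    ft.tunnel_down("t1"); ft.tunnel_up("t1")
    print("after recovery (fail-stick):", ft.route_of(a))
```

Running the same scenario with `failure_mode="fail-back"` moves the flow back to `t1` after recovery, which is the observable difference between the first two options; with `"disable"` the flow has no route while `t1` is down and resumes on `t1` when it returns.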