2.2.42 FW_GLOBAL_CONFIG

This enumeration identifies the global policy configuration options. Each configuration option has a merge law that is used to determine how to merge the values of these options across stores.

 typedef  enum _tag_FW_GLOBAL_CONFIG
 {
   FW_GLOBAL_CONFIG_INVALID = 0,
   FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED = 1,
   FW_GLOBAL_CONFIG_CURRENT_PROFILE = 2,
   FW_GLOBAL_CONFIG_DISABLE_STATEFUL_FTP = 3,
   FW_GLOBAL_CONFIG_DISABLE_STATEFUL_PPTP = 4,
   FW_GLOBAL_CONFIG_SA_IDLE_TIME = 5,
   FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING = 6,
   FW_GLOBAL_CONFIG_IPSEC_EXEMPT = 7,
   FW_GLOBAL_CONFIG_CRL_CHECK = 8,
   FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT = 9,
   FW_GLOBAL_CONFIG_POLICY_VERSION = 10,
   FW_GLOBAL_CONFIG_BINARY_VERSION_SUPPORTED = 11,
   FW_GLOBAL_CONFIG_IPSEC_TUNNEL_REMOTE_MACHINE_AUTHORIZATION_LIST = 12,
   FW_GLOBAL_CONFIG_IPSEC_TUNNEL_REMOTE_USER_AUTHORIZATION_LIST = 13,
   FW_GLOBAL_CONFIG_OPPORTUNISTICALLY_MATCH_AUTH_SET_PER_KM = 14,
   FW_GLOBAL_CONFIG_IPSEC_TRANSPORT_REMOTE_MACHINE_AUTHORIZATION_LIST = 15,
   FW_GLOBAL_CONFIG_IPSEC_TRANSPORT_REMOTE_USER_AUTHORIZATION_LIST = 16,
   FW_GLOBAL_CONFIG_ENABLE_PACKET_QUEUE = 17,
   FW_GLOBAL_CONFIG_MAX = 18
 } FW_GLOBAL_CONFIG;

FW_GLOBAL_CONFIG_INVALID:  This value MUST NOT be used. It is defined for simplicity in writing IDL definitions and code. This symbolic constant has a value of 0.

FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED:  This value is a DWORD containing the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security component's software build. This symbolic constant has a value of 1.<12>

In section 2 structures and section 3 methods of this document, some section titles are appended with a schema version to which the particular structure or method applies. For example, the appended characters “2_20” in the “FW_RULE2_20” structure section name indicates that this structure applies to and corresponds with policy version 0x0214, as described just ahead.

Policy version numbers vary depending on the version of this protocol to which they apply. They also approximately correspond with regular product updates. Policy versions in this protocol are expressed in hexadecimal notation that presently consist of the following versions: 0x0200, 0x0201, 0x020A, 0x0214, 0x0216, 0x0218, 0x0219, 0x021A, 0x021B, 0x021C, 0x021D, 0x021E, 0x021F, and 0x0220. These policy versions are mapped to specific release versions of this protocol.

The policy versions listed above can be translated into binary versions by treating the two-byte hex value as a "high byte" and a "low byte". To obtain the binary version, convert each byte to decimal and separate them with a period ("."). For example, hex firewall policy version 0x0214 is mapped to binary version 2.20. Schema versions are similar to binary versions except that they contain an underscore character ("_") instead of a period. The latter is the format that is used when appending a schema version reference to a structure name or a method name, as described earlier in this section.

FW_GLOBAL_CONFIG_CURRENT_PROFILE:  This value is a DWORD and contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE (section 2.2.2) for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. This symbolic constant has a value of 2.

FW_GLOBAL_CONFIG_DISABLE_STATEFUL_FTP:  This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win. This symbolic constant has a value of 3.

FW_GLOBAL_CONFIG_DISABLE_STATEFUL_PPTP:  This value is an on/off switch. If off, the firewall performs stateful Point-to-Point Tunneling Protocol (PPTP) analysis. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win. This symbolic constant has a value of 4.

FW_GLOBAL_CONFIG_SA_IDLE_TIME:  This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. This symbolic constant has a value of 5.

FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING:  This configuration value specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. This symbolic constant has a value of 6.

FW_GLOBAL_CONFIG_IPSEC_EXEMPT:  This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in FW_GLOBAL_CONFIG_IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be FW_GLOBAL_CONFIG_IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and FW_GLOBAL_CONFIG_IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. This symbolic constant has a value of 7.

FW_GLOBAL_CONFIG_CRL_CHECK:  This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. This symbolic constant has a value of 8.

FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT:  This value is configured when an IPsec security association can be established with a computer across NAT devices. The value is of type FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT_VALUES and MUST contain valid values of the same enumeration type. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. This symbolic constant has a value of 9.

FW_GLOBAL_CONFIG_POLICY_VERSION:  This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law. This symbolic constant has a value of 10.

FW_GLOBAL_CONFIG_BINARY_VERSION_SUPPORTED:  This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This symbolic constant has a value of 11. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
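The version translation (policy version to binary and schema version) and the merge laws stated for options 3 through 9 above, as an added example in Python; this is not code from the specification, and the FwGlobalConfig enum, store values and helper names are this example's own constructions:

```python
# Added example (not from the MS-FASP specification): version translation and merge laws.
from enum import IntEnum
from typing import Optional

class FwGlobalConfig(IntEnum):  # subset of FW_GLOBAL_CONFIG, same numeric values
    DISABLE_STATEFUL_FTP = 3
    DISABLE_STATEFUL_PPTP = 4
    SA_IDLE_TIME = 5
    PRESHARED_KEY_ENCODING = 6
    IPSEC_EXEMPT = 7
    CRL_CHECK = 8
    IPSEC_THROUGH_NAT = 9
    POLICY_VERSION = 10

def policy_to_binary_version(policy: int) -> str:
    """0x0214 -> '2.20': high byte is the major version, low byte the minor."""
    return f"{(policy >> 8) & 0xFF}.{policy & 0xFF}"

def policy_to_schema_version(policy: int) -> str:
    """0x0214 -> '2_20', the suffix used in names such as FW_RULE2_20."""
    return policy_to_binary_version(policy).replace(".", "_")

# Merge law "let on values win" (DWORD switch: 0x00000000 off, 0x00000001 on).
ON_WINS = {FwGlobalConfig.DISABLE_STATEFUL_FTP, FwGlobalConfig.DISABLE_STATEFUL_PPTP}
# Merge law "GroupPolicyRSoPStore wins if configured; otherwise use the local store".
GPO_WINS = {FwGlobalConfig.SA_IDLE_TIME, FwGlobalConfig.PRESHARED_KEY_ENCODING,
            FwGlobalConfig.IPSEC_EXEMPT, FwGlobalConfig.CRL_CHECK,
            FwGlobalConfig.IPSEC_THROUGH_NAT}

def merge_option(option: FwGlobalConfig, gpo: Optional[int],
                 local: Optional[int]) -> Optional[int]:
    """Effective value across the two stores; None means 'not configured'."""
    if option in ON_WINS:
        configured = [v for v in (gpo, local) if v is not None]
        if not configured:
            return None
        return 1 if 1 in configured else 0
    if option in GPO_WINS:
        return gpo if gpo is not None else local
    raise ValueError(f"{option.name} is not merged and has no merge law")

def is_valid_value(option: FwGlobalConfig, value: int) -> bool:
    """Range checks this section states; False is a value the server rejects."""
    if option is FwGlobalConfig.SA_IDLE_TIME:
        return 300 <= value <= 3600
    if option is FwGlobalConfig.CRL_CHECK:
        return value in (0, 1, 2)
    return True  # remaining options are bounded by their own enumerations
```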

FW_GLOBAL_CONFIG_IPSEC_TUNNEL_REMOTE_MACHINE_AUTHORIZATION_LIST:  This value represents a list of remote machines that are allowed to send and receive traffic through the tunnels which request this access check. Machines in the list are allowed through the tunnels. Machines not in the list are denied through the tunnels. The list is specified as a security descriptor that identifies the SIDs ([MS-DTYP] section 2.4.2.1) of the remote machines. The value is a Unicode string in Security Descriptor Definition Language (SDDL) format ([MS-DTYP] section 2.5.1). This symbolic constant has a value of 12.

FW_GLOBAL_CONFIG_IPSEC_TUNNEL_REMOTE_USER_AUTHORIZATION_LIST:  This value represents a list of remote users who are allowed to send and receive traffic through the tunnels which request this access check. Users in the list are allowed through the tunnels. Users not in the list are denied through the tunnels. The list is specified as a security descriptor that identifies the SIDs ([MS-DTYP] section 2.4.2.1) of the remote users. The value is a Unicode string in SDDL format ([MS-DTYP] section 2.5.1). This symbolic constant has a value of 13.

FW_GLOBAL_CONFIG_OPPORTUNISTICALLY_MATCH_AUTH_SET_PER_KM:  This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. This symbolic constant has a value of 14.

FW_GLOBAL_CONFIG_IPSEC_TRANSPORT_REMOTE_MACHINE_AUTHORIZATION_LIST:  This value is a Unicode string in Security Descriptor Definition Language (SDDL) format ([MS-DTYP] section 2.5.1). The security descriptor describes which remote machines are allowed to send and receive traffic secured by transport mode connection security rules which request this access check. Machines granted access by the security descriptor are allowed to send and receive traffic. Machines denied access by the security descriptor are blocked from sending and receiving traffic. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. This symbolic constant has a value of 15.

FW_GLOBAL_CONFIG_IPSEC_TRANSPORT_REMOTE_USER_AUTHORIZATION_LIST:  This value is a Unicode string in Security Descriptor Definition Language (SDDL) format. The security descriptor describes which remote users are allowed to send and receive traffic secured by transport mode connection security rules which request this access check. Users granted access by the security descriptor are allowed to send and receive traffic. Users denied access by the security descriptor are blocked from sending and receiving traffic. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. This symbolic constant has a value of 16.

FW_GLOBAL_CONFIG_ENABLE_PACKET_QUEUE:  This value specifies whether software receive-side scaling is enabled for the encrypted receive path and for the clear-text forward path in the IPsec tunnel gateway scenario (as configured by FW_CS_RULE (section 2.2.55)). Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. This symbolic constant has a value of 17.

FW_GLOBAL_CONFIG_MAX:  This value and values that exceed this value are not valid and MUST NOT be used. This symbolic constant is defined for simplicity in writing IDL definitions and code. It has a value of 18.

Note  The value of FW_GLOBAL_CONFIG_MAX depends on the number of members in this enumeration, which, in turn, depends on the schema version. See the descriptions of the previous enumeration members to determine what this value is for each schema version.