Hi Danny, Yes, all is this is done right out of the box. It's the basic tenet of ISA spoof detection. I don't recall if fragment filtering is done by default, but you can enable it if it isn't. Be careful with number 3 -- it only applies if the ISA firewall is the Internet edge firewall and there is no NAT device in front of it. Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny Sent: Tuesday, August 22, 2006 9:04 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Being a good Internet citizen per Stefaan Pouseele I read this Stefaan's blog this evening; it is just loaded with fantastic information. (Don't forget the blogs of Dr. Shinder and Mr. Jim Harrison!, and many others!) One thing I had a question about was whether or not ISA 2004, ISA 2004 SP1, and ISA 2004 SP2 "out-of-box" provide the platform to be a good Internet citizen specific to what Stefaan has outlined. I believe that it is, but I just want to verify with the pro's. Here is the particular post: http://blogs.isaserver.org/pouseele/2006/06/11/be-a-good-internet-citize n/ Thanks, ...D -- CPDE - Certified Petroleum Distribution Engineer CCBC - Certified Canadian Beer Consumer