SonicOS 7.1 Objects
- SonicOS 7.1 Action Objects
- About SonicOS
- Match Objects
- Zones
- How Zones Work
- Default Zones
- Security Types
- Allow Interface Trust
- Effect of Wireless Controller Modes
- Zones Overview
- The Zones Page
- Adding a New Zone
- Adding a New Zone in Policy Mode
- Adding a New Zone in Classic Mode
- Configuring a Zone for Guest Access
- Configuring a Zone for Open Authentication and Social Login
- Configuring the WLAN Zone
- Configuring the RADIUS Server
- Configuring DPI-SSL Granular Control per Zone
- Enabling Automatic Redirection to the User-Policy Page
- Cloning a Zone
- Editing a Zone
- Deleting Custom Zones
- Addresses
- Addresses Page
- About UUIDs for Address Objects and Groups
- Working with Dynamic Address Objects
- Services
- URI Lists
- Schedules
- Dynamic Group
- Email Addresses
- Match Objects
- Countries
- Applications
- Web Categories
- Websites
- Match Patterns
- Custom Match
- Profile Objects
- Endpoint Security
- Bandwidth
- QoS Marking
- Content Filter
- DHCP Option
- DNS Filtering
- Block Page
- Anti-Spyware
- Gateway Anti-Virus
- Log and Alerts
- Intrusion Prevention
- AWS
- Action Profiles
- Security Action Profile
- DoS Action Profile
- Action Objects
- App Rule Actions
- Content Filter Actions
- Object viewer
- SonicWall Support
Layer 2 SYN/RST/FIN Flood Protection
The SYN/RST/FIN Blacklisting feature lists devices that exceeded the SYN, RST, and FIN Blacklist attack threshold. The firewall drops packets sent from blacklisted devices early in the packet evaluation process, enabling the firewall to handle greater amounts of these packets, providing a defense against attacks originating on local networks while also providing second-tier protection for WAN networks.
Devices cannot occur on the SYN/RST/FIN Blacklist and watchlist simultaneously. With blacklisting enabled, the firewall removes devices exceeding the blacklist threshold from the watchlist and places them on the blacklist. Conversely, when the firewall removes a device from the blacklist, it places it back on the watchlist. Any device whose MAC address has been placed on the blacklist will be removed from it approximately three seconds after the flood emanating from that device has ended.
To configure the Layer 2 SYN/RST/FIN Flood Protection
- Navigate to OBJECT | Action Profiles > DoS Action Profile.
-
Do one of the following:
-
Add a new DoS Action Profile.
- Click the Add icon.
- Enter a friendly DoS Rule Action Name.
-
Edit an existing DoS Action Profile.
Hover over an existing DoS Action Profile and click the Edit icon.
-
-
Click Flood Protection > Layer 2 SYN/RST/FIN Flood Protection option.
- Enable SYN/RST/FIN/TCP flood blacklisting on all interfaces to enable the blacklisting feature on all interfaces on the firewall and change the default settings.
-
Make the necessary changes to the default settings.
Never blacklist WAN machines To always skip adding WAN systems to the SYN Blacklist.
This option is recommended as leaving it cleared may interrupt traffic to and from the firewall's WAN ports.
Always allow SonicWall management traffic To skip filtering of the IP traffic from a blacklisted device targeting the firewall's WAN IP addresses.
This allows management traffic and routing protocols to maintain connectivity through a blacklisted device.
Threshold for SYN/RST/FIN flood blacklisting To specify the maximum number of SYN, RST, FIN, and TCP packets allowed per second.
The minimum is 10, the maximum is 800000, and the default is 1000.
This value should be larger than the SYN Proxy threshold value because blacklisting attempts to thwart more vigorous local attacks or severe attacks from a WAN network.
- Click Save.
- Click Cancel to go back to the DoS Action Profile page or proceed with other configurations.
Was This Article Helpful?
Help us to improve our support portal