• SonicOS 7.0
• About Firewall
  • Firewall Workflow
• Advanced
  • Changing Between SonicOS
    • Changing From Classic to Policy Mode
    • Changing From Policy to Classic Mode
  • Detection Prevention
  • Dynamic Ports
  • Source Routed Packets
  • Internal VLAN
  • Access Rule Options
  • IP and UDP Checksum Enforcement
  • Jumbo Frame
  • Connections
  • Control Plane Flood Protection
  • IPv6 Advanced Configuration
  • TCP
    • TCP Settings
    • Layer 3 SYN Flood Protection- SYN Proxy
    • Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting
    • WAN DDOS Protection (Non-TCP Floods)
    • TCP Traffic Statistics
  • UDP
    • UDP Settings
    • UDP Flood Protection
    • UDP Traffic Statistics
    • UDPV6 Traffic Statistics
  • ICMP
    • ICMP Flood Protection for IPv4 version
    • ICMP Traffic Statistics
    • ICMP Flood Protection for IPv6 version
    • ICMPv6 Traffic Statistics
• Flood Protection
• SSL Control
  • Key Features of SSL Control
  • Key Concepts to SSL Control
  • Caveats and Advisories
  • Configuring SSL Control
  • Custom List
  • Enabling SSL Control on Zones
  • SSL Control Events
• Cipher Control
  • TLS Ciphers
    • Blocking/Unblocking Ciphers
    • Filtering Ciphers
      • Selecting Display Options
      • Displaying Ciphers by Strength
      • Displaying Ciphers by Block/Unblock
      • Displaying Ciphers by CBC Mode
      • Displaying Ciphers by TLS Protocol Version
  • SSH Ciphers
• Real-Time Black List (RBL) Filter
  • Configuring the RBL Filter
    • Enabling RBL Blocking
    • Adding RBL Services
    • Configuring User-Defined SMTP Server Lists
      • Configuring a White List
      • Configuring a Black List
    • Testing SMTP IP Addresses

Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting

This tab is available only in Policy mode under Network > Firewall > Flood Protection > TCP > Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting.

The SYN/RST/FIN Blacklisting feature lists devices that exceeded the SYN, RST, and FIN Blacklist attack threshold. The firewall device drops packets sent from blacklisted devices early in the packet evaluation process, enabling the firewall to handle greater amounts of these packets, providing a defense against attacks originating on local networks while also providing second-tier protection for WAN networks.

Devices cannot occur on the SYN/RST/FIN Blacklist and watchlist simultaneously. With blacklisting enabled, the firewall removes devices exceeding the blacklist threshold from the watchlist and places them on the blacklist. Conversely, when the firewall removes a device from the blacklist, it places it back on the watchlist. Any device whose MAC address has been placed on the blacklist will be removed from it approximately three seconds after the flood emanating from that device has ended.

• Enable SYN/RST/FIN/TCP flood blacklisting on all interfaces – Enables the blacklisting feature on all interfaces on the firewall. This option is not selected by default. When it is selected, the following options become available.
• Never blacklist WAN machines – Ensures that systems on the WAN are never added to the SYN Blacklist. This option is recommended as leaving it cleared may interrupt traffic to and from the firewall’s WAN ports. This option is not selected by default.
• Always allow SonicWall management traffic – Causes IP traffic from a blacklisted device targeting the firewall’s WAN IP addresses to not be filtered. This allows management traffic and routing protocols to maintain connectivity through a blacklisted device. This option is not selected by default.
• Threshold for SYN/RST/FIN flood blacklisting – Specifies the maximum number of SYN, RST, FIN, and TCP packets allowed per second. The minimum is 10, the maximum is 800000, and default is 1,000. This value should be larger than the SYN Proxy threshold value because blacklisting attempts to thwart more vigorous local attacks or severe attacks from a WAN network.
• Click Accept.