• SonicOS 7.0
• About Firewall
  • Firewall Workflow
• Advanced
  • Changing Between SonicOS
    • Changing From Classic to Policy Mode
    • Changing From Policy to Classic Mode
  • Detection Prevention
  • Dynamic Ports
  • Source Routed Packets
  • Internal VLAN
  • Access Rule Options
  • IP and UDP Checksum Enforcement
  • Jumbo Frame
  • Connections
  • Control Plane Flood Protection
  • IPv6 Advanced Configuration
  • TCP
    • TCP Settings
    • Layer 3 SYN Flood Protection- SYN Proxy
    • Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting
    • WAN DDOS Protection (Non-TCP Floods)
    • TCP Traffic Statistics
  • UDP
    • UDP Settings
    • UDP Flood Protection
    • UDP Traffic Statistics
    • UDPV6 Traffic Statistics
  • ICMP
    • ICMP Flood Protection for IPv4 version
    • ICMP Traffic Statistics
    • ICMP Flood Protection for IPv6 version
    • ICMPv6 Traffic Statistics
• Flood Protection
• SSL Control
  • Key Features of SSL Control
  • Key Concepts to SSL Control
  • Caveats and Advisories
  • Configuring SSL Control
  • Custom List
  • Enabling SSL Control on Zones
  • SSL Control Events
• Cipher Control
  • TLS Ciphers
    • Blocking/Unblocking Ciphers
    • Filtering Ciphers
      • Selecting Display Options
      • Displaying Ciphers by Strength
      • Displaying Ciphers by Block/Unblock
      • Displaying Ciphers by CBC Mode
      • Displaying Ciphers by TLS Protocol Version
  • SSH Ciphers
• Real-Time Black List (RBL) Filter
  • Configuring the RBL Filter
    • Enabling RBL Blocking
    • Adding RBL Services
    • Configuring User-Defined SMTP Server Lists
      • Configuring a White List
      • Configuring a Black List
    • Testing SMTP IP Addresses

Layer 3 SYN Flood Protection- SYN Proxy

This tab is available only in Policy mode under Network > Firewall > Flood Protection > TCP > Layer 3 SYN Flood Protection- SYN Proxy.

A SYN Flood Protection mode is the level of protection that you can select to protect your network against half‐opened TCP sessions and high frequency SYN packet transmissions. This feature is enabled and configured on the Network > Firewall > Flood Protection > TCP > Layer 3 SYN Flood Protection- SYN Proxy tab.

To configure Layer 3 SYN Flood Protection features:

• In the SYN Flood Protection Mode drop‐down menu, select a protection mode.

  • Watch and Report Possible SYN Floods – The device monitors SYN traffic on all interfaces and logs suspected SYN flood activity that exceeds a packet-count threshold. This option does not actually turn on the SYN Proxy on the device, so the device forwards the TCP three‐way handshake without modification.

    This is the least invasive level of SYN Flood protection. Select this option if your network is not in a high‐risk environment.

    When this protection mode is selected, the SYN-Proxy options are not available.

  • Proxy WAN Client Connections When Attack is Suspected – The device enables the SYN Proxy feature on WAN interfaces when the number of incomplete connection attempts per second exceeds a specified threshold. This method ensures that the device continues to process valid traffic during the attack, and that performance does not degrade. Proxy mode remains enabled until all WAN SYN flood attacks stop occurring, or until the device blacklists all of them using the SYN Blacklisting feature.

    This is the intermediate level of SYN Flood protection. Select this option if your network sometimes experiences SYN Flood attacks from internal or external sources.

  • Always Proxy WAN Client Connections – This option sets the device to always use SYN Proxy. This method blocks all spoofed SYN packets from passing through the device. This is an extreme security measure, which directs the device to respond to port scans on all TCP ports. The SYN Proxy feature forces the device to respond to all TCP SYN connection attempts, which can degrade performance and generate false positive results. Select this option only if your network is in a high‐risk environment.

  SYN Attack Threshold

  Select the SYN Attack Threshold configuration options to provide limits for SYN Flood activity before the device drops packets. The device gathers statistics on WAN TCP connections, keeping track of the maximum and average maximum and incomplete WAN connections per second. Out of these statistics, the device suggests a value for the SYN flood threshold.

  

  • Suggested value calculated from gathered statistics - This is a read-only field provided by the system. After you select the level of protection, the appliance gathers statistics on current WAN TCP connections, keeping track of the maximum, average maximum, and incomplete WAN connections per second. These calculations provide support for a suggested value for the SYN Attack threshold.

  • Attack Threshold - Enables you to set the threshold for the number of incomplete connection attempts per second before the device drops packets at any value between 5 and 200,000. The default is the Suggested value calculated from gathered statistics by the appliance.

  SYN Proxy Options

  If one of the higher levels of SYN Protection is selected, SYN‐Proxy options can be selected to provide more control over what is sent to WAN clients when in SYN Proxy mode. When the device applies a SYN Proxy to a TCP connection, it responds to the initial SYN packet with a manufactured SYN/ACK reply, waiting for the ACK in response before forwarding the connection request to the server. Devices attacking with SYN Flood packets do not respond to the SYN/ACK reply. The firewall identifies them by their lack of this type of response and blocks their spoofed connection attempts. SYN Proxy forces the firewall to manufacture a SYN/ACK response without knowing how the server responds to the TCP options normally provided on SYN/ACK packets.

  

  The options in this section are not available if Watch and report possible SYN floods option is selected for SYN Flood Protection Mode.

  • All LAN/DMZ servers support the TCP SACK option – Selecting this option enables SACK (Selective Acknowledgment), so that when a packet is dropped, the receiving device indicates which packets it received. This option is not enabled by default. Enable this checkbox only when you know that all servers covered by the firewall that are accessed from the WAN support the SACK option.

  • Limit MSS sent to WAN clients (when connections are proxied) – When you choose this option, you can enter the maximum MSS (Minimum Segment Size) value. This sets the threshold for the size of TCP segments, preventing a segment that is too large from being sent to the targeted server. For example, if the server is an IPsec gateway, it might need to limit the MSS it receives to provide space for IPsec headers when tunneling traffic. The firewall cannot predict the MSS value sent to the server when it responds to the SYN manufactured packet during the proxy sequence. Being able to control the size of a segment makes it possible to control the manufactured MSS value sent to WAN clients. This option is not selected by default.

    If you specify an override value for the default of 1460, only a segment that size or smaller is sent to the client in the SYN/ACK cookie. Setting this value too low can decrease performance when the SYN Proxy is always enabled. Setting this value too high can break connections if the server responds with a smaller MSS value.

  • Maximum TCP MSS sent to WAN clients – This is the value of the MSS. The default is 1460, the minimum value is 32, and the maximum is 1460.

    When using Proxy WAN client connections, remember to set these options conservatively as they only affect connections when a SYN Flood takes place. This ensures that legitimate connections can continue during an attack.

  • Always log SYN packets received – Select this option to log all SYN packets received. This option is only available with higher levels of SYN protection.