Configure SYN rate limits for engines
You can configure SYN rate limits to reduce the risk of SYN flood attacks against the Firewall, IPS engine, Layer 2 Firewall, Master NGFW Engine, or Virtual NGFW Engine.
SYN rate limits are applied to TCP connections. Each TCP connection starts with a SYN packet. If the SYN rate limits defined for the engine are reached, the engine drops new TCP connections.
The global SYN rate limits that you define in the NGFW Engine properties are applied as default settings on all interfaces. You can also define SYN rate limits that override the global settings in each interface’s properties.
For more details about the product and how to configure features, click Help or press F1.
Steps
Engine Editor – Advanced Settings – SYN Rate Limits
Use this branch to change global SYN rate limits for the engine. SYN rate limits reduce the risk of SYN flood attacks against the engine.
Option | Definition |
---|---|
SYN Rate Limits | Limits for SYN packets sent to the engine.
|
Allowed SYNs per Second
(Custom only) |
The number of allowed SYN packets per second. |
Burst Size
(Custom only) |
The number of allowed SYNs before the engine starts limiting the SYN rate.
CAUTION: We recommend setting the
Burst Size value to at least one tenth of the
Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for
Allowed SYNs per Second is 10000, the
Burst Size value must be at least 1000.
|