Configure SYN rate limits for engines

You can configure SYN rate limits to reduce the risk of SYN flood attacks against the Firewall, IPS engine, Layer 2 Firewall, Master NGFW Engine, or Virtual NGFW Engine.

SYN rate limits are applied to TCP connections. Each TCP connection starts with a SYN packet. If the SYN rate limits defined for the engine are reached, the engine drops new TCP connections.

The global SYN rate limits that you define in the NGFW Engine properties are applied as default settings on all interfaces. You can also define SYN rate limits that override the global settings in each interface’s properties.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an engine element and select Edit <element type>.
    The Engine Editor opens.
  2. In the navigation pane on the left, browse to Advanced Settings > SYN Rate Limits.
    The SYN Rate Limits pane opens on the right.
  3. For SYN Rate Limits Mode, select Automatic or Custom.
    CAUTION:
    The recommended values for the SYN rate limits depend on your network environment. If the custom settings are not carefully configured, the capacity of the engine might suffer or SYN rate limits might not work correctly.
  4. (Custom only) In the Allowed SYNs per Second field, enter the number of allowed SYN packets per second.
  5. (Custom only) In the Burst Size field, enter the number of allowed SYNs before the engine starts limiting the SYN rate.
    CAUTION:
    We recommend setting the Burst Size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000.
  6. Click Save and Refresh to transfer the configuration changes.

Engine Editor – Advanced Settings – SYN Rate Limits

Use this branch to change global SYN rate limits for the engine. SYN rate limits reduce the risk of SYN flood attacks against the engine.

Option: SYN Rate Limits
Definition: Limits for SYN packets sent to the engine.
  • None — SYN rate limits are disabled.
  • Automatic — The engine automatically calculates the Allowed SYNs per Second and Burst Size values for the interface based on the engine’s capacity and memory size.
  • Custom — Enter custom values for Allowed SYNs per Second and Burst Size.

Option: Allowed SYNs per Second (Custom only)
Definition: The number of allowed SYN packets per second.

Option: Burst Size (Custom only)
Definition: The number of allowed SYNs before the engine starts limiting the SYN rate.
  CAUTION:
  We recommend setting the Burst Size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000.
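The following model illustrates how Allowed SYNs per Second and Burst Size interact in the steps and the option table above. It is an added example, not Forcepoint code, and the NGFW Engine's real algorithm is not documented on this page: the model assumes a token bucket whose capacity is the Burst Size and that is refilled once per fixed timer tick (a hypothetical 100 ms), which is one reason a Burst Size below one tenth of the rate can stop the limit from working as configured.

```python
from dataclasses import dataclass, field


@dataclass
class SynRateLimiter:
    """Token bucket: Burst Size is the bucket capacity, Allowed SYNs per Second the refill rate.

    Assumption (not from the product documentation): tokens are added once per fixed
    timer tick of refill_interval_ms, never beyond burst_size.
    """
    allowed_syns_per_second: int
    burst_size: int
    refill_interval_ms: int = 100            # hypothetical timer tick
    tokens: int = field(init=False)
    last_tick: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = self.burst_size         # the bucket starts full

    def accept(self, now_ms: int) -> bool:
        """Return True if a SYN arriving at now_ms is admitted, False if it is dropped."""
        tick = now_ms // self.refill_interval_ms
        if tick > self.last_tick:
            # each elapsed tick adds rate * interval tokens, capped at Burst Size
            per_tick = self.allowed_syns_per_second * self.refill_interval_ms // 1000
            self.tokens = min(self.burst_size, self.tokens + (tick - self.last_tick) * per_tick)
            self.last_tick = tick
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def accepted_in_one_second(allowed_per_second: int, burst_size: int, offered_per_second: int) -> int:
    """Offer a constructed, evenly spaced stream of SYNs for one second; return how many pass."""
    limiter = SynRateLimiter(allowed_per_second, burst_size)
    accepted = 0
    for i in range(offered_per_second):
        if limiter.accept(i * 1000 // offered_per_second):
            accepted += 1
    return accepted


if __name__ == "__main__":
    # Burst Size at one tenth of the rate: a 50 000 SYN/s flood is trimmed to the configured 10 000/s.
    print(accepted_in_one_second(10_000, 1_000, 50_000))   # 10000
    # Burst Size far below one tenth: the bucket overflows on every refill, so only 1 000/s
    # get through and the configured limit is never honoured (legitimate SYNs are dropped too).
    print(accepted_in_one_second(10_000, 100, 50_000))     # 1000
    # Normal load below the limit passes untouched.
    print(accepted_in_one_second(10_000, 1_000, 5_000))    # 5000
```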