https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-syn-attack-protection-disabled-on-the-inspection-profiles/m-p/144024#M22389 <P>Hi All</P><P>I looking at what we can do for basic ddos protection on our gateways, I can see the syn attack protection, but it is set to disabled by default.</P><P>Is there a reason for this? should we enable it? what are most people doing with this setting?</P><P>Cheers</P> Thu, 17 Mar 2022 10:25:47 GMT carl_t 2022-03-17T10:25:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-syn-attack-protection-disabled-on-the-inspection-profiles/m-p/144024#M22389 <P>Hi All</P><P>I looking at what we can do for basic ddos protection on our gateways, I can see the syn attack protection, but it is set to disabled by default.</P><P>Is there a reason for this? should we enable it? what are most people doing with this setting?</P><P>Cheers</P> Thu, 17 Mar 2022 10:25:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-syn-attack-protection-disabled-on-the-inspection-profiles/m-p/144024#M22389 carl_t 2022-03-17T10:25:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-syn-attack-protection-disabled-on-the-inspection-profiles/m-p/144028#M22390 <P><SPAN>In R80.20 SYN Attack moved from IPS to SXL. This is the only change. The same DDoS Best Practices remain [ described in sk112241], just with the new SYN Attack configuration [sk120476].&nbsp;See the </SPAN><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowproductpage&amp;productTab=documents&amp;product=435" target="_blank" rel="noopener">Performance Tuning Administration Guide</A><SPAN> for your version - Chapter </SPAN><EM>SecureXL</EM><SPAN> - Section </SPAN><EM>Accelerated SYN Defender</EM></P> <P>Use this&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk120476&amp;partition=Basic&amp;product=IPS," target="_blank">sk120476: Important changes in IPS "<STRONG>SYN</STRONG> <STRONG>Attack</STRONG>" (<STRONG>SYN</STRONG> Defender) <STRONG>protection</STRONG></A>&nbsp;for new versions hight R80.20 or&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112241&amp;partition=Advanced&amp;product=Quantum" target="_blank">sk112241: Best Practices - DDoS attacks on Check Point Security Gateway</A>&nbsp;for older versions.</P> Thu, 17 Mar 2022 10:59:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-syn-attack-protection-disabled-on-the-inspection-profiles/m-p/144028#M22390 G_W_Albrecht 2022-03-17T10:59:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-syn-attack-protection-disabled-on-the-inspection-profiles/m-p/144083#M22402 <P>To expand on Gunter's answer, signatures/protections with a Performance Impact rating of Critical are never enabled by default or via automatic profile-based action, they must be manually enabled by the administrator.&nbsp; In R80.10 and earlier enabling this protection would cause almost all traffic traversing the gateway into the F2F path which frankly made it unusable in most scenarios.&nbsp; Even though SYN Attack enforcement is now performed by sim/SecureXL in R80.20 and no longer has this nasty effect, the protection is still sporting the "Critical" performance impact in the SmartConsole.&nbsp; It *probably* should be changed to "Low" now that R80.10 and earlier is no longer supported.</P> <P>Bottom line is as long as all your gateways are running at least R80.20 enabling this SYN Attack protection should not cause a major performance impact regardless of the Critical rating currently shown in the SmartConsole.</P> Thu, 17 Mar 2022 16:20:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Why-is-syn-attack-protection-disabled-on-the-inspection-profiles/m-p/144083#M22402 Timothy_Hall 2022-03-17T16:20:26Z