SYN defender - fwaccel synatk

Lesley — Wed, 26 Jun 2024 09:18:21 GMT

Hi everyone,

Today I configured SYN defender. I have enabled the IPS protection. R81.10 take 130

I have a few questions

- Is there any way to see in a log that the threshold was reached and traffic was blocked? Or can you see it live, for example with fw ctl zdebug?

- If the peak connection amount was reached in the fwaccel synatk monitor output, does this mean the protection was active?

So now the peak is set to 5000 and total on 10000 it will match the peak table?

- Why does my CLI config get's overwritten without a reason? The admin guide states:

Configure the applicable settings in the profile:

On the General Properties page:

If you select Override with Action and then Accept or Drop, it overrides the settings you make on the Security Gateway with the fwaccel synatk commands.
On the Advanced page:

The option you select in the Activation Settings (Protect all interfaces or Protect external interfaces only) overrides the settings you make on the Security Gateway with the fwaccel synatk commands.

Source: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_PerformanceTuning_AdminGuide/Topics-PTG/SecureXL-Accelerated-SYN-Defender.htm?tocpath=SecureXL%7C_____9

Here you can see I put eth7 in disabled mode

fwaccel synatk state -i eth7 -d

After some time config is resetted, I think it was policy push but this was not active. Also according the SK if I configure the IPS protection correctly it should not change it.

Re: SYN defender - fwaccel synatk

PhoneBoy — Fri, 28 Jun 2024 20:15:15 GMT

It's been a while, but I believe when SYN Defender activates, you should see something in the traffic logs to that effect.
It also sounds like it's acting as expected with the fwaccel synatk commands as you've specified an override with the action drop.

Re: SYN defender - fwaccel synatk

Pedro_Espindola — Fri, 28 Jun 2024 22:50:08 GMT

I think individual interface states set in CLI are not permanent and a policy push or reboot will override them. However, the thresholds and enforcement options (-e and -g) should be kept if you uncheck "Override Security Gateways SYNDefender Configuration" in SmartConsole . Inspection Settings > SYN Attack.

You will get logs when the attack starts or ends, but the best place to check attack state is in the CLI with fwaccel synatk monitor. It will display a message of "Under attack" for the interface after the threshold is crossed and the connection count will be suppressed. While that does not happen, it will be shown as ready.

topic SYN defender - fwaccel synatk in Firewall and Security Management

SYN defender - fwaccel synatk

Re: SYN defender - fwaccel synatk

Re: SYN defender - fwaccel synatk