https://community.checkpoint.com/t5/General-Topics/Checkpoint-FW-R81-don-t-block-SYN-FLOOD/m-p/216136#M35883 <P>For sure the SK's&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/181">@_Val_</a>&nbsp;sent you are super relevant in this case.</P> <P>Best,</P> <P>Andy</P> Sun, 02 Jun 2024 21:46:38 GMT the_rock 2024-06-02T21:46:38Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-FW-R81-don-t-block-SYN-FLOOD/m-p/216094#M35871 <P>Hi expert,</P><P>I made a simple DOS test : flooding about 5000 syn packets from one source to firewall R81 (with SYN Attack and IPS enable).</P><P>But firewall didn't block these connections, it still accept.</P><DIV class="">&nbsp;</DIV><P>SYN Attack is activated:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sync1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26020i40951B2F7CDEDD7C/image-size/medium?v=v2&amp;px=400" role="button" title="sync1.png" alt="sync1.png" /></span></P><P>&nbsp;</P><P>But fw still accept all connections</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="log1.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26021iC5F745FB832B3D13/image-size/large?v=v2&amp;px=999" role="button" title="log1.png" alt="log1.png" /></span></P><P>Please help , I want fw block syn flood.</P><P>Thanks all!!</P> Sun, 02 Jun 2024 01:22:45 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-FW-R81-don-t-block-SYN-FLOOD/m-p/216094#M35871 minhhaivietnam 2024-06-02T01:22:45Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-FW-R81-don-t-block-SYN-FLOOD/m-p/216103#M35875 <P>Check you have activated SynAttack feature properly, including the thresholds and delay. Read through&nbsp;<A href="https://support.checkpoint.com/results/sk/sk120476" target="_self"><SPAN>sk120476</SPAN></A>, relevant portion of&nbsp;<A href="https://support.checkpoint.com/results/sk/sk112241" target="_self"><SPAN>sk112241</SPAN></A>, and notes from <A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_PerformanceTuning_AdminGuide/Content/Topics-PTG/SecureXL-Accelerated-SYN-Defender.htm" target="_self">SecureXL ATRG</A>&nbsp;for the matter.<BR /><BR />Also note, with the default settings, synattack has 5 seconds delay for activation.&nbsp;<BR /><BR />Instead of traffic logs, check your IPS logs for SynAttack triggers.</P> Sun, 02 Jun 2024 07:13:31 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-FW-R81-don-t-block-SYN-FLOOD/m-p/216103#M35875 _Val_ 2024-06-02T07:13:31Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-FW-R81-don-t-block-SYN-FLOOD/m-p/216113#M35879 <P>Thanks admin,</P><P>Finally, i use this command&nbsp;<SPAN>"fwaccel dos rate add concurrent-conns 100 destination cidr:192.168.199.10 service any" then it blocks as expected</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IMG_1022.png" style="width: 907px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26025i650515C5B00AA79C/image-size/medium?v=v2&amp;px=400" role="button" title="IMG_1022.png" alt="IMG_1022.png" /></span></P><P>Also i need to change DOS simulation :</P><P>from: 5000 packets with same source port</P><P>to: 5000 packets with random source port</P> Sun, 02 Jun 2024 09:02:12 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-FW-R81-don-t-block-SYN-FLOOD/m-p/216113#M35879 minhhaivietnam 2024-06-02T09:02:12Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-FW-R81-don-t-block-SYN-FLOOD/m-p/216136#M35883 <P>For sure the SK's&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/181">@_Val_</a>&nbsp;sent you are super relevant in this case.</P> <P>Best,</P> <P>Andy</P> Sun, 02 Jun 2024 21:46:38 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-FW-R81-don-t-block-SYN-FLOOD/m-p/216136#M35883 the_rock 2024-06-02T21:46:38Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-FW-R81-don-t-block-SYN-FLOOD/m-p/265629#M44721 <P>Ok I performed the syn flood in my testlab as well. I have observed the below</P><P>When syn flood prevention aka syndefender is enabled, it only activates after the threshold is reached (default 5000 syns). You can confirm that syndefender is active and enforcing cookies by running the 'fwaccel monitor state' command). At this point the fw acts as man-in-the-middle: It does not forward the SYN packet to the web server unless it received an ACK from the client containing a valid cookie. The OP was looking for syn drops in the fw logs, but the fw doesn't drop the syns, it just doesn't forward them to the webserver. The OP enabled a dos rate policy which is a separate mechanism from syndefender.</P><P>The below sk explains the process</P><P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_PerformanceTuning_AdminGuide/Topics-PTG/SecureXL-Accelerated-SYN-Defender.htm" target="_blank">Accelerated SYN Defender</A></P><P>&nbsp;</P> Thu, 18 Dec 2025 11:10:43 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-FW-R81-don-t-block-SYN-FLOOD/m-p/265629#M44721 ANARINE 2025-12-18T11:10:43Z