A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet and waits for a response TCP packet that does not arrive. These half-open TCP connections eventually exceed the maximum available TCP connections, which causes a denial of service condition.

The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive TCP connections from being created. The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on the Security Gateway and on computers behind the Security Gateway. The Accelerated SYN Defender acts as a proxy for TCP connections and adjusts TCP {SEQ} and TCP {ACK} values in TCP packets.
You can find more in the manual under:
Regards,
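
The SYN cookie and SEQ/ACK adjustment described in the post above, as an added example that is not part of the original thread and is not Check Point's implementation. It uses a simplified cookie layout; the key, the MSS table, the 64-second time slot, the function names and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"     # constructed; a real device uses a random, rotated key
MSS_TABLE = (536, 1220, 1440, 1460)  # assumed table; only its 2-bit index fits in the cookie
M32 = 0xFFFFFFFF

def _mac(src, sport, dst, dport, client_isn, counter, idx):
    """26-bit keyed hash binding the cookie to the 4-tuple, client ISN and time."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!HHIQB", sport, dport, client_isn, counter, idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big") & 0x3FFFFFF

def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """ISN for the SYN+ACK: 4-bit time slot | 2-bit MSS index | 26-bit MAC. No state is stored."""
    counter = int(now) // 64
    idx = max(i for i, m in enumerate(MSS_TABLE) if m <= max(mss, MSS_TABLE[0]))
    return ((counter & 0xF) << 28) | (idx << 26) | _mac(src, sport, dst, dport, client_isn, counter, idx)

def check_cookie(src, sport, dst, dport, seq, ack, now):
    """Validate the client's final ACK (seq = client ISN + 1, ack = cookie + 1).
    Returns the negotiated MSS, or None if the ACK does not carry a fresh, valid cookie."""
    cookie, client_isn = (ack - 1) & M32, (seq - 1) & M32
    slot, idx, tag = cookie >> 28, (cookie >> 26) & 0x3, cookie & 0x3FFFFFF
    for age in (0, 1):                       # accept the current and previous 64 s slot
        counter = int(now) // 64 - age
        if counter & 0xF != slot:
            continue
        want = _mac(src, sport, dst, dport, client_isn, counter, idx)
        if hmac.compare_digest(want.to_bytes(4, "big"), tag.to_bytes(4, "big")):
            return MSS_TABLE[idx]
    return None

def seq_delta(cookie, server_isn):
    """Offset between the cookie ISN sent to the client and the real server's ISN."""
    return (server_isn - cookie) & M32

def to_client_seq(server_seq, delta):        # server -> client: rewrite SEQ
    return (server_seq - delta) & M32

def to_server_ack(client_ack, delta):        # client -> server: rewrite ACK
    return (client_ack + delta) & M32

if __name__ == "__main__":                   # constructed sample handshake
    c = make_cookie("198.51.100.7", 40000, "203.0.113.10", 443, 1000, 1460, 1_000_000)
    print(hex(c), check_cookie("198.51.100.7", 40000, "203.0.113.10", 443, 1001, c + 1, 1_000_030))
```

A spoofed SYN costs the proxy one computed SYN+ACK and no table entry; only a client that returns the cookie gets a real connection, after which every packet needs the delta rewrite because the client and the server hold different sequence numbers.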
Hello
Is this feature supported by R80.20 SP on a 64000 Appliance?
Thank you
Yes, supported using the “g_fwaccel synatk” command.
Note that it is supported via the Gateway CLI only and not via SmartConsole.
I am wondering if someone may clarify for me the “Syn Attack protection” and the “Accelerated SYN Defender” (i.e. fwaccel synatk).
Are they the same thing, or are they two different things?
I feel the "Syn Attack protection" was the legacy configuration from the Syn Defender in R65, whereas this "Accelerated SYN Defender" is a new(?) generation of the Syn Defender?
Am I correct? Please educate me if I misunderstand these two terms.
Anyway, I hope I can understand these terms better, and start to configure one or both of them according to some kind of "best practice" suggestion from Check Point.
Thanks.
@Raymondn, in a nutshell, the idea of Syn Defender is still the same. It is just that with R80.20, it can be moved from FW into SXL. If so, it is called "Accelerated Syn Defender". This functionality did not exist in the previous releases.
More information can be found here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
and here (under the "Accelerated Syn Defender" chapter): https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_PerformanceTuning_AdminGu...
Thanks for the info.
Spent some time reading some of those and now I have a better understanding.
If I read the SK correctly, at the end of the SK it did leave a statement that keeping this Syn Attack protection feature 'disabled' until you are facing a DOS attack may be a wise choice.
How do people feel about this? Is this a feature people typically disable, or leave as "monitor only", and only set to enforcement when facing a DOS issue?
Thanks.
I would agree with the recommendation in the SK and leave SYN Defender off unless you need it. In R80.10 and earlier, enabling SYN Defender would kill SecureXL acceleration of most traffic traversing the firewall and make it go F2F, which could cause its own performance problems if the firewall was already under high load. This is why the Inspection Setting "SYN Attack" still shows a Performance Impact rating of "Critical". Now that SecureXL itself can perform this protection in R80.20+, turning it on is not likely to cause other performance problems.
Setting an email/SNMP alert for the Aggressive Aging signature could be one way to get alerted that you might need to turn on SYN Attack.