Hi @Dor_Marcovitch
There are only limited configuration settings for the "SYN Attack" protection in SmartConsole. Most of the configuration options can only be done directly on the Security Gateway with the 'fwaccel synatk' commands (see the R80.20 Performance Tuning Administration Guide - Chapter SecureXL - Section Accelerated SYN Defender).
I think the new feature in R80.20+ "Accelerated SYN Defender" is a good choice to effectively prevent "SYN Flood Attack" on Check Point Gateways with enabled SecureXL.
A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet, and waits for a response TCP packet that does not arrive. These half-open TCP connections eventually exceed the maximum available TCP connections, which causes a denial of service condition. The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive TCP connections from being created. The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on the Security Gateway and on computers behind the Security Gateway. The Accelerated SYN Defender acts as a proxy for TCP connections and adjusts TCP {SEQ} and TCP {ACK} values in TCP packets.
To your question:
The values are chosen very high, since they must in principle match for all firewalls. The tricky question is how many TCP sessions your firewall normally uses. You can adjust the values accordingly.
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
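
A minimal sketch of the SYN cookie idea described above (connection state encoded in the initial sequence number, so nothing is stored for a half-open connection), added as an example; it is not Check Point's implementation and not part of the original post. The bit layout follows the classic SYN cookie description; the HMAC-SHA256 keyed hash, the MSS table, the key and the documentation-range addresses used with it are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"     # constructed; a real device uses a random, rotated secret
MSS_TABLE = (536, 1300, 1440, 1460)  # assumed table; the index fits in the 3 MSS bits
SLOT_SECONDS = 64                    # time counter t advances every 64 s
MAX_AGE_SLOTS = 1                    # accept the current and the previous slot only


def _mac24(src, sport, dst, dport, t):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}@{t}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, sport, dst, dport, client_mss, now):
    """ISN for the SYN+ACK: 5 bits of t | 3 bits MSS index | 24 bits MAC."""
    t = int(now) // SLOT_SECONDS
    # Largest table entry not exceeding the MSS the client offered.
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = int.from_bytes(_mac24(src, sport, dst, dport, t), "big")
    return ((t & 0x1F) << 27) | (idx << 24) | mac


def check_ack(src, sport, dst, dport, ack_num, now):
    """Validate the handshake's final ACK; return the MSS, or None to drop."""
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the client ACKs ISN + 1
    t_bits, idx = cookie >> 27, (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    t_now = int(now) // SLOT_SECONDS
    for t in range(t_now, t_now - MAX_AGE_SLOTS - 1, -1):
        if (t & 0x1F) != t_bits:
            continue
        expected = _mac24(src, sport, dst, dport, t)
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[idx]                # only now is connection state allocated
    return None
```

A spoofed source never sees the SYN+ACK, so it cannot return a valid ACK number, and the flood consumes no connection-table entries.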