Lesley
Leader

SYN defender - fwaccel synatk

Hi everyone,

Today I configured SYN Defender and enabled the IPS protection. R81.10 Take 130.

I have a few questions

- Is there any way to see in a log that the threshold was reached and traffic was blocked? Or can you see it live, for example with fw ctl zdebug?

- If the peak connection amount was reached in the fwaccel synatk monitor output, does this mean the protection was active?

So now that the peak is set to 5000 and the total to 10000, will it match the peak table?

- Why does my CLI config get overwritten without a reason? The admin guide states:

Configure the applicable settings in the profile:

  • On the General Properties page:

    If you select Override with Action and then Accept or Drop, it overrides the settings you make on the Security Gateway with the fwaccel synatk commands.

  • On the Advanced page:

    The option you select in the Activation Settings (Protect all interfaces or Protect external interfaces only) overrides the settings you make on the Security Gateway with the fwaccel synatk commands.

Source: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_PerformanceTuning_AdminGuide...

Here you can see I put eth7 in disabled mode:

fwaccel synatk state -i eth7 -d

fwaccel synatk monitor
+-----------------------------------------------------------------------------+
| SYN Defender status                                                         |
+-----------------------------------------------------------------------------+
| Configuration                                                     Enforcing |
| Status                                                               Normal |
| Non established connections                                              73 |
| Global Threshold                                                      10000 |
| Interface Threshold                                                    5000 |
+-----------------------------------------------------------------------------+
| IF              | Topology | Enforce | State (sec)  | Non-established conns |
|                 |          |         |              | Peak      | Current   |
+-----------------------------------------------------------------------------+
| eth2.X        | External | Prevent | Ready        | 80        | 73        |
| eth3.X        | Internal | Disable | Disable      | N/A       | N/A       |
| eth4.X        | External | Prevent | Ready        | 0         | 0         |
| eth7            | Internal | Disable | Disable      | N/A       | N/A       |

After some time the config is reset. I think it was a policy push, but this was not active. Also, according to the SK, if I configure the IPS protection correctly it should not change it.

+-----------------------------------------------------------------------------+
| SYN Defender status                                                         |
+-----------------------------------------------------------------------------+
| Configuration                                                     Enforcing |
| Status                                                               Normal |
| Non established connections                                             141 |
| Global Threshold                                                      10000 |
| Interface Threshold                                                    5000 |
+-----------------------------------------------------------------------------+
| IF              | Topology | Enforce | State (sec)  | Non-established conns |
|                 |          |         |              | Peak      | Current   |
+-----------------------------------------------------------------------------+
| eth2.X          | External | Prevent | Ready        | 101       | 84        |
| eth3.X          | Internal | Detect  | Monitor      | 0         | 0         |
| eth4.X          | External | Prevent | Ready        |           |           |
| eth7            | Internal | Detect  | Monitor      | 0         | 0         |

-------
If you like this post please give a thumbs up (kudo)! 🙂

PhoneBoy
Admin

It's been a while, but I believe when SYN Defender activates, you should see something in the traffic logs to that effect.
It also sounds like it's acting as expected with the fwaccel synatk commands as you've specified an override with the action drop.

Pedro_Espindola
Advisor

I think individual interface states set in CLI are not permanent and a policy push or reboot will override them. However, the thresholds and enforcement options (-e and -g) should be kept if you uncheck "Override Security Gateways SYNDefender Configuration" in SmartConsole, Inspection Settings > SYN Attack.

You will get logs when the attack starts or ends, but the best place to check attack state is in the CLI with fwaccel synatk monitor. It will display a message of "Under attack" for the interface after the threshold is crossed and the connection count will be suppressed. While that does not happen, it will be shown as ready.

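As an added example (not from this thread, Check Point, or either poster), a small Python parser for the fwaccel synatk monitor table shown above that flags what a defender would want alerting on from a snapshot: a global non-established count at or above the Global Threshold, any enforced interface whose State is something other than Ready or Monitor, and any interface whose Peak has reached the Interface Threshold. The sample output is constructed, and the exact "Under attack" State text is an assumption based on Pedro's description.

```python
import re

# Constructed sample in the format of the monitor output shown above (not taken from a
# live gateway); the "Under attack" State text is an assumption based on the reply above.
SAMPLE = """\
| Configuration                                                     Enforcing |
| Non established connections                                            6200 |
| Global Threshold                                                      10000 |
| Interface Threshold                                                    5000 |
+-----------------------------------------------------------------------------+
| IF              | Topology | Enforce | State (sec)  | Non-established conns |
|                 |          |         |              | Peak      | Current   |
+-----------------------------------------------------------------------------+
| eth2.X          | External | Prevent | Ready        | 80        | 73        |
| eth3.X          | Internal | Disable | Disable      | N/A       | N/A       |
| eth4.X          | External | Prevent | Under attack | 6100      | 5980      |
| eth7            | Internal | Detect  | Monitor      | 0         | 0         |
"""

def to_int(s):
    return int(s) if s.isdigit() else None  # Peak/Current read N/A on disabled interfaces

def parse_monitor(text):
    """Split 'fwaccel synatk monitor' output into a summary dict and per-interface rows."""
    summary, ifaces = {}, []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # One cell: a "| Key          value |" summary line (borders and blanks fail the regex)
        if len(cells) == 1 and (m := re.match(r"(.+?)\s{2,}(\S+)$", cells[0])):
            summary[m.group(1)] = m.group(2)
        elif len(cells) == 6 and cells[0] and cells[0] != "IF":  # interface row
            name, topo, enforce, state, peak, cur = cells
            ifaces.append({"if": name, "topology": topo, "enforce": enforce,
                           "state": state, "peak": to_int(peak), "current": to_int(cur)})
    return summary, ifaces

def check(summary, ifaces):
    """Return (scope, reason) findings worth alerting on from one monitor snapshot."""
    findings = []
    g_thr, i_thr = int(summary["Global Threshold"]), int(summary["Interface Threshold"])
    non_est = int(summary["Non established connections"])
    if non_est >= g_thr:
        findings.append(("global", f"{non_est} non-established >= global threshold {g_thr}"))
    for i in ifaces:
        if i["enforce"] == "Disable":
            continue  # nothing is enforced or counted on this interface
        if i["state"] not in ("Ready", "Monitor"):  # any other state means mitigation is active
            findings.append((i["if"], f"state is '{i['state']}'"))
        if i["peak"] is not None and i["peak"] >= i_thr:  # high-water mark hit the threshold
            findings.append((i["if"], f"peak {i['peak']} reached interface threshold {i_thr}"))
    return findings
```

Feeding the live command output into parse_monitor on a schedule and alerting on a non-empty check result gives a record of threshold crossings independent of the traffic logs.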