Create a Post
Showing results for 
Search instead for 
Did you mean: 

Why is syn attack protection disabled on the inspection profiles by default ?

Hi All

I looking at what we can do for basic ddos protection on our gateways, I can see the syn attack protection, but it is set to disabled by default.

Is there a reason for this? should we enable it? what are most people doing with this setting?


0 Kudos
2 Replies

In R80.20 SYN Attack moved from IPS to SXL. This is the only change. The same DDoS Best Practices remain [ described in sk112241], just with the new SYN Attack configuration [sk120476]. See the Performance Tuning Administration Guide for your version - Chapter SecureXL - Section Accelerated SYN Defender

Use this sk120476: Important changes in IPS "SYN Attack" (SYN Defender) protection for new versions hight R80.20 or sk112241: Best Practices - DDoS attacks on Check Point Security Gateway for older versions.

0 Kudos

To expand on Gunter's answer, signatures/protections with a Performance Impact rating of Critical are never enabled by default or via automatic profile-based action, they must be manually enabled by the administrator.  In R80.10 and earlier enabling this protection would cause almost all traffic traversing the gateway into the F2F path which frankly made it unusable in most scenarios.  Even though SYN Attack enforcement is now performed by sim/SecureXL in R80.20 and no longer has this nasty effect, the protection is still sporting the "Critical" performance impact in the SmartConsole.  It *probably* should be changed to "Low" now that R80.10 and earlier is no longer supported.

Bottom line is as long as all your gateways are running at least R80.20 enabling this SYN Attack protection should not cause a major performance impact regardless of the Critical rating currently shown in the SmartConsole.

Gateway Performance Optimization R81.20 Course
now available at


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events