Jonathan
Collaborator

setting threshold limits for SYN Attack defence

Hi,

R81.10 latest JHF.

I would like to set up SYN Attack defence.

I read the KBs and guides and I see you need to set threshold limits, as it can be different from one environment to another and should be set carefully.

How do I know what values to use?

Where can I see average and peak numbers for these values?

 

Thanks

0 Kudos
7 Replies
_Val_
Admin
Admin

I would start with defaults and then see if they are okay for your specific needs, then adjust if required

0 Kudos
Jonathan
Collaborator

Hi Val,

That's what I'm afraid of, that the default values are not suitable for our environment and that the SynAtk mechanism will kick in unnecessarily and block traffic.

I want to see details about current or average connection requests and half-open TCP connections so I know if it's within the default threshold limits.

I tried CPVIEW but I'm not sure what to make out of this data:

[Screenshots: CPVIEW01.JPG, CPVIEW02.JPG]

Thanks

0 Kudos
_Val_
Admin
Admin

I see here 132 half opened out of 26k established, which is VERY good. Why would you think the default SYNAttack settings are too strict?

0 Kudos
Jonathan
Collaborator

First, I wasn't sure that Handshake Connections is the same as Half-Open connections, so thanks for clearing that up.

Second, this screenshot represents the current state. Where can I see weekly or monthly average or peaks?

0 Kudos
PhoneBoy
Admin
Admin

You can export the data from cpview (it's a sqlite DB, as I recall) and import it into whatever tool you'd like to create graphs/averages.
cpview only shows current state (or state at the chosen timestamp).

0 Kudos
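
One way to turn exported history into the average and peak figures asked about above, as an added example that is not part of the original thread and is not Check Point code. The table `conn_history`, the columns `ts` and `half_open`, and the candidate threshold of 500 are hypothetical; inspect the exported database's real schema and substitute its names.

```python
import sqlite3
from statistics import mean, quantiles

def half_open_stats(conn, table, ts_col, value_col, threshold):
    """Summarise half-open connection samples and count threshold breaches."""
    # Identifiers cannot be bound as SQL parameters, so validate before interpolating.
    for name in (table, ts_col, value_col):
        if not name.isidentifier():
            raise ValueError(f"unsafe identifier: {name!r}")
    rows = conn.execute(
        f"SELECT {ts_col}, {value_col} FROM {table} "
        f"WHERE {value_col} IS NOT NULL ORDER BY {ts_col}"
    ).fetchall()
    if not rows:
        raise ValueError("no samples found")
    values = [v for _, v in rows]
    peak_ts, peak = max(rows, key=lambda r: r[1])  # earliest sample at the peak
    # A percentile needs at least two samples; p99 shows the level that
    # normal traffic almost never exceeds, which a single peak can hide.
    p99 = quantiles(values, n=100, method="inclusive")[98] if len(values) > 1 else values[0]
    breaches = sum(1 for v in values if v > threshold)
    return {
        "samples": len(values),
        "average": mean(values),
        "p99": p99,
        "peak": peak,
        "peak_timestamp": peak_ts,
        "breaches": breaches,
        "breach_ratio": breaches / len(values),
    }

def build_sample_db():
    """Constructed data: one sample per minute for a day, with a short burst."""
    conn = sqlite3.connect(":memory:")
    # Hypothetical schema, not the real cpview history layout.
    conn.execute("CREATE TABLE conn_history (ts INTEGER, half_open INTEGER)")
    samples = []
    for minute in range(1440):
        value = 100 + (minute % 60)      # baseline 100..159
        if 600 <= minute < 610:          # ten-minute burst
            value = 900
        samples.append((1_700_000_000 + minute * 60, value))
    conn.executemany("INSERT INTO conn_history VALUES (?, ?)", samples)
    return conn

if __name__ == "__main__":
    stats = half_open_stats(build_sample_db(), "conn_history", "ts", "half_open", 500)
    for key, val in stats.items():
        print(f"{key}: {val}")
```

A candidate threshold whose `breaches` count is zero across a month of normal history, with headroom above `p99`, would not have triggered on that baseline traffic.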
Jonathan
Collaborator

Thanks, I ended up just scrolling using '+' and '-' keys on the specific dates I know we have peak traffic 🙂

Next time...

0 Kudos
Jonathan
Collaborator

Update - 

I used CPVIEW -t to browse a month of history and saw the values don't change drastically.

I also understood that the Critical Performance hit rating isn't accurate on R81.10 (https://community.checkpoint.com/t5/Security-Gateways/Why-is-syn-attack-protection-disabled-on-the-i...)

I enabled the Synatk protection with default values on external interface only and so far so good.

Thanks for the help!

0 Kudos
