This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jonathan
Collaborator
‎2022-10-20 06:30 AM
Jump to solution

setting threshold limits for SYN Attack defence

Hi,

R81.10 latest JHF.

I would like to setup SYN Attack defence. 

I read the KBs and guides and I see you need to set threshold limits, as it can be different from one environment to another and should be set carefully.

How do I know what values to use?

Where can I see average and peak numbers for these values?

 

Thanks

Labels
0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2022-10-24 04:07 AM
In response to Jonathan
Jump to solution

I see here 132 half opened out of 26k established, which is VERY good. Why would you think the default SYNAttack settings are too strict?

View solution in original post

0 Kudos
7 Replies
_Val_
Admin
Admin
‎2022-10-21 01:07 AM
Jump to solution

I would start with defaults and then see if they are okay for your specific needs, then adjust if required

0 Kudos
Jonathan
Collaborator
‎2022-10-24 12:52 AM
In response to _Val_
Jump to solution

Hi Val,

That's what I'm afraid of, that the defaults values are not suitable for our environment and that the SynAtk mechanism will kick in unnecessarily and block traffic.

I want to check see details about current or avarage connection requests and half-open TCP connections so I know if it's within the default threshold limits.

I tried CPVIEW but I'm not sure what to make out of this data:

 CPVIEW01.JPGCPVIEW02.JPG

Thanks

0 Kudos
_Val_
Admin
Admin
‎2022-10-24 04:07 AM
In response to Jonathan
Jump to solution

I see here 132 half opened out of 26k established, which is VERY good. Why would you think the default SYNAttack settings are too strict?

0 Kudos
Jonathan
Collaborator
‎2022-10-25 12:26 AM
In response to _Val_
Jump to solution

First, I wan't sure that Handshake Connections is the same as Half-Open connections, so thatnks for clearing that up.

Second, this screenshot represent the current state. Where can I see weekly or monthly avarage or peaks?

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-26 09:11 AM
In response to Jonathan
Jump to solution

You can export the data from cpview (it's a sqlite DB, as I recall) and import it into whatever tool you'd like to create graphs/averages.
cpview only shows current state (or state at the chosen timestamp).

0 Kudos
Jonathan
Collaborator
‎2022-10-30 03:53 AM
In response to PhoneBoy
Jump to solution

Thanks, I ended up just scrolling using '+' and '-' keys on the specific dates I know we have peak traffic 🙂

Next time...

0 Kudos
Jonathan
Collaborator
‎2022-10-26 03:13 AM
Jump to solution

Update - 

I used CPVIEW -t to browse a month of history and saw the values don't change drastically.

I also understood that the Critical Performance hit rating isn't accurate on R81.10 (https://community.checkpoint.com/t5/Security-Gateways/Why-is-syn-attack-protection-disabled-on-the-i...)

I enabled the Synatk protection with default values on external interface only and so far so good.

Thanks for the help!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events