This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
carl_t
Contributor
‎2022-03-17 03:25 AM

Why is syn attack protection disabled on the inspection profiles by default ?

Hi All

I looking at what we can do for basic ddos protection on our gateways, I can see the syn attack protection, but it is set to disabled by default.

Is there a reason for this? should we enable it? what are most people doing with this setting?

Cheers

0 Kudos
2 Replies
G_W_Albrecht
Legend
Legend
‎2022-03-17 03:59 AM

In R80.20 SYN Attack moved from IPS to SXL. This is the only change. The same DDoS Best Practices remain [ described in sk112241], just with the new SYN Attack configuration [sk120476]. See the Performance Tuning Administration Guide for your version - Chapter SecureXL - Section Accelerated SYN Defender

Use this sk120476: Important changes in IPS "SYN Attack" (SYN Defender) protection for new versions hight R80.20 or sk112241: Best Practices - DDoS attacks on Check Point Security Gateway for older versions.

CCSE CCTE SMB Specialist
0 Kudos
Timothy_Hall
Champion
Champion
‎2022-03-17 09:20 AM

To expand on Gunter's answer, signatures/protections with a Performance Impact rating of Critical are never enabled by default or via automatic profile-based action, they must be manually enabled by the administrator.  In R80.10 and earlier enabling this protection would cause almost all traffic traversing the gateway into the F2F path which frankly made it unusable in most scenarios.  Even though SYN Attack enforcement is now performed by sim/SecureXL in R80.20 and no longer has this nasty effect, the protection is still sporting the "Critical" performance impact in the SmartConsole.  It *probably* should be changed to "Low" now that R80.10 and earlier is no longer supported.

Bottom line is as long as all your gateways are running at least R80.20 enabling this SYN Attack protection should not cause a major performance impact regardless of the Critical rating currently shown in the SmartConsole.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com