Policy Configuration : Understanding the Network Access Rules Hierarchy

Flood Protection Settings
This section details the configuration procedures for the Flood Protection page and includes the following subsections:
Configuring Flood Protection Settings
UDP Flood Protection
ICMP Flood Protection

Configuring Flood Protection Settings
To configure Flood Protection settings, complete the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.

At unit level, the TCP Settings screen is available only for SonicWALL firewall appliances with SonicOS Enhanced firmware version 3.0 and higher.
2. Expand the Firewall tree and click Flood Protection. The TCP Settings page displays.
3. Select Enforce strict TCP compliance with RFC 793 and RFC 1122 to require all TCP traffic passing through the appliance (not only VoIP) to comply with RFC 793 (TCP) and RFC 1122 (Requirements for Internet Hosts, covering the link and IP layers).
4. Select Enable TCP Checksum Validation to drop any packets with invalid TCP checksums.
5. Enter a value, in minutes, for the Default TCP Connection Timeout. This is the default inactivity timeout assigned to Access Rules for TCP traffic. If a TCP session is idle (no traffic in either direction) for longer than this setting, the SonicWALL appliance clears the connection from its state table.
6. Specify the Maximum Segment Lifetime to set the number of seconds that any TCP packet is valid before it expires. This setting is also used to determine the amount of time (calculated as twice the Maximum Segment Lifetime, or 2MSL) that an actively closed TCP connection remains in the TIME_WAIT state to ensure that the proper FIN / ACK exchange has occurred to cleanly close the TCP connection.
7. Configure the Layer 3 SYN Flood Protection options. Select the desired level of protection against half-open TCP sessions and high-frequency SYN packet transmissions:
Watch and Report Possible SYN Floods—This option enables the device to monitor SYN traffic on all interfaces and to log suspected SYN flood activity that exceeds a packet count threshold. It does not turn on the SYN Proxy, so the device forwards the TCP three-way handshake without modification. This is the least invasive level of SYN Flood protection. Select this option if your network is not in a high risk environment.
Proxy WAN Client Connections When Attack is Suspected—This option turns on the SYN Proxy feature on WAN interfaces only when the number of incomplete connection attempts per second surpasses the configured threshold. Because the appliance then answers each SYN itself and allocates no connection state until the client's final ACK arrives, it continues to process valid traffic during the attack and performance does not degrade. Proxy mode remains enabled until all WAN SYN flood attacks stop or until the device blacklists all attacking sources using the SYN Blacklisting feature. This is the intermediate level of SYN Flood protection. Select this option if your network experiences SYN Flood attacks from internal or external sources.
Always Proxy WAN Client Connections—This option sets the device to always use the SYN Proxy. This method blocks all spoofed SYN packets from passing through the device. Note that this is an extreme security measure: because the SYN Proxy answers every TCP SYN connection attempt, the device responds to port scans on all TCP ports. This can degrade performance and can generate false positives. Select this option only if your network is in a high risk environment.
8. Configure the SYN Attack Threshold. The appliance gathers statistics on WAN TCP connections, keeping track of the maximum and average maximum incomplete WAN connections per second. From these statistics, the device suggests a value for the SYN flood threshold in the Suggested value calculated from gathered statistics field. Enter the desired threshold for the number of incomplete connection attempts per second before the device starts proxying or dropping packets in the Attack Threshold field.
9. Configure the remaining SYN Proxy options:
All LAN/DMZ servers support the TCP SACK option—This check box enables Selective Acknowledgment (SACK, RFC 2018), which lets a receiver tell the sender exactly which segments arrived so that only the missing ones are retransmitted after a loss. While a connection is proxied, the appliance negotiates TCP options with the WAN client on the server's behalf, so enable this check box only when you know that every server behind the SonicWALL firewall appliance that is reachable from the WAN supports SACK.
Limit MSS sent to WAN clients (when connections are proxied)—Enables you to cap the TCP Maximum Segment Size (MSS) that the appliance advertises to WAN clients. If you specify an override value for the default of 1460, a segment size equal to or smaller than that value is sent to the client in the SYN/ACK cookie. Setting this value too low decreases throughput when the SYN Proxy is always enabled. Setting it too high can break connections if the server responds with a smaller MSS value.
Maximum TCP MSS sent to WAN clients—The MSS value to advertise. The default is 1460.
10. Configure the Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting options, which control how the appliance deals with devices that exceed the SYN, RST, and FIN Blacklist attack threshold:
Threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec)—The maximum number of SYN, RST, and FIN packets allowed per second. The default is 1,000. This value should be larger than the SYN Proxy threshold value because blacklisting attempts to thwart more vigorous local attacks or severe attacks from a WAN network.
Enable SYN/RST/FIN flood blacklisting on all interfaces—This check box enables the blacklisting feature on all interfaces on the SonicWALL firewall appliance.
Never blacklist WAN machines—This check box ensures that systems on the WAN are never added to the SYN Blacklist. Keep it selected: blacklisting works on source MAC addresses, and frames arriving on a WAN interface typically carry the MAC address of the upstream router rather than of the attacking host, so blacklisting a "WAN machine" would interrupt traffic to and from the SonicWALL firewall appliance's WAN ports for everything behind that router.
Always allow SonicWall management traffic—This check box causes IP traffic from a blacklisted device targeting the SonicWALL firewall appliance’s WAN IP addresses to not be filtered. This allows management traffic, and routing protocols to maintain connectivity through a blacklisted device.
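The following Python model, added here as an illustration and not code from SonicOS or GMS, shows what steps 7 through 9 configure: a SYN proxy that stays passive in Watch and Report mode, switches on when incomplete connection attempts per second exceed the Attack Threshold in "When Attack is Suspected" mode, and answers every SYN in Always Proxy mode. While proxying it keeps no per-connection state; the SYN/ACK carries a keyed cookie in the initial sequence number with the advertised MSS, clamped by the "Limit MSS sent to WAN clients" value, encoded in it. The cookie layout (5-bit time tick, 2-bit MSS index, 25-bit HMAC), the 64-second tick, the MSS table, the demo key and the addresses are all assumptions of this example, not the appliance's format; SYNs per second are used as a stand-in for incomplete connections per second.

```python
import hashlib
import hmac

# MSS values the cookie can encode in its two MSS bits: with no state kept,
# the negotiated MSS has to travel inside the ISN (assumed table, not SonicOS's).
MSS_TABLE = (536, 1220, 1440, 1460)


def choose_mss_index(client_mss: int, clamp: int) -> int:
    """Largest table entry not exceeding the client's MSS or the configured clamp."""
    limit = min(client_mss, clamp)
    return max((i for i, m in enumerate(MSS_TABLE) if m <= limit), default=0)


class SynProxy:
    """Threshold-triggered SYN proxy modelling the three protection levels.

    mode 'watch'     : count and report only, never proxy
    mode 'suspected' : proxy once SYNs/sec exceed attack_threshold, then stay on
    mode 'always'    : proxy every WAN client connection
    """

    def __init__(self, key: bytes, mode: str, attack_threshold: int, mss_clamp: int = 1460):
        self.key, self.mode = key, mode
        self.threshold, self.mss_clamp = attack_threshold, mss_clamp
        self.proxying = mode == "always"
        self.half_open = {}      # flow -> client ISN; the state a flood exhausts
        self.established = []    # (flow, advertised MSS) handed to the server
        self.syn_counts = {}     # second -> SYNs seen on the WAN
        self.reported = set()    # seconds already logged in watch mode
        self.events = []

    @staticmethod
    def _tick(now: int) -> int:
        return (now // 64) & 0x1F           # 5-bit counter of 64 s ticks (assumed)

    def _cookie(self, flow: str, client_isn: int, tick: int, mss_idx: int) -> int:
        """ISN layout: 5 bits tick | 2 bits MSS index | 25 bits keyed hash."""
        msg = f"{flow}|{client_isn}|{tick}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return (tick << 27) | (mss_idx << 25) | (int.from_bytes(mac[:4], "big") & 0x1FFFFFF)

    def on_syn(self, flow: str, client_isn: int, client_mss: int, now: int):
        """('forward', None, None) when the SYN goes to the server untouched,
        ('synack', cookie_isn, mss) when the proxy answers with a cookie."""
        rate = self.syn_counts.get(now, 0) + 1
        self.syn_counts[now] = rate
        if rate > self.threshold:
            if self.mode == "watch" and now not in self.reported:
                self.reported.add(now)
                self.events.append(f"t={now}: possible SYN flood, {rate}/s")
            elif self.mode == "suspected" and not self.proxying:
                self.proxying = True
                self.events.append(f"t={now}: {rate}/s > {self.threshold}/s, SYN proxy on")
        if not self.proxying:
            self.half_open[flow] = client_isn     # state allocated per unanswered SYN
            return ("forward", None, None)
        mss_idx = choose_mss_index(client_mss, self.mss_clamp)
        return ("synack", self._cookie(flow, client_isn, self._tick(now), mss_idx), MSS_TABLE[mss_idx])

    def on_ack(self, flow: str, client_isn: int, ack: int, now: int) -> bool:
        """Final ACK of the handshake; True if the connection reaches the server."""
        if self.half_open.get(flow) == client_isn:    # un-proxied: state already exists
            del self.half_open[flow]
            self.established.append((flow, None))
            return True
        cookie = (ack - 1) & 0xFFFFFFFF
        tick, mss_idx = cookie >> 27, (cookie >> 25) & 0x3
        if (self._tick(now) - tick) & 0x1F > 1:        # stale: older than two ticks
            return False
        if cookie != self._cookie(flow, client_isn, tick, mss_idx):
            return False                                # forged ACK; nothing was allocated for it
        self.established.append((flow, MSS_TABLE[mss_idx]))   # only now opened to the server
        return True


def demo():
    """Constructed scenario: 80 spoofed SYNs in one second, then a real client."""
    proxy = SynProxy(key=b"constructed-demo-key", mode="suspected",
                     attack_threshold=50, mss_clamp=1400)
    server = "203.0.113.10:443"
    for i in range(80):                                 # spoofed sources, all at t=1000
        proxy.on_syn(f"198.51.100.{i % 250}:{40000 + i}>{server}", i, 1460, 1000)
    legit = f"192.0.2.7:51515>{server}"
    kind, isn, mss = proxy.on_syn(legit, 777, 1460, 1001)
    return {
        "half_open_after_flood": len(proxy.half_open),  # state allocated before the proxy engaged
        "proxying": proxy.proxying,
        "legit_kind": kind,
        "legit_mss": mss,                                # clamped below the client's 1460
        "legit_ok": proxy.on_ack(legit, 777, (isn + 1) & 0xFFFFFFFF, 1001),
        "forged_ok": proxy.on_ack(legit, 777, 0x12345678, 1001),
        "events": proxy.events,
    }
```

Running `demo()` shows the trade-off the three modes make: the first 50 spoofed SYNs each cost a half-open table entry, the remaining 30 cost nothing once the threshold is crossed, and the legitimate client still connects, but with the MSS clamped to 1220 rather than the 1460 it asked for, which is the "too low" cost the Limit MSS option warns about.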
UDP Flood Protection
UDP Flood Attacks are a type of denial-of-service (DoS) attack. They are initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the victimized system’s resources are consumed with handling the attacking packets that eventually causes the system to be unreachable by other clients.
SonicWALL UDP Flood Protection defends against these attacks by using a “watch and block” method. The appliance monitors UDP traffic to a specified destination. If the rate of UDP packets per second exceeds the allowed threshold for a specified duration of time, the appliance drops subsequent UDP packets to protect against a flood attack.
UDP packets that are DNS queries or responses to or from a DNS server configured on the appliance are allowed to pass, regardless of the state of UDP Flood Protection.
The following settings configure UDP Flood Protection:
Enable UDP Flood Protection – Enables UDP Flood Protection.
UDP Flood Attack Threshold (UDP Packets / Sec) – The rate of UDP packets per second sent to a host, range or subnet that triggers UDP Flood Protection.
UDP Flood Attack Blocking Time (Sec) – After the appliance detects the rate of UDP packets exceeding the attack threshold for this duration of time, UDP Flood Protection is activated, and the appliance begins dropping subsequent UDP packets.
UDP Flood Attack Protected Destination List – The destination address object or address group that is protected from the UDP Flood Attack.
ICMP Flood Protection
ICMP Flood Protection works the same way as UDP Flood Protection but monitors ICMP traffic for ICMP Flood Attacks instead. The one difference is that there is no DNS-style exemption: no ICMP traffic bypasses ICMP Flood Protection.
The following settings configure ICMP Flood Protection:
Enable ICMP Flood Protection – Enables ICMP Flood Protection.
ICMP Flood Attack Threshold (ICMP Packets / Sec) – The rate of ICMP packets per second sent to a host, range or subnet that triggers ICMP Flood Protection.
ICMP Flood Attack Blocking Time (Sec) – After the appliance detects the rate of ICMP packets exceeding the attack threshold for this duration of time, ICMP Flood Protection is activated, and the appliance begins dropping subsequent ICMP packets.
ICMP Flood Attack Protected Destination List – The destination address object or address group that is protected from the ICMP Flood Attack.
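The "watch and block" behaviour described in the UDP Flood Protection and ICMP Flood Protection subsections, as an added Python model that is not SonicOS or GMS code: one `FloodGuard` counts packets per second to each destination in the protected list, starts dropping after the rate has stayed above the Attack Threshold for Blocking Time consecutive seconds, and takes an optional exemption predicate. With `dns_exempt` it is the UDP guard (DNS to or from the configured servers always passes); with no exemption it is the ICMP guard. The addresses, rates and packet stream are constructed for the demo, and the assumptions that dropped packets still count toward the rate and that blocking ends after one full second back under the threshold are this example's, not a statement of the appliance's behaviour.

```python
import ipaddress
from collections import defaultdict


class FloodGuard:
    """Watch-and-block rate monitor for one protocol (a model, not SonicOS code).

    threshold      packets/sec to one protected destination that counts as flooding
    blocking_time  whole seconds the rate must stay above threshold before blocking
    protected      destination networks covered (the Protected Destination List)
    exempt         predicate for packets that bypass the guard (DNS for UDP)
    Assumption: blocking ends after one full second back under the threshold.
    """

    def __init__(self, threshold, blocking_time, protected, exempt=None):
        self.threshold, self.blocking_time = threshold, blocking_time
        self.protected = [ipaddress.ip_network(p) for p in protected]
        self.exempt = exempt or (lambda pkt: False)
        self.counts = defaultdict(int)   # (dst, second) -> packets offered, dropped or not
        self.over = defaultdict(int)     # dst -> consecutive seconds above threshold
        self.last_sec = {}               # dst -> last second evaluated
        self.blocking = set()            # destinations currently being protected

    def _is_protected(self, dst):
        ip = ipaddress.ip_address(dst)
        return any(ip in net for net in self.protected)

    def _roll(self, dst, sec):
        """Close out every whole second before `sec` for this destination."""
        last = self.last_sec.get(dst, sec)
        for s in range(last, sec):
            if self.counts.pop((dst, s), 0) > self.threshold:
                self.over[dst] += 1
                if self.over[dst] >= self.blocking_time:
                    self.blocking.add(dst)
            else:
                self.over[dst] = 0
                self.blocking.discard(dst)
        self.last_sec[dst] = max(last, sec)

    def handle(self, pkt):
        """'pass' or 'drop' for one packet dict with keys proto, src, dst, t
        (plus sport/dport for UDP)."""
        if self.exempt(pkt) or not self._is_protected(pkt["dst"]):
            return "pass"
        dst, sec = pkt["dst"], int(pkt["t"])
        self._roll(dst, sec)
        self.counts[(dst, sec)] += 1      # offered load counts even while blocked
        return "drop" if dst in self.blocking else "pass"


def dns_exempt(dns_servers):
    """UDP DNS queries/responses to or from the appliance's configured DNS servers."""
    servers = set(dns_servers)
    return lambda p: (p["proto"] == "udp" and 53 in (p["sport"], p["dport"])
                      and (p["src"] in servers or p["dst"] in servers))


def run_udp_demo():
    """Constructed stream: 300 UDP pkts/s at 10.0.0.5 during seconds 1-3, 5/s
    otherwise, plus one DNS reply from the configured server 10.0.0.53 and one
    packet to the uninvolved host 10.0.0.6 every second."""
    guard = FloodGuard(threshold=100, blocking_time=2, protected=["10.0.0.0/24"],
                       exempt=dns_exempt(["10.0.0.53"]))
    stream = []
    for t in range(6):
        for i in range(300 if 1 <= t <= 3 else 5):
            stream.append({"proto": "udp", "src": "198.51.100.9", "dst": "10.0.0.5",
                           "sport": 40000 + i, "dport": 1024 + i, "t": t})
        stream.append({"proto": "udp", "src": "10.0.0.53", "dst": "10.0.0.5",
                       "sport": 53, "dport": 55555, "t": t})
        stream.append({"proto": "udp", "src": "198.51.100.9", "dst": "10.0.0.6",
                       "sport": 4444, "dport": 5555, "t": t})
    summary, first_drop = defaultdict(int), None
    for pkt in stream:
        verdict = guard.handle(pkt)
        label = "dns" if pkt["sport"] == 53 else pkt["dst"]
        summary[(label, verdict)] += 1
        if verdict == "drop" and first_drop is None:
            first_drop = pkt["t"]
    return dict(summary), first_drop
```

The demo blocks at second 3, the first second after two full seconds over threshold, drops the 300 flood packets in that second and the 5 background packets in second 4 (the offered load in second 3 was still 300/s), then passes traffic again in second 5. The DNS replies and the packets to 10.0.0.6 are never touched, which is the behaviour the Protected Destination List and the DNS exemption describe.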