
Cisco ASA 5506-X Configuration Manual page 261


Chapter 11
Connection Settings
Note: Ensure that you set the embryonic connection limit lower than the TCP SYN backlog queue on the server that you want to protect. Otherwise, valid clients can no longer access the server during a SYN attack. To determine reasonable values for embryonic limits, carefully analyze the capacity of the server, the network, and server usage.
The end-to-end process for protecting a server from a SYN flood attack involves setting connection
limits, enabling TCP Intercept statistics, and then monitoring the results.
Before You Begin
Ensure that you set the embryonic connection limit lower than the TCP SYN backlog queue on the
server that you want to protect. Otherwise, valid clients can no longer access the server during a
SYN attack. To determine reasonable values for embryonic limits, carefully analyze the capacity of
the server, the network, and server usage.
Depending on the number of CPU cores on your ASA model, the maximum concurrent and embryonic connections can exceed the configured numbers due to the way each core manages connections. In the worst case, the ASA allows up to n-1 extra connections and embryonic connections, where n is the number of cores. For example, if your model has 4 cores and you configure 6 concurrent connections and 4 embryonic connections, you could have an additional 3 of each type. To determine the number of cores for your model, enter the show cpu core command.
Procedure
Step 1 Create an L3/L4 class map to identify the servers you are protecting. Use an access-list match.
class-map name
match parameter
Example:
hostname(config)# access-list servers extended permit tcp any host 10.1.1.5 eq http
hostname(config)# access-list servers extended permit tcp any host 10.1.1.6 eq http
hostname(config)# class-map protected-servers
hostname(config-cmap)# match access-list servers
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic, and identify the class map.
policy-map name
class name
Example:
hostname(config)# policy-map global_policy
hostname(config-pmap)# class protected-servers
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you
want to edit the global_policy, enter global_policy as the policy name. For the class map, specify the
class you created earlier in this procedure.
Step 3 Set the embryonic connection limits.
set connection embryonic-conn-max n—The maximum number of simultaneous embryonic
connections allowed, between 0 and 2000000. The default is 0, which allows unlimited connections.
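The following script is an added example and is not Cisco's code or part of this guide. It turns the three steps above into a small pre-deployment check: it applies the per-core worst case from the Before You Begin section (configured limit plus n-1, n from show cpu core), refuses a limit that is not below every protected server's SYN backlog queue, and only then renders the class-map, policy-map and set connection lines. The server addresses and ports are the ones from the Step 1 example; the backlog depths, core count and the chosen limit are constructed values for illustration.

```python
"""Generate and sanity-check an ASA TCP Intercept policy for a set of servers.

Added example, not Cisco's code. Assumes the operator knows each protected
server's SYN backlog queue depth and the ASA core count from `show cpu core`.
"""
from __future__ import annotations

from dataclasses import dataclass

EMBRYONIC_MAX = 2000000  # upper bound accepted by set connection embryonic-conn-max


@dataclass(frozen=True)
class Server:
    ip: str
    port: str          # "http" or a port number, as written in the ACL
    syn_backlog: int   # constructed: the server's own TCP SYN backlog queue depth


def worst_case_embryonic(configured: int, asa_cores: int) -> int:
    """Worst-case embryonic connections the ASA may admit: configured + (n-1)."""
    if configured == 0:            # 0 means unlimited on the ASA
        return 0
    return configured + max(asa_cores - 1, 0)


def validate_embryonic_limit(limit: int, servers: list[Server], asa_cores: int) -> list[str]:
    """Return a list of problems; an empty list means the limit is safe for every server."""
    problems: list[str] = []
    if limit == 0:
        problems.append("embryonic-conn-max 0 is unlimited: TCP Intercept never engages")
        return problems
    if not 0 < limit <= EMBRYONIC_MAX:
        problems.append(f"embryonic-conn-max {limit} is outside 0..{EMBRYONIC_MAX}")
        return problems
    effective = worst_case_embryonic(limit, asa_cores)
    for s in servers:
        # The limit must stay below the server's backlog even in the per-core worst case,
        # otherwise legitimate clients are locked out during a SYN flood.
        if effective >= s.syn_backlog:
            problems.append(
                f"{s.ip}: worst-case {effective} embryonic connections is not below "
                f"the server SYN backlog of {s.syn_backlog}"
            )
    return problems


def render_policy(acl: str, cmap: str, pmap: str, servers: list[Server], limit: int) -> str:
    """Render the Step 1-3 commands (ACL, class-map, policy-map, embryonic limit)."""
    lines = [f"access-list {acl} extended permit tcp any host {s.ip} eq {s.port}" for s in servers]
    lines += [
        f"class-map {cmap}",
        f" match access-list {acl}",
        f"policy-map {pmap}",
        f" class {cmap}",
        f"  set connection embryonic-conn-max {limit}",
    ]
    return "\n".join(lines)


def build_policy(servers: list[Server], limit: int, asa_cores: int,
                 acl: str = "servers", cmap: str = "protected-servers",
                 pmap: str = "global_policy") -> str:
    """Validate first, then render; raise with the problem list if the limit is unsafe."""
    problems = validate_embryonic_limit(limit, servers, asa_cores)
    if problems:
        raise ValueError("; ".join(problems))
    return render_policy(acl, cmap, pmap, servers, limit)


# Constructed sample: the two web servers from the Step 1 example, a 4-core ASA.
SAMPLE_SERVERS = [Server("10.1.1.5", "http", 1024), Server("10.1.1.6", "http", 256)]

if __name__ == "__main__":
    print(build_policy(SAMPLE_SERVERS, limit=200, asa_cores=4))
    for bad in (0, 254):
        print(f"limit {bad}: {validate_embryonic_limit(bad, SAMPLE_SERVERS, 4)}")
```

With a limit of 200 on a 4-core ASA the worst case is 203 embryonic connections, below both backlogs, so the configuration is rendered. A limit of 254 is rejected for 10.1.1.6 because 254 + 3 reaches its backlog of 256, and a limit of 0 is rejected because it never engages TCP Intercept at all.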
Configure Connection Settings
Cisco ASA Series Firewall CLI Configuration Guide
11-5
