Changing Syn Flood Settings - Watchguard Firebox X1000 User Manual


Chapter 11: Intrusion Detection and Prevention
protection feature will self-activate. Once active, further connection attempts from the external side of the Firebox must be verified before being allowed to reach your servers. Connections that cannot be verified are not allowed through, thus protecting your server from having a full backlog.
The SYN Flood protection feature will self-deactivate when it senses the attack is over.
From Policy Manager:
1. On the toolbar, click the Default Packet Handling icon.
   You can also, from Policy Manager, select Setup => Intrusion Prevention => Default Packet Handling.
   The Default Packet Handling dialog box appears.
2. Select the checkbox marked Block SYN Flood Attacks.

Changing SYN flood settings

Active SYN flood defenses can occasionally prevent legitimate connection attempts from being completed. If you find that too many legitimate connection attempts fail when your SYN flood defense is active, you can change SYN flood settings to minimize this problem.
You can set the maximum number of incomplete TCP connections the Firebox allows before the SYN flood defense is activated. The default setting of 60 means that when the number of TCP connections waiting to be validated climbs to 61 or above, SYN flood defense is activated. Conversely, when the number of connections waiting for validation drops to 59 or less, SYN flood defense is deactivated. You might need to adjust this setting to custom-fit the SYN Flood protection feature for your network. Every time the feature self-activates, a log message will be recorded stating "SYN Validation: activated". When the feature self-deactivates, the log message "SYN Validation: deactivated" will be recorded. If these messages occur frequently when your server is not under attack, the Maximum Incomplete Connections setting may be too low. If the SYN Flood protection feature is not preventing attacks from
182
WatchGuard Firebox System
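The following Python script is an added example, not part of the WatchGuard manual. It shows one way to check exported logs for the frequent "SYN Validation" activate/deactivate cycles that the section above associates with a Maximum Incomplete Connections value that is too low. The timestamp layout of the log lines, the sample lines themselves, and the flapping thresholds (10-second episodes, 3 within 15 minutes) are assumptions; only the two message strings come from the manual.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines. The timestamp/host prefix is an assumed format;
# only the "SYN Validation: ..." message text comes from the manual.
SAMPLE_LOG = """\
2004-03-01 09:00:05 firebox SYN Validation: activated
2004-03-01 09:00:09 firebox SYN Validation: deactivated
2004-03-01 09:02:40 firebox SYN Validation: activated
2004-03-01 09:02:43 firebox SYN Validation: deactivated
2004-03-01 09:07:11 firebox SYN Validation: activated
2004-03-01 09:07:12 firebox SYN Validation: deactivated
2004-03-01 14:30:00 firebox SYN Validation: activated
2004-03-01 14:52:30 firebox SYN Validation: deactivated
"""
EVENT = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*SYN Validation: (activated|deactivated)\s*$")

def episodes(log_text):
    """Pair each activation with the next deactivation; return (start, duration) tuples."""
    result, start = [], None
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # unrelated log line
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if m.group(2) == "activated":
            if start is None:  # ignore a repeated activation with no deactivation between
                start = when
        elif start is not None:
            result.append((start, when - start))
            start = None
    return result

def flapping_windows(eps, short=timedelta(seconds=10),
                     window=timedelta(minutes=15), min_count=3):
    """Return (start, count) where at least min_count short episodes begin within one window."""
    shorts = [s for s, d in eps if d <= short]
    hits = []
    for i, s in enumerate(shorts):
        n = sum(1 for t in shorts[i:] if t - s <= window)
        if n >= min_count:
            hits.append((s, n))
    return hits

if __name__ == "__main__":
    eps = episodes(SAMPLE_LOG)
    for start, n in flapping_windows(eps):
        print(f"{n} short activations from {start}: review Maximum Incomplete Connections")
```

A cluster of brief activations is only a prompt to review the setting; a long episode such as the 22-minute one in the sample is reported by `episodes()` but not flagged as flapping.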
