Firewall > TCP Settings (SonicOS Enhanced 4.0 Administrator Guide, page 443)
To provide more control over the options sent to WAN clients when in SYN Proxy mode, you
can configure the following two objects:
SACK (Selective Acknowledgment) – This parameter controls whether or not Selective ACK is
enabled. With SACK enabled, a packet or series of packets can be dropped, and the receiver
informs the sender which data has been received and where holes may exist in the data.
MSS (Minimum Segment Size) – This sets the threshold for the size of TCP segments,
preventing a segment that is too large from being sent to the targeted server. For example, if the
server is an IPsec gateway, it may need to limit the MSS it receives to leave room for IPsec
headers when tunneling traffic. The firewall cannot predict the MSS value the server would send
when it responds to the manufactured SYN packet during the proxy sequence. Being able to
control the size of a segment enables you to control the manufactured MSS value sent to WAN
clients.
The SYN Proxy Threshold region contains the following options:
All LAN/DMZ servers support the TCP SACK option – This checkbox enables Selective ACK
where a packet can be dropped and the receiving device indicates which packets it received.
Enable this checkbox only when you know that all servers covered by the firewall accessed
from the WAN support the SACK option.
Limit MSS sent to WAN clients (when connections are proxied) – Enables you to enter the
maximum MSS value. If you specify an override value for the default of 1460,
this indicates that a segment of that size or smaller will be sent to the client in the SYN/ACK
cookie. Setting this value too low can decrease performance when the SYN Proxy is always
enabled. Setting this value too high can break connections if the server responds with a smaller
MSS value.
Maximum TCP MSS sent to WAN clients – The MSS value. The default is 1460.
Note: When using Proxy WAN client connections, remember to set these options conservatively
since they only affect connections when a SYN Flood takes place. This ensures that
legitimate connections can proceed during an attack.
Working with SYN/RST/FIN Blacklisting
The SYN/RST/FIN Blacklisting feature is a list that contains devices that exceeded the SYN,
RST, and FIN Blacklist attack threshold. The firewall device drops packets sent from blacklisted
devices early in the packet evaluation process, enabling the firewall to handle greater amounts
of these packets, providing a defense against attacks originating on local networks while also
providing second-tier protection for WAN networks.
Devices cannot appear on the SYN/RST/FIN Blacklist and watchlist simultaneously. With
blacklisting enabled, the firewall removes devices exceeding the blacklist threshold from the
watchlist and places them on the blacklist. Conversely, when the firewall removes a device from
the blacklist, it places it back on the watchlist. Any device whose MAC address has been placed
on the blacklist will be removed from it approximately three seconds after the flood emanating
from that device has ended.
The SYN/RST/FIN Blacklisting region contains the following options:
Threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec) – The maximum number of SYN,
RST, and FIN packets allowed per second. The default is 1,000. This value should be larger
than the SYN Proxy threshold value because blacklisting attempts to thwart more vigorous local
attacks or severe attacks from a WAN network.
Enable SYN/RST/FIN flood blacklisting on all interfaces – This checkbox enables the
blacklisting feature on all interfaces on the firewall.
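The watchlist/blacklist transitions described above, modeled as an added Python example (this is illustrative code, not SonicOS code; per-MAC one-second counting buckets, the "exceeds threshold" test and a three-second release after the last flooding second are assumptions drawn from the text):

```python
from collections import defaultdict


class SynRstFinBlacklist:
    """Model of SYN/RST/FIN flood blacklisting (assumptions, not SonicOS code).

    SYN, RST and FIN packets are counted per source MAC in one-second buckets.
    A device on the watchlist whose count in a bucket exceeds `threshold` is moved
    to the blacklist; all of its packets are then dropped early. It returns to the
    watchlist once `release_after` full seconds have passed since the last second
    in which it exceeded the threshold (the guide says about three seconds).
    """
    FLAGS = {"SYN", "RST", "FIN"}

    def __init__(self, threshold=1000, release_after=3):
        self.threshold = threshold
        self.release_after = release_after
        self.counts = defaultdict(int)   # (mac, second) -> SYN/RST/FIN count
        self.watchlist = set()
        self.blacklist = {}              # mac -> last second the flood was seen

    def status(self, mac):
        """Return 'blacklist', 'watchlist' or None; never both lists at once."""
        if mac in self.blacklist:
            return "blacklist"
        return "watchlist" if mac in self.watchlist else None

    def packet(self, mac, flag, now):
        """Process one packet; return True if it is dropped early (blacklisted)."""
        self._release(now)
        counted = flag in self.FLAGS
        if counted:
            self.counts[(mac, now)] += 1
        if mac in self.blacklist:
            if counted and self.counts[(mac, now)] > self.threshold:
                self.blacklist[mac] = now      # flood from this device continues
            return True                        # early drop, no further evaluation
        if not counted:
            return False
        self.watchlist.add(mac)
        if self.counts[(mac, now)] > self.threshold:
            self.watchlist.discard(mac)        # leaves the watchlist ...
            self.blacklist[mac] = now          # ... and joins the blacklist
            return True
        return False

    def _release(self, now):
        for mac, last in list(self.blacklist.items()):
            if now - last > self.release_after:
                del self.blacklist[mac]
                self.watchlist.add(mac)        # back on the watchlist after release
```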