Layer 2 SYN/RST/FIN flood protection-MAC blacklisting

Description

The SYN/RST/FIN Blacklisting feature is a list that contains devices that exceeded the SYN, RST, and FIN Blacklist attack threshold. The firewall device drops packets sent from blacklisted devices early in the packet evaluation process, enabling the firewall to handle greater amounts of these packets, providing a defense against attacks originating on local networks while also providing second-tier protection for WAN networks.

 

Resolution

With SYN/RST/FIN/TCP Flood blacklisting enabled, the firewall removes devices exceeding the blacklist threshold from the watchlist and places them on the blacklist. Conversely, when the firewall removes a device from the blacklist, it places it back on the watchlist. Any device whose MAC address has been placed on the blacklist will be removed from it approximately three seconds after the flood emanating from that device has ended.

  • Navigate to Network|Firewall|Flood protection|TCP|Layer 2 SYN/RST/FIN/TCP Flood Protection- MAC BlacklistingImage

The SYN/RST/FIN Blacklisting region contains the following options:

  • The threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec) – The maximum number of SYN, RST, and FIN packets allowed per second. The default is 1,000. This value should be larger than the SYN Proxy threshold value because blacklisting attempts to thwart more vigorous local attacks or severe attacks from a WAN network.
  • Enable SYN/RST/FIN flood blacklisting on all interfaces – This checkbox enables the blacklisting feature on all interfaces on the firewall.
  • Never blacklist WAN machines – This checkbox ensures that systems on the WAN are never added to the SYN Blacklist. This option is recommended, as leaving it cleared may interrupt traffic to and from the firewall’s WAN ports.
  • Always allow SonicWall management traffic – This checkbox causes IP traffic from a blacklisted device targeting the firewall’s WAN IP addresses to not be filtered. This allows management traffic and routing protocols to maintain connectivity through a blacklisted device.

Related Articles

  • How to block ICMP (Ping ) using Application control
    Read More
  • SonicWall GEN8 TZ and NSa Firewalls FAQ
    Read More
  • How to configure Link Aggregation
    Read More

Categories

Firewalls
NSa Series
Firewalls
TZ Series
not finding your answers?
Ask the Community