-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
How To Change TCP Minimum Segment Size MSS Under Flood Protection
11/22/2021 
28 People found this article helpful
488,831 Views
Description
When the device applies a SYN Proxy to a TCP connection, it responds to the initial SYN packet with a manufactured SYN/ACK reply, waiting for the ACK in response before forwarding the connection request to the server. Devices attacking with SYN Flood packets do not respond to the SYN/ACK reply. The firewall identifies them by their lack of this type of response and blocks their spoofed connection attempts. SYN Proxy forces the firewall to manufacture a SYN/ACK response without knowing how the server will respond to the TCP options normally provided on SYN/ACK packets.
To provide more control over the options sent to WAN clients when in SYN Proxy mode, users can configure the Minimum Segment Size MSS.
Resolution
RESOLUTION FOR SONICOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.x and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
1. Login to the SonicWall management GUI.
2. Navigate to Network|Firewall|Flood Protection
3. Enable Limit MSS sent to WAN clients (when connections are proxied) this will allow you to enter the maximum Minimum Segment Size value. The default value is 1460.
Note: When using Proxy WAN client connections, remember to set these options conservatively since it only affect connections when a SYN Flood takes place.
RESOLUTION FOR SONICOS 6.X
1. Login to the SonicWall management GUI.
2. Navigate to Firewall Settings | Flood Protection page.
3. Enable Limit MSS sent to WAN clients (when connections are proxied) this will allow you to enter the maximum Minimum Segment Size value. The default value is 1460.
Note: When using Proxy WAN client connections, remember to set these options conservatively since it only affect connections when a SYN Flood takes place.
Related Articles
- How to Block Google QUIC Protocol on SonicOSX 7.0?
- How to block certain Keywords on SonicOSX 7.0?
- How internal Interfaces can obtain Global IPv6 Addresses using DHCPv6 Prefix Delegation
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO