Layer 2 SYN/RST/FIN flood protection-MAC blacklisting
06/13/2023
Description
The SYN/RST/FIN Blacklisting feature maintains a list of devices that have exceeded the SYN, RST, and FIN Blacklist attack threshold. The firewall drops packets sent from blacklisted devices early in the packet evaluation process, which lets it absorb far greater volumes of these packets. This provides a defense against attacks originating on local networks and a second tier of protection for WAN networks.
Resolution
With SYN/RST/FIN/TCP Flood blacklisting enabled, the firewall removes devices exceeding the blacklist threshold from the watchlist and places them on the blacklist. Conversely, when the firewall removes a device from the blacklist, it places it back on the watchlist. Any device whose MAC address has been placed on the blacklist will be removed from it approximately three seconds after the flood emanating from that device has ended.
- Navigate to Network | Firewall | Flood protection | TCP | Layer 2 SYN/RST/FIN/TCP Flood Protection - MAC Blacklisting
![Image](https://sonicwall.rightanswers.com/portal/app/portlets/results/onsitehypermedia/090230610932017.png?linkToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzb25pY3dhbGwiLCJleHAiOjE3NTM0OTkyMTAsImlhdCI6MTcyMTk2MzIxMH0.8TBZzMeLzg9AcvWKWkLmQeGNRiuDmeiTcBAqkRUEsSM)
The SYN/RST/FIN Blacklisting region contains the following options:
- The threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec) – The maximum number of SYN, RST, and FIN packets allowed per second. The default is 1,000. This value should be larger than the SYN Proxy threshold value because blacklisting attempts to thwart more vigorous local attacks or severe attacks from a WAN network.
- Enable SYN/RST/FIN flood blacklisting on all interfaces – This checkbox enables the blacklisting feature on all interfaces on the firewall.
- Never blacklist WAN machines – This checkbox ensures that systems on the WAN are never added to the SYN Blacklist. This option is recommended as leaving it cleared may interrupt traffic to and from the firewall’s WAN ports.
- Always allow SonicWall management traffic – This checkbox causes IP traffic from a blacklisted device targeting the firewall’s WAN IP addresses to not be filtered. This allows management traffic and routing protocols to maintain connectivity through a blacklisted device.
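The watchlist/blacklist cycle described above, modelled as an added example (this is not SonicWall code and makes no claim about the firewall's internals). It assumes per-second SYN/RST/FIN counts per MAC, the page's default threshold of 1,000 packets per second, release about three seconds after the flood ends, and the "Never blacklist WAN machines" option; all MAC addresses and traffic volumes are constructed.

```python
from collections import defaultdict

# Constructed parameters taken from the article: default 1,000 SYN/RST/FIN
# packets per second; a blacklisted MAC is released ~3 s after its flood ends.
THRESHOLD_PPS = 1000
RELEASE_AFTER_S = 3


class L2FloodBlacklist:
    """Toy model of the watchlist -> blacklist -> watchlist cycle (assumption)."""

    def __init__(self, threshold=THRESHOLD_PPS, never_blacklist_wan=True):
        self.threshold = threshold
        self.never_blacklist_wan = never_blacklist_wan
        self.blacklist = {}              # mac -> last second it exceeded the threshold
        self.dropped = defaultdict(int)  # mac -> packets dropped early (already blacklisted)

    def process_second(self, second, counts, wan_macs=frozenset()):
        """counts: {mac: SYN/RST/FIN packets seen from that MAC in this one-second window}."""
        for mac, n in counts.items():
            if mac in self.blacklist:
                self.dropped[mac] += n   # dropped before full packet evaluation
            exempt = self.never_blacklist_wan and mac in wan_macs
            if n > self.threshold and not exempt:
                self.blacklist[mac] = second  # exceeded threshold: moved (or kept) on blacklist
        # Release entries whose flood ended RELEASE_AFTER_S seconds ago; they return to the watchlist.
        for mac in [m for m, last in self.blacklist.items() if second - last >= RELEASE_AFTER_S]:
            del self.blacklist[mac]
        return sorted(self.blacklist)


def simulate():
    """Run constructed traffic through the model and return (blacklist per second, drops per MAC)."""
    fw = L2FloodBlacklist()
    lan_flooder = "00:11:22:33:44:55"   # constructed LAN host flooding for seconds 0-2
    wan_host = "66:77:88:99:aa:bb"      # constructed WAN host, exempt via "Never blacklist WAN machines"
    lan_normal = "cc:dd:ee:ff:00:11"    # constructed LAN host with ordinary traffic
    timeline = {}
    for t in range(8):
        counts = {lan_normal: 50, wan_host: 5000}
        if t < 3:
            counts[lan_flooder] = 5000
        timeline[t] = fw.process_second(t, counts, frozenset({wan_host}))
    return timeline, dict(fw.dropped)


if __name__ == "__main__":
    for t, entries in simulate()[0].items():
        print(f"t={t}s blacklist={entries}")
```

The LAN flooder is blacklisted from the first second it exceeds the threshold, its later packets are counted as early drops, and it is released once no second within the release window shows it above the threshold; the WAN host is never listed despite the same volume.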