Sonicwall and TCP ZeroWindow

08/30/2021 2 People found this article helpful 31,967 Views

Download

Print

Share

• LinkedIn
• Twitter
• Facebook
• Email
• Copy URL The link has been copied to clipboard

Description

This article will describe the Sonicwall firewall behavior when it observes the TCP zero window alert in any TCP communication.

TCP Zero Window: When a TCP receiver's buffer begins to fill, it can reduce its receive window. If it fills, it can reduce the window to zero, which tells the TCP sender to stop sending. This is called "closing the window". Typically this indicates that the network is delivering traffic faster than the receiver can process it.

When the receiver closes its receive window, it usually means that it is receiving data faster than it can send it on the peer flow. This is normal in situations where, for example, the server-side network is faster than the client-side network, and there is a large transfer from the server to the client. 

For the client-server TCP communication, zerowindow can be normal behavior and the receiver should update the TCP window automatically based on its flow.

However, Sonicwall firewall can treat this as Denial of Service attack and may reset the TCP stream if it sees the TCP zero window in the communication as shown below :

Resolution

This can be avoided by disabling a feature in the internal settings option of the Sonicwall as shown below  :

Step 1: Login into Sonicwall UI.

Step2:  Enter the interal settings option by changing the browser address to:

 https://<ip_address>/diag.html for gen6 devices

 https://<ip_Address>/sonicui/7/m/mgmt/settings/diag for gen7 devices

Step 3: Disable the option 'Protect against TCP State Manipulation DoS' and click accept

Related Articles

• DNS Resolution of Wildcard FQDN Address Objects
• All associated wildcard FQDN IP addresses do not display in the web browser
• How to Re-Install The Junk Store

Categories

• Firewalls > NSa Series
• Firewalls > TZ Series
• Firewalls > NSv Series