SonicOS 7.1 Firewall

Technical Documentation>  Advanced>  TCP>  Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting
Table of Contents

Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting

This tab is available only in Policy mode under Network > Firewall > Flood Protection > TCP > Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting.

The SYN/RST/FIN Blacklisting feature lists devices that exceeded the SYN, RST, and FIN Blacklist attack threshold. The firewall device drops packets sent from blacklisted devices early in the packet evaluation process, enabling the firewall to handle greater amounts of these packets, providing a defense against attacks originating on local networks while also providing second-tier protection for WAN networks.

Devices cannot occur on the SYN/RST/FIN Blacklist and watchlist simultaneously. With blacklisting enabled, the firewall removes devices exceeding the blacklist threshold from the watchlist and places them on the blacklist. Conversely, when the firewall removes a device from the blacklist, it places it back on the watchlist. Any device whose MAC address has been placed on the blacklist will be removed from it approximately three seconds after the flood emanating from that device has ended.

  • Enable SYN/RST/FIN/TCP flood blacklisting on all interfaces – Enables the blacklisting feature on all interfaces on the firewall. This option is not selected by default. When it is selected, the following options become available.
  • Never blacklist WAN machines – Ensures that systems on the WAN are never added to the SYN Blacklist. This option is recommended as leaving it cleared may interrupt traffic to and from the firewall’s WAN ports. This option is not selected by default.
  • Always allow SonicWall management traffic – Causes IP traffic from a blacklisted device targeting the firewall’s WAN IP addresses to not be filtered. This allows management traffic and routing protocols to maintain connectivity through a blacklisted device. This option is not selected by default.
  • Threshold for SYN/RST/FIN flood blacklisting – Specifies the maximum number of SYN, RST, FIN, and TCP packets allowed per second. The minimum is 10, the maximum is 800000, and default is 1,000. This value should be larger than the SYN Proxy threshold value because blacklisting attempts to thwart more vigorous local attacks or severe attacks from a WAN network.
  • Click Accept.