Cisco Packet Data Interworking Function (PDIF) Troubleshooting Guide
ACS Configuration Mode Commands
▀ firewall tcp-syn-flood-intercept
▄ Cisco ASR 5000 Series Command Line Interface Reference
OL-22947-02
firewall tcp-syn-flood-intercept
This command enables and configures the TCP intercept parameters to prevent TCP-SYN flooding attacks by
intercepting and validating TCP connection requests for DoS protection mechanism configured with the
command.
Important:
In StarOS 8.1 and later releases, for Rulebase-based Stateful Firewall this command is available in
the ACS Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy
Configuration Mode. In StarOS 8.3, this command is available in the ACS Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
Configures the default setting for TCP intercept parameters for SYN Flood DoS protection.
Specifies the maximum number of attempts for sending proxy SYN to the target. This keyword works in
conjunction with the
keyword.
specifies the maximum number of attempts for sending proxy SYN to the target after the
timeout duration, and must be an integer from 1 through 5.
Default: 5
Specifies the TCP SYN flood intercept mode:
: Configures TCP SYN flood intercept feature in Intercept mode.
: Disables TCP SYN Flood Intercept feature.
: Configures TCP SYN Flood Intercept feature in watch mode. The Stateful Firewall passively
watches to see if TCP connections become established within a configurable interval. If connections
are not established within the timeout period, the Stateful Firewall clears the half-open connections
by sending RST to TCP client and server. The default watch-timeout for connection establishment is
30 seconds.
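The watch-mode behaviour described above, modelled as an added Python example (not Cisco or StarOS code): flows that do not complete the handshake within the watch-timeout are cleared and an RST goes to both client and server. `WatchTable`, the flag strings and the addresses are constructed for illustration; the 30-second default comes from the text.

```python
# Added illustration (not StarOS code): watch-mode tracking of half-open TCP flows.
from dataclasses import dataclass, field

WATCH_TIMEOUT = 30.0  # seconds; default watch-timeout stated in the text

@dataclass
class WatchTable:  # hypothetical name
    timeout: float = WATCH_TIMEOUT
    half_open: dict = field(default_factory=dict)   # flow -> [first SYN time, stage]
    established: set = field(default_factory=set)

    def packet(self, now, src, dst, flags):
        """Observe one TCP segment; return any RSTs caused by expired flows."""
        resets = self.expire(now)
        fwd, rev = (src, dst), (dst, src)
        if flags == "SYN" and fwd not in self.established:
            # A retransmitted SYN keeps the original start time.
            self.half_open.setdefault(fwd, [now, "SYN"])
        elif flags == "SYN-ACK" and rev in self.half_open:
            self.half_open[rev][1] = "SYN-ACK"
        elif flags == "ACK" and self.half_open.get(fwd, [0, ""])[1] == "SYN-ACK":
            del self.half_open[fwd]          # handshake completed in time
            self.established.add(fwd)
        elif flags == "RST":
            self.half_open.pop(fwd, None)
            self.half_open.pop(rev, None)
        return resets

    def expire(self, now):
        """Clear flows not established within the timeout; RST both ends."""
        resets = []
        for flow, (start, _stage) in list(self.half_open.items()):
            if now - start >= self.timeout:
                del self.half_open[flow]
                resets += [("RST", flow[0]), ("RST", flow[1])]
        return resets

def run_constructed_trace():
    """Constructed traffic: one client completes, one SYN source never answers."""
    table = WatchTable()
    good, silent, srv = ("10.0.0.5", 40000), ("192.0.2.77", 51515), ("198.51.100.10", 443)
    table.packet(0.0, good, srv, "SYN")
    table.packet(0.1, srv, good, "SYN-ACK")
    table.packet(0.2, good, srv, "ACK")
    table.packet(1.0, silent, srv, "SYN")
    table.packet(4.0, silent, srv, "SYN")     # retransmission, timer unchanged
    early = table.expire(30.5)                # 29.5 s after first SYN: nothing yet
    late = table.expire(31.0)                 # 30 s elapsed: flow is cleared
    return table, early, late
```
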
: Configures TCP SYN flood Intercept or Watch feature for aggressive behavior. Each
new connection request causes the oldest incomplete connection to be deleted. When operating in
watch mode, the watch timeout is reduced by half. If the watch-timeout is 30 seconds, under