WatchGuard x1000 User Guide
Chapter 11: Intrusion Detection and Prevention
182
WatchGuard Firebox System
protection feature will self-activate. Once active, further connection attempts from the external side of the Firebox must be verified before being allowed to reach your servers. Connections that cannot be verified are not allowed through, thus protecting your server from having a full backlog.
The SYN Flood protection feature will self-deactivate when it senses the attack is over.
From Policy Manager:
1 On the toolbar, click the Default Packet Handling icon.
You can also, from Policy Manager, select Setup => Intrusion Prevention => Default Packet Handling.
The Default Packet Handling dialog box appears.
2 Select the checkbox marked Block SYN Flood Attacks.
Changing SYN flood settings
Active SYN flood defenses can occasionally prevent legitimate connection attempts from being completed. If you find that too many legitimate connection attempts fail when your SYN flood defense is active, you can change SYN flood settings to minimize this problem.
You can set the maximum number of incomplete TCP connections the Firebox allows before the SYN flood defense is activated. The default setting of 60 means that when the number of TCP connections waiting to be validated climbs to 61 or above, SYN flood defense is activated. Conversely, when the number of connections waiting for validation drops to 59 or less, SYN flood defense is deactivated. You might need to adjust this setting to custom-fit the SYN Flood
protection feature for your network. Every time the feature self-activates, a log message will be recorded stating SYN Validation: activated. When the feature self-deactivates, the log message SYN Validation: deactivated will be recorded. If these messages occur frequently when your server is not under attack, the Maximum Incomplete Connections setting may be too low. If the SYN Flood protection feature is not preventing attacks from
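As an added illustration (not WatchGuard's own code), the activation threshold described above modelled in Python, together with a check over constructed log lines for the "messages occur frequently" condition that signals a threshold set too low. The timestamped log line format and the per-hour limit are assumptions, not something this guide specifies.

```python
"""Model of the Firebox SYN flood defense threshold and a log-frequency check.
Constructed example for illustration; the Firebox's real log format is not
shown in the guide, so the '<ISO timestamp> <message>' shape is assumed."""
from collections import Counter
from datetime import datetime

ACTIVATE_MSG = "SYN Validation: activated"
DEACTIVATE_MSG = "SYN Validation: deactivated"


def syn_defense_events(pending_counts, max_incomplete=60):
    """Walk samples of 'incomplete TCP connections' and return the log
    messages the defense would record. It activates when the count exceeds
    max_incomplete (61+ at the default) and deactivates when the count falls
    below it (59 or less); a sample equal to the threshold changes nothing."""
    active = False
    events = []
    for n in pending_counts:
        if not active and n > max_incomplete:
            active = True
            events.append(ACTIVATE_MSG)
        elif active and n < max_incomplete:
            active = False
            events.append(DEACTIVATE_MSG)
    return events


def activations_per_hour(log_lines):
    """Count activation messages per clock hour (assumed log line format)."""
    per_hour = Counter()
    for line in log_lines:
        ts, _, msg = line.partition(" ")
        if msg.strip() == ACTIVATE_MSG:
            hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
            per_hour[hour] += 1
    return per_hour


def threshold_looks_too_low(log_lines, max_per_hour=3):
    """True when any hour shows more activations than max_per_hour (an
    assumed limit), i.e. the defense is toggling often outside an attack."""
    return any(c > max_per_hour for c in activations_per_hour(log_lines).values())


# Constructed sample data: half-open connection samples and a log excerpt.
SAMPLE_COUNTS = [10, 40, 60, 61, 120, 60, 59, 30, 75, 58]
SAMPLE_LOG = [
    "2024-01-01T10:05:00 SYN Validation: activated",
    "2024-01-01T10:09:00 SYN Validation: deactivated",
    "2024-01-01T10:20:00 SYN Validation: activated",
    "2024-01-01T10:22:00 SYN Validation: deactivated",
    "2024-01-01T10:40:00 SYN Validation: activated",
    "2024-01-01T10:41:00 SYN Validation: deactivated",
    "2024-01-01T10:55:00 SYN Validation: activated",
    "2024-01-01T11:30:00 SYN Validation: activated",
]
```

With the default of 60, the sample counts produce two activate/deactivate pairs, and the four activations between 10:00 and 11:00 trip the frequency check.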