Configure SYN rate limits

You can configure SYN rate limits to reduce the risk of SYN flood attacks against the Engine, IPS engine, Layer 2 Engine, Master Engine, or Virtual Engine.

SYN rate limits are applied to TCP connections. Each TCP connection starts with a SYN packet. If the SYN rate limits defined for the Secure SD-WAN Engine are reached, the Secure SD-WAN Engine drops new TCP connections.

The global SYN rate limits that you define in the Secure SD-WAN Engine properties are applied as default settings on all interfaces. You can also define SYN rate limits that override the global settings in each interface’s properties.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an Secure SD-WAN Engine, then select Edit <element type>.
  2. Browse to Advanced Settings > SYN Rate Limits.
  3. Configure the settings.
  4. Click Save and Refresh to transfer the configuration changes.

Engine Editor > Advanced Settings > SYN Rate Limits

Use this branch to change global SYN rate limits. SYN rate limits reduce the risk of SYN flood attacks.

Option Definition
SYN Rate Limits Limits for SYN packets sent to the Secure SD-WAN Engine.
  • None — SYN rate limits are disabled.
  • Automatic — The Secure SD-WAN Engine automatically calculates the Allowed SYNs per Second and Burst Size values for the interface based on the Secure SD-WAN Engine capacity and memory size.
  • Custom — Enter custom values for Allowed SYNs per Second and Burst Size.
Allowed SYNs per Second

(When SYN Rate Limits is Custom)

The number of allowed SYN packets per second.
Burst Size

(When SYN Rate Limits is Custom)

The number of allowed SYNs before the Secure SD-WAN Engine starts limiting the SYN rate.
CAUTION:
We recommend setting the Burst Size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000.