Configure SYN rate limits
You can configure SYN rate limits to reduce the risk of SYN flood attacks against the Engine, IPS engine, Layer 2 Engine, Master Engine, or Virtual Engine.
SYN rate limits are applied to TCP connections. Each TCP connection starts with a SYN packet. If the SYN rate limits defined for the Secure SD-WAN Engine are reached, the Secure SD-WAN Engine drops new TCP connections.
The global SYN rate limits that you define in the Secure SD-WAN Engine properties are applied as default settings on all interfaces. You can also define SYN rate limits that override the global settings in each interface’s properties.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Right-click a Secure SD-WAN Engine, then select Edit <element type>.
- Browse to .
- Configure the settings.
- Click Save and Refresh to transfer the configuration changes.
Engine Editor > Advanced Settings > SYN Rate Limits
Use this branch to change global SYN rate limits. SYN rate limits reduce the risk of SYN flood attacks.
Option | Definition |
---|---|
SYN Rate Limits | Limits for SYN packets sent to the Secure SD-WAN Engine. |
Allowed SYNs per Second | (When SYN Rate Limits is Custom) The number of allowed SYN packets per second. |
Burst Size | (When SYN Rate Limits is Custom) The number of allowed SYNs before the Secure SD-WAN Engine starts limiting the SYN rate. CAUTION: We recommend setting the Burst Size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000. |
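The Burst Size caution above, as an added example that is not part of the product documentation: a Python simulation of a rate limit with the table's two parameters, run against constructed traffic. It assumes the limiter behaves like a generic token bucket, which this page does not state; the function names and traffic patterns are hypothetical.

```python
# Added illustration, not vendor code. ASSUMPTION: the limiter is modelled as a
# generic token bucket; the page does not describe the engine's algorithm.
TICKS_PER_SEC = 1000  # simulate in 1 ms steps


def meets_recommendation(rate, burst):
    """Page's guidance: Burst Size at least one tenth of Allowed SYNs per Second."""
    return burst * 10 >= rate


def simulate(rate, burst, arrivals):
    """Return (accepted, dropped) SYN counts.

    rate     -- Allowed SYNs per Second
    burst    -- Burst Size (bucket capacity, in SYNs)
    arrivals -- SYNs arriving in each 1 ms tick
    """
    cap = burst * TICKS_PER_SEC   # integer units of 1/1000 token, avoids float drift
    level = cap                   # bucket starts full
    accepted = dropped = 0
    for syns in arrivals:
        level = min(cap, level + rate)            # refill for one tick
        take = min(syns, level // TICKS_PER_SEC)  # whole tokens available
        level -= take * TICKS_PER_SEC
        accepted += take
        dropped += syns - take
    return accepted, dropped


def clumped(per_clump, every_ms, duration_ms=1000):
    """Constructed traffic: `per_clump` SYNs arriving together every `every_ms` ms."""
    return [per_clump if t % every_ms == 0 else 0 for t in range(duration_ms)]


if __name__ == "__main__":
    rate = 10000
    legit = clumped(800, 100)   # 8000 SYN/s on average, below the limit
    flood = [50] * 1000         # 50000 SYN/s sustained, above the limit
    for burst in (1000, 100):
        print(f"burst={burst} recommended={meets_recommendation(rate, burst)}")
        print("  legit (accepted, dropped):", simulate(rate, burst, legit))
        print("  flood (accepted, dropped):", simulate(rate, burst, flood))
```

In this model the sustained flood is held near 10000 accepted SYNs with either burst value, but with a Burst Size of 100 the clumped traffic that averages below the limit loses 7000 of its 8000 SYNs.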