Configure SYN rate limits

You can configure SYN rate limits to reduce the risk of SYN flood attacks against the Engine, IPS engine, Layer 2 Engine, Master Engine, or Virtual Engine.

SYN rate limits are applied to TCP connections. Each TCP connection starts with a SYN packet. If the SYN rate limits defined for the Security Engine are reached, the Security Engine drops new TCP connections.

The global SYN rate limits that you define in the Security Engine properties are applied as default settings on all interfaces. You can also define SYN rate limits that override the global settings in each interface’s properties.

For more details about the product and how to configure features, click Help or press F1.

Steps

Select Engine Configuration.
Right-click a Security Engine, then select Edit <element type>.
Browse to Advanced Settings > SYN Rate Limits.
Configure the settings.
Click Save and Refresh to transfer the configuration changes.

Engine Editor > Advanced Settings > SYN Rate Limits

Use this branch to change global SYN rate limits. SYN rate limits reduce the risk of SYN flood attacks.

Option	Definition
SYN Rate Limits	Limits for SYN packets sent to the Security Engine. None — SYN rate limits are disabled. Automatic — The Security Engine automatically calculates the Allowed SYNs per Second and Burst Size values for the interface based on the Security Engine capacity and memory size. Custom — Enter custom values for Allowed SYNs per Second and Burst Size.
Allowed SYNs per Second	(When SYN Rate Limits is Custom) The number of allowed SYN packets per second.
Burst Size	(When SYN Rate Limits is Custom) The number of allowed SYNs before the Security Engine starts limiting the SYN rate. CAUTION: We recommend setting the Burst Size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000.