fwaccel synatk config

Description

The "fwaccel synatk config" and "fwaccel6 synatk config" commands show the current Accelerated SYN Defender configuration.

Syntax for IPv4

fwaccel synatk config

Syntax for IPv6

fwaccel6 synatk config

Example

[Expert@MyGW:0]# fwaccel synatk config 
enabled 0 
enforce 1 
global_high_threshold 10000 
periodic_updates 1 
cookie_resolution_shift 6 
min_frag_sz 80 
high_threshold 5000 
low_threshold 1000 
score_alpha 100 
monitor_log_interval (msec) 60000 
grace_timeout (msec) 30000 
min_time_in_active (msec) 60000 
[Expert@MyGW:0]#

Description of Configuration Parameters

Parameter

Description

enabled

Shows if the Accelerated SYN Defender is enabled or disabled.

  • Valid values: 0 (disabled), 1 (enabled)

  • Default: 0

enforce

When the Accelerated SYN Defender is enabled, shows whether it enforces the protection or only monitors.

Valid values:

  • 0 - The Accelerated SYN Defender is in Monitor (Detect only) mode on all interfaces.

  • 1 - The Accelerated SYN Defender is engaged only on external interfaces when the number of half-open TCP connections exceeds the threshold.

  • 2 - The Accelerated SYN Defender is engaged on both external and internal interfaces when the number of half-open TCP connections exceeds the threshold.

global_high_threshold

Global high attack threshold number.

See the fwaccel synatk -t <Threshold> command.

periodic_updates

For internal Check Point use only.

  • Valid values: 0 (disabled), 1 (enabled)

  • Default: 1

cookie_resolution_shift

For internal Check Point use only.

  • Valid values: 1-7

  • Default: 6

min_frag_sz

During a TCP SYN Flood attack, the Accelerated SYN Defender blocks TCP fragments smaller than this minimum size.

  • Valid values: 80 and greater

  • Default: 80

high_threshold

High attack threshold number.

See the fwaccel synatk -t <Threshold> command.

low_threshold

Low attack threshold number.

See the fwaccel synatk -t <Threshold> command.

score_alpha

For internal Check Point use only.

  • Valid values: 1-127

  • Default: 100

monitor_log_interval (msec)

Interval, in milliseconds, between successive warning logs in the Monitor (Detect only) mode.

  • Valid values: 1000 and greater

  • Default: 60000

grace_timeout (msec)

Maximal time, in milliseconds, to stay in the Grace state (which is a transitional state between Ready and Active).

In the Grace state, the Accelerated SYN Defender stops challenging Clients for TCP SYN Cookie, but continues to validate TCP SYN Cookies it receives from Clients.

  • Valid values: 10000 and greater

  • Default: 30000

min_time_in_active (msec)

Minimal time, in milliseconds, to stay in the Active mode.

In the Active mode, the Accelerated SYN Defender is actively challenging TCP SYN packets with SYN Cookies.

  • Valid values: 10000 and greater

  • Default: 60000
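As an added example (not Check Point's code or part of this reference page), the script below parses the output of "fwaccel synatk config" as shown earlier, checks every parameter against the valid ranges documented in the table above, and reports the effective operating state (disabled, Monitor mode, or enforcing). The sample output is copied from the example on this page; the thresholds have no documented range here, so only their presence is checked.

```python
"""Audit 'fwaccel synatk config' output against the documented parameter ranges."""
import re

# Documented (min, max) range per parameter; None as upper bound = "and greater",
# None as the whole entry = no range documented (only presence is checked).
RANGES = {
    "enabled": (0, 1), "enforce": (0, 2), "periodic_updates": (0, 1),
    "cookie_resolution_shift": (1, 7), "score_alpha": (1, 127),
    "min_frag_sz": (80, None), "monitor_log_interval": (1000, None),
    "grace_timeout": (10000, None), "min_time_in_active": (10000, None),
    "global_high_threshold": None, "high_threshold": None, "low_threshold": None,
}
ENFORCE_MODES = {0: "Monitor (Detect only) mode on all interfaces",
                 1: "enforced on external interfaces only",
                 2: "enforced on external and internal interfaces"}
# Matches "name value" and "name (msec) value"; the Expert prompt lines do not match.
LINE_RE = re.compile(r"^(\w+)(?:\s*\(msec\))?\s+(\d+)$")

def parse_config(text):
    """Return {parameter: int} from the command output, ignoring prompt lines."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            cfg[m.group(1)] = int(m.group(2))
    return cfg

def audit(cfg):
    """Return findings: missing or out-of-range parameters, then the effective state."""
    findings = []
    for name, bounds in RANGES.items():
        if name not in cfg:
            findings.append(f"missing: {name}")
        elif bounds and (cfg[name] < bounds[0] or
                         (bounds[1] is not None and cfg[name] > bounds[1])):
            findings.append(f"out of range: {name}={cfg[name]}")
    if cfg.get("enabled") != 1:
        findings.append("state: Accelerated SYN Defender is disabled")
    else:
        findings.append("state: " + ENFORCE_MODES.get(cfg.get("enforce"), "unknown"))
    return findings

# Constructed sample: the command output shown in the Example section of this page.
SAMPLE = "\n".join([
    "[Expert@MyGW:0]# fwaccel synatk config", "enabled 0", "enforce 1",
    "global_high_threshold 10000", "periodic_updates 1", "cookie_resolution_shift 6",
    "min_frag_sz 80", "high_threshold 5000", "low_threshold 1000", "score_alpha 100",
    "monitor_log_interval (msec) 60000", "grace_timeout (msec) 30000",
    "min_time_in_active (msec) 60000", "[Expert@MyGW:0]#",
])
```

Running `audit(parse_config(SAMPLE))` on the page's sample reports only that the feature is disabled (enabled 0), which is what an auditor would want to know before trusting the enforce value.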