fwaccel synatk config
In the R81.10.X releases, this command is available starting from the R81.10.00 version.
Description
The "fwaccel synatk config" and "fwaccel6 synatk config" commands show the current Accelerated SYN Defender configuration.
|
|
Important - In a Cluster, you must configure all the Cluster Members in the same way. |
Syntax for IPv4
|
|
Syntax for IPv6
|
|
Example
[Expert@MyGW]# fwaccel synatk config enabled 0 enforce 0 global_high_threshold 0 periodic_updates 0 cookie_resolution_shift 0 min_frag_sz 0 cookie_mss 0 high_threshold 0 low_threshold 0 score_alpha 0 monitor_log_interval (msec) 0 grace_timeout (msec) 0 min_time_in_active (msec) 0 [Expert@MyGW]# |
Description of Configuration Parameters
|
Parameter |
Description |
|---|---|
|
|
Shows if the Accelerated SYN Defender is enabled or disabled.
|
|
|
When the Accelerated SYN Defender is enabled, shows it enforces the protection. Valid values:
|
|
|
Global high attack threshold number. See the fwaccel synatk -t <Threshold> command. |
|
|
For internal Check Point use only.
|
|
|
For internal Check Point use only.
|
|
|
During the TCP SYN Flood attack, the Accelerated SYN Defender prevents TCP fragments smaller than this minimal size value.
|
|
|
High attack threshold number. See the fwaccel synatk -t <Threshold> command. |
|
|
Low attack threshold number. See the fwaccel synatk -t <Threshold> command. |
|
|
For internal Check Point use only.
|
|
|
Interval, in milliseconds, between successive warning logs in the Monitor (Detect only) mode.
|
|
|
Maximal time, in milliseconds, to stay in the Grace state (which is a transitional state between Ready and Active ). In the Grace state, the Accelerated SYN Defender stops challenging Clients for TCP SYN Cookie, but continues to validate TCP SYN Cookies it receives from Clients.
|
|
|
Minimal time, in milliseconds, to stay in the Active mode. In the Active mode, the Accelerated SYN Defender is actively challenging TPC SYN packets with SYN Cookies.
|