Configuring a TCP SYN flood protection policy

TCP SYN flood protection is a global setting that protects all virtual server traffic from SYN flood attacks. After the SYN Cookie option is enabled, each virtual server monitors its SYN rate. If the average SYN rate over 10 seconds exceeds Maximum Half-Open Sockets, the virtual server applies SYN Cookie to all subsequent new connections (SYN packets) until the rate drops below Maximum Half-Open Sockets.

Before you begin:

  • You must have Read-Write permission for Security settings.

To configure a TCP SYN Flood Protection policy:

  1. Go to DoS Protection > Networking > TCP SYN Flood Protection.
  2. Click Edit to display the configuration editor.
  3. Complete the configuration.

    SYN Cookie

    Enable or disable SYN flood protection.

    Maximum Half-Open Sockets

    If the average half-open connection rate over 10 seconds for a virtual server (VS) exceeds this setting, SYN Cookie is enabled for all subsequent new TCP connections to that virtual server. If the average rate drops below this setting, SYN Cookie is disabled for that virtual server.

  4. Save the configuration.
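
The threshold behaviour described above, modelled as an added example (not Fortinet code) to show how a 10-second average delays both the start and the end of SYN Cookie mode. The one-second sampling, the sliding window, the threshold of 500 and the traffic trace are assumptions constructed for illustration.

```python
from collections import deque

WINDOW_SECONDS = 10  # averaging window stated in the handbook text


class VirtualServerSynMonitor:
    """Toy model of one virtual server's SYN Cookie switch (not Fortinet code)."""

    def __init__(self, max_half_open):
        self.max_half_open = max_half_open          # "Maximum Half-Open Sockets"
        self.per_second = deque(maxlen=WINDOW_SECONDS)
        self.syn_cookie_active = False

    def tick(self, syn_count):
        """Record the SYNs seen in one second and return the 10 s average."""
        self.per_second.append(syn_count)
        # Assumption: seconds not yet observed count as zero traffic.
        average = sum(self.per_second) / WINDOW_SECONDS
        if average > self.max_half_open:
            self.syn_cookie_active = True           # "exceeds" turns it on
        elif average < self.max_half_open:
            self.syn_cookie_active = False          # "drops below" turns it off
        # average == threshold: neither condition holds, state is kept
        return average


def simulate(trace, max_half_open):
    """Return (second, average, syn_cookie_active) for each second of the trace."""
    monitor = VirtualServerSynMonitor(max_half_open)
    rows = []
    for second, syn_count in enumerate(trace):
        average = monitor.tick(syn_count)
        rows.append((second, average, monitor.syn_cookie_active))
    return rows


# Constructed trace: 5 s baseline, 5 s flood, 15 s baseline (SYNs per second).
SAMPLE_TRACE = [50] * 5 + [2000] * 5 + [50] * 15

if __name__ == "__main__":
    for second, average, active in simulate(SAMPLE_TRACE, max_half_open=500):
        print(f"t={second:2d}s  avg={average:7.1f}  syn_cookie={'on' if active else 'off'}")
```

In this model SYN Cookie turns on two seconds into the flood and stays on for seven seconds after it ends, because the decision follows the 10-second average rather than the instantaneous rate.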
