Administration Guide

Configuring a TCP SYN Flood Protection policy

TCP SYN flood protection is a global feature that protects all virtual server traffic against SYN flood attacks. When the SYN Cookie option is enabled, each virtual server monitors the rate at which it receives SYN packets. If the average over a 10-second window exceeds the configured Maximum Half-Open Sockets, SYN cookies are applied to all subsequent new connections (SYN packets) to that virtual server, so no half-open entry is held in the connection table until the client completes the handshake. SYN cookies stay enabled until the average drops back below the Maximum Half-Open Sockets threshold.

Before you begin:
  • You must have Read-Write permission for Security settings.
To configure a TCP SYN Flood Protection policy:
  1. Navigate to Network Security > Networking.
    The page opens on the IP Fragmentation Protection tab.
  2. Click the TCP SYN Flood Protection tab.
  3. Configure the following settings:

    Setting: SYN Cookie
    Description: Enables or disables SYN flood protection using SYN cookies. When enabled, FortiADC answers a SYN with a SYN cookie instead of allocating a half-open entry in the connection table, so a flood of unanswered SYNs cannot exhaust the table.

    Setting: Maximum Half-Open Sockets
    Description: The threshold for the average number of half-open TCP connections per virtual server (VS) over a 10-second window. If the average exceeds this threshold, SYN cookies are enabled for all new TCP connections to that VS. Once the average drops back below the threshold, SYN cookies are disabled for that VS. Because the threshold is evaluated per VS, a value appropriate for a busy VS may be far too high to ever trigger on a low-traffic one.

    Setting: Exception Name
    Description: The DoS Exception configuration object to apply. See Configuring DoS Exceptions.
    During periods of high SYN packet rates, FortiADC enables SYN Cookie protection to mitigate SYN flood attacks. If the source IP of a new connection matches the configured exception rule, SYN cookies are not enforced and the connection is handled normally. Because the match is made on the source address of the SYN packet, which an attacker can spoof, keep the exception list as narrow as possible: a SYN carrying an exempted source address is still admitted to the connection table while cookies are active.

  4. Save the configuration.
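The activation logic described above (10-second average per VS, cookies on above the threshold and off again below it, exempted sources handled without cookies), written out as an added Python model. This is an illustration, not FortiADC code: the policy and state classes, the one-sample-per-second averaging, the rule that an average exactly at the threshold keeps the current state, and the exception list as IP networks are all assumptions, and the traffic trace is constructed.

```python
"""Model of per-VS SYN cookie activation as described for FortiADC.

Added illustration, not FortiADC code. Assumptions not stated on the page:
the 10-second average is a moving average of one-sample-per-second half-open
counts; cookies switch on when the average exceeds Maximum Half-Open Sockets
and off when it falls below it (an average exactly at the threshold keeps the
current state); exceptions are IP networks matched against the SYN's source
address. All input data below is constructed.
"""
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 10  # averaging window from the page


@dataclass
class SynFloodPolicy:
    syn_cookie: bool            # the "SYN Cookie" setting
    max_half_open: int          # "Maximum Half-Open Sockets"
    exceptions: tuple = ()      # hypothetical DoS Exception: source networks

    def exempt(self, src_ip: str) -> bool:
        """True if the SYN's source address matches a configured exception."""
        addr = ip_address(src_ip)
        return any(addr in ip_network(net) for net in self.exceptions)


@dataclass
class VirtualServerState:
    """Per-VS state: the last 10 one-second samples and the cookie flag."""
    samples: deque = field(default_factory=lambda: deque(maxlen=WINDOW_SECONDS))
    cookies_active: bool = False

    def average(self) -> float:
        return sum(self.samples) / len(self.samples) if self.samples else 0.0


def update(policy: SynFloodPolicy, vs: VirtualServerState, half_open_now: int) -> bool:
    """Record one per-second sample and return whether cookies are now active."""
    if not policy.syn_cookie:
        vs.cookies_active = False
        return False
    vs.samples.append(half_open_now)
    avg = vs.average()
    if avg > policy.max_half_open:
        vs.cookies_active = True      # threshold exceeded: cookie mode
    elif avg < policy.max_half_open:
        vs.cookies_active = False     # dropped back below: normal handshake
    return vs.cookies_active


def handle_syn(policy: SynFloodPolicy, vs: VirtualServerState, src_ip: str) -> str:
    """Decide how one incoming SYN is answered: 'cookie' or 'table'."""
    if vs.cookies_active and not policy.exempt(src_ip):
        return "cookie"   # stateless SYN-ACK; no half-open entry allocated
    return "table"        # ordinary handshake, half-open entry kept


def simulate(policy: SynFloodPolicy, half_open_samples) -> list:
    """Feed per-second half-open counts to one VS; return the cookie flag per second."""
    vs = VirtualServerState()
    return [update(policy, vs, n) for n in half_open_samples]


if __name__ == "__main__":
    policy = SynFloodPolicy(syn_cookie=True, max_half_open=100,
                            exceptions=("10.0.0.0/8",))
    # Constructed trace: a three-second burst of 800 half-open sockets on an
    # otherwise quiet VS. Cookies come on as soon as the 10-second average
    # passes 100 and stay on until the burst has aged out of the window.
    trace = [20, 20, 20, 800, 800, 800, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20]
    flags = simulate(policy, trace)
    print("cookies active per second:", "".join("1" if f else "0" for f in flags))

    vs = VirtualServerState(cookies_active=True)
    for src in ("203.0.113.7", "10.1.2.3"):
        print(src, "->", handle_syn(policy, vs, src))
```

Note how long the cookie mode outlasts the burst: the three high samples keep the 10-second average above 100 for eleven seconds, which is the hysteresis the page describes. The exempted 10.0.0.0/8 source is handed a normal handshake even while cookies are active, which is why the exception list should be narrow.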