Fortinet Document Library

CLI Reference

config security dos tcp-synflood-protection

TCP SYN flood protection is a global setting that protects all virtual server traffic from SYN flood attacks. After the SYN Cookie option is enabled, each virtual server monitors its SYN rate. If the average SYN rate over 10 seconds exceeds Maximum Half-Open Sockets, the virtual server applies SYN cookies to all subsequent new connections (SYN packets) until the rate drops below Maximum Half-Open Sockets.

Syntax

config security dos tcp-synflood-protection

set syncookie enable | disable

set max-half-open <integer>

set max-stale-timeout <integer>

end

CLI Parameter

Description

syncookie

Enable/disable SYN flood protection.

max-half-open

If the average half-open connection rate over 10 seconds for a virtual server (VS) exceeds this setting, SYN cookies are enabled for all subsequent new TCP connections to that VS. When the average rate drops below this setting, SYN cookies are disabled again for that VS.

Example

config security dos tcp-synflood-protection

set syncookie enable

set max-half-open 1024

end
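
The trigger described above, modelled as an added example (not Fortinet's code and not part of the original page): a per-virtual-server 10-second average compared against max-half-open. It assumes the rate is SYNs per second averaged over ten one-second buckets; the class, function and virtual server names are hypothetical and the traffic is constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10  # averaging window stated on the page

class SynFloodMonitor:
    """Model of the per-virtual-server trigger; not Fortinet's implementation."""

    def __init__(self, max_half_open, syncookie=True):
        self.max_half_open = max_half_open
        self.syncookie = syncookie           # mirrors "set syncookie enable | disable"
        self.buckets = defaultdict(deque)    # vs -> deque of (second, syn_count)

    def record(self, vs, second, syn_count):
        """Record SYNs seen by virtual server `vs` during one-second bucket `second`."""
        window = self.buckets[vs]
        window.append((second, syn_count))
        # Drop buckets that have aged out of the 10-second window.
        while window and window[0][0] <= second - WINDOW_SECONDS:
            window.popleft()

    def average_rate(self, vs):
        """Average SYNs per second over the full window (assumed interpretation)."""
        return sum(count for _, count in self.buckets[vs]) / WINDOW_SECONDS

    def cookies_active(self, vs):
        """True while SYN cookies would be applied to new connections of `vs`."""
        return self.syncookie and self.average_rate(vs) > self.max_half_open

def simulate(traffic, max_half_open=1024):
    """Replay {vs: [SYNs per second]} and return {vs: [cookie state per second]}."""
    monitor = SynFloodMonitor(max_half_open)
    timeline = {}
    for vs, per_second in traffic.items():
        states = []
        for second, syn_count in enumerate(per_second):
            monitor.record(vs, second, syn_count)
            states.append(monitor.cookies_active(vs))
        timeline[vs] = states
    return timeline

# Constructed sample traffic: SYNs per second for two hypothetical virtual servers.
SAMPLE = {
    "vs-web": [200] * 5 + [5000] * 6 + [200] * 12,  # sustained flood, then recovery
    "vs-api": [300] * 8 + [6000] + [300] * 10,      # one-second burst only
}

if __name__ == "__main__":
    for vs, states in simulate(SAMPLE).items():
        print(vs, "".join("C" if s else "." for s in states))
```

With max-half-open 1024, the sustained flood on vs-web turns cookies on one second after it starts and keeps them on for eight seconds after it ends, while the one-second burst on vs-api never trips the threshold.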
