Firewall > TCP Settings
SonicOS Enhanced 4.0 Administrator Guide
The TCP Settings section allows you to:
• Enable TCP Stateful Inspection – Enabling TCP stateful inspection requires that all TCP
connections rigidly adhere to the following TCP setup requirements:
– TCP session establishment involves a three-way handshake between two hosts and
consists of the following:
• Initiator --> SYN --> Responder
• Initiator <-- SYN/ACK <-- Responder
• Initiator --> ACK --> Responder
• (Session established)
After the initial SYN, it is permissible for a Client to send a RST or a SYN, or for the Server
to send a SYN-ACK or a RST. Any other combination of TCP flags is generally considered
invalid, or potentially malicious. The 'Enable TCP Stateful Inspection' option enforces these
guidelines, and drops any traffic that violates them.
Note: Some legitimate TCP/IP stack implementations do not abide by these rules, and require that
'Enable TCP Stateful Inspection' be disabled. For the sake of compatibility with these
implementations, the 'Enable TCP Stateful Inspection' option is disabled by default, but it can
be enabled to heighten security, or where there is no concern about potential incompatibilities.
• Enable TCP Checksum Validation – If an invalid TCP checksum is calculated, the packet
will be dropped.
• Default TCP Connection Timeout – The default time assigned to Access Rules for TCP
traffic. If a TCP session is active for a period in excess of this setting, the TCP connection
will be cleared by the SonicWALL. The default value is 5 minutes, the minimum value is 1
minute, and the maximum value is 999 minutes. Note: Setting excessively long connection
time-outs will slow the reclamation of stale resources, and in extreme cases could lead to
exhaustion of the connection cache.
• Maximum Segment Lifetime (seconds) – Determines the number of seconds that any
TCP packet is valid before it expires. This setting is also used to determine the amount of
time (calculated as twice the Maximum Segment Lifetime, or 2MSL) that an actively closed
TCP connection remains in the TIME_WAIT state to ensure that the proper FIN / ACK
exchange has occurred to cleanly close the TCP connection.
– Default value: 8 seconds
– Minimum value: 1 second
– Maximum value: 60 seconds
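As an added illustration (not code from the SonicOS guide or from SonicWALL), the 'Enable TCP Stateful Inspection' setup rules above expressed as a per-flow validator: a flow may only open with a bare SYN from the initiator, after which the client may retransmit the SYN or send RST and the server may answer SYN/ACK or RST, and anything else is dropped. The flag constants, state names and the sample traces are constructed assumptions.

```python
# TCP header flag bits (standard layout) and the subset this validator inspects.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
CTRL = FIN | SYN | RST | ACK


class Flow:
    """Tracks one initiator<->responder conversation through the handshake."""

    def __init__(self):
        self.state = "NEW"  # NEW -> SYN_SENT -> SYN_RECEIVED -> ESTABLISHED

    def inspect(self, from_initiator, flags):
        """Return True to pass the segment, False to drop it (what a log would record)."""
        ctrl = flags & CTRL
        if ctrl & RST:
            # Either side may abort an in-progress flow; an RST on a flow that
            # never saw a SYN has nothing to abort and is dropped.
            if self.state == "NEW":
                return False
            self.state = "NEW"
            return True
        if self.state == "NEW":
            if from_initiator and ctrl == SYN:  # only a bare initiator SYN opens a flow
                self.state = "SYN_SENT"
                return True
            return False  # e.g. an unsolicited ACK or FIN with no prior SYN
        if self.state == "SYN_SENT":
            if from_initiator and ctrl == SYN:  # client SYN retransmit
                return True
            if not from_initiator and ctrl == SYN | ACK:  # server SYN/ACK
                self.state = "SYN_RECEIVED"
                return True
            return False
        if self.state == "SYN_RECEIVED":
            if not from_initiator and ctrl == SYN | ACK:  # SYN/ACK retransmit
                return True
            if from_initiator and ctrl == ACK:  # third leg: session established
                self.state = "ESTABLISHED"
                return True
            return False
        return True  # ESTABLISHED: the guide's setup rules impose nothing further


def inspect_trace(segments):
    """Run a list of (from_initiator, flags) through one flow; return per-segment verdicts."""
    flow = Flow()
    return [flow.inspect(src, flg) for src, flg in segments]


# Constructed traces: a clean handshake, and a flow whose first segment is a bare ACK.
GOOD = [(True, SYN), (False, SYN | ACK), (True, ACK), (True, ACK)]
BAD = [(True, ACK), (True, SYN), (False, ACK), (False, SYN | ACK), (True, ACK)]
```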
Working with SYN/RST/FIN Flood Protection
SYN/RST/FIN Flood protection helps to protect hosts behind the SonicWALL from Denial of
Service (DoS) or Distributed DoS attacks that attempt to consume the host’s available
resources by creating one of the following attack mechanisms:
• Sending TCP SYN packets, RST packets, or FIN packets with invalid or spoofed IP
addresses.
• Creating excessive numbers of half-opened TCP connections.