
SonicOS 6.1 - Administration Guide


ICMP Flood Protection

ICMP Flood Protection functions identically to UDP Flood Protection, except that it monitors for ICMP flood attacks. The only other difference is that no DNS queries are allowed to bypass ICMP Flood Protection.

1. Go to the ICMP Flood Protection section of the Firewall Settings > Flood Protection page.
Enable ICMP Flood Protection – Select the checkbox to enable ICMP Flood Protection. When enabled, the firewall starts to drop ICMP packets to the destination specified in ICMP Flood Attack Protected Destination List if the number of ICMP packets from one or more sources exceeds the configured threshold. This option is disabled by default.
ICMP Flood Attack Threshold (ICMP Packets / Sec) – In this field, specify the maximum number of ICMP packets, per second, that can be sent to a host, range, or subnet before triggering ICMP Flood Protection. The minimum number is 10 packets per second, the maximum is 100000, and the default is 200.
ICMP Flood Attack Blocking Time (Sec) – After the appliance detects the rate of ICMP packets exceeding the attack threshold for this duration of time, ICMP Flood Protection is activated, and the appliance will begin dropping subsequent ICMP packets. The minimum is 1 second, the maximum is 120 seconds, and the default is 2 seconds.
ICMP Flood Attack Protected Destination List – Select the destination address object or address group to be protected from ICMP flood attacks from the drop-down menu. Select Any (the default) to apply the Attack Threshold to the sum of ICMP packets passing through the firewall.
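The interplay of the three settings above (threshold, blocking time and protected destination list) is easiest to see in a small model. The following is an added example, not SonicOS code: it buckets ICMP packets into one-second intervals, arms protection only after the threshold has been exceeded for the configured blocking time, and then drops packets toward the protected destinations while the flood lasts. The class name, the per-second bucketing and the sample traffic are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network


class IcmpFloodProtection:
    """Constructed model of the ICMP Flood Protection settings (not SonicOS code).
    Rates are approximated as one-second buckets of packets."""

    def __init__(self, threshold_pps=200, blocking_time_s=2, protected=None):
        # Ranges and defaults follow the page; protected=None models "Any".
        if not 10 <= threshold_pps <= 100000:
            raise ValueError("threshold must be 10..100000 packets/sec")
        if not 1 <= blocking_time_s <= 120:
            raise ValueError("blocking time must be 1..120 seconds")
        self.threshold = threshold_pps
        self.blocking_time = blocking_time_s
        self.protected = [ip_network(p) for p in protected] if protected else None
        self.over_for = 0          # consecutive seconds above the threshold
        self.active = False        # an ICMP flood is "in progress"
        self.floods_detected = 0   # cf. "Total ICMP Floods Detected"
        self.rejected = 0          # cf. "Total ICMP Flood Packets Rejected"

    def _is_protected(self, dst):
        return self.protected is None or any(
            ip_address(dst) in net for net in self.protected)

    def process_second(self, destinations):
        """destinations: destination IPs of all ICMP packets seen in one second.
        Returns how many of them are forwarded."""
        guarded = sum(1 for d in destinations if self._is_protected(d))
        # Drops apply to packets *after* activation, so decide on last state first.
        dropped = guarded if self.active else 0
        if guarded > self.threshold:
            self.over_for += 1
            if self.over_for >= self.blocking_time and not self.active:
                self.active = True          # blocking time reached: arm
                self.floods_detected += 1
        else:
            self.over_for, self.active = 0, False   # rate fell back: disarm
        self.rejected += dropped
        return len(destinations) - dropped


def run_demo():
    """Constructed traffic: three seconds of 15 pps toward protected 10.0.0.5
    (threshold 10, blocking time 2), with unrelated ICMP to 192.168.1.1 mixed in."""
    fp = IcmpFloodProtection(threshold_pps=10, blocking_time_s=2,
                             protected=["10.0.0.0/24"])
    burst = ["10.0.0.5"] * 15 + ["192.168.1.1"] * 3
    quiet = ["10.0.0.5"] * 2 + ["192.168.1.1"] * 3
    forwarded = [fp.process_second(s) for s in (burst, burst, burst, quiet, quiet)]
    return forwarded, fp.floods_detected, fp.rejected
```

Note that traffic to 192.168.1.1 is never dropped because it is outside the protected destination list, and that the first two burst seconds pass untouched because the blocking time has not yet elapsed.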

Control Plane Flood Protection

1. Go to the Control Plane Flood Protection section of the Firewall Settings > Flood Protection page.
Enable Control Plane Flood Protection – Select this checkbox to enable Control Plane Flood Protection. This option is disabled by default.
When this option is enabled, if the Control Plane (Core 0) exceeds the threshold specified in Control Plane Flood Protection threshold (CPU %), the firewall forwards only control traffic destined to the firewall to the System Control Plane core. To give precedence to legitimate control traffic, excess data traffic is dropped. This restriction prevents too much data traffic from reaching the Control Plane core, which can cause slow system response and potential network connection drops. The percentage configured for control traffic is guaranteed.
Control Plane Flood Protection Threshold (CPU %) – In this field, specify the threshold, as a percentage of CPU, for activating Control Plane Flood Protection. The minimum percentage is 5% of CPU, the maximum is 95% of CPU, and the default is 75% of CPU.
IMPORTANT: Adjust the Control Plane Flood Protection Threshold from its optimized default value only when control-plane packet drops are observed.

Traffic Statistics

The Firewall Settings > Flood Protection page provides the following traffic statistics:

The TCP Traffic Statistics table reports connection counts, floods in progress, blacklisted machines, and blacklisted packets:

Connections Opened – Incremented when a TCP connection initiator sends a SYN, or a TCP connection responder receives a SYN.
Connections Closed – Incremented when a TCP connection is closed when both the initiator and the responder have sent a FIN and received an ACK.
Connections Refused – Incremented when a RST is encountered and the responder is in a SYN_RCVD state.
Connections Aborted – Incremented when a RST is encountered and the responder is in some state other than SYN_RCVD.
Connection Handshake Errors – Incremented when the connection failed during handshake.
Connection Handshake Timeout – Incremented when the connection failed when the handshake timed out before connection could be established.
Total TCP Packets – Incremented with every processed TCP packet.
Validated Packets Passed – Incremented when a:
Malformed Packets Dropped – Incremented when the:
Invalid Flag Packets Dropped – Incremented when a:
Invalid Sequence Packets Dropped – Incremented when a packet within an established connection is received where the sequence number is:
Max Incomplete WAN Connections / sec – Incremented when an incomplete WAN TCP connection occurs.
Average Incomplete WAN Connections / sec – Calculated from Max Incomplete WAN Connections / sec; used to derive the Suggested value (computed from gathered statistics) for the SYN flood threshold.
SYN Floods In Progress – The number of individual forwarding devices that are currently exceeding the SYN Flood Attack Threshold; a SYN flood attack is detected when this count is non-zero.
RST Floods In Progress – The number of individual forwarding devices that are currently exceeding the RST Flood Attack Threshold; an RST flood attack is detected when this count is non-zero.
FIN Floods In Progress – The number of individual forwarding devices that are currently exceeding the FIN Flood Attack Threshold; a FIN flood attack is detected when this count is non-zero.
Total SYN, RST or FIN Floods Detected – Displays the total number of SYN, RST, and FIN floods detected.
TCP Connection SYN-Proxy State (WAN Only) – Indicates whether Always proxy WAN client connections is selected for SYN Flood Protection Mode: OFF (not selected) or ON (selected).
Current SYN-blacklisted Machines – Incremented when a SYN-blacklisted machine is detected.
Current RST-blacklisted Machines – Incremented when a RST-blacklisted machine is detected.
Current FIN-blacklisted Machines – Incremented when a FIN-blacklisted machine is detected.
Current SYN-blacklisting Events – Incremented each time a forwarding device exceeds the SYN blacklisting threshold and its traffic is rejected; the total number of such events.
Current RST-blacklisting Events – Incremented each time a forwarding device exceeds the RST blacklisting threshold and its traffic is rejected; the total number of such events.
Current FIN-blacklisting Events – Incremented each time a forwarding device exceeds the FIN blacklisting threshold and its traffic is rejected; the total number of such events.
Total SYN Blacklist Packets Rejected – Incremented when a SYN-blacklisted packet is detected and dropped because of SYN Blacklist detection.
Total RST Blacklist Packets Rejected – Incremented when a RST-blacklisted packet is detected and dropped because of RST Blacklist detection.
Total FIN Blacklist Packets Rejected – Incremented when a FIN-blacklisted packet is detected and dropped because of FIN Blacklist detection.
Invalid SYN Flood Cookies Received – Incremented when a packet is received with an invalid SYN Cookie (while SYN Flood protection is enabled).
WAN DDOS Filter State – Displays the state of the WAN DDOS Filter: Active or Inactive.
WAN DDOS Filter – Packets Rejected – Incremented when a packet is rejected when the WAN DDOS Filter is active.
WAN DDOS Filter – Packets Leaked – Incremented when a packet is leaked when the WAN DDOS Filter is active.
WAN DDOS Filter – Allow List Count – Incremented when a packet is allowed when the WAN DDOS Filter is active.

UDP Traffic Statistics

The UDP Traffic Statistics table provides these statistics:

Connections Opened – Incremented when a UDP connection initiator sends a SYN, or a UDP connection responder receives a SYN.
Connections Closed – Incremented when a UDP connection is closed when both the initiator and the responder have sent a FIN and received an ACK.
Total UDP Packets – Incremented with every processed UDP packet.
Validated Packets Passed – Incremented when a UDP packet passes checksum validation (while UDP checksum validation is enabled).
Malformed Packets Dropped – Incremented when the UDP:
UDP Floods In Progress – The number of individual forwarding devices that are currently exceeding the UDP Flood Attack Threshold.
Total UDP Floods Detected – The total number of events in which a forwarding device has exceeded the UDP Flood Attack Threshold.
Total UDP Flood Packets Rejected – The total number of packets dropped because of UDP Flood Attack detection.

The ICMP Traffic Statistics table provides these statistics:

Connections Opened – Incremented when an ICMP connection initiator sends a SYN, or an ICMP connection responder receives a SYN.
Connections Closed – Incremented when an ICMP connection is closed when both the initiator and the responder have sent a FIN and received an ACK.
Total ICMP Packets – Incremented with every processed ICMP packet.
Validated Packets Passed – Incremented when an ICMP packet passes checksum validation (while ICMP checksum validation is enabled).
Malformed Packets Dropped – Incremented when the ICMP:
ICMP Floods In Progress – The number of individual forwarding devices that are currently exceeding the ICMP Flood Attack Threshold.
Total ICMP Floods Detected – The total number of events in which a forwarding device has exceeded the ICMP Flood Attack Threshold.
Total ICMP Flood Packets Rejected – The total number of packets dropped because of ICMP Flood Attack detection.

 

