| Option | Description | Range | Default | Notes |
|---|---|---|---|---|
| TCP Half Open Connection Limit | TCP SYN flood attacks are prevented by limiting the number of active, not-fully-established TCP flows that the firewall allows. | 1-1,000,000 | Firewall: None. Edge Gateway: 1,000,000 | Set this text box to limit the number of active TCP half-open connections. If the text box is empty, the limit is disabled on ESX nodes and set to the default value on Edge Gateways. |
| UDP Active Flow Limit | UDP flood attacks are prevented by limiting the number of active UDP flows that the firewall allows. Once the configured UDP flow limit is reached, subsequent UDP packets that would establish a new flow are dropped. | 1-1,000,000 | Firewall: None. Edge Gateway: 1,000,000 | Set this text box to limit the number of active UDP connections. If the text box is empty, the limit is disabled on ESX nodes and set to the default value on Edge Gateways. |
| ICMP Active Flow Limit | ICMP flood attacks are prevented by limiting the number of active ICMP flows that the firewall allows. Once the configured flow limit is reached, subsequent ICMP packets that would establish a new flow are dropped. | 1-1,000,000 | Firewall: None. Edge Gateway: 10,000 | Set this text box to limit the number of active ICMP connections. If the text box is empty, the limit is disabled on ESX nodes and set to the default value on Edge Gateways. |
| Other Active Connection Limit | | 1-1,000,000 | Firewall: None. Edge Gateway: 10,000 | Set this text box to limit the number of active connections other than ICMP, TCP, and UDP half-open connections. If the text box is empty, the limit is disabled on ESX nodes and set to the default value on Edge Gateways. |
| SYN Cache | The SYN cache is used when a TCP half-open connection limit has also been configured. The number of active half-open connections is enforced by maintaining a syncache of the not-fully-established TCP sessions. This cache holds the flow entries that are in the SYN_SENT and SYN_RECEIVED states. Each syncache entry is promoted to a full TCP state entry after an ACK is received from the initiator, completing the three-way handshake. | | Only available for firewall profiles. | Toggle on and off. Enabling SYN Cache is effective only when a TCP half-open connection limit is configured. |
| RST Spoofing | Generates a spoofed RST to the server when purging half-open states from the SYN cache. This allows the server to clean up the states associated with a SYN flood (half-open connections). | | Only available for firewall profiles. | Toggle on and off. SYN Cache must be selected for this option to be available. |
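The following Python model illustrates how the SYN Cache, the TCP half-open connection limit and RST Spoofing interact, as described in the table. It is an added, constructed example, not NSX code: it tracks half-open entries in the SYN_SENT and SYN_RECEIVED states, drops a SYN that would open a new flow once the limit is reached, promotes an entry to full TCP state when the initiator's ACK arrives, and records a spoofed RST towards the server when a stale half-open entry is purged. The addresses, the `SynCache` class and the `simulate_flood` scenario are all assumptions made for the illustration; a `half_open_limit` of `None` stands in for the empty text box on an ESX node.

```python
"""Toy model of a firewall SYN cache enforcing a TCP half-open connection limit.

Constructed illustration, not NSX code. The limit, the SYN_SENT -> SYN_RECEIVED
promotion and the optional spoofed RST on purge follow the behaviour described
in the flood protection profile table above.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str]  # (client address, server address)


@dataclass
class SynCache:
    # None mirrors an empty text box on an ESX node: no limit is enforced.
    half_open_limit: Optional[int] = None
    rst_spoofing: bool = False
    # Half-open entries: flow -> "SYN_SENT" or "SYN_RECEIVED".
    entries: Dict[FlowKey, str] = field(default_factory=dict)
    established: List[FlowKey] = field(default_factory=list)
    spoofed_rsts: List[FlowKey] = field(default_factory=list)
    dropped_syns: int = 0

    def handle(self, src: str, dst: str, flags: str) -> str:
        """Process one TCP segment and return the resulting verdict or state."""
        if flags == "SYN":
            key = (src, dst)
            if key in self.entries or key in self.established:
                return "RETRANSMIT"  # already tracked; nothing new to admit
            if self.half_open_limit is not None and len(self.entries) >= self.half_open_limit:
                self.dropped_syns += 1
                return "DROP"  # limit reached: a SYN that would open a new flow is dropped
            self.entries[key] = "SYN_SENT"
            return "SYN_SENT"
        if flags == "SYN-ACK":
            key = (dst, src)  # the server replies, so the flow key is reversed
            if self.entries.get(key) == "SYN_SENT":
                self.entries[key] = "SYN_RECEIVED"
                return "SYN_RECEIVED"
            return "UNTRACKED"
        if flags == "ACK":
            key = (src, dst)
            if self.entries.get(key) == "SYN_RECEIVED":
                del self.entries[key]  # handshake complete: promote to full TCP state
                self.established.append(key)
                return "ESTABLISHED"
            return "UNTRACKED"
        return "IGNORED"

    def purge(self, key: FlowKey) -> None:
        """Drop a stale half-open entry; optionally send the server a spoofed RST."""
        if self.entries.pop(key, None) is None:
            return
        if self.rst_spoofing:
            # The spoofed RST lets the server discard its own half-open state.
            self.spoofed_rsts.append(key)


def simulate_flood(limit: Optional[int], rst_spoofing: bool) -> dict:
    """Constructed scenario: five clients send SYNs, one completes the handshake,
    the remaining half-open entries time out and are purged."""
    cache = SynCache(half_open_limit=limit, rst_spoofing=rst_spoofing)
    server = "10.0.0.10"  # constructed address
    verdicts = [cache.handle(f"198.51.100.{i}", server, "SYN") for i in range(1, 6)]
    # One legitimate client completes the handshake and is promoted.
    cache.handle(server, "198.51.100.1", "SYN-ACK")
    cache.handle("198.51.100.1", server, "ACK")
    # The other admitted entries never complete and are purged on timeout.
    for key in list(cache.entries):
        cache.purge(key)
    # With the cache drained, a new SYN is admitted again.
    after_purge = cache.handle("198.51.100.9", server, "SYN")
    return {
        "syn_verdicts": verdicts,
        "established": len(cache.established),
        "dropped_syns": cache.dropped_syns,
        "spoofed_rsts": len(cache.spoofed_rsts),
        "after_purge": after_purge,
    }


if __name__ == "__main__":
    print(simulate_flood(limit=3, rst_spoofing=True))
    print(simulate_flood(limit=None, rst_spoofing=False))
```

Running `simulate_flood(3, True)` admits the first three SYNs, drops the fourth and fifth, promotes client 1 after its ACK, and emits two spoofed RSTs when the two stale entries are purged; with `limit=None` every SYN is admitted and nothing is dropped, which is the ESX-node behaviour when the text box is left empty.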