The policy flow limit, designed to limit SYN flood attacks, controls the rate of flows per host. Flows exceeding the rate are blocked from passing through the unit.
The limits are set to default values of 10,000 flows per minute on client hosts and 100,000 flows per minute on servers.
On a proxy server, it is possible that the default limit for client at 10,000 flows would be exceeded since each connection is initiated by the proxy server. PacketWise sees this as a DoS attack and will limit the flows from the client.
There are two ways to change the default flowlimit setting. (Note: This solution assumes the topology is Proxy--in--PacketShaper--out--WAN)
Increase the number of client flows per minute. In the CLI, use this command:
policy flowlimit none|
For example, if you want to increase the client limit to 20,000:
policy flowlimit outbound/default 20000 100000
Remove the policy flowlimit.
policy flowlimit outbound/default none
For more information on the policy flowlimit command, see PacketGuide.