Use SmartDefense SYN Gateway for TCP packet out of state

We're seeing thousands of "TCP packet out of state" errors in the firewalls (Nokia IP710, IPSO 3.9 b45, ChkPt R60 HFA02). This is nothing new, but within the last month we've installed new proxy servers which are crashing left and right, running out of buffers.

The "TCP packet out of state" errors might be totally unrelated, but because the vast majority of these errors are occurring for proxy traffic, someone asked if perhaps the firewall is having problems keeping up with the traffic to/from this new proxy, resulting in the 'out of state' errors and subsequently, the buffer overloads on the proxy. Or, alternatively, the 'out of state' errors always occurred, but the new proxy server can't handle this traffic like the old proxy.

In either case, I've been asked if SYNdefender can be used to deal with the 'out of state' errors so that the traffic to/from the proxy is handled more cleanly. We currently have "Override modules' SYNDefender configuration" checked, but nothing else. Would SYN Gateway or Passive SYN Gateway help us, and if so, which one is the better choice?

I'd really appreciate feedback on this thread. The more, the better. I tried turning flows off on the Nokia, and it made no difference. I'll be trying the "cphaconf set_ccp broadcast" next Sunday to see if that helps. I'm also researching the effect of "Synchronize connections on cluster" option in various services.

I would be extremely grateful for any info. Thank you!