topic Re: Connection limit for particular access rule in General Topics

Connection limit for particular access rule

Mahipal_Singh — Thu, 20 Sep 2018 10:44:50 GMT

One of our Major Account customer (Stock Exchange) would like to configure the connection limit for specific source, Destination and Service. (the same way where Cisco ASA can set the connection limit for particular access-list)

Can we achieve this if yes, who can we do that?

Re: Connection limit for particular access rule

Danny — Thu, 20 Sep 2018 10:47:45 GMT

Use Check Point Qos and define your required limit.

Re: Connection limit for particular access rule

Mahipal_Singh — Thu, 20 Sep 2018 10:53:59 GMT

There is so many limitation if we use the QOS blade. Do was have any other way where we can set this or use any way to configure embryonic connection limit.

Re: Connection limit for particular access rule

Mahipal_Singh — Thu, 20 Sep 2018 11:13:31 GMT

Customer was using Cisco ASA and refreshed it with 5800-NGTP and now they want to the same function as per below below cisco link

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Configuring Connection Limits and Timeouts [Cisco ASA 550…

Without QOS who can we handle this. Also who we handle the embryonic connections and can we set the limit and timeout for those.

Re: Connection limit for particular access rule

Danny — Thu, 20 Sep 2018 11:26:55 GMT

Session Timeouts can be configured within service objects:

Re: Connection limit for particular access rule

Mahipal_Singh — Thu, 20 Sep 2018 11:58:01 GMT

Thanks Danny, but this will not helpful in this scenario,

Re: Connection limit for particular access rule

Vladimir — Thu, 20 Sep 2018 19:47:47 GMT

...and Danny Jung‌'s suggestion for regular session timeouts.

Re: Connection limit for particular access rule

Whatcha_McCallu — Thu, 20 Sep 2018 21:19:24 GMT

Maybe a rate limiting rule with fw samp?

sk112454

LIMIT1-NAME LIMIT1-VALUE LIMIT2-NAME LIMIT2-VALUE ...

Specifies quota limits and their values:

concurrent-conns - Maximum number of concurrent active connections that match this rule.
concurrent-conns-ratio - Maximum ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536.
pkt-rate - Maximum number of packets per second that match this rule.
pkt-rate-ratio - Maximum ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536.
byte-rate - Maximum total number of bytes per second in packets that match this rule.
byte-rate-ratio - Maximum ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536.
new-conn-rate - Maximum number of connections per second that match the rule.
new-conn-rate-ratio - Maximum ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536.

Multiple quota limits must be separated by spaces.

[Expert@HostName:0]# fw [-d] samp add [-S <SAM_Server>] [-t <Timeout>] {-a <d|r|n|b|q|i>} [-l <r|a>] [-n <name>] [-c <comment>] [-o <originator>] {ip <IP filter arguments>|quota <Quota filter arguments>}

untested

fw samp add -n 10_conns ip -s 192.168.0.0 -m 255.255.0.0 -d 10.1.1.1 -m 255.255.255.255 quota concurrent-conns 10

Re: Connection limit for particular access rule

Vladimir — Thu, 20 Sep 2018 21:42:27 GMT

Well, SAMP will create whole new set of rules that have to be correlated to the security policy.

It would be nice if in addition to the bandwidth limits already available for any rule, the limits for concurrent connections are introduced.

Re: Connection limit for particular access rule

Mahipal_Singh — Fri, 21 Sep 2018 06:00:16 GMT

Is there any roadmap to provide this configuration via smart Console in near future?

Re: Connection limit for particular access rule

Danny — Fri, 21 Sep 2018 06:13:40 GMT

I don't think so. The nearest roadmap is the one for R80.20 which doesn't list SAM policies.

Re: Connection limit for particular access rule

PhoneBoy — Fri, 21 Sep 2018 16:20:47 GMT

The options for doing this today are pretty well detailed in this thread.

If you're looking for a different way to do it, then it would have to be handled as an RFE through Solution Center.

Re: Connection limit for particular access rule

Ali_Korkmaz — Fri, 21 Sep 2018 20:06:43 GMT

Hello Mahipal Singh‌,

You can use samp rule as below for this your requirement.

example;

fw samp add -a d -l r quota service 17/123 source any destination any concurrent-conns 100000 flush true

Example of Rate Limiting HTTP Connections:
This rule limits connections on TCP port 80 to the server at 192.168.3.4. The limit is 20 new connections per
second, per client, and the rule times out after 1 hour (3600 seconds):
fw samp add -a d -l r -t 3600 quota service 6/80 destination cidr:192.168.3.4/32 new-conn-rate 20 track source flush true

If a majority of the DoS traffic is coming from a specific region, add the source option to the rule. For
example, this rule applies only to hosts from Botland, with country code QQ (an imaginary country):
fw samp add -a d -l r -t 3600 quota service 6/80 source cc:QQ destination cidr:192.168.3.4/32 new-conn-rate 20 track source flush true

Example of a rule with ASN:
This rule drops all packets (-a d) with the source IP address in the IPv4 address block
(cidr:192.0.2.0/24), from the autonomous system number 64500 (asn:AS64500😞
fw samp -a d quota source asn:AS64500,cidr:192.0.2.0/24 service any pkt-rate 0
flush true

Good Luck,

Ali