Mahipal_Singh
Employee

Connection limit for particular access rule

One of our major account customers (a stock exchange) would like to configure the connection limit for a specific source, destination and service (the same way Cisco ASA can set the connection limit for a particular access-list).

Can we achieve this? If yes, how can we do that?

12 Replies
Danny
Champion

Use Check Point QoS and define your required limit.

Mahipal_Singh
Employee

There are so many limitations if we use the QoS blade. Do we have any other way to set this, or any way to configure an embryonic connection limit?

Mahipal_Singh
Employee

The customer was using a Cisco ASA and refreshed it with a 5800 NGTP, and now they want the same function as per the Cisco link below:

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Configuring Connection Limits and Tim... 

Without QoS, how can we handle this? Also, how do we handle embryonic connections, and can we set the limit and timeout for those?

Danny
Champion

Session timeouts can be configured within service objects:

Mahipal_Singh
Employee

Thanks Danny, but this will not be helpful in this scenario.

Vladimir
Champion

...and Danny Jung's suggestion for regular session timeouts.

Whatcha_McCallu
Employee

Maybe a rate-limiting rule with fw samp?

sk112454

LIMIT1-NAME LIMIT1-VALUE LIMIT2-NAME LIMIT2-VALUE ...

Specifies quota limits and their values:

  • concurrent-conns - Maximum number of concurrent active connections that match this rule.
  • concurrent-conns-ratio - Maximum ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536.
  • pkt-rate - Maximum number of packets per second that match this rule.
  • pkt-rate-ratio - Maximum ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536.
  • byte-rate - Maximum total number of bytes per second in packets that match this rule.
  • byte-rate-ratio - Maximum ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536.
  • new-conn-rate - Maximum number of connections per second that match the rule.
  • new-conn-rate-ratio - Maximum ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536.
Multiple quota limits must be separated by spaces.

[Expert@HostName:0]# fw [-d] samp add [-S <SAM_Server>] [-t <Timeout>] {-a <d|r|n|b|q|i>} [-l <r|a>] [-n <name>] [-c <comment>] [-o <originator>] {ip <IP filter arguments>|quota <Quota filter arguments>}

untested

fw samp add -a d -l r -n 10_conns quota source cidr:192.168.0.0/16 destination cidr:10.1.1.1/32 service any concurrent-conns 10 flush true

Vladimir
Champion

Well, SAMP will create a whole new set of rules that have to be correlated with the security policy.

It would be nice if, in addition to the bandwidth limits already available for any rule, limits for concurrent connections were introduced.

Mahipal_Singh
Employee

Is there any roadmap to provide this configuration via SmartConsole in the near future?

Danny
Champion

I don't think so. The nearest roadmap is the one for R80.20 which doesn't list SAM policies.

PhoneBoy
Admin

The options for doing this today are pretty well detailed in this thread.

If you're looking for a different way to do it, then it would have to be handled as an RFE through Solution Center.

Ali_Korkmaz
Contributor

Hello Mahipal Singh,

You can use a SAMP rule as below for your requirement.

Example:

fw samp add -a d -l r quota service 17/123 source any destination any concurrent-conns 100000 flush true

Example of rate limiting HTTP connections:
This rule limits connections on TCP port 80 to the server at 192.168.3.4. The limit is 20 new connections per second, per client, and the rule times out after 1 hour (3600 seconds):
fw samp add -a d -l r -t 3600 quota service 6/80 destination cidr:192.168.3.4/32 new-conn-rate 20 track source flush true

If a majority of the DoS traffic is coming from a specific region, add the source option to the rule. For example, this rule applies only to hosts from Botland, with country code QQ (an imaginary country):
fw samp add -a d -l r -t 3600 quota service 6/80 source cc:QQ destination cidr:192.168.3.4/32 new-conn-rate 20 track source flush true

Example of a rule with ASN:
This rule drops all packets (-a d) with the source IP address in the IPv4 address block (cidr:192.0.2.0/24), from the autonomous system number 64500 (asn:AS64500):
fw samp add -a d quota source asn:AS64500,cidr:192.0.2.0/24 service any pkt-rate 0 flush true

Good Luck,

Ali
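The following is an added example, not code from the original thread, from sk112454 or from Check Point. It wraps the two quota limits the thread's examples use (concurrent-conns for an ASA-style per-rule connection cap, and new-conn-rate with "track source" for a per-client rate limit) in small shell helpers so that a source, destination and service can be turned into the exact fw samp rule without hand-editing the command each time. The helper names, the DRY_RUN switch, the rule names and the 10.0.0.0/8 / 10.1.1.1 addresses are this example's own constructed values; the fw samp syntax and the quota limit names are the ones quoted from sk112454 earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Check Point.
# Builds `fw samp add ... quota ...` rules in the syntax quoted from sk112454
# above (concurrent-conns, new-conn-rate, "track source", "flush true").
# Assumed/constructed: the helper names, the DRY_RUN switch, the rule names
# and the sample addresses below are this example's own.
# On a gateway, run as Expert with DRY_RUN=0 to install the rules; by
# default the commands are only printed, so the script runs anywhere.

DRY_RUN=${DRY_RUN:-1}

# "any", a.b.c.d/nn or a bare host -> the any/cidr: form the quota filter takes.
samp_addr() {
    case "$1" in
        any) printf 'any' ;;
        */*) printf 'cidr:%s' "$1" ;;
        *)   printf 'cidr:%s/32' "$1" ;;
    esac
}

# tcp/80, udp/123, 6/443 or any -> <protocol-number>/<port> (or any).
samp_service() {
    case "$1" in
        any)      printf 'any' ;;
        tcp/*)    printf '6/%s' "${1#tcp/}" ;;
        udp/*)    printf '17/%s' "${1#udp/}" ;;
        [0-9]*/*) printf '%s' "$1" ;;
        *)        return 1 ;;
    esac
}

# Execute the assembled command, or print it when DRY_RUN is not 0.
run_or_print() {
    if [ "$DRY_RUN" = 0 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# samp_conn_limit NAME SRC DST SERVICE MAX_CONNS [TIMEOUT_SECONDS]
# Cap the number of open connections matching src/dst/service; connections
# above the cap are dropped (-a d) and logged (-l r). "flush true" also
# clears matching connections that already exist in the connections table.
samp_conn_limit() {
    name=$1; src=$(samp_addr "$2"); dst=$(samp_addr "$3")
    svc=$(samp_service "$4") || { echo "bad service: $4" >&2; return 1; }
    max=$5; timeout=${6:-}
    set -- fw samp add -a d -l r
    [ -n "$timeout" ] && set -- "$@" -t "$timeout"
    run_or_print "$@" -n "$name" quota source "$src" destination "$dst" \
        service "$svc" concurrent-conns "$max" flush true
}

# samp_new_conn_rate NAME SRC DST SERVICE CONNS_PER_SEC [TIMEOUT_SECONDS]
# Per-client limit on new connections per second: "track source" keeps a
# separate counter for each source IP, as in the HTTP example above.
samp_new_conn_rate() {
    name=$1; src=$(samp_addr "$2"); dst=$(samp_addr "$3")
    svc=$(samp_service "$4") || { echo "bad service: $4" >&2; return 1; }
    rate=$5; timeout=${6:-}
    set -- fw samp add -a d -l r
    [ -n "$timeout" ] && set -- "$@" -t "$timeout"
    run_or_print "$@" -n "$name" quota source "$src" destination "$dst" \
        service "$svc" new-conn-rate "$rate" track source flush true
}

# Constructed scenario: clients in 10.0.0.0/8 talking to a trading front
# end at 10.1.1.1 on tcp/443: at most 500 open connections in total, and
# no single client may open more than 50 new connections per second
# (the second rule expires after one hour).
samp_conn_limit    fe_max_conns 10.0.0.0/8 10.1.1.1 tcp/443 500
samp_new_conn_rate fe_conn_rate any        10.1.1.1 tcp/443 50 3600
```

Run it with DRY_RUN=0 on the gateway to install the rules; `fw samp get` then lists them with their UIDs and `fw samp del <uid>` removes one. As Vladimir notes above, these rules live outside the SmartConsole policy, so keep the rule names (-n) descriptive enough that they can be matched back to the access rule they are meant to constrain.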