This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mahipal_Singh
Employee
Employee
‎2018-09-20 03:44 AM

Connection limit for particular access rule

One of our Major Account customer (Stock Exchange) would like to configure the connection limit for specific source, Destination and Service. (the same way where Cisco ASA can set the connection limit for particular access-list) 

Can we achieve this if yes, who can we do that?

0 Kudos
12 Replies
Danny
Champion
Champion
‎2018-09-20 03:47 AM

Use Check Point Qos and define your required limit.

0 Kudos
Mahipal_Singh
Employee
Employee
‎2018-09-20 03:53 AM
In response to Danny

There is so many limitation if we use the QOS blade. Do was have any other way where we can set this or use any way to configure embryonic connection limit.

0 Kudos
Mahipal_Singh
Employee
Employee
‎2018-09-20 04:13 AM

Customer was using Cisco ASA and refreshed it with 5800-NGTP and now they want to the same function as per below below cisco link

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Configuring Connection Limits and Tim... 

Without  QOS who can we handle this. Also who we handle the embryonic connections and can we set the limit and timeout for those.

0 Kudos
Danny
Champion
Champion
‎2018-09-20 04:26 AM
In response to Mahipal_Singh

Session Timeouts can be configured within service objects:

0 Kudos
Mahipal_Singh
Employee
Employee
‎2018-09-20 04:58 AM
In response to Danny

Thanks Danny, but this will not helpful in this scenario,  

0 Kudos
Vladimir
Champion
Champion
‎2018-09-20 12:47 PM

...and Danny Jung‌'s suggestion for regular session timeouts.

0 Kudos
Whatcha_McCallu
Employee
Employee
‎2018-09-20 02:19 PM

Maybe a rate limiting rule with fw samp?

sk112454

LIMIT1-NAME LIMIT1-VALUE LIMIT2-NAME LIMIT2-VALUE ...

Specifies quota limits and their values:

  • concurrent-conns - Maximum number of concurrent active connections that match this rule.
  • concurrent-conns-ratio - Maximum ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536.
  • pkt-rate - Maximum number of packets per second that match this rule.
  • pkt-rate-ratio - Maximum ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536.
  • byte-rate - Maximum total number of bytes per second in packets that match this rule.
  • byte-rate-ratio - Maximum ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536.
  • new-conn-rate - Maximum number of connections per second that match the rule.
  • new-conn-rate-ratio - Maximum ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536.
Multiple quota limits must be separated by spaces.

[Expert@HostName:0]# fw [-d] samp add [-S <SAM_Server>] [-t <Timeout>] {-a <d|r|n|b|q|i>} [-l <r|a>] [-n <name>] [-c <comment>] [-o <originator>] {ip <IP filter arguments>|quota <Quota filter arguments>}

untested

fw samp add -n 10_conns ip -s 192.168.0.0 -m 255.255.0.0 -d 10.1.1.1 -m 255.255.255.255 quota concurrent-conns 10

Vladimir
Champion
Champion
‎2018-09-20 02:42 PM

Well, SAMP will create whole new set of rules that have to be correlated to the security policy.

It would be nice if in addition to the bandwidth limits already available for any rule, the limits for concurrent connections are introduced. 

0 Kudos
Mahipal_Singh
Employee
Employee
‎2018-09-20 11:00 PM

Is there any roadmap to provide this configuration via smart Console in near future?

0 Kudos
Danny
Champion
Champion
‎2018-09-20 11:13 PM
In response to Mahipal_Singh

I don't think so. The nearest roadmap is the one for R80.20 which doesn't list SAM policies.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-09-21 09:20 AM

The options for doing this today are pretty well detailed in this thread.

If you're looking for a different way to do it, then it would have to be handled as an RFE through Solution Center.

0 Kudos
Ali_Korkmaz
Contributor
‎2018-09-21 01:06 PM

Hello Mahipal Singh‌,

You can use samp rule as below for this your requirement.

example;

fw samp add -a d -l r quota service 17/123 source any destination any concurrent-conns 100000 flush true

Example of Rate Limiting HTTP Connections:
This rule limits connections on TCP port 80 to the server at 192.168.3.4. The limit is 20 new connections per
second, per client, and the rule times out after 1 hour (3600 seconds):
fw samp add -a d -l r -t 3600 quota service 6/80 destination cidr:192.168.3.4/32 new-conn-rate 20 track source flush true

If a majority of the DoS traffic is coming from a specific region, add the source option to the rule. For
example, this rule applies only to hosts from Botland, with country code QQ (an imaginary country):
fw samp add -a d -l r -t 3600 quota service 6/80 source cc:QQ destination cidr:192.168.3.4/32 new-conn-rate 20 track source flush true

Example of a rule with ASN:
This rule drops all packets (-a d) with the source IP address in the IPv4 address block
(cidr:192.0.2.0/24), from the autonomous system number 64500 (asn:AS64500😞
fw samp -a d quota source asn:AS64500,cidr:192.0.2.0/24 service any pkt-rate 0
flush true

Good Luck,

Ali

Labels