Employee+

Connection limit for particular access rule

One of our major account customers (a stock exchange) would like to configure a connection limit for a specific source, destination and service (the same way Cisco ASA can set a connection limit for a particular access-list).

Can we achieve this? If yes, how can we do that?

12 Replies
Danny
Pearl

Re: Connection limit for particular access rule

Use Check Point QoS and define your required limit.

Employee+

Re: Connection limit for particular access rule

There are many limitations if we use the QoS blade. Do we have any other way to set this, or any way to configure an embryonic connection limit?

Employee+

Re: Connection limit for particular access rule

The customer was using Cisco ASA and refreshed it with a 5800 NGTP, and now they want the same function as in the Cisco link below:

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Configuring Connection Limits and Tim... 

Without QoS, how can we handle this? Also, how do we handle embryonic connections, and can we set the limit and timeout for those?

Danny
Pearl

Re: Connection limit for particular access rule

Session Timeouts can be configured within service objects:

Employee+

Re: Connection limit for particular access rule

Thanks Danny, but this will not be helpful in this scenario.

Vladimir
Pearl

Re: Connection limit for particular access rule

...and Danny Jung's suggestion for regular session timeouts.


Re: Connection limit for particular access rule

Maybe a rate limiting rule with fw samp?

sk112454

LIMIT1-NAME LIMIT1-VALUE LIMIT2-NAME LIMIT2-VALUE ...

Specifies quota limits and their values:

  • concurrent-conns - Maximum number of concurrent active connections that match this rule.
  • concurrent-conns-ratio - Maximum ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536.
  • pkt-rate - Maximum number of packets per second that match this rule.
  • pkt-rate-ratio - Maximum ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536.
  • byte-rate - Maximum total number of bytes per second in packets that match this rule.
  • byte-rate-ratio - Maximum ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536.
  • new-conn-rate - Maximum number of connections per second that match the rule.
  • new-conn-rate-ratio - Maximum ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536.
Multiple quota limits must be separated by spaces.

[Expert@HostName:0]# fw [-d] samp add [-S <SAM_Server>] [-t <Timeout>] {-a <d|r|n|b|q|i>} [-l <r|a>] [-n <name>] [-c <comment>] [-o <originator>] {ip <IP filter arguments>|quota <Quota filter arguments>}

untested

# drop (-a d) and log (-l r) further connections from 192.168.0.0/16 to 10.1.1.1 once 10 are concurrently open
fw samp add -a d -l r -n 10_conns quota service any source cidr:192.168.0.0/16 destination cidr:10.1.1.1/32 concurrent-conns 10 flush true

Vladimir
Pearl

Re: Connection limit for particular access rule

Well, SAMP will create a whole new set of rules that have to be correlated to the security policy.

It would be nice if, in addition to the bandwidth limits already available for any rule, limits for concurrent connections were introduced.

Employee+

Re: Connection limit for particular access rule

Is there any roadmap to provide this configuration via SmartConsole in the near future?

Danny
Pearl

Re: Connection limit for particular access rule

I don't think so. The nearest roadmap is the one for R80.20 which doesn't list SAM policies.

Admin

Re: Connection limit for particular access rule

The options for doing this today are pretty well detailed in this thread.

If you're looking for a different way to do it, then it would have to be handled as an RFE through Solution Center.

Ali_Korkmaz
Nickel

Re: Connection limit for particular access rule

Hello Mahipal Singh,

You can use a SAMP rule as below for your requirement.

Example:

fw samp add -a d -l r quota service 17/123 source any destination any concurrent-conns 100000 flush true

Example of Rate Limiting HTTP Connections:
This rule limits connections on TCP port 80 to the server at 192.168.3.4. The limit is 20 new connections per second, per client, and the rule times out after 1 hour (3600 seconds):
fw samp add -a d -l r -t 3600 quota service 6/80 destination cidr:192.168.3.4/32 new-conn-rate 20 track source flush true

If a majority of the DoS traffic is coming from a specific region, add the source option to the rule. For
example, this rule applies only to hosts from Botland, with country code QQ (an imaginary country):
fw samp add -a d -l r -t 3600 quota service 6/80 source cc:QQ destination cidr:192.168.3.4/32 new-conn-rate 20 track source flush true

Example of a rule with ASN:
This rule drops all packets (-a d) with the source IP address in the IPv4 address block (cidr:192.0.2.0/24), from the autonomous system number 64500 (asn:AS64500):
fw samp add -a d quota source asn:AS64500,cidr:192.0.2.0/24 service any pkt-rate 0 flush true

Good Luck,

Ali
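The SAMP quota form quoted in the sk112454 excerpt above and in Ali's examples is what the original poster's per-rule limit (source, destination, service) maps onto. The following is an added example, not code from this thread or from Check Point: a small POSIX shell script that composes `fw samp add ... quota ...` commands from a constructed table, so each line of the table becomes one rate-limiting rule with the flags the replies use (-a d, -l r, optional -t, flush true) and the -n name option from the syntax line quoted above. The rule names, networks and ports are invented placeholders; the script only prints the commands, so it can be reviewed before anything is applied on the gateway.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): turn a table of
# per-rule connection limits into 'fw samp add ... quota ...' commands in the
# form quoted on this page (sk112454). It prints the commands; run the output
# in expert mode on the gateway. All network values here are constructed.

# Emit one side of the quota address filter. The page's examples use
# 'source any' / 'destination any' or 'cidr:<prefix>'.
addr_filter() {
  # $1 = keyword (source|destination), $2 = 'any' or an IPv4 CIDR
  if [ "$2" = "any" ]; then
    printf '%s any' "$1"
  else
    printf '%s cidr:%s' "$1" "$2"
  fi
}

# build_quota_rule NAME SRC DST PROTO/PORT LIMIT-NAME LIMIT-VALUE [TIMEOUT-SECONDS]
# Prints one complete command line. -a d drops traffic beyond the quota,
# -l r writes a regular log entry, -t (only when given) expires the rule,
# and 'flush true' also removes already-established matching connections.
build_quota_rule() {
  _cmd="fw samp add -a d -l r"
  [ -n "${7:-}" ] && _cmd="$_cmd -t $7"
  _cmd="$_cmd -n $1 quota service $4 $(addr_filter source "$2") $(addr_filter destination "$3") $5 $6 flush true"
  printf '%s\n' "$_cmd"
}

# Constructed example table: name|source|destination|proto/port|limit|value|timeout
# A concurrent-connection cap and a new-connection rate for one market-data
# server (TCP/443), plus a global cap on NTP state like the reply above.
RULES='feed_conns|192.0.2.0/24|198.51.100.10/32|6/443|concurrent-conns|500|
feed_rate|192.0.2.0/24|198.51.100.10/32|6/443|new-conn-rate|50|3600
ntp_conns|any|any|17/123|concurrent-conns|100000|'

# Print one 'fw samp add' command per table line (blank lines are skipped).
render_rules() {
  printf '%s\n' "$RULES" | while IFS='|' read -r n s d svc lim val to; do
    [ -n "$n" ] || continue
    build_quota_rule "$n" "$s" "$d" "$svc" "$lim" "$val" "$to"
  done
}

render_rules
```

Run it on the gateway as `sh limits.sh` to review the commands, then `sh limits.sh | sh` to apply them. The limits are aggregate per rule, which is what the original question asked for; appending `track source` to a generated line, as in the HTTP example above, makes the same limit count per client instead.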