the_rock
Legend
Limiting number of connections per user/IP address during specific timeframe

Hey guys,

I really hope someone can confirm for me if something like this is even possible with a Check Point firewall, because so far, what I had tested in the lab and found in guides/support site, sadly does not suffice.

Customer would want to do something like this -> say they wish to ONLY allow 100 connections per hour to a specific user / IP address to connect to whatever internally.

Something like below with Fortinet:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Limit-connections-to-a-specific-destinatio...


They did open TAC case for this and engineer responded and gave all of below, but none of these options would actually let them configure it in a way they want.

Thoughts?

Tx as always.

TAC response:

Rate Limiting Rules
Network Quota
Penalty Box
DoS-All Signature Profile
Connection Limits on HTTP/S
Here is an example of how to configure Network Quota in SmartConsole:

Go to Manage & Settings.
Click on Blades.
In the General section, click on Inspection Settings.
In the left tree, click on General.
Search for Network Quota.
Right-click on Network Quota and click on Edit.
Select the relevant IPS profile and click on the Edit (pencil) button.
In the left tree, click on General Properties and select Override with Action - select Drop.
In the left tree, click on Advanced - set the desired timeout and add the specific host/application object.
Click OK to close the "Network Quota" properties window.
Click on the Close button to close the "Network Quota" properties window with IPS profiles.
Close the "Inspection Settings" window.

1 Solution

Accepted Solution
PhoneBoy
Admin

That would make the request an RFE. 🙂

14 Replies
PhoneBoy
Admin

I don't see where the Fortinet does the "per hour" bit based on the screenshots in that community post.
Rate limiting rules (using quota) is probably the way to go here, depending on their exact requirements: https://support.checkpoint.com/results/sk/sk112454

the_rock
Legend

Thanks as always @PhoneBoy . I included a video of it; it's not in the post, you are correct, but below is how you would do it. Yes, that link was also sent by TAC, but that's sadly not what the customer wants to do; they would ONLY want to do this via the rule, that's it.

Andy

PhoneBoy
Admin

So they want to create a connection limit that applies only to a specific Access Policy rule?
We do have "limit" objects, but they only restrict bandwidth usage, not number of concurrent connections.

the_rock
Legend

That's right. We did see that option last week, but as you said, it's only bandwidth, not number of connections.

PhoneBoy
Admin

That would make the request an RFE. 🙂

the_rock
Legend

K, fair enough. That's all I wanted to confirm... THANK YOU! 🙂

Andy

PhoneBoy
Admin

For fun, I asked @CheckMatesAI the question.
Except I fed it the wrong message ID and got:

You're welcome, Andy! If you have any more questions or need further assistance regarding limiting connections per user/IP address or any other Check Point features, feel free to ask. Have a great day! 😊

When I fed it the correct message ID, I got a recommendation to use Network Quota, similar to what TAC told you.

the_rock
Legend

I know haha, I asked the same question to Copilot AI last week and it's exactly the answer I got 🙂

Andy

the_rock
Legend

Just asked again and it's more or less the same 🙂

Andy

Answer:

Yes, you can limit the number of connections per user or IP address in Check Point Quantum Management. This can be achieved using the IPS 'Network Quota' protection feature, which allows you to set a limit on the number of connections from a specific IP address. Here's how you can configure it:

  1. Access SmartConsole:

    • Navigate to the "MANAGE & SETTINGS" app.
    • Click on "Blades" and then "Inspection Settings".

  2. Configure Network Quota:

    • In the left tree, click on "General".
    • Search for "Network Quota" and right-click to edit.
    • Select the relevant IPS profile and click on the Edit (pencil) button.
    • In "General Properties", select "Override with Action" and choose "Drop".
    • In "Advanced", set the desired timeout and add specific host/application objects as exceptions if needed.

  3. Install Policy:

    • After configuring, install the Network Security policy on the Security Gateway.

This setup will block new connections from a source IP address once the configured limit is exceeded. Be cautious to avoid blocking legitimate IP addresses. For more detailed instructions, you can refer to the Check Point documentation.

If you need further assistance or have specific requirements, feel free to ask!

Timothy_Hall
Legend

Sigh, the IPS Network Quota signature should NEVER be activated unless you want all traffic to go slowpath through the gateway and also have zero Accept templates.  Other than that it is just dandy.

The right way to limit the number of connections by IP (example: src 192.168.1.1 for 5000 concurrent connections) without completely killing SecureXL is to use the fwaccel dos rate command like this:

fwaccel dos rate add source cidr:192.168.1.1/32 concurrent-conns 5000

fwaccel dos config set --enable-rate-limit  (assuming it is not already enabled)

fwaccel dos config set --enable-internal  (only needed if 192.168.1.1 is located on a non-External interface, otherwise rate limit will only be enforced on external hosts)

I don't think you can set these limits to only apply during a certain time of day, but it would be possible to script something that runs out of cron and adds the rule during the timeframe it is needed, then removes it once that timeframe ends.  Another way to accomplish that would be to add the rule with a timeout using the -t <Timeout in seconds> option for the rule.  So if you wanted this rule in effect from 8am to 5pm every day, you could invoke a script in cron that runs at 8am, installs the rule and sets it to automatically timeout at 5pm (32400 seconds later) like this:

fwaccel dos rate add -t 32400 source cidr:192.168.1.2/32 concurrent-conns 5000

There is no way to directly set a concurrent connection limit for a certain Access Control rule, at least that I'm aware of.  You could configure the source/dest/service in a dos rate rule to precisely match an Access Control rule you want to do this for, which would mimic that effect.

Guess I don't need to worry about copilot publishing the fourth edition of the Max Power book all by itself anytime soon...

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend
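The cron-driven approach Timothy_Hall describes (install the dos rate rule at the start of the window with -t so the gateway expires it at the end), as an added example script that is not from this thread or from Check Point. It assumes the fwaccel dos rate syntax exactly as quoted above and lets FWACCEL be overridden (e.g. FWACCEL=echo) for an off-box dry run:

```shell
#!/bin/bash
# Added example (not from the thread): installs a per-source concurrent-connection
# limit at the start of a daily window; the gateway removes it after the timeout.
# Assumption: "fwaccel dos rate add -t <secs> source cidr:<net> concurrent-conns <n>"
# and "fwaccel dos config set --enable-rate-limit" work as quoted in the thread.
set -u
FWACCEL="${FWACCEL:-fwaccel}"   # override with FWACCEL=echo to dry-run

# hhmm_to_secs HH:MM -> seconds since midnight (leading zero tolerated)
hhmm_to_secs() {
    h="${1%%:*}"; m="${1##*:}"
    h="${h#0}"; m="${m#0}"
    echo $(( h * 3600 + m * 60 ))
}

# window_timeout START END -> seconds from START to END; wraps past midnight.
# 08:00 17:00 -> 32400, the value used in the thread's example.
window_timeout() {
    s=$(hhmm_to_secs "$1"); e=$(hhmm_to_secs "$2")
    if [ "$e" -le "$s" ]; then e=$(( e + 86400 )); fi
    echo $(( e - s ))
}

# install_window_rule SRC_CIDR LIMIT START END
# cron entry for the thread's 8am-5pm case:
#   0 8 * * * /path/limit.sh 192.168.1.2/32 5000 08:00 17:00
install_window_rule() {
    src="$1"; limit="$2"
    timeout=$(window_timeout "$3" "$4")
    # Enabling rate limiting is harmless if it is already on.
    "$FWACCEL" dos config set --enable-rate-limit
    # Uncomment if the source sits behind a non-External interface:
    # "$FWACCEL" dos config set --enable-internal
    "$FWACCEL" dos rate add -t "$timeout" source "cidr:$src" concurrent-conns "$limit"
}

if [ -n "${1:-}" ]; then
    install_window_rule "$@"
fi
```

Check the installed rule afterwards with fwaccel dos rate get, and remember the rule does not survive a reboot that happens inside the window, so the cron job may need a re-run after one.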

Thanks as always Tim! Yes, I also gathered from all I found online and on the support site that fwaccel dos rate is the way to go, BUT, again, as you said, there is no option to limit the timeframe, which is super important here, which you can do on Fortigate as per my video.

By the way, I also found a post from someone else stating that when they added an fwaccel dos rule with 10K connections, it had a really bad effect on RAM usage, which the customer can't allow, so it's definitely a non-starter.

I will talk to them today, but I'm almost positive they will decide to implement this on one of their Fortigate firewalls and not touch the CP 6400 cluster.

Thanks a lot.

Andy

the_rock
Legend

@PhoneBoy and @Timothy_Hall

First of all, I want to thank you, as always, for your great insights. Second, I really need your opinion on something else TAC sent to the customer. I personally can't see, with the option below, a way to add a source IP, and also no option to add a recurring timeframe.

Thoughts?

***************************

Example:

To limit the rate of new connections to 5 connections per second to the destination IP 192.168.1.100:

fw sam_policy add -a d -l r -t 3600 quota service any destination 192.168.1.100 new-conn-rate 5 flush true

This command will drop and log packets for all connections that exceed the rate of 5 new connections per second to the destination IP 192.168.1.100 and will expire after 3600 seconds.

************************************

PhoneBoy
Admin

If this is something that should occur at a specific time, set it up as a cron job. 😉

the_rock
Legend

I know, it's just trying to make it via a rule 🙂
