hubert
New Member
January 7, 2015
Solved

max connections per host

  • January 7, 2015
  • 4 replies
  • 23605 views

Hi,

I have a FortiGate 3140B v4.0 (MR2 patch 13). Is there a way to configure a rule that can control the number of TCP connections per source IP (something similar to the Cisco ASA policy per-client-max)?

 

Thank you

Hubert

 


    4 replies

    emnoc (Best answer)
    New Member
    January 7, 2015

    yes,

    you define a traffic shaper per-ip and assign it within the policy

    e.g.

    config firewall shaper per-ip-shaper
        edit "MAX200"
            set max-concurrent-session 200
        next
    end

     

    Ken
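As an added example (not part of emnoc's reply and not taken from Fortinet documentation), here is the per-IP shaper from the answer bound to a firewall policy, since the reply names the shaper but not the policy binding. It uses the 500-session limit hubert gives later in the thread. The policy number, the interface names and the "appfarm" address object are assumptions; the syntax follows the FortiOS 4.x CLI (set service "ANY", set logtraffic enable) that matches the poster's 4.0 MR2 unit.

```fortios
# Added example: per-IP session cap applied to traffic toward a server farm.
# Names, numbers and interfaces are assumptions, not taken from the thread.

# 1. Define the per-IP shaper. max-concurrent-session is counted per source IP.
config firewall shaper per-ip-shaper
    edit "MAX500"
        set max-concurrent-session 500
    next
end

# 2. Reference the shaper from the policy that allows clients to reach the farm.
#    Sessions above the cap are dropped for that source IP only; other hosts
#    are unaffected. Logging is enabled so the offending source shows in the logs.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "appfarm"
        set action accept
        set schedule "always"
        set service "ANY"
        set per-ip-shaper "MAX500"
        set logtraffic enable
    next
end
```

Before enforcing the cap, measure what a normal client actually opens: diagnose sys session filter src <client-ip> followed by diagnose sys session list shows the live session table for that host, which is the quickest way to test Dave_Hall's warning below that ordinary browsing can exceed a low limit.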

    hubert (Author)
    New Member
    January 7, 2015

    Many thanks Ken

    Dave_Hall
    New Member
    January 7, 2015

    Just want to point out that you may need to play around with the values you set for the max number of sessions; it's not uncommon (depending on a person's web browsing habits) to have over 200 sessions open. (I'd be more concerned about individuals having over 200 sessions open to different dest addresses and different ports.)

    emnoc
    New Member
    January 7, 2015

    And to add, you can be specific in the src_addr by specifying the host or "all/any" during your testing. I've only seen the need to limit the max concurrent sessions when you have a poorly performing app. I worked in the financial sector for over 10 years, and it was common to have poor applications that needed session limits.

    hubert (Author)
    New Member
    January 7, 2015

    I need this rule to protect an application server (server farm) against internal malicious connections. In my case the limit max=500 should be fine; anyone above it should be treated as a suspicious host.

     

    thanks

    Hubert

    emnoc
    New Member
    January 7, 2015

    Personally,

    I think you're using the wrong approach. A well-written IPS signature would probably do better.

     

    Ken

     

    hubert (Author)
    New Member
    January 7, 2015

    You're right. I also prefer to engage proper devices/modules for particular tasks but in my case IPS is disabled:

     

    Intrusion Protection: Unreachable

     

     

    FortiAdam
    New Member
    January 7, 2015

    Have you considered using a DoS policy? It won't necessarily show up in your GUI depending on which hardware you are running, but you should be able to config it via the CLI. You can filter traffic on different criteria such as "tcp_src_session". I don't believe a DoS policy would rely on having an active FortiGuard license. Good Luck!
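An added example of FortiAdam's suggestion, not code posted in the thread: a DoS policy that logs and blocks a source opening more than 500 concurrent TCP sessions, using the "tcp_src_session" anomaly named above and the 500 threshold hubert stated. It is written in the config firewall DoS-policy syntax of FortiOS 5.x and later; on the poster's 4.0 MR2 the command names differ, so this shows the shape of the configuration rather than a drop-in script. The interface and address names are assumptions.

```fortios
# Added example: anomaly-based per-source session limit on the ingress interface.
# Interface, address object and policy id are assumptions, not from the thread.
config firewall DoS-policy
    edit 1
        set interface "internal"
        set srcaddr "all"
        set dstaddr "appfarm"
        set service "ALL"
        config anomaly
            # tcp_src_session: concurrent TCP sessions counted per source IP.
            edit "tcp_src_session"
                set status enable
                set log enable
                set action block
                set threshold 500
            next
        end
    next
end
```

Running it with set action pass and log enable first, then switching to block, lets you see which internal hosts trip the threshold during normal use before any traffic is dropped.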