80211WiGuy
Explorer III
October 11, 2018
Question

SNAT - Per user session count limit

  • October 11, 2018
  • 1 reply
  • 4085 views

Hello,

I'm trying to impose some NAT table safeguards to prevent abuse from malicious or infected clients on a large public-facing WiFi network (INSIDE, private address space). This includes UDP and TCP timeouts which ensure sessions are closed in a timely manner if a client drops off the network non-gracefully (no FIN or RST packets sent to close connections).

Something we do on our older Cisco-based platform is set a per-user (per inside IP) limit on the maximum number of sessions any single inside IP can establish through the NAT. This prevents scanning behaviour and other malicious activities from exhausting the NAT table for the firewall/public IP pool, which we've experienced before. Is it possible to impose this kind of safeguard in FortiOS?

    1 reply

    emnoc
    New Member
    October 12, 2018

    "This prevents scanning behaviour and other malicious activities from exhausting the NAT table for the firewall/public IP pool, which we've experienced before. Is it possible to impose this kind of safeguard in FortiOS?"

    You have many choices, but for the above quote: you should limit the services that you allow in the firewall policy if your intention is to prevent port scanning.

    For max sessions, you should be able to control that in a TSpolicy.

    { yes, this is an older thread, but the principles should still be the same }

    https://forum.fortinet.com/tm.aspx?m=118848
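As an added illustration of the per-IP session cap the reply points to (a traffic shaping policy with a per-IP shaper), here is a FortiOS CLI fragment. It is not code from the thread or from Fortinet's documentation; it assumes FortiOS 6.x syntax, and the interface names "INSIDE" and "wan1", the shaper name and the limit of 500 sessions are placeholders to be replaced with values that fit the deployment.

```fortios
# Added example, not from the thread. Assumes FortiOS 6.x CLI syntax;
# "INSIDE", "wan1", the shaper name and the limit of 500 are placeholders.

# 1. Define a per-IP shaper: the limit applies separately to every source IP.
config firewall shaper per-ip-shaper
    edit "wifi-client-session-cap"
        # Maximum concurrent sessions any single inside IP may hold through
        # the firewall; new sessions beyond this count are refused.
        set max-concurrent-session 500
    next
end

# 2. Attach the shaper to the WiFi-to-Internet traffic via a shaping policy.
config firewall shaping-policy
    edit 1
        set name "wifi-per-ip-session-cap"
        set status enable
        set srcintf "INSIDE"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set per-ip-shaper "wifi-client-session-cap"
    next
end
```

Option names and defaults vary between FortiOS releases, so confirm each keyword with `?` in the CLI on the unit in question before committing it. A DoS policy with the `ip_src_session` anomaly (`config firewall DoS-policy`) is the other place FortiOS can enforce a per-source session threshold, with the advantage that it can log the offending inside IP when the threshold is hit; combining either control with the shorter UDP/TCP session timers already mentioned in the question keeps a scanning client from pinning NAT table entries for long.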