Support Forum
hubert
New Contributor

max connections per host

Hi,

I have a FortiGate 3140B v4.0 (MR2 patch 13). Is there a way to configure a rule which can control the number of TCP connections per source IP (something similar to the Cisco ASA policy option per-client-max)?

 

Thank you

Hubert

 

1 Solution
emnoc
Esteemed Contributor III

yes,

 

you define a traffic shaper per-ip and assign it within the policy

 

e.g

 

config firewall shaper per-ip-shaper
    edit "MAX200"
        set max-concurrent-session 200
    next
end

 

Ken

PCNSE 

NSE 

StrongSwan  

hubert
New Contributor

Many thanks Ken

Dave_Hall
Honored Contributor

Just want to point out that you may need to play around with the values you set for the max number of sessions; it's not uncommon (depending on a person's web browsing habits) to have over 200 sessions open. (I'd be more concerned about individuals having over 200 sessions open to different dest addresses and different ports.)

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
emnoc
Esteemed Contributor III

And to add, you can be specific in the src_addr by specifying the host or "all/any" during your testing. I've only seen the need to limit the max concurrent sessions when you have a poorly performing app. I worked in the financial sector for over 10 years, and it was common to have poor applications that needed session limits.

PCNSE 

NSE 

StrongSwan  
hubert
New Contributor

I need this rule to protect an application server (server farm) against internal malicious connections. In my case the limit max=500 should be fine; someone above it should be treated as a suspicious host.

 

thanks

Hubert

emnoc
Esteemed Contributor III

Personally

 

I think you're using the wrong approach. A well-written IPS signature would probably do better.

 

Ken

 

PCNSE 

NSE 

StrongSwan  
hubert
New Contributor

You're right. I also prefer to engage proper devices/modules for particular tasks but in my case IPS is disabled:

 

Intrusion Protection: Unreachable

 

 

FortiAdam
Contributor II

Have you considered using a DoS policy? It won't necessarily show up in your GUI depending on which hardware you are running, but you should be able to configure it via the CLI. You can filter traffic on different criteria such as "tcp_src_session". I don't believe a DoS policy would rely on having an active FortiGuard license. Good luck!
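Added example, not from FortiAdam's post or from Fortinet documentation: a DoS policy that enables the tcp_src_session anomaly with hubert's threshold of 500 on traffic towards the server farm. It is written in FortiOS 5.x CLI syntax (config firewall DoS-policy); on the 4.0 MR2 build in question the DoS command tree differs, so confirm the path with the CLI's ? help before pasting. The interface name, the "APP_FARM" address object and the tcp_dst_session threshold are assumptions.

```fortios
# Added example (annotations for the reader; paste the stanza without the # lines).
# DoS policies are matched on the ingress interface, before the firewall policy
# table, and need no FortiGuard subscription.
config firewall DoS-policy
    edit 1
        set interface "internal"
        set srcaddr "all"
        set dstaddr "APP_FARM"
        set service "ALL"
        config anomaly
            # Concurrent TCP sessions from one source IP. Above 500 the
            # excess sessions are blocked and an anomaly log names the source,
            # which is the "suspicious host" signal hubert asked for.
            edit "tcp_src_session"
                set status enable
                set log enable
                set action block
                set threshold 500
            next
            # Optional complement (assumed threshold): total concurrent TCP
            # sessions to one destination, so a spread-out flood that stays under
            # 500 per client still gets logged. Left at pass until the farm's
            # normal load is known.
            edit "tcp_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
        end
    next
end
```

Compared with the per-IP shaper earlier in the thread, the anomaly counts sessions per source regardless of which firewall policy they later match, and every hit is logged with the offending source address, so it fits hubert's goal of flagging a host rather than only throttling it.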
