topic Re: Is it possible to limit concurrent session per source IP? in General Topics

Is it possible to limit concurrent session per source IP?

alberto_cobo — Wed, 22 Dec 2010 14:44:53 GMT

Hello,

I have a PAN-2050 installed in vitual wire reaching max concurrent session (262143) and discarding sessions in peak hours unable to create new sessions. I would like to know if it is possible to configure or create a rule to limit the max concurrent session per source IP. Or maybe per appication.

I couldn´t find information abour that in Admin or Command Guide. Does anybody have experience with similar issue?

Thanks.

Re: Is it possible to limit concurrent session per source IP?

skrall — Wed, 22 Dec 2010 23:25:46 GMT

This is not possible. You could use QOS to limit bandwidth but we have no way to limit users to a max number of sessions.

Steve Krall

Re: Is it possible to limit concurrent session per source IP?

kbrazil — Tue, 04 Jan 2011 21:18:10 GMT

I believe this feature is coming in the next major release (Q12011).

Cheers,

Kelly

Re: Is it possible to limit concurrent session per source IP?

jleung — Sat, 29 Jan 2011 11:22:34 GMT

Hi Alberto,

Next release you can configure DoS policy for your internal LAN, based on source IP to do session limit. Users who create more than the limit will not be able to create new session.

Rgds,

Jones

Re: Is it possible to limit concurrent session per source IP?

gafrol — Sat, 29 Jan 2011 11:29:19 GMT

Hello Jones,

are you talking about the upcoming PAN-OS 4 release ?

rgds

Roland

Re: Is it possible to limit concurrent session per source IP?

jleung — Sat, 29 Jan 2011 12:32:10 GMT

Yes it is in Nice.

Re: Is it possible to limit concurrent session per source IP?

migration — Mon, 31 Jan 2011 12:15:06 GMT

Hi,

"..based on Source IP..." ??

How can I create a policy to rate limit a DoS attack if I don't know the SrcIP?

I thought it could be DstIP based, to control and differentiate better the victivm of attacks, leaving "ANY" as SrcIP.

Is it correct, isn't it?

Thanks

Re: Is it possible to limit concurrent session per source IP?

mderksen — Mon, 31 Jan 2011 12:22:24 GMT

Hi,

The policy will be based on the check on the number of connections per source IP. So you do not need to know the source IP but you can say each source IP cannot have more then x amount of connections.

What you also can check is the sessions that are active. If you reach the limit of session you might want to decrease the timeout on DNS for example. This can lead to a fewer number of active connections.

Marcel

Re: Is it possible to limit concurrent session per source IP?

migration — Mon, 31 Jan 2011 13:15:44 GMT

Uhm,

and what about if I need to have different rates for different services, for example 1000 max sessions toward a WEB server and 2000 max sessions toward a DNS server?

And also, If I have 200 different SrcIPs wich make 10 sessions per second each toward the same DstIP I have a total of 2.000 sessions per second but only 10 sessions per second from each SrcIP...so It's not useful to limit by SrcIP, imho.

Does 4.0 achieve this?

So, Can I do DoS policy based on SrcIP, DstIP and application and rate limit all this component?

Thanks

Re: Is it possible to limit concurrent session per source IP?

mderksen — Mon, 31 Jan 2011 13:24:01 GMT

You can build different rules based on the destination address but limit the connections per src-ip. It would be a rule based configuration like you have at the moment for the security rules, nat rules etc.

Re: Is it possible to limit concurrent session per source IP?

migration — Mon, 31 Jan 2011 13:57:50 GMT

What a shame! 😞

Even Netfilter do DstIP/port based rate limiting.

Anyway, thanks for your fast response! 😉

Re: Is it possible to limit concurrent session per source IP?

gafrol — Mon, 31 Jan 2011 14:05:05 GMT

Hi iceman,

this is from the RN of the upcoming PAN-OS 4:

DoS Protection Rulebase – Complementing the existing Zone Protection Profiles, a new Denial
of Service rulebase and corresponding DoS Protection Profile have been added to provide more
granular and proactive protection from DoS attacks.

rgds Roland

Re: Is it possible to limit concurrent session per source IP?

kbrazil — Mon, 31 Jan 2011 14:56:20 GMT

iceman wrote:

What a shame! 😞

Even Netfilter do DstIP/port based rate limiting.

Anyway, thanks for your fast response! 😉

PAN-OS has had SRC/DST/port based rate limiting for quite some time now. The next release will also allow SRC/DST/port based session and flood control. In addition, this will be available for the aggregate of traffic identified in a rule or classified per single source, destination, or combination of both hitting a rule.

Cheers,

Kelly

Re: Is it possible to limit concurrent session per source IP?

migration — Mon, 31 Jan 2011 16:31:33 GMT

Great!

My goal is to identify and limit DoS Attack to my DNS Servers.

Today the Zone Protection Profile make me able to protect per dst zone, not per single Dst IP address.

Do you suggest me anything else to achieve this goal?

I'm looking forward to seeing 4.0 release for the new feature!

Thanks

Re: Is it possible to limit concurrent session per source IP?

alberto_cobo — Tue, 01 Feb 2011 10:44:21 GMT

Hi guys,

thanks everybody for your help. Finally I was talking with PaloAlto Spain representaves.They told me PAN 4.0 will be released february 20, and as you said, it will be possible to create a DoS policy to limit sessions per Src-IP, Dest-IP, and also by protocols TCP/UDP/ICMP . I hope this will solve my problem because 80% of my sessions are UDP.

What I couldn´t find is Relesae Notes of PAN 4.0. Does anybody knows where can I donwload it?

Thanks.

Re: Is it possible to limit concurrent session per source IP?

nrice — Tue, 01 Feb 2011 17:12:18 GMT

PANOS 4.0 release notes will be made available concurrently with the software release.

Re: Is it possible to limit concurrent session per source IP?

Retired Member — Tue, 08 Feb 2011 12:58:27 GMT

Hi all,

Would you know where can find the DOS Protect alarm log ?

I crated a DOS Policy in Nice beta & generate a lot of session to hit DOS Rule alarm threshold but can't found any alarm log...

regard,

Bruce

Re: Is it possible to limit concurrent session per source IP?

fredallee — Tue, 08 Feb 2011 18:05:00 GMT

The logs for DoS protection should show up in the threat logs.