This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Is it possible to limit concurrent session per source IP?
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- Re: Is it possible to limit concurrent session per source IP?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-22-2010 06:44 AM
Hello,
I have a PAN-2050 installed in vitual wire reaching max concurrent session (262143) and discarding sessions in peak hours unable to create new sessions. I would like to know if it is possible to configure or create a rule to limit the max concurrent session per source IP. Or maybe per appication.
I couldn´t find information abour that in Admin or Command Guide. Does anybody have experience with similar issue?
Thanks.
17 REPLIES 17
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-31-2011 04:15 AM
Hi,
"..based on Source IP..." ??
How can I create a policy to rate limit a DoS attack if I don't know the SrcIP?
I thought it could be DstIP based, to control and differentiate better the victivm of attacks, leaving "ANY" as SrcIP.
Is it correct, isn't it?
Thanks
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-31-2011 04:22 AM
Hi,
The policy will be based on the check on the number of connections per source IP. So you do not need to know the source IP but you can say each source IP cannot have more then x amount of connections.
What you also can check is the sessions that are active. If you reach the limit of session you might want to decrease the timeout on DNS for example. This can lead to a fewer number of active connections.
Marcel
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-31-2011 05:15 AM
Uhm,
and what about if I need to have different rates for different services, for example 1000 max sessions toward a WEB server and 2000 max sessions toward a DNS server?
And also, If I have 200 different SrcIPs wich make 10 sessions per second each toward the same DstIP I have a total of 2.000 sessions per second but only 10 sessions per second from each SrcIP...so It's not useful to limit by SrcIP, imho.
Does 4.0 achieve this?
So, Can I do DoS policy based on SrcIP, DstIP and application and rate limit all this component?
Thanks
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-31-2011 05:24 AM
You can build different rules based on the destination address but limit the connections per src-ip. It would be a rule based configuration like you have at the moment for the security rules, nat rules etc.
Related Content
- Where to see graphs of peak bandwidth usage? in Next-Generation Firewall Discussions
- Global Protect Virtual adapter not installed on ARM64 win 11 device in GlobalProtect Discussions
- FW stops forwarding files to WF 500 in Next-Generation Firewall Discussions
- Sending monitoring information from firewall to Panorama in Panorama Discussions
- Not updating low traffic session status with hw offload enabled in Next-Generation Firewall Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks