max connections per host (Answered)

Author
hubert
2015/01/07 02:27:41 (permalink)
0

Hi,
I have FortiGate 3140B v4.0 (MR2 patch 13). Is there a way to configure a rule which can control number of tcp connections per source IP (something similar to Cisco ASA policy - per-client-max)?
 
Thank you
Hubert
 
#1
emnoc
Re: max connections per host 2015/01/07 03:21:05 (permalink) Best Answer, marked by hubert 2015/01/07 03:29:25
5 (2)
yes,
 
You define a per-IP traffic shaper and assign it within the policy.
 
e.g.
 

config firewall shaper per-ip-shaper
    edit "MAX200"
        set max-concurrent-session 200
    next
end

 
Ken

PCNSE, NSE, Forcepoint, StrongSwan Specialist
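A fuller version of the approach in Ken's answer, added here as an illustration and not taken from the original post: the per-IP shaper, a firewall policy that applies it, and the diagnose commands a practitioner would use to confirm it is actually counting. The object and interface names (MAX200, port1, port2, APP_SERVERS, policy ID 10, test host 10.1.1.50) are placeholders, and the syntax follows the FortiOS 4.x/5.x CLI, where per-ip-shaper is set directly on the firewall policy; FortiOS 6.x moved this into shaping policies. The `#` lines are commentary for the reader; drop them if the unit's CLI rejects them when pasting.

```fortios
# Added example, not from the original thread. Names are placeholders.

# 1. Per-IP shaper: each source IP may hold at most 200 concurrent sessions
#    through any policy that references this shaper. Bandwidth settings are
#    left at their default of 0 (unlimited), so only the session count is
#    enforced; new sessions above the limit are dropped.
config firewall shaper per-ip-shaper
    edit "MAX200"
        set max-concurrent-session 200
    next
end

# 2. Apply the shaper on the policy that fronts the servers. The counter is
#    kept per source IP for this policy only, so other policies are not
#    affected. Traffic logging is turned on so the dropped sessions show up
#    in the forward traffic log rather than failing silently.
config firewall policy
    edit 10
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "APP_SERVERS"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set per-ip-shaper "MAX200"
    next
end

# 3. Checks, run while a test host opens connections to the servers:
#    current per-source counters held by the shaper
diagnose firewall shaper per-ip-shaper list
#    session table narrowed to the test source, to compare against the count
diagnose sys session filter src 10.1.1.50
diagnose sys session list
```

When tuning the number, raise the threshold first and watch the shaper counters for the busiest legitimate clients over a normal working day; the limit should sit above that observed peak, not at a round number chosen in advance.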
#2
hubert
Re: max connections per host 2015/01/07 06:43:19 (permalink)
0
Many thanks Ken
#3
Dave Hall
Re: max connections per host 2015/01/07 06:51:40 (permalink)
0
Just want to point out that you may need to play around with the values you set for max number of sessions; it's not uncommon (depending on a person's web browsing habits) to have over 200 sessions open. (I'd be more concerned about individuals having over 200 sessions open to different dest addresses and different ports.)

NSE4/FMG-VM64/FortiAnalyzer-VM/5.2/5.4 (FWF40C/FW92D/FGT200B/FGT200D/FGT101E)/ FAP220B/221C
#4
emnoc
Re: max connections per host 2015/01/07 07:17:36 (permalink)
0
And to add, you can be specific in the src_addr by specifying the host or "all/any" during your testing. I've only seen the need to limit the max concurrent sessions when you have a poor-performing app. I worked in the financial sector for over 10 years, and it was common to have poor applications that needed session limits.

#5
hubert
Re: max connections per host 2015/01/07 08:02:12 (permalink)
0
I need this rule to protect an application server (server farm) against internal malicious connections. In my case the limit max=500 should be fine; anyone above it should be treated as a suspicious host.
 
thanks
Hubert
#6
emnoc
Re: max connections per host 2015/01/07 10:08:11 (permalink)
0
Personally
 
I think you're using the wrong approach. A well written IPS signature would probably do better.
 
Ken
 

#7
hubert
Re: max connections per host 2015/01/07 12:21:26 (permalink)
0
You're right. I also prefer to engage proper devices/modules for particular tasks but in my case IPS is disabled:
 
Intrusion Protection: Unreachable
 
#8
FortiAdam
Re: max connections per host 2015/01/07 15:00:24 (permalink)
0
Have you considered using a DoS policy? It won't necessarily show up in your GUI depending on which hardware you are running, but you should be able to config it via the CLI. You can filter traffic on different criteria such as "tcp_src_session". I don't believe DoS policy would rely on having an active FortiGuard license. Good luck!
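The DoS policy FortiAdam describes, written out as an added example that is not part of the original post. It watches the `tcp_src_session` anomaly (concurrent TCP sessions from a single source IP) at hubert's threshold of 500, and adds `tcp_port_scan`, the other per-source anomaly that would flag a host probing the server farm. Interface, address object and thresholds are placeholders, and the syntax is the FortiOS 5.x `config firewall DoS-policy` layout; FortiOS 4.0 MR2 exposes DoS sensors through an older layout, so check `config firewall ?` on the unit before pasting. Both anomalies start with `action pass`, which logs hits without blocking, so the baseline can be learned before enforcement is switched on.

```fortios
# Added example, not from the original thread. Names and thresholds are
# placeholders; confirm the DoS-policy layout on the target FortiOS version.

config firewall DoS-policy
    edit 1
        set interface "port1"
        set srcaddr "all"
        set dstaddr "APP_SERVERS"
        set service "ALL"
        config anomaly
            # Concurrent TCP sessions from one source IP. Monitor first
            # (pass + log), then change "set action pass" to "set action block"
            # once the logs confirm that 500 sits above normal client load.
            edit "tcp_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 500
            next
            # SYN rate from one source across destination ports; catches a
            # host scanning the farm even if no session ever completes, which
            # a session counter on its own would not see.
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action pass
                set threshold 1000
            next
        end
    next
end

# Check: per-anomaly hit counters, to see which sources are tripping the
# thresholds while the policy is still in pass mode.
diagnose ips anomaly list
```

The distinction from the per-IP shaper is that a DoS policy is evaluated on the ingress interface before the firewall policy lookup and produces an anomaly log entry naming the source, which is what "treat the host as suspicious" needs; the shaper only drops the excess sessions.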