SNAT - Per user session count limit

Author: 80211WiGuy
2018/10/11 13:58:32 (permalink)


Hello,
I'm trying to impose some NAT table safeguards to prevent abuse from malicious or infected clients on a large public-facing WiFi network (INSIDE, private address space). This includes UDP and TCP timeouts, which ensure sessions are closed in a timely manner if a client drops off the network non-gracefully (no FIN or reset packets sent to close connections).
Something we do on our older Cisco-based platform is set a per-user (per inside IP) limit on the maximum number of sessions any single inside IP can establish through the NAT. This prevents scanning behaviour and other malicious activities from exhausting the NAT table for the firewall/public IP pool, which we've experienced before. Is it possible to impose this kind of safeguard in FortiOS?


Reply from emnoc (Expert Member, Austin TX area)
Re: SNAT - Per user session count limit 2018/10/11 20:30:41 (permalink)

Quoting the original post:
    This prevents scanning behaviour and other malicious activities from exhausting the NAT table for the firewall/public IP pool, which we've experienced before. Is it possible to impose this kind of safeguard in FortiOS?
You have many choices, but for the above quote: you should limit the services that you allow in the firewall policy if your intention is to prevent port scanning.

For max sessions, you should be able to control this in a TS policy
(yes, this is an older thread, but the principles should still be the same):

https://forum.fortinet.com/tm.aspx?m=118848

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
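The two safeguards the thread talks about (a per-source-IP cap on concurrent sessions, attached to a policy that only permits the services guests need, plus shorter session TTLs so sessions from clients that vanish without FIN/RST age out) sketched as a FortiOS CLI fragment. This is an added example, not configuration from the original posts or from Fortinet documentation. The object names (`wifi-client-cap`, `wifi-clients`, `public-pool`), the policy ID, the interface names and every numeric limit are placeholders to be tuned to the network; the CLI keywords are reproduced from memory of FortiOS 6.x and must be checked against the release in use, since `max-concurrent-tcp-session`/`max-concurrent-udp-session` and the place where a per-IP shaper is attached differ between versions.

```fortios
# Per-IP shaper: caps the number of concurrent sessions any single source IP
# may hold through the policy it is attached to. A scanning or infected
# client hits its own cap and its further sessions are refused, instead of
# filling the session table shared by the whole public IP pool.
# (Keywords assumed from FortiOS 6.x; the TCP/UDP sub-limits exist only in
# newer builds. Limits are placeholders.)
config firewall shaper per-ip-shaper
    edit "wifi-client-cap"
        set max-concurrent-session 300
        set max-concurrent-tcp-session 200
        set max-concurrent-udp-session 100
    next
end

# Outbound policy for the guest subnet. Services are restricted to what
# guests need, which by itself blunts port scanning, and the shaper is
# attached here. Policy ID, interfaces, address object and pool name are
# placeholders; on some releases per-ip-shaper is set in
# "config firewall shaping-policy" instead of on the firewall policy.
config firewall policy
    edit 10
        set name "wifi-to-internet"
        set srcintf "wifi"
        set dstintf "wan1"
        set srcaddr "wifi-clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set ippool enable
        set poolname "public-pool"
        set per-ip-shaper "wifi-client-cap"
    next
end

# Session TTLs: lower the global default so abandoned sessions expire sooner,
# and give UDP/53 a much shorter idle timeout since DNS lookups are one
# request/one reply and make up a large share of a guest network's sessions.
config system session-ttl
    set default 1800
    config port
        edit 1
            set protocol 17
            set start-port 53
            set end-port 53
            set timeout 60
        next
    end
end

# Checks after applying (placeholder IP):
#   diagnose firewall shaper per-ip-shaper list      -> current per-IP session counts against the cap
#   diagnose sys session filter src 10.10.20.5
#   diagnose sys session list                         -> sessions held by one suspect client
```

Start with the cap well above what a legitimate client needs (a busy browser session can hold a few hundred sessions with HTTP/2 and QUIC in the mix) and watch the shaper counters before tightening it; a cap that is too low shows up as intermittent page failures for ordinary users long before it stops a scanner.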