[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Setting Source-Based Session Limits

A source-based session limit can stem an attack that infects a server and then begins generating massive amounts of traffic from that server.

Before You Begin

For background information, read Understanding Session Table Flood Attacks.

In this example, you want to limit the amount of sessions that any one server in the DMZ and zone_a zones can initiate. Because the DMZ zone only contains Web servers, none of which should initiate traffic, you set the source-session limit at the lowest possible value: 1 session. On the other hand, the zone_a zone contains personal computers, servers, printers, and so on, many of which do initiate traffic. For the zone_a zone, you set the source-session limit maximum to 80 concurrent sessions.

You can use either J-Web or the CLI configuration editor to set the source-session limit. In this example you are setting the source-session limit maximum to 80 concurrent sessions.

This topic covers:

J-Web Configuration

To configure screens:

  1. Select Configure>CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Screen, click Configure.
  4. Next to Ids option, click Add new entry.
  5. In the Name box, type 1-limit-session.
  6. Next to Limit session, select the check box and click Configure.
  7. In the Source ip based box, type 1 and click OK.
  8. To configure another Source-ip-based 100 and 80, repeat Step 4 through Step 7 and click OK.
  9. To save and commit the configuration, click Commit.

To configure zones:

  1. Select Configure>CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Zones, click Configure.
  4. Next to Security zone, click Add new entry.
  5. In the Name box, type dmz.
  6. In the Screen box, type 100-limit-session and click OK.
  7. Next to Security zone, click Add new entry.
  8. In the Name box, type zone_a.
  9. In the Screen box, type 100-limit-session and click OK.
  10. To save and commit the configuration, click Commit.

CLI Configuration

user@host# set security screen ids-option 1-limit-session limit-session source-ip-based 1
user@host# set security screen ids-option 100-limit-session limit-session source-ip-based 100
user@host# set security screen ids-option 80-limit-session limit-session source-ip-based 80
user@host# set security zones security-zone dmz screen 100-limit-session
user@host# set security zones security-zone zone_a screen 100-limit-session

Related Topics

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

[an error occurred while processing this directive]