This article provides information about modifying the destination IP session limit to suit the needs of your environment and platform.
When the destination IP limit is reached, the following messages are seen:
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:1222, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:2287, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:1640, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:2936, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
By default, the destination-IP-based threshold is set to 128.
This is by design of the screening functionality: by default the firewall allows only a certain number of concurrent sessions to a single destination IP. This protects the session pool from being exhausted by infected, compromised or attacker machines.
To see the session limit currently set on the firewall for a zone, use the following command:
Firewall-> get zone <zone name> screen | inc Destination-IP
Result= Destination-IP-based Threshold: 128
To make changes to the session limit for a zone, use the following command:
Firewall-> set zone <zone name> screen limit-session destination-ip-based "<number>"
Note: "number" here is the number of concurrent sessions allowed per destination IP. This value might need adjustment to suit your network environment and platform.
Note: Determine the optimum session limit carefully for your network environment, so that the screen does not trigger falsely on legitimate traffic yet still protects the customer network from attacks.
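Before raising or lowering the threshold, it helps to know which destination hosts are hitting the limit and whether the hits come from one source or many. The following Python script is an added example, not part of this article or of ScreenOS: it parses "Dst IP session limit!" lines in the syslog format quoted above and aggregates them per destination IP. The sample log lines are constructed for the example and use RFC 5737 documentation addresses in place of the XXX/YYY placeholders; the function names are the example's own.

```python
import re

# Matches the "Dst IP session limit!" screen alert in the syslog format quoted
# in the article: timestamp, severity, then the message with its 5-tuple,
# zone, interface and the "Occurred N times." suffix.
SCREEN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<sev>\w+) "
    r"Dst IP session limit! From (?P<src>[^:]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:]+):(?P<dport>\d+), proto (?P<proto>\w+) "
    r"\(zone (?P<zone>[^,]+), int (?P<intf>[^)]+)\)\. Occurred (?P<count>\d+) times?\.$"
)

# Constructed sample log (not real data): two DNS replies from one resolver to
# one host, two TCP sources piling onto a web server, and one unrelated line.
SAMPLE_LOG = """\
2018-05-14 11:15:44 crit Dst IP session limit! From 198.51.100.53:53 to 192.0.2.10:1222, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From 198.51.100.53:53 to 192.0.2.10:2287, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:45 crit Dst IP session limit! From 203.0.113.7:44021 to 192.0.2.20:80, proto TCP (zone Untrust, int ethernet0/6). Occurred 3 times.
2018-05-14 11:15:45 crit Dst IP session limit! From 203.0.113.8:51900 to 192.0.2.20:80, proto TCP (zone Untrust, int ethernet0/6). Occurred 2 times.
2018-05-14 11:15:46 info Some unrelated line that the parser should skip
"""


def parse_screen_event(line):
    """Return the fields of one 'Dst IP session limit!' line as a dict, or None
    if the line is any other message (the parser deliberately ignores those)."""
    m = SCREEN_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("sport", "dport", "count"):
        ev[key] = int(ev[key])
    return ev


def summarize_by_destination(lines):
    """Aggregate screen hits per destination IP: total 'Occurred' count, the
    distinct source IPs, protocols and zones involved, and first/last time seen."""
    summary = {}
    for line in lines:
        ev = parse_screen_event(line)
        if ev is None:
            continue
        d = summary.setdefault(ev["dst"], {
            "hits": 0, "sources": set(), "protos": set(), "zones": set(),
            "first": ev["ts"], "last": ev["ts"],
        })
        d["hits"] += ev["count"]
        d["sources"].add(ev["src"])
        d["protos"].add(ev["proto"])
        d["zones"].add(ev["zone"])
        d["first"] = min(d["first"], ev["ts"])
        d["last"] = max(d["last"], ev["ts"])
    return summary


def rank_destinations(summary):
    """Destinations ordered busiest first as (dst, total hits, distinct sources).
    One source on a well-known port (such as DNS replies from port 53) reads very
    differently from many sources converging on one host."""
    return sorted(
        ((dst, d["hits"], len(d["sources"])) for dst, d in summary.items()),
        key=lambda t: (-t[1], t[0]),
    )


if __name__ == "__main__":
    report = summarize_by_destination(SAMPLE_LOG.splitlines())
    for dst, hits, nsrc in rank_destinations(report):
        d = report[dst]
        print(f"{dst}: {hits} hits from {nsrc} source(s), "
              f"proto {','.join(sorted(d['protos']))}, {d['first']}..{d['last']}")
```

Feed it the firewall's syslog export and read the ranking alongside the per-destination threshold: a host that receives a flood of sessions from many sources is the case the screen exists for, whereas a single busy resolver or server answering one internal host on high ports may simply need a higher limit for that zone.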