
[ScreenOS] Can the "Source IP Based Session Limit" Screen Option on the firewall be configured for specific source IP addresses?


Article ID: KB9950 KB Last Updated: 13 Apr 2016Version: 5.0
Summary:

"Source IP Based Session Limit" is set on the firewall; can exceptions be given to a specific block of addresses?

Symptoms:

The "Source IP Based Session Limit" Screen Option on the firewall limits the number of sessions from any single IP address.
Can this Screen Option be configured for specific source IP addresses?

Solution:

"Per-policy session-limit establishment from source-IPs" is supported in ScreenOS 6.1 and greater. 

Example configuration:

set policy id 1 from "Trust" to "Untrust" 192.168.1.0/24 10.10.1.1/32 "ANY" permit sess-limit per-src-ip 500
set policy id 1

With this configuration, every host in 192.168.1.0/24 can initiate a maximum of 500 sessions to destination 10.10.1.1/32.

The following example shows a zone-based screening configuration. To enable the zone screen for any source IP address, two commands need to be specified in the configuration:

set zone <zone> screen limit-session source-ip-based
set zone <zone> screen limit-session source-ip-based <session_limit>


Example:

set zone untrust screen limit-session source-ip-based
set zone untrust screen limit-session source-ip-based 512

Here 512 is the session limit for any single source IP.


The following information from 'get zone untrust screen' indicates the feature is enabled:
Src IP-based session limiting on
Source-IP-based threshold: 512


Note: Applying these commands does not remove sessions that are already in the session table. The limit takes effect on new session establishment and holds the number of sessions per source IP at the configured maximum.
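To make the two enforcement points above concrete, the following Python model is an added illustration for this article, not ScreenOS code. It parses the `set policy ... sess-limit per-src-ip N` line shown above, counts live sessions per source IP for both a per-policy limit and a zone screen (`set zone <zone> screen limit-session source-ip-based N`), and shows the behaviour described in the note: sessions that already exist when the limit is enabled stay in the table, and only new session establishment is refused. The first-match policy lookup, the `Any` address handling, and the small limits used in `demo()` are modelling assumptions chosen so the behaviour is visible, not values from the article.

```python
"""Model of ScreenOS-style per-source-IP session limiting (added illustration, not ScreenOS code)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Shape of the policy line quoted in the article; only the fields needed here are captured.
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+) from "(?P<from_zone>[^"]+)" to "(?P<to_zone>[^"]+)" '
    r'(?P<src>\S+) (?P<dst>\S+) "(?P<svc>[^"]+)" (?P<action>\w+)'
    r'(?: sess-limit per-src-ip (?P<limit>\d+))?\s*$'
)


def _net(text):
    """Map an address token to a network; 'Any' is treated as all addresses (assumption)."""
    return ip_network("0.0.0.0/0") if text.lower() == "any" else ip_network(text, strict=False)


@dataclass
class Policy:
    pid: int
    src: str
    dst: str
    per_src_limit: Optional[int]  # None when the policy carries no sess-limit

    @classmethod
    def parse(cls, line):
        m = POLICY_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a recognised policy line: {line!r}")
        lim = m.group("limit")
        return cls(int(m.group("id")), m.group("src"), m.group("dst"), int(lim) if lim else None)

    def matches(self, src_ip, dst_ip):
        return ip_address(src_ip) in _net(self.src) and ip_address(dst_ip) in _net(self.dst)


@dataclass
class SessionTable:
    policies: list
    zone_limit: Optional[int] = None              # zone screen threshold; None = screen off
    sessions: list = field(default_factory=list)  # live sessions as (src, dst, policy id)

    def _count(self, src_ip, pid=None):
        """Live sessions from src_ip, optionally restricted to one policy."""
        return sum(1 for s, _, p in self.sessions if s == src_ip and (pid is None or p == pid))

    def open_session(self, src_ip, dst_ip):
        """Attempt a new session; returns (allowed, reason). Existing sessions are never touched."""
        # Zone screen counts every live session from this source, whatever policy it matched.
        if self.zone_limit is not None and self._count(src_ip) >= self.zone_limit:
            return False, "zone screen source-ip-based limit reached"
        for pol in self.policies:  # first-match lookup (modelling assumption)
            if not pol.matches(src_ip, dst_ip):
                continue
            if pol.per_src_limit is not None and self._count(src_ip, pol.pid) >= pol.per_src_limit:
                return False, f"policy {pol.pid} sess-limit per-src-ip reached"
            self.sessions.append((src_ip, dst_ip, pol.pid))
            return True, f"permitted by policy {pol.pid}"
        return False, "no matching policy"

    def close_session(self, src_ip, dst_ip):
        """Tear down one live session between src_ip and dst_ip, if any."""
        for i, (s, d, _) in enumerate(self.sessions):
            if (s, d) == (src_ip, dst_ip):
                del self.sessions[i]
                return True
        return False


def demo():
    """Constructed scenario: limit of 3 on the policy (the article uses 500) and 4 on the zone."""
    limited = Policy.parse('set policy id 1 from "Trust" to "Untrust" '
                           '192.168.1.0/24 10.10.1.1/32 "ANY" permit sess-limit per-src-ip 3')
    catch_all = Policy.parse('set policy id 2 from "Trust" to "Untrust" Any Any "ANY" permit')
    table = SessionTable([limited, catch_all])
    host = "192.168.1.10"
    # Four sessions exist before the zone screen is switched on; enabling it keeps them.
    pre_existing = [table.open_session(host, "10.10.1.2")[0] for _ in range(4)]
    table.zone_limit = 4  # set zone untrust screen limit-session source-ip-based 4
    results = {
        "pre_existing_all_allowed": all(pre_existing),
        "still_in_table_after_enable": table._count(host),
        "new_session_blocked_by_zone": table.open_session(host, "10.10.1.1")[1],
    }
    # Close the old sessions, then exercise the per-policy limit of 3 towards 10.10.1.1.
    for _ in range(4):
        table.close_session(host, "10.10.1.2")
    results["policy_allows_first_three"] = all(table.open_session(host, "10.10.1.1")[0] for _ in range(3))
    results["policy_blocks_fourth"] = table.open_session(host, "10.10.1.1")[1]
    # Every host in 192.168.1.0/24 has its own counter.
    results["other_host_allowed"] = table.open_session("192.168.1.11", "10.10.1.1")[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the outcome of each step; `Policy.parse` can also be pointed at the real `set policy` lines of a saved configuration to list which policies carry a `sess-limit per-src-ip` value and which fall back to the zone screen alone.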
