SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Http connection rate limit per second

    Posted 01-23-2014 06:10

    Hello,

     

    I'm working on a cluster of 2 Juniper SRX3600 11.4R6.5 and I'm looking for a way to rate limit HTTP connections per second for a particular client IP (like iptables hashlimit). There is a feature 'ip-connection-rate-limit' found under 'security idp rulebase-ddos', but I can't figure out how to make it work.

    Has anyone got a configuration example of how this feature should be used for limiting HTTP traffic per IP?

    I know that the same thing can be achieved using Screen, but Screen is per zone.

     

    Thanks and Regards.



  • 2.  RE: Http connection rate limit per second

    Posted 01-23-2014 06:50


  • 3.  RE: Http connection rate limit per second

    Posted 01-29-2014 04:54

    Hi, thank you for your reply.

    I tried to apply the idp configuration as described in http://www.juniper.net/techpubs/en_US/junos12.1x46/topics/reference/configuration-statement/security...

    But I'm still getting no IDP logs, nor anything in "idp status"!

     

    Here is my configuration, am I missing something?

     

    SRX3600> show configuration security idp

    idp-policy host-conn-limit {
        rulebase-ddos {
            rule rule1 {
                match {
                    from-zone untrust;
                    source-address any;
                    to-zone trust;
                    destination-address any;
                    application-ddos {
                        junos-http;
                    }
                }
                then {
                    action {
                        drop-connection;
                    }
                    ip-action {
                        ip-connection-rate-limit 100;
                        log;
                        timeout 10;
                        refresh-timeout;
                    }
                }
            }
        }
    }

    SRX3600> show configuration security policies from-zone untrust to-zone trust
    policy pol2idp {
        match {
            source-address any;
            destination-address any;
            application junos-http;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
        }
    }

    Regards.

     



  • 4.  RE: Http connection rate limit per second

    Posted 01-29-2014 05:00

    Is the host-conn-limit policy set as active?

     

    user@srx# show security idp active-policy

     



  • 5.  RE: Http connection rate limit per second
    Best Answer

    Posted 01-30-2014 07:50

    That's it! This is what I was missing:

    # set security idp active-policy host-conn-limit

     

    and now the connection rate-limit feature is working.

    Thanks a lot for your help.

     

    Regards.
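The root cause in this thread, an IDP policy that is defined and referenced by a security policy but never selected with `active-policy`, is easy to catch with a config audit. The script below is an added example, not code from the thread or from Juniper; it parses constructed `show configuration | display set` output mirroring the poster's config and reports the conditions that leave IDP silent.

```python
import re

# Constructed "display set" rendering of the thread's config: the rulebase-ddos
# policy exists and pol2idp sends HTTP to IDP, but no active-policy statement
# selects the policy, so IDP never evaluates traffic and logs nothing.
SAMPLE_CONFIG = """\
set security idp idp-policy host-conn-limit rulebase-ddos rule rule1 match from-zone untrust
set security idp idp-policy host-conn-limit rulebase-ddos rule rule1 match to-zone trust
set security idp idp-policy host-conn-limit rulebase-ddos rule rule1 match application-ddos junos-http
set security idp idp-policy host-conn-limit rulebase-ddos rule rule1 then action drop-connection
set security idp idp-policy host-conn-limit rulebase-ddos rule rule1 then ip-action ip-connection-rate-limit 100
set security idp idp-policy host-conn-limit rulebase-ddos rule rule1 then ip-action log
set security policies from-zone untrust to-zone trust policy pol2idp match application junos-http
set security policies from-zone untrust to-zone trust policy pol2idp then permit application-services idp
"""

# The one-line fix from the accepted answer.
FIX_LINE = "set security idp active-policy host-conn-limit"


def audit_idp_policy(config_set: str) -> list:
    """Return the problems that would leave IDP inert (no logs, nothing in
    'show security idp status'); an empty list means the wiring is complete."""
    lines = [l.strip() for l in config_set.splitlines() if l.strip()]
    # Names of every idp-policy defined under [security idp].
    defined = {m.group(1) for l in lines
               if (m := re.match(r"set security idp idp-policy (\S+)", l))}
    # The policy selected with active-policy, if any.
    active = [m.group(1) for l in lines
              if (m := re.fullmatch(r"set security idp active-policy (\S+)", l))]
    # At least one security policy must hand permitted traffic to IDP.
    idp_enabled = any(
        re.fullmatch(r"set security policies .* then permit application-services idp", l)
        for l in lines)

    problems = []
    if not defined:
        problems.append("no idp-policy defined under security idp")
    if not active:
        problems.append("no active-policy set: IDP policies are inert until one is selected")
    elif active[0] not in defined:
        problems.append(f"active-policy {active[0]} does not match a defined idp-policy")
    if not idp_enabled:
        problems.append("no security policy permits traffic with application-services idp")
    return problems
```

Run against the sample it reports only the missing `active-policy`; appending `FIX_LINE` clears the audit.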