Policy Session Limit

last person joined: 2 days ago

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Back to discussions

Expand all | Collapse all

Policy Session Limit

Jump to Best Answer

1. Policy Session Limit

0 Recommend
Erdem
Posted 01-27-2010 19:15

Reply Reply Privately
Hi All,

I'm in the process of moving from a pair of SSG 520s to a pair of SRX 240s.

I am trying to find a way to do the following in JunOS:
set policy id 4 from "Untrust" to "Public" "Any-IPv4" "Any-IPv4" "ANY" permit count sess-limit per-src-ip 1000

Basically I want to setup a session limit for certain policies.

Any ideas?
2. RE: Policy Session Limit
Best Answer

0 Recommend
aarseniev
Posted 01-28-2010 12:39

Reply Reply Privately
Hello there,
AFAIR, there is no direct match for this ScreenOS feature in SRX but you can mimic this behaviour with following approach:
1/ write a policy with appropriate match criteria and action=permit. Let's call it policy #100
2/ write another policy with same match criteria and action=discard. Let's call it policy #200
3/ write a SLAX script which periodically reads "show security policies policy-name <name> detail" and takes session count from there
4/ should the count exceed the rising threshold, the SLAX script reorders policies in such way that policy #200 appears before policy #100.
5/ should the number of policies drop below falling threshold, script reorders policies back.
The only thing which is missing is session accounting per src IP but you can always write a separate policy per /32 src prefix.
Good luck!
Rgds
Alex
3. RE: Policy Session Limit

0 Recommend
Erdem
Posted 02-02-2010 19:17

Reply Reply Privately
Thanks Alex, sounds pretty complex for doing a simple session limit!
4. RE: Policy Session Limit

0 Recommend
aarseniev
Posted 02-08-2010 04:06

Reply Reply Privately
Hi there,
UTM also can limit sessions "per UTM policy per src IP" but you may need a license
UTM sessions-per-client configuration:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/utm-security-sessions-per-client-statement.html
SRX licensing
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-admin-guide/jd0e37790.html#software-feature-license-desc-section
UTM features licensing
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/jd0e60238.html

Rgds
Alex
5. RE: Policy Session Limit

0 Recommend
Erdem
Posted 02-09-2010 10:43

Reply Reply Privately
Have you looked into the screen limit-session option?
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-15533.html#id-15533
6. RE: Policy Session Limit

0 Recommend
aarseniev
Posted 02-09-2010 11:46

Reply Reply Privately
Hello there,
"set security screen ids-option <name> limit-session" can be used to limit sessions per src.IP/dst.IP inside a zone/per zone.
The OP asked for session limit per policy which AFAIK has no direct match in SRX.
Rgds
Alex
7. RE: Policy Session Limit

0 Recommend
Erdem
Posted 11-18-2011 07:37

Reply Reply Privately
hi any example for slax script for policy session limit?
8. RE: Policy Session Limit

0 Recommend
Erdem
Posted 07-07-2014 06:10

Reply Reply Privately
Hi,

do you know if there is anything more up to date, or the Junos Scripts should be still used?

I need to limit the number of specific application sessions.

Thanks, M.

SRX

Policy Session Limit

Erdem01-27-2010 19:15

aarseniev01-28-2010 12:39Best Answer

Erdem02-02-2010 19:17

aarseniev02-08-2010 04:06

Erdem02-09-2010 10:43

aarseniev02-09-2010 11:46

Erdem11-18-2011 07:37

Erdem07-07-2014 06:10

1. Policy Session Limit

2. RE: Policy Session Limit Best Answer

3. RE: Policy Session Limit

4. RE: Policy Session Limit

5. RE: Policy Session Limit

6. RE: Policy Session Limit

7. RE: Policy Session Limit

8. RE: Policy Session Limit

2. RE: Policy Session Limit
Best Answer