SRX Services Gateway

Policy Session Limit

01-27-2010 07:14 PM

Hi All,

I'm in the process of moving from a pair of SSG 520s to a pair of SRX 240s.

I am trying to find a way to do the following in JunOS:

set policy id 4 from "Untrust" to "Public"  "Any-IPv4" "Any-IPv4" "ANY" permit count sess-limit per-src-ip 1000

Basically I want to set up a session limit for certain policies.

Any ideas?

7 REPLIES
Solution
Accepted by topic author mwdmeyer
08-26-2015 01:27 AM

Re: Policy Session Limit

01-28-2010 12:38 PM

Hello there,

AFAIR, there is no direct match for this ScreenOS feature in SRX, but you can mimic this behaviour with the following approach:

1/ Write a policy with appropriate match criteria and action=permit. Let's call it policy #100.

2/ Write another policy with the same match criteria and action=discard. Let's call it policy #200.

3/ Write a SLAX script which periodically reads "show security policies policy-name <name> detail" and takes the session count from there.

4/ Should the count exceed the rising threshold, the SLAX script reorders policies in such a way that policy #200 appears before policy #100.

5/ Should the number of policies drop below the falling threshold, the script reorders policies back.

The only thing which is missing is session accounting per src IP, but you can always write a separate policy per /32 src prefix.

Good luck!

Rgds

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
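
The threshold logic behind steps 3 to 5 above, as an added example that is not part of the thread: the answer describes an on-box SLAX op script, while this is Python so the parsing and hysteresis decision can be read and tested off-box. The CLI output sample is constructed, the zone and policy names (Untrust/Public, p100/p200) are hypothetical, and it is assumed that the "Active sessions" counter only appears when the policy has "count" enabled; the reordering is expressed with the Junos "insert ... before/after policy" statement.

```python
import re

# Constructed sample of "show security policies policy-name p100 detail" output.
# Assumption: the policy has "count" enabled, so an "Active sessions" counter is present.
SAMPLE_OUTPUT = """\
Policy: p100, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  From zone: Untrust, To zone: Public
  Policy statistics:
    Session rate     :                   12                    1 sps
    Active sessions  :                 1050
    Session deletions:                98210
"""

ACTIVE_RE = re.compile(r"^\s*Active sessions\s*:\s*(\d+)", re.MULTILINE)


def parse_active_sessions(cli_output):
    """Pull the active-session counter out of the policy detail output."""
    match = ACTIVE_RE.search(cli_output)
    if match is None:
        raise ValueError("no 'Active sessions' counter found; is 'count' enabled on the policy?")
    return int(match.group(1))


def next_state(blocking, active, rising, falling):
    """Hysteresis: start blocking above `rising`, stop only once below `falling`,
    so the policy order does not flap on every poll when the count hovers near the limit."""
    if not blocking and active > rising:
        return True
    if blocking and active < falling:
        return False
    return blocking


def reorder_commands(blocking, zones, permit_policy, discard_policy):
    """Junos statements moving the discard policy ahead of (blocking) or behind
    (unblocking) the permit policy that carries the same match criteria."""
    position = "before" if blocking else "after"
    return [f"insert security policies from-zone {zones[0]} to-zone {zones[1]} "
            f"policy {discard_policy} {position} policy {permit_policy}", "commit"]


def poll_once(cli_output, blocking, rising=1000, falling=800,
              zones=("Untrust", "Public"), permit_policy="p100", discard_policy="p200"):
    """One polling cycle: returns the new state and the config change to apply, if any."""
    active = parse_active_sessions(cli_output)
    new_state = next_state(blocking, active, rising, falling)
    if new_state == blocking:
        return blocking, []
    return new_state, reorder_commands(new_state, zones, permit_policy, discard_policy)
```

Run against the sample with `blocking=False`, the cycle returns the "insert ... p200 before policy p100" statement; a later poll with the count between 800 and 1000 returns no change because of the hysteresis gap.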

Re: Policy Session Limit

02-02-2010 07:16 PM

Thanks Alex, sounds pretty complex for doing a simple session limit!


Re: Policy Session Limit

02-08-2010 04:05 AM

Hi there,

UTM can also limit sessions "per UTM policy per src IP", but you may need a license.

UTM sessions-per-client configuration:

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-refere...

SRX licensing

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-admin-guid...

UTM features licensing

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-s...

Rgds

Alex

Re: Policy Session Limit

02-09-2010 10:43 AM

Re: Policy Session Limit

02-09-2010 11:46 AM

Hello there,

"set security screen ids-option <name> limit-session" can be used to limit sessions per src.IP/dst.IP inside a zone/per zone.

The OP asked for session limit per policy which AFAIK has no direct match in SRX.

Rgds

Alex

Re: Policy Session Limit

11-18-2011 07:37 AM

Hi, any example of a SLAX script for policy session limit?


Re: Policy Session Limit

07-07-2014 06:10 AM

Hi,

Do you know if there is anything more up to date, or should Junos Scripts still be used?

I need to limit the number of specific application sessions.

Thanks, M.

MV.