I'm in the process of moving from a pair of SSG 520s to a pair of SRX 240s.
I am trying to find a way to do the following in JunOS:
set policy id 4 from "Untrust" to "Public" "Any-IPv4" "Any-IPv4" "ANY" permit count sess-limit per-src-ip 1000
Basically I want to setup a session limit for certain policies.
AFAIR, there is no direct match for this ScreenOS feature in SRX, but you can mimic this behaviour with the following approach:
1/ write a policy with appropriate match criteria and action=permit. Let's call it policy #100
2/ write another policy with same match criteria and action=discard. Let's call it policy #200
3/ write a SLAX script which periodically reads "show security policies policy-name <name> detail" and takes session count from there
4/ should the count exceed the rising threshold, the SLAX script reorders the policies in such a way that policy #200 appears before policy #100.
5/ should the number of policies drop below the falling threshold, the script reorders the policies back.
The only thing which is missing is session accounting per src IP but you can always write a separate policy per /32 src prefix.
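The controller logic behind steps 3 to 5, as an added example that is not from the thread and not a SLAX script: plain Python that parses the text of `show security policies policy-name <name> detail`, applies rising and falling thresholds with hysteresis so a count hovering around the limit does not trigger a commit on every poll, and returns the configuration-mode `insert` commands that move the discard policy in front of (or back behind) the permit policy. The policy names `web-permit` and `web-discard`, the zone pair, the thresholds and the sample output are all constructed for the example; the `Active sessions` counter is assumed to be what a policy with `then count` reports in its `Policy statistics` block. Transport to the box (NETCONF, PyEZ, or porting to on-box SLAX) is not shown.

```python
"""Two-policy session limiter: poll -> compare -> reorder, with hysteresis."""
import re

# Assumed/hypothetical names and thresholds (not from the original post).
ZONE_FROM, ZONE_TO = "Untrust", "Public"
PERMIT_POLICY = "web-permit"      # policy #100 in the post: same match, action permit
DISCARD_POLICY = "web-discard"    # policy #200 in the post: same match, action deny
RISING, FALLING = 1000, 800       # block above RISING, unblock at or below FALLING

# Constructed sample of `show security policies policy-name web-permit detail`
# for a policy configured with `then permit` and `then count`.
SAMPLE_OUTPUT = """\
Policy: web-permit, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: Untrust, To zone: Public
  Source addresses:
    any-ipv4: 0.0.0.0/0
  Destination addresses:
    any-ipv4: 0.0.0.0/0
  Application: junos-http
  Policy statistics:
    Input  bytes     :              1234567
    Output bytes     :              7654321
    Session rate     :                    7
    Active sessions  :                 1042
    Session deletions:                  990
    Policy lookups   :                 2032
"""

_ACTIVE_RE = re.compile(r"^\s*Active sessions\s*:\s*(\d+)\s*$", re.MULTILINE)


def active_sessions(show_output: str) -> int:
    """Extract the active session count; fail loudly if the counter is absent,
    which on a real box usually means `then count` is missing from the policy."""
    m = _ACTIVE_RE.search(show_output)
    if not m:
        raise ValueError("no 'Active sessions' counter; is 'then count' set on the policy?")
    return int(m.group(1))


class SessionLimiter:
    """Remembers whether the discard policy is currently in front and emits the
    Junos commands that flip the order. Hysteresis: block at >= rising, unblock
    only at <= falling, so the ordering is not committed back and forth while
    the count sits near the limit."""

    def __init__(self, rising: int = RISING, falling: int = FALLING, blocking: bool = False):
        if falling >= rising:
            raise ValueError("falling threshold must be below rising threshold")
        self.rising, self.falling, self.blocking = rising, falling, blocking

    def commands(self, count: int) -> list:
        base = (f"security policies from-zone {ZONE_FROM} to-zone {ZONE_TO} "
                f"policy {DISCARD_POLICY}")
        if not self.blocking and count >= self.rising:
            self.blocking = True            # new sessions now hit the discard policy
            return [f"insert {base} before policy {PERMIT_POLICY}", "commit"]
        if self.blocking and count <= self.falling:
            self.blocking = False           # existing sessions aged out, reopen
            return [f"insert {base} after policy {PERMIT_POLICY}", "commit"]
        return []                           # nothing to do this poll


def poll_once(show_output: str, limiter: SessionLimiter) -> list:
    """One polling cycle: parse the show output and return commands to apply."""
    return limiter.commands(active_sessions(show_output))


if __name__ == "__main__":
    lim = SessionLimiter()
    for cmd in poll_once(SAMPLE_OUTPUT, lim):
        print(cmd)
```

Two things to keep in mind when running this for real: with `policy-rematch` off (the default), reordering only affects new sessions, so the permit policy's active count decays as sessions close rather than dropping immediately, which is exactly why the falling threshold exists; and the count is per policy, not per source IP, which is the gap the original post points out.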
Thanks Alex, sounds pretty complex for doing a simple session limit!
UTM also can limit sessions "per UTM policy per src IP" but you may need a license
UTM sessions-per-client configuration:
UTM features licensing
Have you looked into the screen limit-session option?
"set security screen ids-option <name> limit-session" can be used to limit sessions per src.IP/dst.IP inside a zone/per zone.
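What that screen option looks like in a full configuration, as an added example that is not from the thread; the screen name `untrust-screen` and the limits are placeholders chosen here, and the screen only takes effect once it is bound to a zone:

```junos
set security screen ids-option untrust-screen limit-session source-ip-based 1000
set security screen ids-option untrust-screen limit-session destination-ip-based 2000
set security zones security-zone Untrust screen untrust-screen
```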
The OP asked for session limit per policy which AFAIK has no direct match in SRX.
Hi, is there any example of a SLAX script for a policy session limit?
Do you know if there is anything more up to date, or should the Junos scripts still be used?
I need to limit the number of specific application sessions.