R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101
[Firewall] connection-limit apply policy 0
Verification
After the configuration, use the display connection-limit policy command to display information about the
connection limit policy. The output for this example is as follows:
[Firewall] display connection-limit policy 0
Connection-limit policy 0, refcount 1, 3 limits
limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 100 per-source
limit 1 source ip any destination ip 192.168.0.3 32 protocol dns max-connections 10000
limit 2 source ip any destination ip 192.168.0.2 32 protocol http max-connections 10000
Troubleshooting connection limiting
Connection limit rules with overlapping segments
Symptom
On the Firewall, create a connection limit policy and configure one rule to limit connections from hosts on
segment 192.168.0.0/24 to an upper limit of 10 per source, and a second rule to limit connections from the host
192.168.0.100 to an upper limit of 100:
[Firewall-connection-limit-policy-0] limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 10 per-source
[Firewall-connection-limit-policy-0] limit 1 source ip 192.168.0.100 32 destination ip any protocol ip max-connections 100 per-source
In actual operation, with this configuration, the host 192.168.0.100 can initiate at most 10 connections to the
external network, not the intended 100.
Analysis
Rules are matched in ascending order of rule ID, and the first matching rule is the one applied. Both limit 0
and limit 1 cover the address 192.168.0.100 (it falls within 192.168.0.0/24), so connections from that host match
limit 0 first and limit 1 is never consulted for them. The host is therefore capped at 10.
Solution
Rearrange the two connection limit rules by exchanging their rule IDs so that the more specific rule (for the
host 192.168.0.100) has the smaller ID and is matched first; the segment rule then applies only to the other hosts.
Connection limit rules with overlapping protocol types
Symptom
Internal server 192.168.0.100 provides both web and FTP services for external users. On the Firewall, create a
connection limit policy and configure two connection limit rules, one limiting TCP connections to the server to an
upper limit of 100 and the second limiting HTTP connections to the server to an upper limit of 10000:
[Firewall-connection-limit-policy-0] limit 0 source ip any destination ip 192.168.0.100 protocol tcp max-connections 100
[Firewall-connection-limit-policy-0] limit 1 source ip any destination ip 192.168.0.100 protocol http max-connections 10000
With this configuration, at most 100 HTTP connections to the server can be established.
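Both troubleshooting cases above come down to the same rule-matching behaviour: rules are tried in ascending ID order, the first match wins, and a broader rule (a wider prefix or a more general protocol) placed before a narrower one silently takes over its traffic. The following Python model, added here as an illustration and not part of the HP documentation or firewall code, replays both scenarios. It assumes a simple protocol hierarchy (http over tcp, dns over udp or tcp, everything under ip) and that the per-source keyword keeps one counter per source address while its absence keeps one counter for the whole rule; both are modelling assumptions, not a description of the device's internals.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed protocol hierarchy for the model: a rule's protocol matches a
# connection if it is the same protocol or a layer beneath it.
PROTO_PARENTS = {
    "http": {"http", "tcp", "ip"},
    "dns": {"dns", "udp", "tcp", "ip"},
    "tcp": {"tcp", "ip"},
    "udp": {"udp", "ip"},
    "ip": {"ip"},
}


def _in(spec, ip):
    """spec is 'any' or an address/prefix string such as '192.168.0.0/24'."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass
class Limit:
    rule_id: int
    src: str
    dst: str
    protocol: str
    max_connections: int
    per_source: bool = False

    def matches(self, src_ip, dst_ip, proto):
        return (_in(self.src, src_ip) and _in(self.dst, dst_ip)
                and self.protocol in PROTO_PARENTS[proto])


class Policy:
    """First-match policy: rules are tried in ascending rule ID order."""

    def __init__(self, limits):
        self.limits = sorted(limits, key=lambda l: l.rule_id)
        # Counter key: (rule_id, source address) for per-source rules,
        # (rule_id, None) for aggregate rules (assumed semantics).
        self.counts = defaultdict(int)

    def first_match(self, src_ip, dst_ip, proto):
        for limit in self.limits:
            if limit.matches(src_ip, dst_ip, proto):
                return limit
        return None

    def admit(self, src_ip, dst_ip, proto):
        limit = self.first_match(src_ip, dst_ip, proto)
        if limit is None:
            return True  # no rule applies, connection is not limited
        key = (limit.rule_id, src_ip if limit.per_source else None)
        if self.counts[key] >= limit.max_connections:
            return False
        self.counts[key] += 1
        return True


def admitted(policy, src_ip, dst_ip, proto, attempts):
    """Number of connection attempts the policy lets through."""
    return sum(policy.admit(src_ip, dst_ip, proto) for _ in range(attempts))


def overlapping_segments(host_rule_first):
    """Case 1: /24 rule (10 per source) versus /32 rule (100 per source)."""
    seg_id, host_id = (1, 0) if host_rule_first else (0, 1)
    policy = Policy([
        Limit(seg_id, "192.168.0.0/24", "any", "ip", 10, per_source=True),
        Limit(host_id, "192.168.0.100/32", "any", "ip", 100, per_source=True),
    ])
    # 200 outbound TCP attempts from the special host and from another host
    # in the segment (constructed traffic, external peer 10.0.0.1 assumed).
    return {
        "192.168.0.100": admitted(policy, "192.168.0.100", "10.0.0.1", "tcp", 200),
        "192.168.0.50": admitted(policy, "192.168.0.50", "10.0.0.1", "tcp", 200),
    }


def overlapping_protocols(http_rule_first):
    """Case 2: tcp rule (100 total) versus http rule (10000 total)."""
    tcp_id, http_id = (1, 0) if http_rule_first else (0, 1)
    policy = Policy([
        Limit(tcp_id, "any", "192.168.0.100/32", "tcp", 100),
        Limit(http_id, "any", "192.168.0.100/32", "http", 10000),
    ])
    # 500 inbound HTTP attempts from an external client (constructed).
    return admitted(policy, "203.0.113.7", "192.168.0.100", "http", 500)


if __name__ == "__main__":
    print("segments, as configured :", overlapping_segments(host_rule_first=False))
    print("segments, host rule first:", overlapping_segments(host_rule_first=True))
    print("protocols, as configured :", overlapping_protocols(http_rule_first=False))
    print("protocols, http rule first:", overlapping_protocols(http_rule_first=True))
```

Run as is, the model reproduces both symptoms: with the segment rule at ID 0 the host 192.168.0.100 gets 10 connections, and with the tcp rule at ID 0 the server accepts 100 HTTP connections, because the broader rule is matched first. Swapping the IDs so that the narrower rule comes first restores the intended 100 and 10000 caps in the model while leaving the other segment hosts at 10.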