04-Policies

15-Connection limit

Connection limit


This help contains the following topics:

·     Introduction

    ○     Connection limit policies

    ○     Connection limit rules

·     Restrictions and guidelines

·     Configure connection limit

Introduction

The connection limit feature enables the device to collect statistics and limit the number of established connections. It helps protect internal network resources and better allocate system resources.

Connection limit policies

The device supports both IPv4 and IPv6 connection limit policies. You can apply a configured connection limit policy globally or to an interface to limit the number of user connections.

The connection limit policy applied to an interface takes effect only on the specified connections on the interface. The connection limit policy applied globally takes effect on all the specified connections on the device.

Different connection limit policies can be applied to individual interfaces as well as globally on the device. In this case, the device matches connections against these policies in the following order: the policy on the inbound interface, the global policy, and then the policy on the outbound interface. New connections are limited as soon as the number of connections reaches the smallest upper limit defined by any of these policies.

Connection limit rules

To use a connection limit policy, you need to add limit rules to the policy. Each rule defines a range of connections and the criteria for limiting the connections. Connections in the range will be limited based on the criteria. The following criteria are available:

·     Connection limits—Limits the number of matching connections. When the number of matching connections reaches the upper limit, the device accepts or rejects new connections depending on the action you configured. If the action is to reject new connections, the device does not accept new connections until the number of connections drops below the lower limit due to connection aging. The device sends logs when the number of connections exceeds the upper limit. It also sends logs when the number of connections drops below the lower limit, but only if the action is to reject new connections.

·     Connection establishment rate limit—Limits the number of connections established per second. When the connection establishment rate reaches the upper limit, the device accepts or rejects new connections depending on the action you configured, and records logs.

Connections that do not match any limit rules are not limited.

In each connection limit rule, an ACL defines the connection range. Only the user connections that match the ACL are limited. In addition, a rule can use the following filtering methods to further narrow the connections that are counted against a limit:

·     Source IP—Limits user connections by source IP address.

·     Destination IP—Limits user connections by destination IP address.

·     Service port—Limits user connections by service (transport layer protocol and service port).

You can select more than one filtering method, and the selected methods take effect at the same time. For example, if you specify both Destination IP and Service port, the user connections using the same service and destined to the same IP address are limited. If you do not specify any filtering methods in a limit rule, all user connections in the range are limited.

When a connection limit policy is applied, the device compares connections with all limit rules in the policy in ascending order of rule IDs. As a best practice, specify a smaller range and more filtering methods in a rule with a smaller ID.
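The rule semantics described above (first match by ascending rule ID, the ACL-defined range, the filtering methods, upper and lower limits with the reject action, and logging) together with the inbound, global, outbound matching order from "Connection limit policies" can be checked with a small model. The following Python is an added example for this help page and is not H3C's or Comware's code: the ACL is simplified to a list of permitted source networks, connection establishment rate limits are not modeled, and the policy names, rule IDs, addresses and limit values are constructed for the scenario.

```python
# Toy model of connection-limit semantics (constructed example, not Comware code).
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence, Set, Tuple

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass
class Rule:
    rule_id: int
    acl: List[str]                # simplified ACL: permitted source networks
    methods: Tuple[str, ...]      # any subset of ("src", "dst", "service")
    upper: int
    lower: int
    action: str = "reject"        # applied to new connections once upper is reached
    counts: Dict[tuple, int] = field(default_factory=lambda: defaultdict(int))
    blocked: Set[tuple] = field(default_factory=set)

    def matches(self, c: Conn) -> bool:
        return any(ip_address(c.src) in ip_network(n) for n in self.acl)

    def key(self, c: Conn) -> tuple:
        # Connections sharing every selected attribute share one counter (no method selected: one counter for the whole range).
        attrs = {"src": (c.src,), "dst": (c.dst,), "service": (c.proto, c.dport)}
        return tuple((m, *attrs[m]) for m in ("src", "dst", "service") if m in self.methods)

@dataclass
class Policy:
    name: str
    rules: List[Rule]
    logs: List[str] = field(default_factory=list)

    def _first_match(self, c: Conn) -> Optional[Rule]:
        # Rules are compared in ascending rule ID; no match means the connection is not limited.
        return next((r for r in sorted(self.rules, key=lambda r: r.rule_id) if r.matches(c)), None)

    def admit(self, c: Conn) -> bool:
        rule = self._first_match(c)
        if rule is None:
            return True
        k = rule.key(c)
        if k in rule.blocked:     # rejecting until aging drops the count below lower
            return False
        n = rule.counts[k]
        if n >= rule.upper:
            self.logs.append(f"{self.name} rule {rule.rule_id} {k}: upper limit {rule.upper} reached")
            if rule.action == "reject":
                rule.blocked.add(k)
                return False
        rule.counts[k] = n + 1
        return True

    def age(self, c: Conn) -> None:
        # A counted connection ends (or is rolled back after a later policy rejected it).
        rule = self._first_match(c)
        if rule is None:
            return
        k = rule.key(c)
        rule.counts[k] -= 1
        if k in rule.blocked and rule.counts[k] < rule.lower:
            rule.blocked.discard(k)
            self.logs.append(f"{self.name} rule {rule.rule_id} {k}: below lower limit {rule.lower}")

def device_admit(policies: Sequence[Optional[Policy]], c: Conn) -> bool:
    # Policies in matching order: inbound interface, global, outbound interface.
    passed = []
    for p in filter(None, policies):
        if not p.admit(c):
            for q in passed:      # earlier policies must not keep counting a rejected connection
                q.age(c)
            return False
        passed.append(p)
    return True

def device_age(policies: Sequence[Optional[Policy]], c: Conn) -> None:
    for p in filter(None, policies):
        p.age(c)

def simulate() -> dict:
    # Constructed scenario: an inbound interface policy plus a global policy, no outbound policy.
    inbound = Policy("inbound", [
        Rule(1, ["10.1.1.0/24"], ("dst", "service"), upper=3, lower=2),         # narrow range, small ID
        Rule(2, ["10.1.0.0/16"], ("src",), upper=3, lower=1, action="accept"),  # wider range, larger ID
    ])
    glob = Policy("global", [Rule(10, ["0.0.0.0/0"], (), upper=4, lower=2)])
    order = (inbound, glob, None)
    web = Conn("10.1.1.5", "192.0.2.10", "tcp", 443)             # matches rule 1 (smaller ID wins)
    out = {"web": [device_admit(order, web) for _ in range(4)]}  # 4th reaches upper limit 3
    device_age(order, web)                                       # 3 -> 2: not below lower 2, still blocked
    out["after_one_age"] = device_admit(order, web)
    device_age(order, web)                                       # 2 -> 1: below lower, unblocked
    out["after_two_ages"] = device_admit(order, web)
    dns = Conn("10.1.7.7", "198.51.100.1", "udp", 53)            # misses rule 1, matches rule 2
    out["dns"] = [device_admit(order, dns) for _ in range(3)]    # 3rd rejected by the global policy
    out["logs"] = inbound.logs + glob.logs
    return out
```

Running `simulate()` shows the fourth web connection rejected when rule 1 reaches its upper limit, the same destination and service staying rejected after one connection ages out (the count is not yet below the lower limit) and being accepted again after a second one ages out, and the third DNS connection rejected by the global policy even though rule 2 on the interface would still accept it, which is the smallest upper limit across the applied policies taking effect.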

Restrictions and guidelines

·     For devices supporting service modules, the connections are limited on a per-service module basis.

·     A connection limit policy takes effect only on new connections. It does not take effect on existing connections.

·     On an IRF fabric where session synchronization is enabled, connection limit policies applied to a subordinate device do not take effect on sessions switched from the master device.

·     An ACL can be used only once within a connection limit policy, but the same ACL can be used in multiple connection limit policies.

·     A connection limit policy cannot be applied to a loopback interface.

Configure connection limit

Configure connection limit as shown in Figure 1.

Figure 1 Connection limit configuration procedure


The upper limit must be greater than the number of CPU cores on the device. As a best practice, set the upper limit to a value greater than 32.
