Limiting Sessions Per Policy From Source Ips - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide
464
DI and IDP are mutually exclusive. When you install the IDP license key on a security
device, DI is automatically disabled.
When configuring the firewall rule, consider the following:
Traffic that is denied by a firewall rule cannot be passed to IDP rules. To enable IDP in
a firewall rule, the action must be permit.
For firewall rules that pass traffic to the IDP rulebases, the Install On column must
include IDP-capable devices only.
To forward traffic to the IDP rulebases, enable IDP and select one of the following modes:
In inline mode, IDP is directly in the path of traffic on your network and can detect and
block attacks. For example, you can deploy the ISG2000 or ISG1000 with integrated
Firewall/VPN/IDP capabilities between the Internet and an enterprise LAN, WAN, or
special zones such as DMZ.
In inline tap mode, IDP can detect attacks and provide notification. IDP receives a copy
of a packet while the original packet is forwarded on the network. IDP examines the
copy of the packet and flags any potential problems. IDP's inspection of packets does
not affect the forwarding of the packet on the network.
You must deploy the ISG2000 or ISG1000 device inline. You cannot connect a device
that is in inline tap mode to an external TAP or SPAN port on a switch.
Selecting either mode enables IDP for the firewall rule, and configures the security device
to forward all permitted traffic to the IDP rulebases for further processing.

Limiting Sessions per Policy from Source IPs

With the session-limit option, you can restrict sessions from a particular Source IP address
to all your devices running ScreenOS 6.1 and later. In NSM, you can set the following
options from the Session Limit tab in the Configure Options window of the device.
Session limit per src-ip on policy
Session count
Alarm without drop packet
When the sessions reach the threshold limit, the system drops all subsequent sessions.
If you enable the "alarm without drop packet" option, the packet is not dropped, but an
alarm message is raised. If you do not set a source IP, the device lists the session counts
of all the source IP addresses in the policy.
In cross-vsys traffic, since there is one policy per vsys to permit traffic, each cross-vsys
session is permitted by two policies. However, the session limit policy is only for the
ingress vsys. You must configure the session limit in the ingress vsys policy to limit the
session count.
In a synchronized NSRP setup, the session limit policy also counts sessions in the slave
device, which does not impose any limit. When the slave becomes the master, a new
session is created only if the existing session count does not exceed the threshold. If the
Copyright © 2010, Juniper Networks, Inc.