Navigating The Sra Management Interface; How Does Rate Limiting For Custom Rules Work - Dell SonicWall SRA 4200 Administrator's Manual

Sra 6.0

If a rule chain has already been generated from a URL profile in the past, then the rule chain
will be overwritten only if the Overwrite existing Rule Chains for URL Profiles check box is
selected. When you click the Generate Rules button, the rules are generated from the URL
profiles. If a URL profile has been modified, those changes are incorporated.

How Does Rate Limiting for Custom Rules Work?

The administrator can configure rate limiting when adding or editing a rule chain from the Web
Application Firewall > Rules page. When rate limiting is enabled for a rule chain, the action for
the rule chain is triggered only when the number of matches within a configured time period is
above the configured threshold.

This type of protection is useful in preventing Brute Force and Dictionary attacks. An example
rule chain with a Rule Chain ID of 15002 is available in the management interface for
administrators to use as reference.

The associated fields are exposed when the Enable Hit Counters check box is selected at the
bottom of the New Rule Chain or Edit Rule Chain screen.

Once a rule chain is matched, Web Application Firewall keeps an internal counter to track how
many times the rule chain is matched. The Max Allowed Hits field contains the number of
matches that must occur before the rule chain action is triggered. If the rule chain is not
matched for the number of seconds configured in the Reset Hit Counter Period field, then the
counter is reset to zero.

Rate limiting can be enforced per remote IP address or per user session or both. The Track
Per Remote Address check box enables rate limiting based on the attacker's remote IP
address.

The Track Per Session check box enables rate limiting based on the attacker's browser
session. This method sets a cookie for each browser session. Tracking by user session is not
as effective as tracking by remote IP if the attacker initiates a new user session for each attack.

The Track Per Remote Address option uses the remote address as seen by the SRA
appliance. In the case where the attack uses multiple clients from behind a firewall that is
configured with NAT, the different clients effectively send packets with the same source IP
address and will be counted together.
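
The following Python model is an added illustration, not code from the manual or from Dell SonicWall: it reproduces the hit-counter behaviour described above (one counter per tracking key, Max Allowed Hits as the threshold, a reset after a quiet Reset Hit Counter Period, and the two tracking modes) so that the NAT and new-session caveats can be seen on constructed sample traffic. The class and function names, the sample addresses and the exact counting semantics (the action fires when the count rises strictly above Max Allowed Hits; the counter resets only when no match arrives for a full period) are assumptions drawn from the text.

```python
from dataclasses import dataclass, field
from typing import Iterable, Tuple


@dataclass
class RateLimitedRuleChain:
    """Assumed model of the WAF hit-counter rate limiting; names follow the UI labels."""
    max_allowed_hits: int                    # "Max Allowed Hits"
    reset_period_s: float                    # "Reset Hit Counter Period" (seconds)
    track_per_remote_address: bool = True    # "Track Per Remote Address"
    track_per_session: bool = False          # "Track Per Session"
    # one counter per tracking key -> (hit count, time of last match)
    _counters: dict = field(default_factory=dict)

    def record_match(self, remote_ip: str, session_id: str, now: float) -> bool:
        """Register one match of the rule chain at time `now` (seconds).
        Returns True when the chain's action fires: the counter for this key has
        risen above Max Allowed Hits without going quiet for a full reset period."""
        key = (remote_ip if self.track_per_remote_address else None,
               session_id if self.track_per_session else None)
        count, last = self._counters.get(key, (0, now))
        if now - last > self.reset_period_s:
            count = 0   # no match for a whole reset period: counter returns to zero
        count += 1
        self._counters[key] = (count, now)
        return count > self.max_allowed_hits


def first_trigger(chain: RateLimitedRuleChain,
                  matches: Iterable[Tuple[str, str, float]]) -> int:
    """Feed (remote_ip, session_id, time) matches in order; return the 1-based
    position of the first match that triggers the action, or 0 if none does."""
    for i, (ip, sess, t) in enumerate(matches, start=1):
        if chain.record_match(ip, sess, t):
            return i
    return 0


# Constructed sample traffic: ten login attempts, one per second, from one host.
ONE_HOST = [("203.0.113.10", "sess-a", float(t)) for t in range(10)]
# Three hosts behind a NAT gateway: one source IP to the appliance, three cookies.
BEHIND_NAT = [("198.51.100.7", f"sess-{t % 3}", float(t)) for t in range(10)]
# A client that never reuses a session cookie: a fresh cookie on every request.
FRESH_COOKIE_EACH_TIME = [("203.0.113.10", f"sess-{t}", float(t)) for t in range(10)]
# Two bursts of four attempts separated by a quiet gap longer than the reset period.
TWO_BURSTS = [("203.0.113.10", "sess-a", float(t)) for t in (0, 1, 2, 3, 100, 101, 102, 103)]

def per_ip() -> RateLimitedRuleChain:
    return RateLimitedRuleChain(max_allowed_hits=5, reset_period_s=30)

def per_session_only() -> RateLimitedRuleChain:
    return RateLimitedRuleChain(max_allowed_hits=5, reset_period_s=30,
                                track_per_remote_address=False, track_per_session=True)
```

Running `first_trigger` with the per-IP chain over `BEHIND_NAT` fires on the sixth combined attempt even though three different clients are involved, while the session-only chain never fires on `FRESH_COOKIE_EACH_TIME`, which is the trade-off the text describes.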

Navigating the SRA Management Interface

The following sections describe how to navigate the SRA management interface:
"Management Interface Introduction" section on page 72
"Navigating the Management Interface" section on page 73
"Navigation Bar" section on page 77
SRA Overview | 71
