https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4401612#M1080706 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/325766">@Karsten Iwen</a>&nbsp;</P><P>I mean firepower can limit concurrent session or not . Refer from datasheet example. Firepower 4110 can handle&nbsp;<STRONG>Concurrent firewall connections 10million&nbsp;</STRONG> but If We need to limit concurrent by policy/ip/protocol not ACL configuration . Firepower can do it and if can do&nbsp;</P><P>firepower can alert or send alarm while concurrent session reach limit sessions ?</P><P>&nbsp;</P><P>Thank you for help</P> Wed, 12 May 2021 04:47:16 GMT jewfcb001 2021-05-12T04:47:16Z https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4400905#M1080676 <P>Hi All,&nbsp;</P><P>Cisco firepower running asa image&nbsp;can limit current session or not ?</P><P>limit by policy/ip/protocol ?</P><P>I try to find document but i not found.&nbsp;</P><P>&nbsp;</P><P>Please help me.</P> Tue, 11 May 2021 08:41:32 GMT https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4400905#M1080676 jewfcb001 2021-05-11T08:41:32Z https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4400944#M1080677 <P>Yes you can do that. And as always there are multiple options. Start with looking into VPN-Filters as they are likely to fit your needs:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/asdm712/vpn/asdm-712-vpn-config/vpn-asdm-setup.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/asdm712/vpn/asdm-712-vpn-config/vpn-asdm-setup.html</A></P> Tue, 11 May 2021 09:21:29 GMT https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4400944#M1080677 Karsten Iwen 2021-05-11T09:21:29Z https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4400945#M1080678 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/325766">@Karsten Iwen</a>&nbsp; thank you your answer . can you share document to me ? for VPN-Filters you mean can limit session on VPN session ?</P> Tue, 11 May 2021 09:20:54 GMT https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4400945#M1080678 jewfcb001 2021-05-11T09:20:54Z https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4400996#M1080682 <P>There are examples in the config-guide. The VPN-Filter is an ACL that gets attached to a group-policy. Only traffic permitted in the ACL is allowed for the VPN-client.</P> <P>Here is an example where the sales group is only allowed DNS to .53 and HTTPS to .80:</P> <PRE>access-list VPN-FILTER-SALES extended permit udp any host 10.10.10.53 eq domain access-list VPN-FILTER-SALES extended permit tcp any host 10.10.10.80 eq https ! group-policy VPN-SALES internal group-policy VPN-SALES attributes vpn-filter value VPN-FILTER-SALES </PRE> <P>&nbsp;</P> Tue, 11 May 2021 11:10:49 GMT https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4400996#M1080682 Karsten Iwen 2021-05-11T11:10:49Z https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4401143#M1080686 <P>I'm still confuse . How this configuration can limit concurrent session by policy/ip/protocol ?</P><P>My understand the current session can limit of number of current session. . If my understand not correct . Please let&nbsp; me know .&nbsp;</P><P>&nbsp;</P> Tue, 11 May 2021 13:48:02 GMT https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4401143#M1080686 jewfcb001 2021-05-11T13:48:02Z https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4401153#M1080687 <P>Perhaps I did not get what you exactly want. The VPN-filter limits which IP/protocol/ports can be used in that VPN-Session. Can you describe in more detail what you want to achieve?</P> Tue, 11 May 2021 14:02:52 GMT https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4401153#M1080687 Karsten Iwen 2021-05-11T14:02:52Z https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4401612#M1080706 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/325766">@Karsten Iwen</a>&nbsp;</P><P>I mean firepower can limit concurrent session or not . Refer from datasheet example. Firepower 4110 can handle&nbsp;<STRONG>Concurrent firewall connections 10million&nbsp;</STRONG> but If We need to limit concurrent by policy/ip/protocol not ACL configuration . Firepower can do it and if can do&nbsp;</P><P>firepower can alert or send alarm while concurrent session reach limit sessions ?</P><P>&nbsp;</P><P>Thank you for help</P> Wed, 12 May 2021 04:47:16 GMT https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4401612#M1080706 jewfcb001 2021-05-12T04:47:16Z https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4401664#M1080707 <P>Ok, now I understand what you want. Yes, this can also be done. But the config is based on the modular policy framework (MPF) and it will be quite some work to implement it for different IPs and/or protocols:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/firewall/asa-914-firewall-config/conns-connlimits.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/firewall/asa-914-firewall-config/conns-connlimits.html</A></P> <P>For the alarms, you would typically write some log-checking rules on your syslog server.</P> Wed, 12 May 2021 06:43:15 GMT https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4401664#M1080707 Karsten Iwen 2021-05-12T06:43:15Z https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4401682#M1080708 <P>Thank you for your answer .</P><P>I try to understand from your URL . My understand is The limit concurrent session can do under policy map/global policy . and configure with acl together . and set maximum connection following command&nbsp;&nbsp;set connection conn-max&nbsp;under policy-map but the value can configure&nbsp;0 and 2000000 , So if Firepower can handle session more than 2milion the value can change more than 2milion or not ?&nbsp;</P><P>&nbsp;</P><P>Please advise me.&nbsp;</P> Wed, 12 May 2021 07:06:34 GMT https://community.cisco.com/t5/network-security/firepower-can-limit-current-session-or-not/m-p/4401682#M1080708 jewfcb001 2021-05-12T07:06:34Z