Setting up some MPF protections for some of our Internet services. I am using MPF to create a class that matches traffic from an ACL, and then applying some connection limits and parameters to the traffic specified in said ACL. See the relevant configuration:
! class-map (name not shown in the post)
 description Webserver Protection Class used to protect Webservers from DOS attacks
 match access-list webserver-protection
! policy-map (name not shown in the post), with a class entry that references the class-map above
 description Policy to control and protect Internet Services
  set connection conn-max 300 embryonic-conn-max 20
! the ACL the class-map matches on
access-list webserver-protection extended permit tcp any object-group web-servers-int object-group web
So the ACL just lists a group of destination hosts and services using object-groups. What I am trying to determine is, with the above MPF configuration, are the conn-max limits I am imposing going to be set for each host listed in the ACL, or are the limits the total limits for all hosts in the ACL? So for example, if I match 10.10.10.5, 10.10.10.6, 10.10.10.7 for WWW connections in the ACL, and impose a 300 conn-max in the MPF policy, does the conn-max apply to 10.10.10.5, 10.10.10.6, and 10.10.10.7 for WWW traffic individually, such that each host has a conn-max of 300, or is the 300 conn-max setting a 300-connection total for all of the 10.10.10.5-7 hosts, such that only 300 connections across 10.10.10.5-7 as a total are allowed? In other words, only 300 connections are allowed between 10.10.10.5-7 as a total.

I think it's the former, but when I run the command sh service-policy interface OUTSIDE, it seems to show a total in the output, so I want to clarify:
Set connection policy: conn-max 300 embryonic-conn-max 20
current conns 84, drop 0
In the output, is it showing a total of all the hosts in the ACL and the number of connections that are open amongst all of them? Hopefully what I am asking makes sense. Thanks in advance for any help here.
I gave up here and called TAC. It works the way I thought it did in the first scenario. Each host in the ACL can only accept the number of connections configured in the set connection part of the policy. Thanks.
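As an added example (not from the original post or the TAC reply), here is the complete ASA configuration that the fragments above imply, laid out so the class-map, policy-map and service-policy hierarchy is visible, followed by the show commands used to check it. The class-map and policy-map names, the three server addresses, the service ports, and the interface name OUTSIDE are assumptions; only the ACL name, the object-group names and the set connection values come from the post. The limit semantics assumed are the ones the TAC reply states: each destination host matched by the ACL gets its own 300/20 limit.

```cisco
! Added example, not the poster's configuration. Names and addresses are assumed.
! Destination hosts and services referenced by the ACL
object-group network web-servers-int
 network-object host 10.10.10.5
 network-object host 10.10.10.6
 network-object host 10.10.10.7
!
object-group service web tcp
 port-object eq www
 port-object eq https
!
access-list webserver-protection extended permit tcp any object-group web-servers-int object-group web
!
! Class that selects the ACL traffic (class-map name is assumed)
class-map webserver-protection-class
 description Webserver Protection Class used to protect Webservers from DOS attacks
 match access-list webserver-protection
!
! Policy that applies the connection limits to that class (policy-map name is assumed).
! Per the TAC reply above, conn-max 300 / embryonic-conn-max 20 applies to each
! destination host the ACL matches, not to the three hosts combined.
! To cap connections per source client instead, the separate keywords
! per-client-max and per-client-embryonic-max exist on the same command.
policy-map internet-services-policy
 description Policy to control and protect Internet Services
 class webserver-protection-class
  set connection conn-max 300 embryonic-conn-max 20
!
! Apply the policy on the Internet-facing interface (interface name is assumed)
service-policy internet-services-policy interface OUTSIDE
!
! Verification: show service-policy reports the policy's counters per class;
! to see what a single server is actually carrying, filter the connection table
! on that destination address.
show service-policy interface OUTSIDE
show conn address 10.10.10.5
show conn address 10.10.10.6
show conn address 10.10.10.7
```

When checking that the limit is really per host, drive connections to one server only and watch the drop counter under the class: with the semantics the TAC reply describes, 10.10.10.5 reaching 300 established connections does not stop new connections to 10.10.10.6 or 10.10.10.7.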