Can Cisco Firepower running the ASA image limit concurrent sessions or not?
Limit by policy/IP/protocol?
I tried to find a document but did not find one.
Please help me.
Yes, you can do that. And as always there are multiple options. Start by looking into VPN filters, as they are likely to fit your needs:
There are examples in the config guide. The VPN filter is an ACL that gets attached to a group-policy. Only traffic permitted in the ACL is allowed for the VPN client.
Here is an example where the sales group is only allowed DNS to .53 and HTTPS to .80:
access-list VPN-FILTER-SALES extended permit udp any host 10.10.10.53 eq domain
access-list VPN-FILTER-SALES extended permit tcp any host 10.10.10.80 eq https
!
group-policy VPN-SALES internal
group-policy VPN-SALES attributes
 vpn-filter value VPN-FILTER-SALES
I'm still confused. How can this configuration limit concurrent sessions by policy/IP/protocol?
My understanding is that the concurrent session limit restricts the number of concurrent sessions. If my understanding is not correct, please let me know.
Perhaps I did not get what you exactly want. The VPN filter limits which IPs/protocols/ports can be used in that VPN session. Can you describe in more detail what you want to achieve?
I mean, can Firepower limit concurrent sessions or not? Referring to the datasheet example: a Firepower 4110 can handle 10 million concurrent firewall connections, but if we need to limit concurrent sessions by policy/IP/protocol, not by ACL configuration, can Firepower do it? And if it can,
can Firepower alert or send an alarm when concurrent sessions reach the limit?
Thank you for your help.
Ok, now I understand what you want. Yes, this can also be done. But the config is based on the Modular Policy Framework (MPF), and it will be quite some work to implement it for different IPs and/or protocols:
For the alarms, you would typically write some log-checking rules on your syslog server.
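To make the MPF approach from the answer above concrete, here is a worked configuration. It is an added example, not from the original thread or from Cisco's documentation; the ACL and class-map names, the 10.10.10.80 address and the limit values are assumptions chosen for illustration. Each class-map matches an ACL (this is where the "per IP/protocol" selection happens), and the set connection command under that class in the policy-map is what caps the connection count. Adding one class per IP/protocol pair is the "quite some work" the answer refers to.

```cisco
! Constructed example: cap HTTPS connections to one web server and SSH
! from any client using MPF. Names, addresses and limits are assumptions.
access-list CONN-LIMIT-WEB extended permit tcp any host 10.10.10.80 eq https
access-list CONN-LIMIT-SSH extended permit tcp any any eq ssh
!
! One class-map per traffic selection; the ACL decides what is counted.
class-map CONN-LIMIT-WEB
 match access-list CONN-LIMIT-WEB
class-map CONN-LIMIT-SSH
 match access-list CONN-LIMIT-SSH
!
! global_policy exists by default on the ASA image; add classes to it.
policy-map global_policy
 class CONN-LIMIT-WEB
! At most 2000 established and 500 half-open (embryonic) connections to
! the web server in total, and no single source address more than 50.
  set connection conn-max 2000 embryonic-conn-max 500 per-client-max 50
 class CONN-LIMIT-SSH
! 0 means no aggregate limit; only the per-client caps apply here.
  set connection conn-max 0 per-client-max 5 per-client-embryonic-max 2
!
! Already present on a default configuration; needed if it was removed.
service-policy global_policy global
!
! Verification: confirm the classes match traffic and show current counts.
show service-policy global
show conn count
```

Once a class hits its limit the ASA drops the new connection attempt and logs it; the syslog rule on your collector should match that connection-limit-exceeded message (201011 on the ASA releases I have worked with; verify the ID in the syslog message guide for your version before building the alert on it).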
Thank you for your answer.
I am trying to understand from your URL. My understanding is that the concurrent session limit can be done under the policy-map/global policy, configured together with an ACL, and the maximum connections set with the command set connection conn-max under the policy-map. But the value can be configured between 0 and 2000000, so if Firepower can handle more than 2 million sessions, can the value be changed to more than 2 million or not?
Please advise me.