

Firepower can limit current session or not

Hi All, 

Can Cisco Firepower running the ASA image limit current sessions or not?

Limit by policy/IP/protocol?

I tried to find a document but did not find one.


Please help me.

Karsten Iwen
VIP Mentor

Yes you can do that. And as always there are multiple options. Start with looking into VPN-Filters as they are likely to fit your needs:

@Karsten Iwen thank you for your answer. Can you share the document with me? By VPN-Filters, do you mean it can limit sessions on a VPN session?

There are examples in the config-guide. The VPN-Filter is an ACL that gets attached to a group-policy. Only traffic permitted in the ACL is allowed for the VPN-client.

Here is an example where the sales group is only allowed DNS to .53 and HTTPS to .80:

access-list VPN-FILTER-SALES extended permit udp any host eq domain
access-list VPN-FILTER-SALES extended permit tcp any host eq https
group-policy VPN-SALES internal
group-policy VPN-SALES attributes
  vpn-filter value VPN-FILTER-SALES


I'm still confused. How can this configuration limit concurrent sessions by policy/IP/protocol?

My understanding is that the current session can limit the number of current sessions. If my understanding is not correct, please let me know.


Perhaps I did not get what you exactly want. The VPN-filter limits which IP/protocol/ports can be used in that VPN-Session. Can you describe in more detail what you want to achieve?

@Karsten Iwen 

I mean: can Firepower limit concurrent sessions or not? Referring to the datasheet, for example, the Firepower 4110 can handle 10 million concurrent firewall connections, but if we need to limit concurrent sessions by policy/IP/protocol, not by ACL configuration, can Firepower do it? And if it can, can Firepower alert or send an alarm when the concurrent sessions reach the session limit?


Thank you for your help.

Ok, now I understand what you want. Yes, this can also be done. But the config is based on the modular policy framework (MPF) and it will be quite some work to implement it for different IPs and/or protocols:

For the alarms, you would typically write some log-checking rules on your syslog server.
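The log-checking rule suggested above for alarms, as an added example (not code from the thread or from Cisco): it counts ASA connection-limit syslog events and flags any limit that was hit at least `threshold` times. The message IDs 201011 and 201013 and their layout are assumptions to verify against the syslog message reference for your ASA release; the log lines are constructed samples.

```python
import re
from collections import Counter

# Assumed layout of ASA connection-limit events (201011 = class-wide limit,
# 201013 = per-client limit); confirm against your release's syslog guide.
CONN_LIMIT_RE = re.compile(
    r"%ASA-\d-(?P<msg_id>201011|201013): "
    r"(?:Per-client connection|Connection) limit exceeded "
    r"(?P<count>\d+)/(?P<limit>\d+) for (?P<direction>\w+) packet "
    r"from (?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"on interface (?P<interface>\S+)"
)

# Constructed sample lines (documentation address ranges, hypothetical host fw1).
SAMPLE_LOG = """\
Mar 01 10:00:01 fw1 %ASA-3-201011: Connection limit exceeded 2000/2000 for input packet from 198.51.100.7/40112 to 192.0.2.10/443 on interface outside
Mar 01 10:00:02 fw1 %ASA-3-201011: Connection limit exceeded 2000/2000 for input packet from 198.51.100.9/51822 to 192.0.2.10/443 on interface outside
Mar 01 10:00:02 fw1 %ASA-6-302013: Built inbound TCP connection 101 for outside:198.51.100.7/40113 (198.51.100.7/40113) to inside:192.0.2.10/443 (192.0.2.10/443)
Mar 01 10:00:03 fw1 %ASA-3-201013: Per-client connection limit exceeded 50/50 for input packet from 203.0.113.5/33001 to 192.0.2.10/443 on interface outside
Mar 01 10:00:04 fw1 %ASA-3-201011: Connection limit exceeded 2000/2000 for input packet from 198.51.100.7/40120 to 192.0.2.10/443 on interface outside
""".splitlines()


def parse_line(line):
    """Return the fields of a connection-limit event, or None for other lines."""
    m = CONN_LIMIT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    # Per-client limits are tracked per source; class-wide limits per destination.
    per_client = ev["msg_id"] == "201013"
    ev["subject"] = ev["src_ip"] if per_client else f'{ev["dst_ip"]}/{ev["dst_port"]}'
    return ev


def find_alerts(lines, threshold=3):
    """Group limit events by (msg_id, interface, subject, limit); keep busy ones."""
    hits = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev:
            hits[(ev["msg_id"], ev["interface"], ev["subject"], int(ev["limit"]))] += 1
    return sorted((key, n) for key, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for (msg_id, ifname, subject, limit), n in find_alerts(SAMPLE_LOG):
        print(f"ALERT {msg_id}: limit {limit} hit {n}x for {subject} on {ifname}")
```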

Thank you for your answer.

I tried to understand from your URL. My understanding is that limiting concurrent sessions can be done under a policy map/global policy, configured together with an ACL, and that the maximum connections are set with the command set connection conn-max under the policy-map. But the value can be configured between 0 and 2000000, so if Firepower can handle more than 2 million sessions, can the value be changed to more than 2 million or not?


Please advise me. 
