05-11-2021 01:41 AM
Hi All,
Can a Cisco Firepower running the ASA image limit concurrent sessions or not?
Limit by policy/IP/protocol?
I tried to find a document but did not find one.
Please help me.
05-11-2021 02:16 AM - edited 05-11-2021 02:21 AM
Yes, you can do that. And as always there are multiple options. Start by looking into VPN-Filters as they are likely to fit your needs:
05-11-2021 02:20 AM
@Karsten Iwen thank you for your answer. Can you share a document with me? By VPN-Filters, do you mean it can limit sessions on VPN sessions?
05-11-2021 03:52 AM - edited 05-11-2021 04:10 AM
There are examples in the config guide. The VPN-Filter is an ACL that gets attached to a group-policy. Only traffic permitted in the ACL is allowed for the VPN client.
Here is an example where the sales group is only allowed DNS to .53 and HTTPS to .80:
access-list VPN-FILTER-SALES extended permit udp any host 10.10.10.53 eq domain
access-list VPN-FILTER-SALES extended permit tcp any host 10.10.10.80 eq https
!
group-policy VPN-SALES internal
group-policy VPN-SALES attributes
 vpn-filter value VPN-FILTER-SALES
05-11-2021 06:48 AM
I'm still confused. How can this configuration limit concurrent sessions by policy/IP/protocol?
My understanding is that a concurrent session limit limits the number of concurrent sessions. If my understanding is not correct, please let me know.
05-11-2021 07:02 AM
Perhaps I did not get what exactly you want. The VPN-filter limits which IPs/protocols/ports can be used in that VPN session. Can you describe in more detail what you want to achieve?
05-11-2021 09:47 PM
I mean, can Firepower limit concurrent sessions or not? Referring to the datasheet example, a Firepower 4110 can handle 10 million concurrent firewall connections, but if we need to limit concurrent sessions by policy/IP/protocol, not by ACL configuration, can Firepower do it? And if it can,
can Firepower alert or send an alarm when the concurrent sessions reach the limit?
Thank you for your help.
05-11-2021 11:43 PM
Ok, now I understand what you want. Yes, this can also be done. But the config is based on the Modular Policy Framework (MPF) and it will be quite some work to implement it for different IPs and/or protocols:
For the alarms, you would typically write some log-checking rules on your syslog server.
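The MPF approach referred to in the answer above, written out as an added example (this is not configuration posted in the thread). It caps concurrent connections to a single HTTPS server: a class-map selects the traffic through an ACL (the ACL only classifies here, it does not permit or deny), and `set connection` on that class applies the limits. The host address, the ACL/class names, the limit values and the syslog collector address are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. All names, addresses and limits are
! illustrative assumptions.
!
! 1. Classify the traffic whose connections should be capped. In MPF the ACL
!    is only a match criterion; access control is still done elsewhere.
access-list CONN-LIMIT-WEB extended permit tcp any host 10.10.10.80 eq https
!
class-map CONN-LIMIT-WEB
 match access-list CONN-LIMIT-WEB
!
! 2. Attach the limits to that class inside the default global policy.
!    conn-max            : total concurrent connections matching the class
!                          (range 0-2000000, where 0 means no limit)
!    embryonic-conn-max  : total half-open TCP connections (SYN-flood protection)
!    per-client-max      : concurrent connections from any one source address
!    per-client-embryonic-max : half-open connections from any one source address
policy-map global_policy
 class CONN-LIMIT-WEB
  set connection conn-max 1000 embryonic-conn-max 200 per-client-max 20 per-client-embryonic-max 5
!
! 3. global_policy is normally already applied globally; shown for completeness.
!    A policy-map can also be applied to one interface instead:
!    service-policy <name> interface outside
service-policy global_policy global
!
! 4. The ASA logs a limit being hit at severity 3 (errors); send those syslogs to
!    a collector so alerting rules can be written there.
logging enable
logging trap errors
logging host inside 10.10.10.50
```

A separate class-map/class pair is needed for every distinct IP or protocol that should get its own limit, which is the "quite some work" mentioned above. Verification after deployment is done with `show service-policy`, which lists the current and maximum connection counts per class. For the alarm rule on the syslog server, the message IDs I recall for a conn-max and a per-client-max exceedance are %ASA-3-201011 and %ASA-3-201013 respectively; treat those IDs as an assumption and confirm them against the syslog message guide for the running release before building the rule.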
05-12-2021 12:05 AM - edited 05-12-2021 12:06 AM
Thank you for your answer.
I am trying to understand from your URL. My understanding is that the concurrent session limit can be done under a policy map/global policy, configured together with an ACL, and the maximum connections are set with the command set connection conn-max under the policy-map. But the value can be configured between 0 and 2000000, so if Firepower can handle more than 2 million sessions, can the value be changed to more than 2 million or not?
Please advise me.