-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
Connection Limiting (v2) feature using Access Rules in SonicOS Enhanced
03/26/2020 
15 People found this article helpful
487,532 Views
Description
The Connection Limiting feature is intended to offer an additional layer of security and control when coupled with such SonicOS features as SYN Cookies and Intrusion Prevention Services (IPS). Connection limiting provides a means of throttling connections through the SonicWall. Until now Connection Limiting provided global control of the number of connections for each IP address and was configured in the Access Rules by declaring the maximum percentage of the total available connection cache that can be allocated to that class of traffic.
Resolution
Connection Limiting, version 2 is a major enhancement and is designed to granulate this kind of control so that the SonicWall administrator can configure connection limitation more flexibly. Connection Limiting v2 uses Firewall Access Rules to allow the administrator to choose which IP address, which Service, and which traffic direction when configuring connection limiting.
Conection Limiting is configured under Firewall | Access Rules. Select the desired direction of traffic (LAN to WAN, DMZ to LAN, WAN to LAN etc ). To enforce connection limit either edit an existing rule or create a new rule and click on the Advanced tab.
For eg. if the rule is from LAN to WAN, the option Enable connection limit for each Source IP Address would mean the source IP address of hosts on the LAN. Threshold is the maximum number of connections permissible by each host on the LAN.
Likewise, Enable connection limit for each Destination IP Address would mean the destination IP addresses of hosts on the WAN side of the SonicWall. Threshold is the maximum number of connections permissible to that destination IP address.
The option Number of connections allowed (% of maximum connections) is the % of the maximum number of connection applicable to that device.
The following table delineates the connection-cache size of currently available SonicWall devices running SonicOS Enhanced with Unified Threat Management (UTM) security services enabled or disabled (numbers are subject to change):
| SonicWall Security Appliance | Full UTM | No UTM |
| NSA 240 | 12,500 | 25,000 |
| NSA 240 (Expaned License) | 17,500 | 35,000 |
| NSA 2400 | 32,000 | 48,000 |
| NSA 3500 | 65,535 | 131,071 |
| NSA 4500 | 131,072 | 524,288 |
| NSA 5000 | 131,072 | 600,000 |
| NSA E5500 | 153,600 | 600,000 |
| NSA E6500 | 204,900 | 750,000 |
| NSA E7500 | 500,000 | 1,000,000 |
Background:
Coupled with IPS, Connection Limiting can be used to mitigate the spread of a certain class of malware as exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections to random addresses at atypically high rates. For example, each host infected with Nimda attempted 300 to 400 connections per second, Blaster sent 850 packets per second, and Sasser was capable of 5,120 attempts per second. Typical, non-malicious network traffic generally does not establish anywhere near these numbers, particularly when it is Trusted |Untrusted traffic (i.e. LAN-|WAN). Malicious activity of this sort can consume all available connection-cache resources in a matter of seconds, particularly on smaller appliances.
In addition to mitigating the propagation of worms and viruses, Connection limiting can be used to alleviate other types of connection-cache resource consumption issues, such as those posed by uncompromised internal hosts running peer-to-peer software (assuming IPS is configured to allow these services), or internal or external hosts using packet generators or scanning tools.
Finally, connection limiting can be used to protect publicly available servers (e.g. Web servers) by limiting the number of legitimate inbound connections permitted to the server (i.e. to protect the server against the Slashdot-effect). This is different from SYN flood protection which attempts to detect and prevent partially-open or spoofed TCP connection. This will be most applicable for Untrusted traffic, but it can be applied to any zone traffic as needed.
Related Articles
- How to Block Google QUIC Protocol on SonicOSX 7.0?
- How to block certain Keywords on SonicOSX 7.0?
- How internal Interfaces can obtain Global IPv6 Addresses using DHCPv6 Prefix Delegation
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO