- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
Connection Limiting (v2) feature using Access Rules in SonicOS Enhanced
03/26/2020 
13 People found this article helpful
98,011 Views
Description
The Connection Limiting feature is intended to offer an additional layer of security and control when coupled with such SonicOS features as SYN Cookies and Intrusion Prevention Services (IPS). Connection limiting provides a means of throttling connections through the SonicWall. Until now Connection Limiting provided global control of the number of connections for each IP address and was configured in the Access Rules by declaring the maximum percentage of the total available connection cache that can be allocated to that class of traffic.
Resolution
Connection Limiting, version 2 is a major enhancement and is designed to granulate this kind of control so that the SonicWall administrator can configure connection limitation more flexibly. Connection Limiting v2 uses Firewall Access Rules to allow the administrator to choose which IP address, which Service, and which traffic direction when configuring connection limiting.
Conection Limiting is configured under Firewall | Access Rules. Select the desired direction of traffic (LAN to WAN, DMZ to LAN, WAN to LAN etc ). To enforce connection limit either edit an existing rule or create a new rule and click on the Advanced tab.
For eg. if the rule is from LAN to WAN, the option Enable connection limit for each Source IP Address would mean the source IP address of hosts on the LAN. Threshold is the maximum number of connections permissible by each host on the LAN.
Likewise, Enable connection limit for each Destination IP Address would mean the destination IP addresses of hosts on the WAN side of the SonicWall. Threshold is the maximum number of connections permissible to that destination IP address.
The option Number of connections allowed (% of maximum connections) is the % of the maximum number of connection applicable to that device.
The following table delineates the connection-cache size of currently available SonicWall devices running SonicOS Enhanced with Unified Threat Management (UTM) security services enabled or disabled (numbers are subject to change):
| SonicWall Security Appliance | Full UTM | No UTM |
| NSA 240 | 12,500 | 25,000 |
| NSA 240 (Expaned License) | 17,500 | 35,000 |
| NSA 2400 | 32,000 | 48,000 |
| NSA 3500 | 65,535 | 131,071 |
| NSA 4500 | 131,072 | 524,288 |
| NSA 5000 | 131,072 | 600,000 |
| NSA E5500 | 153,600 | 600,000 |
| NSA E6500 | 204,900 | 750,000 |
| NSA E7500 | 500,000 | 1,000,000 |
Background:
Coupled with IPS, Connection Limiting can be used to mitigate the spread of a certain class of malware as exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections to random addresses at atypically high rates. For example, each host infected with Nimda attempted 300 to 400 connections per second, Blaster sent 850 packets per second, and Sasser was capable of 5,120 attempts per second. Typical, non-malicious network traffic generally does not establish anywhere near these numbers, particularly when it is Trusted |Untrusted traffic (i.e. LAN-|WAN). Malicious activity of this sort can consume all available connection-cache resources in a matter of seconds, particularly on smaller appliances.
In addition to mitigating the propagation of worms and viruses, Connection limiting can be used to alleviate other types of connection-cache resource consumption issues, such as those posed by uncompromised internal hosts running peer-to-peer software (assuming IPS is configured to allow these services), or internal or external hosts using packet generators or scanning tools.
Finally, connection limiting can be used to protect publicly available servers (e.g. Web servers) by limiting the number of legitimate inbound connections permitted to the server (i.e. to protect the server against the Slashdot-effect). This is different from SYN flood protection which attempts to detect and prevent partially-open or spoofed TCP connection. This will be most applicable for Untrusted traffic, but it can be applied to any zone traffic as needed.
Related Articles
- How to remove 2FA for admin using CLI
- 2FA authentication error using TOTP "Please try again later"
- Methods to add Address Objects
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO