[174377] in North American Network Operators' Group
Per policy session cap on Juniper SRX
From: Anurag Bhatia <me@anuragbhatia.com>
Date: Sun, 7 Sep 2014 01:24:46 +0530
To: NANOG Mailing List <nanog@nanog.org>
Hello everyone!
I have a Juniper SRX firewall, and in recent times I did have issues because
one or another user was doing an attack outside. Usually it is compromised client
machines which create a lot of firewall sessions in the outside direction.
I was thinking of two specific things as a fix for this:
1. Can I somehow put a cap per security policy so that all available
sessions aren't chewed up by clients?
2. We have very few clients who actually use the firewall outbound; the rest
are all inbound. Thus I wish to skip the firewall for outbound, but in my test I
found it behaves strangely. I tried with a machine having inbound traffic via the
firewall. Ping and port 80 also worked, but SSH just hung as soon as
I started it. I see the SRX can be used in a unidirectional setup, but somehow it
fails in my case.
Any suggestions/advice/sample configs?
Thanks in advance!
--
Anurag Bhatia
anuragbhatia.com
Linkedin <http://in.linkedin.com/in/anuragbhatia21> | Twitter
<https://twitter.com/anurag_bhatia>
Skype: anuragbhatia.com
PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2
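An added example, not from the original post or from Juniper documentation, of the knob usually reached for on the SRX for item 1: a zone screen with a per-source-IP session limit (the SRX caps sessions per source address, not per policy), plus a per-policy counter for visibility. The zone names `trust`/`untrust`, the screen name `client-limit`, the policy name `allow-out` and the limit of 200 are assumptions:

```junos
# Added example (not from the original post). Limits how many concurrent
# sessions any single source IP in zone "trust" may hold, so one compromised
# client cannot consume the whole session table. Names and values are assumed.

# 1. Screen object: cap concurrent sessions per source IP at 200.
set security screen ids-option client-limit limit-session source-ip-based 200

# Optional while tuning the threshold: log the violation instead of dropping.
# Remove this line once the value is known to be safe for legitimate clients.
set security screen ids-option client-limit alarm-without-drop

# 2. Attach the screen to the zone the clients sit in (screens are evaluated
#    on the ingress zone, so this covers client-originated outbound traffic).
set security zones security-zone trust screen client-limit

# 3. Count sessions per policy so the affected policy is visible in statistics.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone trust to-zone untrust policy allow-out then count

# Operational checks (operational mode, not configuration mode):
#   show security screen statistics zone trust
#   show security flow session summary
#   show security policies policy-name allow-out detail
```

Tune the limit from `show security flow session summary` on a normal day first, since the screen counts all sessions from the address, including legitimate ones behind NAT.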