Throttling of access from certain source IPs to recurring ports
Beta function with version: 12.6.2
New:
  • Note on change of the rate limit
This article refers to a Resellerpreview.

Access: UTM-IP:Port or UTM-URL:Port
  Port as configured at Network / Appliance Settings / Webserver
  Default port: 11115, e.g. https://utm.ttt-point.de:11115
  Default: https://192.168.175.1:11115
  Extras / CLI (or via SSH)

Connection Rate Limit is a beta function that is still under development.
If the rate limit is set too low, unexpected effects may occur, e.g. services may be restricted.

The function is still in the testing phase and will be further expanded.
The function can initially only be configured via the CLI.

The function aims to protect against attacks.
SSL-VPN accesses can be protected against aggressive scans or login attempts, for example.


Connection Rate Limit


From v12.6.2, the UTM can limit the number of TCP and/or UDP connections from an external IP address to one port.
The following conditions apply:

  • Only incoming connections for which a default route exists are monitored.
  • The connections from an IP address to a port of the UTM are counted within one minute.
  • When activated, 5 connections / connection attempts per minute are permitted. The connections are then limited:
    • The additionally permitted connections are distributed evenly within 60 seconds of the first connection.
    • With a CONNECTION_RATE_LIMIT value of 20, an additional connection is added every 3 seconds.
    • 10 seconds after the first connection, 3 further connections could be established (each from the same IP address to the same destination port).
  • Blocking an IP address only affects access to the port that has been used too often. Other ports can still be accessed.
  • The function is activated by default for new installations with 20 UDP connections / minute on all ports.
  • For update installations the function must be activated manually.
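
The counting rule above can be followed more easily with a small model. The Python below is an added illustration and is not code from this wiki or from the UTM; it assumes, beyond what the page states, that the initial allowance of 5 grows by one connection every 60/limit seconds, is capped at the configured limit, and that the per-(IP, port) counter restarts one minute after the first connection of the window. The attempt list is constructed; the source address and ports are examples.

```python
from math import floor

# Model of the documented behaviour. Assumptions (the page does not state them in
# this form): the 5-connection initial allowance grows by one every 60/limit
# seconds, is capped at the configured limit, and the per-(IP, port) counter
# restarts one minute after the first connection of the window.
INITIAL_ALLOWANCE = 5
WINDOW_SECONDS = 60.0


class ConnectionRateLimit:
    def __init__(self, limit_per_minute):
        # 0 means the function is deactivated, matching the extc default of 0
        self.limit = limit_per_minute
        self.windows = {}  # (src_ip, dst_port) -> (window_start, connections_counted)

    def allowance_at(self, elapsed):
        """Connections permitted `elapsed` seconds into the counting minute."""
        return min(self.limit, INITIAL_ALLOWANCE + floor(elapsed * self.limit / WINDOW_SECONDS))

    def admit(self, src_ip, dst_port, now):
        """True if a connection from src_ip to dst_port at time `now` is permitted."""
        if self.limit == 0:
            return True
        key = (src_ip, dst_port)  # blocking is per port; other ports stay reachable
        start, count = self.windows.get(key, (now, 0))
        if now - start >= WINDOW_SECONDS:
            start, count = now, 0  # a new counting minute begins
        if count < self.allowance_at(now - start):
            self.windows[key] = (start, count + 1)
            return True
        self.windows[key] = (start, count)
        return False


def simulate(limit_per_minute, attempts):
    """attempts: iterable of (seconds, src_ip, dst_port); returns one decision per attempt."""
    rl = ConnectionRateLimit(limit_per_minute)
    return [rl.admit(ip, port, t) for t, ip, port in attempts]


# Constructed scenario: one source repeatedly connects to UDP 1194 (an SSL-VPN
# port), then to port 1195, with CONNECTION_RATE_LIMIT_UDP = 20.
SAMPLE_ATTEMPTS = (
    [(0.0, "203.0.113.7", 1194)] * 6      # burst at t=0: 5 pass, the 6th is dropped
    + [(10.0, "203.0.113.7", 1194)] * 4   # t=10 s: 3 more pass (one every 3 s), the 4th is dropped
    + [(10.0, "203.0.113.7", 1195)]       # a different port is unaffected by the block
    + [(61.0, "203.0.113.7", 1194)]       # next minute: the counter has restarted
)

if __name__ == "__main__":
    for (t, ip, port), ok in zip(SAMPLE_ATTEMPTS, simulate(20, SAMPLE_ATTEMPTS)):
        print(f"t={t:5.1f}s {ip} -> udp/{port}: {'allowed' if ok else 'blocked'}")
```

Running the block prints the decision for each attempt; the 6th attempt at t=0 and the 4th at t=10 s are blocked, the attempt on port 1195 passes, and with a limit of 0 every attempt passes because monitoring is off.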

extc variable                   | Default value | Description
--------------------------------+---------------+-------------------------------------------------------------
CONNECTION_RATE_LIMIT_TCP       | 0             | Number of permitted TCP connections of an IP address per port. 0 = function deactivated, no blocking is performed.
CONNECTION_RATE_LIMIT_TCP_PORTS | (empty)       | Ports to be monitored. Empty by default = all ports would be monitored (if activated). Individual ports are separated by spaces: [ 1194 1195 ]
CONNECTION_RATE_LIMIT_UDP       | 20 / 0        | Number of permitted UDP connections of an IP address per port. Default setting for new installations from v12.6.2: 20. For update installations the value is 0, so the function is deactivated.
CONNECTION_RATE_LIMIT_UDP_PORTS | (empty)       | Ports to be monitored. Empty by default = all ports are monitored (only for new installations!). Individual ports are separated by spaces: [ 1194 1195 ]

Configuration with CLI commands

  • extc value get application securepoint_firewall
    Alternatively as root user:
    spcli extc value get application securepoint_firewall | grep RATE
    Lists all variables of the securepoint_firewall application.
    The variables beginning with CONNECTION_RATE_LIMIT_ are responsible for the connection limit.

    application          |variable                       |value
    ---------------------+-------------------------------+-----
    securepoint_firewall |…                              |…
                         |CONNECTION_RATE_LIMIT_TCP      |0
                         |CONNECTION_RATE_LIMIT_TCP_PORTS|
                         |CONNECTION_RATE_LIMIT_UDP      |20
                         |CONNECTION_RATE_LIMIT_UDP_PORTS|

  • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    system update rule
    Limits the allowed number of TCP connections from a single IP address to a specific port to 20 per minute.
    If the value is to be changed, it must first be set to 0 and a rule update carried out. A new value can then be entered.
  • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0
    system update rule
    Deactivates the monitoring of TCP connections.
  • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    system update rule
    Restricts the monitoring of TCP connections to ports 443 and 11115.
    There must be spaces before and after the square brackets [ ]!
  • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ]
    system update rule
    A NULL value removes the restriction to certain ports.
    There must be spaces before and after the square brackets [ ]!
  • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    system update rule
    Limits the allowed number of UDP connections from a single IP address to a specific port to 20 per minute.
    Default setting for new installations from v12.6.2: 20.
    For update installations the value is 0, so the function is deactivated.
    If the value is to be changed, it must first be set to 0 and a rule update carried out. A new value can then be entered.
  • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0
    system update rule
    Deactivates the monitoring of UDP connections.
  • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ]
    system update rule
    Restricts the monitoring of UDP connections to ports 1194 and 1195 (example for 2 created SSL-VPN tunnels).
    There must be spaces before and after the square brackets [ ]!
  • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule
    A NULL value removes the restriction to certain ports.
    There must be spaces before and after the square brackets [ ]!

For example, to allow a maximum of 20 connections per minute per IP address and port, with TCP monitoring restricted to ports 443 and 11115 and all ports monitored for UDP connections:

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule

Finally, the CLI command system update rule must be entered so that the values in the rules are applied.
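
Because an updated UTM keeps the rate limit switched off (value 0) until it is activated by hand, it is worth checking the extc variables rather than assuming the default. The Python below is an added example, not part of this wiki or of the UTM's own tooling: it parses the pipe-separated output of extc value get as laid out above, reports which protocols are actually limited, and builds the set commands for a change, including the reset to 0 that the page requires before a non-zero value can be changed. The sample output is constructed; how the get output renders an empty or a populated port list is an assumption, and the commands are only produced as strings, nothing is executed.

```python
# Constructed sample of `spcli extc value get application securepoint_firewall | grep RATE`
# output, laid out like the table on this page. How the `get` output renders an empty
# and a populated port list is an assumption.
SAMPLE_OUTPUT = """\
application          |variable                       |value
---------------------+-------------------------------+------
securepoint_firewall |CONNECTION_RATE_LIMIT_TCP      |0
securepoint_firewall |CONNECTION_RATE_LIMIT_TCP_PORTS|
securepoint_firewall |CONNECTION_RATE_LIMIT_UDP      |20
securepoint_firewall |CONNECTION_RATE_LIMIT_UDP_PORTS|[ 1194 1195 ]
"""

SET_PREFIX = "extc value set application securepoint_firewall variable "


def parse_extc_output(text):
    """Map every CONNECTION_RATE_LIMIT_* row of the pipe-separated output to its raw value."""
    values = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) >= 3 and cells[1].startswith("CONNECTION_RATE_LIMIT_"):
            values[cells[1]] = cells[2]
    return values


def parse_ports(raw):
    """'[ 1194 1195 ]' -> [1194, 1195]; '' or '[ ]' -> [] (empty means all ports)."""
    return [int(p) for p in raw.strip("[] ").split()]


def format_ports(ports):
    """Render a port list exactly as `extc value set` expects it: spaces inside the brackets."""
    return "[ " + " ".join(str(p) for p in ports) + " ]" if ports else "[ ]"


def audit(values):
    """Summarise the effective limit per protocol; a limit of 0 means no blocking at all."""
    report = {}
    for proto in ("TCP", "UDP"):
        limit = int(values.get(f"CONNECTION_RATE_LIMIT_{proto}", "") or 0)
        ports = parse_ports(values.get(f"CONNECTION_RATE_LIMIT_{proto}_PORTS", ""))
        report[proto] = {"active": limit > 0, "limit": limit, "ports": ports}
    return report


def plan_change(proto, current_limit, new_limit, ports):
    """CLI steps to move a protocol to `new_limit` on `ports`, honouring the page's rule
    that an existing non-zero value is first reset to 0 plus `system update rule`."""
    var = f"CONNECTION_RATE_LIMIT_{proto}"
    steps = []
    if current_limit != 0 and current_limit != new_limit:
        steps += [f"{SET_PREFIX}{var} value 0", "system update rule"]
    steps += [
        f"{SET_PREFIX}{var} value {new_limit}",
        f"{SET_PREFIX}{var}_PORTS value {format_ports(ports)}",
        "system update rule",
    ]
    return steps


if __name__ == "__main__":
    report = audit(parse_extc_output(SAMPLE_OUTPUT))
    for proto, info in report.items():
        print(proto, info)
    # The sample looks like an updated (not freshly installed) UTM: TCP is still at 0.
    if not report["TCP"]["active"]:
        print("\n".join(plan_change("TCP", 0, 20, [443, 11115])))
```

On the constructed sample the audit reports TCP as inactive and UDP as limited to 20 connections per minute on ports 1194 and 1195; the printed plan then contains the two set commands for TCP followed by system update rule. Changing an already active limit (for example UDP from 20 to another value) makes plan_change emit the reset to 0 and a rule update first.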