Forum Discussion

Andrej_Krnac's avatar
Andrej_Krnac
Icon for Nimbostratus rankNimbostratus
Jul 26, 2019

How to limit number concurent sessions per user IP on F5

Dear Gents,   I would like to ask about idea how is possible restrict number TCP concurrent sessions per a user source IP. Moreover I am interested if is possible to create static list (just 10 I...
BIG-IP
security
Andrej_Krnac's avatar
Andrej_Krnac
Icon for Nimbostratus rankNimbostratus
Jul 26, 2019

Dario many thanks for nice references but my concern is a bit more complex. I would like to restrict number of TCP connection just for dedicated 5 IP addresses on LAN network. I am looking for information how to create some static list of IP@ or define those host for which I just want enforce maximum number of TCP sessions. Other IP outside of list would be unrestricted. Any idea how to define such static IP list?

  • Dario_Garrido's avatar
    Dario_Garrido
    Icon for MVP rankMVP
    Jul 26, 2019

    This is very simple to get it.

     

    You can set a condition to not execute the additional code if the source IP doesn't match a data-group called "my_ip_dg".

    when CLIENT_ACCEPTED {
    if { not ( [class match [IP::client_addr] equals my_ip_dg] ) } {
        return
    }
}
 
when CLIENT_CLOSED {
    if { not ( [class match [IP::client_addr] equals my_ip_dg] ) } {
        return
    }
}

    If you have the chance, I recommend you to implement your connection limit using table variables. Here an example.

    https://devcentral.f5.com/s/articles/advanced-irules-tables-20451

     

    KR,

    Dario.