For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Andrej_Krnac's avatar
Andrej_Krnac
Icon for Nimbostratus rankNimbostratus
Jul 26, 2019

How to limit number concurent sessions per user IP on F5

Dear Gents,   I would like to ask about idea how is possible restrict number TCP concurrent sessions per a user source IP. Moreover I am interested if is possible to create static list (just 10 I...
BIG-IP
security
Andrej_Krnac's avatar
Andrej_Krnac
Icon for Nimbostratus rankNimbostratus
Jul 26, 2019

Dario many thanks for nice references but my concern is a bit more complex. I would like to restrict number of TCP connection just for dedicated 5 IP addresses on LAN network. I am looking for information how to create some static list of IP@ or define those host for which I just want enforce maximum number of TCP sessions. Other IP outside of list would be unrestricted. Any idea how to define such static IP list?

Dario_Garrido's avatar
Dario_Garrido
Icon for Noctilucent rankNoctilucent
Jul 26, 2019

This is very simple to get it.

 

You can set a condition to not execute the additional code if the source IP doesn't match a data-group called "my_ip_dg".

when CLIENT_ACCEPTED {
    if { not ( [class match [IP::client_addr] equals my_ip_dg] ) } {
        return
    }
}
 
when CLIENT_CLOSED {
    if { not ( [class match [IP::client_addr] equals my_ip_dg] ) } {
        return
    }
}

If you have the chance, I recommend you to implement your connection limit using table variables. Here an example.

https://devcentral.f5.com/s/articles/advanced-irules-tables-20451

 

KR,

Dario.