Clearing Sessions by Src IP address



  • Thanks to Karma, I was able to find out who was messing up with my SSG; now that I know his IP address I want to flush all the sessions he has established since they are still hanging there… That’s my question now. Of course, the power switch is always available, but it’s not an elegant way out… Already enabled screening at the bad guy zone limiting the number of sessions that can be established by the same src ip address (I hope to avoid further problems with that)…

    Thanks in advance.



  • But yea, typically P2P applications cause lots of sessions that may hang up the Juniper device, seems like a weak point? That’s why I’ve always set the Screening options for Trust and Untrust (and if needed, other) zones so that no P2P user can easily take down the router. Later firmwares also offer limiting sessions by policy so that can be useful as well.



  • I usually set it to 777 for both Trust and Untrust 🙂 I haven’t heard that this has ever caused a problem for e.g. Skype.



  • @echo:

    But yea, typically P2P applications cause lots of sessions that may hang up the Juniper device, seems like a weak point? That’s why I’ve always set the Screening options for Trust and Untrust (and if needed, other) zones so that no P2P user can easily take down the router. Later firmwares also offer limiting sessions by policy so that can be useful as well.

    Could be a weak point though every hardware has its own limitations; if you exceed them, it will eventually crash… I guess enabling screening for untrusted zones is simply part of a well configured device, but also consider that a flooding attack could be an “inside job” (as it was in my case), i.e. come from a “Trusted” zone… so I think it’s all about figuring out a rational session limit number to put in the screening configuration of every zone…






  • I checked this forum today… Well, on the command line, there is a command “clear session” after which just press TAB and you see options for clearing sessions by src-ip, dst-ip, src-port, dst-port and so on. But I think you’ve already figured it out.



  • @jmso84:

    Ok, kinda stupid question…. Just do:
    clear session src-ip [src ip address here]
    Found a nice doc on ScreenOS CLI….
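One way to do the check an operator would want before running that command, as an added example that is not from the thread or from Juniper: a Python script that parses ScreenOS “get session” output, counts the sessions each source address is holding, flags any source over a per-source limit (the 777 mentioned earlier in the thread is the kind of figure used for the zone screen), and prints the matching “clear session src-ip” line for review. The sample output and its field layout are constructed assumptions based on the general shape of ScreenOS session listings; the regular expression may need adjusting to what a real box prints.

```python
import re
from collections import Counter

# Constructed sample of ScreenOS 'get session' output (not a real capture;
# the field layout is an assumption, adjust SESSION_RE for your firmware).
SAMPLE_GET_SESSION = """\
id 20/s**,vsys 0,flag 08000040/0000/0001,policy 2,time 180, dip 0 module 0
 if 3(nspflag 801801):10.10.20.7/51234->203.0.113.9/443,6,00163e1a2b3c,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 1(nspflag 800800):10.10.20.7/51234<-203.0.113.9/443,6,001b2a3c4d5e,sess token 6,vlan 0,tun 0,route 3
id 21/s**,vsys 0,flag 08000040/0000/0001,policy 2,time 180, dip 0 module 0
 if 3(nspflag 801801):10.10.20.7/51235->198.51.100.4/6881,6,00163e1a2b3c,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 1(nspflag 800800):10.10.20.7/51235<-198.51.100.4/6881,6,001b2a3c4d5e,sess token 6,vlan 0,tun 0,route 3
id 22/s**,vsys 0,flag 08000040/0000/0001,policy 2,time 60, dip 0 module 0
 if 3(nspflag 801801):10.10.20.7/51236->198.51.100.5/6881,17,00163e1a2b3c,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 1(nspflag 800800):10.10.20.7/51236<-198.51.100.5/6881,17,001b2a3c4d5e,sess token 6,vlan 0,tun 0,route 3
id 23/s**,vsys 0,flag 08000040/0000/0001,policy 2,time 60, dip 0 module 0
 if 3(nspflag 801801):10.10.20.7/51237->198.51.100.6/6881,17,00163e1a2b3c,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 1(nspflag 800800):10.10.20.7/51237<-198.51.100.6/6881,17,001b2a3c4d5e,sess token 6,vlan 0,tun 0,route 3
id 24/s**,vsys 0,flag 08000040/0000/0001,policy 2,time 180, dip 0 module 0
 if 3(nspflag 801801):10.10.20.8/40000->203.0.113.9/80,6,00163e1a2b3d,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 1(nspflag 800800):10.10.20.8/40000<-203.0.113.9/80,6,001b2a3c4d5e,sess token 6,vlan 0,tun 0,route 3
"""

# Only the initiator ('->') line of each session is matched, so every session
# is counted once even though 'get session' prints both directions.
SESSION_RE = re.compile(
    r"^\s*if \d+\(nspflag [0-9a-f]+\):"
    r"(?P<src_ip>\d+(?:\.\d+){3})/(?P<src_port>\d+)->"
    r"(?P<dst_ip>\d+(?:\.\d+){3})/(?P<dst_port>\d+),(?P<proto>\d+)",
    re.MULTILINE,
)


def parse_sessions(get_session_output):
    """Return one dict per session with its endpoints and IP protocol number."""
    return [
        {"src_ip": m["src_ip"], "src_port": int(m["src_port"]),
         "dst_ip": m["dst_ip"], "dst_port": int(m["dst_port"]),
         "proto": int(m["proto"])}
        for m in SESSION_RE.finditer(get_session_output)
    ]


def sessions_per_source(sessions):
    """Count how many sessions each source IP currently holds in the table."""
    return Counter(s["src_ip"] for s in sessions)


def find_offenders(counts, threshold):
    """Source IPs holding more sessions than the per-source limit, busiest
    first (ties broken by address). Use the same figure as the zone screen."""
    return sorted(((ip, n) for ip, n in counts.items() if n > threshold),
                  key=lambda item: (-item[1], item[0]))


def clear_commands(offenders):
    """The ScreenOS command from the thread, one line per offending source,
    for an operator to review before pasting into the CLI."""
    return [f"clear session src-ip {ip}" for ip, _ in offenders]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_GET_SESSION)
    counts = sessions_per_source(sessions)
    # A deliberately low limit so the constructed sample trips it.
    offenders = find_offenders(counts, threshold=3)
    for ip, n in offenders:
        print(f"{ip} holds {n} sessions")
    for cmd in clear_commands(offenders):
        print(cmd)
```

Paste the firewall’s “get session” output into the script (or feed it from a file) and raise the threshold to the figure configured on the zone screen; the script only prints the clear commands, so nothing is flushed until the operator runs them.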



  • @jmso84:

    Thanks to echo, I was able to find out who was messing up with my SSG; now that I know his IP address I want to flush all the sessions he has established since they are still hanging there… That’s my question now. Of course, the power switch is always available, but it’s not an elegant way out… Already enabled screening at the bad guy zone limiting the number of sessions that can be established by the same src ip address (I hope to avoid further problems with that)…

    Thanks in advance.

