cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
tonyssbear
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 3

IPS || Connection Limit Policy || Cannot Quarantine host

Jump to solution

Hi All,

 

I am setting a Connection Limit Policy

But there are no alert and cannot quarantine

 

Testing Lab

traffic Generate by JMeter to a HSF web server 

 

What I do

1. create Connection Limiting Policy

2. Assign to interface/sub-interface

3. Change Quarantine action to Block all zone

3.JPG4.JPG5.JPG6.JPG7.JPG8.JPG

May it be any sample to setup connection limit?

Can We use connection limiting to quarantine Host?

It was a connection Limit rule alert, but it gone after more traffic over time, is it normal?

 

Regrads

Tony

1 Solution

Accepted Solutions
tonyssbear
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 3

Re: IPS || Connection Limit Policy || Cannot Quarantine host

Jump to solution

Hi Jfa1,

 

Thanks 

As a final, I  turn off XFF on inspection policy and it work

 

Regards

Tony

View solution in original post

2 Replies
Jfa1
McAfee Retired
McAfee Retired
Report Inappropriate Content
Message 2 of 3

Re: IPS || Connection Limit Policy || Cannot Quarantine host

Jump to solution

Hello Tony,

It appears the policy is working, just not working with quarantine.

Do you have quarantine enabled on the sensor?  Go to Devices/Devices subtab/select sensor in dropdown/Setup/Quarantine/Port Settings. 

Here is a reference describing how the alert works.  This alert is configurable in the IPS policy.  You can set the Threshold and the Interval.  This will affect how often the alert is triggered:

https://docs.mcafee.com/bundle/network-security-platform-10.1.x-product-guide/page/GUID-A8C54572-3BF...

I would urge caution using blocking and quarantine when you first put this in production.  Try the alert only response first to check which endpoints are alerting to make sure you do not affect desired traffic.

Hope this helps.  If you feel the policy is not working as expected, please open a ticket with NSP Support.

 

tonyssbear
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 3

Re: IPS || Connection Limit Policy || Cannot Quarantine host

Jump to solution

Hi Jfa1,

 

Thanks 

As a final, I  turn off XFF on inspection policy and it work

 

Regards

Tony

View solution in original post

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community