Rate-Limit Traffic to the Loopback Interface

Before you begin

Rate-limit traffic destined to the loopback interface IP address so that a flood of connections cannot overload the system. You do this by adding a connection-limit rule to the global service policy: the rule matches traffic sent to the loopback address(es) and caps both the total number of TCP/UDP connections and the number of embryonic (half-open) TCP connections.

Procedure

Step 1

Create an extended access list identifying traffic to the loopback interface IP address(es).

  1. Choose Objects > Object Management and choose Access Control Lists > Extended from the table of contents.

  2. Click Add Extended Access List to create a new ACL.

  3. In the New Extended Access List Object dialog box, enter a name for the ACL (no spaces allowed), and click Add to create a new entry.

    Name ACL and Add Entry
    Name Entry and Add
  4. Configure the source (any) and destination addresses (loopback IP addresses) on the Network tab.

    Source and Destination Networks
    Note

    Keep the default Action as Allow (match) and other settings as-is.

    • Source—Select any from the Available Networks list, and click Add to Source. You can also narrow this access list by specifying the source IP addresses instead of any.

    • Destination—Type an address in the edit box below the Destination Networks list and click Add. Repeat for each loopback interface.

  5. Click Add to add the entry to the ACL.

  6. Click Save to save the ACL.

    Save ACL
    Add ACL Object

Step 2

Choose Policies > Access Control > Access Control, and click Edit (edit icon) for the access control policy assigned to your device.

Step 3

Click Advanced Settings from the More drop-down arrow at the end of the packet flow line.

Advanced Settings

Step 4

Click Edit (edit icon) in the Threat Defense Service Policy group.

Threat Defense Service Policy

Step 5

Click Add Rule to create a new rule.

Add Rule

The service policy rule wizard opens to step you through the process of configuring the rule.

Step 6

In the Interface Object step, click Global to create a global rule, which applies to all interfaces, then click Next.

Global Policy

Step 7

In the Traffic Flow step, select the extended access list object you created in Step 1, and then click Next.

Choose Extended Access List

Step 8

In the Connection Setting step, set the Connections limits.

Set Connection Limits

Set Maximum TCP & UDP Connections to the number of simultaneous connections you expect the loopback interface to serve, and Maximum Embryonic Connections to a lower number; an embryonic connection is a TCP connection whose three-way handshake has not yet completed. For example, you can set them to 5/2, 10/5, or 1024/512, depending on how many loopback sessions you need. Both values are aggregate limits for all traffic matching the access list, not per-client limits, so leave some headroom above the expected steady-state count. A value of 0 means no limit and leaves the loopback address unprotected.

Setting the embryonic connection limit enables TCP Intercept, which protects the system from a DoS attack perpetrated by flooding an interface with TCP SYN packets. Once the embryonic limit is reached, the device answers new SYNs on behalf of the loopback address using SYN cookies and only establishes the connection after the client returns a valid ACK, so half-open connections from spoofed sources no longer consume connection state.

Step 9

Click Finish to save your changes.

Step 10

Click OK.

Step 11

Click Save on the Advanced Settings window.

Step 12

Deploy the configuration changes to the affected devices.
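The following is the device-side configuration that the procedure above produces, shown in the ASA-style CLI that appears in the threat defense running configuration. It is an added illustration, not text from the original page; the object name Loopback_Limit, the class-map name, and the loopback addresses 10.10.10.1 and 10.10.20.1 are hypothetical (FMC generates its own names on deployment), and the 10/5 limits are the example values from Step 8.

```text
! Step 1: extended ACL matching any source to each loopback address.
! "Allow" in the FMC ACL editor deploys as "permit", which means "match"
! in a service-policy context; it does not grant access by itself.
access-list Loopback_Limit extended permit ip any host 10.10.10.1
access-list Loopback_Limit extended permit ip any host 10.10.20.1

! Step 7: the Traffic Flow selection becomes a class map on the ACL.
class-map Loopback_Limit_Class
 match access-list Loopback_Limit

! Steps 6 and 8: a class in the global policy with aggregate limits of
! 10 TCP+UDP connections and 5 embryonic (half-open) TCP connections.
! The embryonic limit is what turns on TCP Intercept for this traffic.
policy-map global_policy
 class Loopback_Limit_Class
  set connection conn-max 10 embryonic-conn-max 5
```

After deployment, confirm the rule landed with `show running-config policy-map` on the device, and use `show service-policy` to watch the current and embryonic connection counts for the class; if the drop counter climbs under normal operation, the limits are too tight for the number of legitimate loopback sessions and should be raised.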