In our Support Campus, we often hear complaints about slow connections or connection drops on our firewalls. Often, this is caused by a simple security measure in the default configuration called "Session Limit". This tutorial shows you how to disable it or adjust it to your liking on USG FLEX / ATP and in Nebula Control Center.
1. What is Session Control?
Session control refers to a network security feature that allows you to manage and control network sessions in a firewall. It provides granular control over network connections by defining rules and policies to regulate session initiation, termination, and behavior.
2. Why is Session Control Used?
Session control is used to enhance network security and optimize network performance. By controlling and managing network sessions, you can prevent unauthorized access, mitigate security risks, and prioritize network resources. It enables you to set policies to control session timeouts, limit the number of concurrent sessions, and define session behavior based on specific criteria. It can also, to some extent, prevent botnet attacks coming from inside the firewall. If a heavily used server hits the session limit, that might be normal. However, an Android phone hitting the session limit in the network is very suspicious and might need to be investigated further.
3. Configure Session Control in Stand-Alone Mode
Step 1: Access the Zyxel firewall's web-based management interface by entering the device's IP address in a web browser.
Step 2: Enter your administrator credentials to log in.
Step 3: Navigate to "Configuration -> Security Policy -> Session Control" and then enable the session limit (on by default). The default is 1000 sessions per host; 0 means unlimited.
Here you can also configure a limit for specific users / IP addresses in your network instead of relying only on the global session limit.
Step 4: Click "Apply" to apply the settings.
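The per-host limit and the server-versus-phone triage described above, worked through as an added example (not Zyxel code or firewall output). The session table, role inventory and override list are constructed, and the example assumes that a matching per-address limit takes precedence over the global default.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

DEFAULT_LIMIT = 1000  # from the page: default sessions per host; 0 = unlimited

# Constructed per-address limits (assumption: a matching specific limit
# takes precedence over the global default).
OVERRIDES = [(ip_network("10.0.0.10/32"), 0),     # file server: unlimited
             (ip_network("10.0.20.0/24"), 300)]   # guest Wi-Fi: tighter limit

# Constructed inventory: which roles are expected to hold many sessions.
ROLES = {"10.0.0.10": "server", "10.0.0.11": "server",
         "10.0.1.50": "workstation", "10.0.20.7": "phone"}
HIGH_SESSION_ROLES = {"server"}

def effective_limit(host):
    """Return the per-host session limit that applies to host (0 = unlimited)."""
    addr = ip_address(host)
    for net, limit in OVERRIDES:
        if addr in net:
            return limit
    return DEFAULT_LIMIT

def triage(sessions, warn_ratio=0.8):
    """sessions: iterable of (src_ip, dst_ip, dst_port) for open sessions.
    Returns {host: (count, limit, verdict)} for hosts at or near their limit."""
    counts = Counter(src for src, _dst, _port in sessions)
    report = {}
    for host, count in counts.items():
        limit = effective_limit(host)
        if limit == 0 or count < limit * warn_ratio:
            continue  # unlimited, or comfortably below the limit
        state = "at-limit" if count >= limit else "near-limit"
        role = ROLES.get(host, "unknown")
        verdict = "expected" if role in HIGH_SESSION_ROLES else "investigate"
        report[host] = (count, limit, f"{state}/{role}/{verdict}")
    return report

def sample_sessions():
    """Constructed session table (documentation-range destination addresses)."""
    rows = [("10.0.0.10", "198.51.100.5", 443)] * 4000   # unlimited server
    rows += [("10.0.0.11", "198.51.100.6", 443)] * 1000  # server at default limit
    rows += [("10.0.1.50", "198.51.100.9", 443)] * 120   # quiet workstation
    rows += [("10.0.20.7", f"203.0.113.{i % 250 + 1}", 25) for i in range(300)]
    return rows

if __name__ == "__main__":
    for host, row in triage(sample_sessions()).items():
        print(host, row)
```

Hosts that reach the limit with a role outside `HIGH_SESSION_ROLES` are the ones to look at first; raising their limit would only hide the symptom.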
4. Configure Session Control in Nebula CC
Step 1: Log in to your Nebula Control Center (NCC) account at https://nebula.zyxel.com.
Step 2: Navigate to the Firewall/Security Gateway on the organization and site where you want to configure session control.
Step 4: Navigate to Site-wide -> Configure -> Firewall -> Security Policy
Step 5: Select the desired "Session per host" value, where 1000 sessions is the default and 0 is unlimited.
Step 6: Define the session control settings according to your requirements. You can set parameters such as the UDP session timeout.
Step 7: Click "Save" to save the session control settings.
KB-00057