We've got a security server running Retina that recently ran away and opened up tens of thousands of connections through our PIX 515E to devices it's supposed to scan. This caused memory on the PIX to run low, caused dropped connections on other sessions running through the PIX, and generally made life unhappy. Quick solution was to unplug the server from the net, run a clear xlate, and put in a new access list with a line "deny ip host <server ip> any" in it to prevent it from reaching out again.
What I'm wondering is:
Is there a way to limit the number of TCP connections that particular host can initiate through the firewall?
Is there a way to clear ONLY the connections that host has opened, rather than the "clear xlate" command, which kills ALL the sessions running through the firewall? The SAs and DBAs get annoyed when all their SSH sessions drop.
PIX OS is 6.3.5(125)