07-Security Configuration Guide

H3C Access Controllers Configuration Guides (E3703P61 R2509P61 R3709P61 R2609P61 R3509P61), 07-Security Configuration Guide
19-Session Management Configuration

Managing sessions

Support for session management depends on your device model. For more information, see About the H3C Access Controllers Configuration Guides.

Overview

Session management is a common feature that supports session-based services such as NAT and ASPF. It treats transport layer packet exchanges as sessions, and updates the session state or ages sessions out according to the information carried in initiator and responder packets.

Session management allows multiple features to process the same service packet. Session management can be applied for the following purposes:

·     Fast match between packets and sessions.

·     Management of transport layer protocol states.

·     Identification of application layer protocols.

·     Session aging based on protocol state or application layer protocol type.

·     Persistent sessions.

·     Checksum verification for transport layer protocol packets.

·     Special packet match for the application layer protocols requiring port negotiation.

·     Resolution of ICMP error control packets and session match based on resolution results.

How session management works

Session management tracks the connection status by inspecting the transport layer protocol (TCP or UDP) information, performing unified status maintenance and management of all connections.

In actual applications, session management works together with ASPF to dynamically determine whether a packet can pass the firewall and enter the internal network according to connection status, thus preventing intrusion.

The session management function only tracks connection status. It does not block potential attack packets.

Session management functions

Session management enables the device to provide the following functions:

·     Supporting session creation, session state update, and timeout setting based on protocol state for IPv4 TCP, UDP, ICMP, and raw IP packets.

·     Supporting port mapping for application layer protocols, so that application layer protocols can use customized ports and have different session timeouts.

·     Supporting checksum verification for TCP, UDP, and ICMP packets.

In case of checksum verification failure, the system will not match sessions or create sessions. Instead, other services based on session management will process the packets.

·     Supporting ICMP error packet mapping and allowing the system to search for original sessions according to the payload of these packets.

Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions.

·     Supporting persistent sessions, which are kept alive for a long period of time.

·     Supporting session management of control channels and dynamic data channels of application layer protocols, for example, FTP.

Session management task list

 

·     Setting session aging time for different protocol states. Optional.

·     Configuring session aging time for different application layer protocols. Optional.

·     Enabling checksum verification. Optional.

·     Specifying persistent sessions. Optional.

·     Specifying the operating mode for session management. Optional.

 

These tasks are mutually independent and can be configured in any order.

Setting session aging time for different protocol states

If the application layer protocol of a session supports session aging time configuration, the session takes the session aging time set based on the application layer protocol type as its aging time when it is in the READY/ESTABLISH state. For more information about the configuration, see "Configuring session aging time for different application layer protocols."

If a session entry is not matched with any packets in a specified period of time, the entry will be aged out.

 

IMPORTANT:

For a large number of sessions (more than 800000), do not set too short an aging time. Otherwise, the console might respond slowly.

 

To set the session aging times based on protocol state:

 

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Set the aging time for sessions of a specified protocol and in a specified state.
Command: session aging-time { accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value
Remarks: This aging time setting takes effect only on sessions that are being established. The default values are as follows:

·     accelerate—10 seconds.
·     fin—30 seconds.
·     icmp-closed—30 seconds.
·     icmp-open—60 seconds.
·     rawip-open—30 seconds.
·     rawip-ready—60 seconds.
·     syn—15 seconds.
·     tcp-est—3600 seconds.
·     udp-open—30 seconds.
·     udp-ready—60 seconds.

 

Configuring session aging time for different application layer protocols

For sessions in the READY (with UDP) or ESTABLISH (with TCP) state, you can set the session aging times according to the types of the application layer protocols to which the sessions belong.

 

IMPORTANT:

For a large number of sessions (more than 800000), do not set too short an aging time. Otherwise, the console might respond slowly.

 

To set session aging times based on application layer protocol type:

 

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Set the aging time for sessions of an application layer protocol.
Command: application aging-time { dns | ftp | msn | qq | sip } time-value
Remarks: Aging times set with this command apply only to sessions in the READY/ESTABLISH state. The default values are as follows:

·     dns—60 seconds.
·     ftp—3600 seconds.
·     msn—3600 seconds.
·     qq—60 seconds.
·     sip—300 seconds.

 

Enabling checksum verification

To make sure session tracking is not affected by packets with checksum errors, you can enable checksum verification for protocol packets. With checksum verification enabled, the session management feature processes only packets with correct checksums, and packets with incorrect checksums will be processed by other services based on the session management.

 

IMPORTANT:

Checksum verification might degrade the device performance. Enable it with caution.

 

To enable checksum verification for protocol packets:

 

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enable checksum verification.
Command: session checksum { all | { icmp | tcp | udp } * }
Remarks: Disabled by default.

 

Specifying persistent sessions

You can specify the sessions that match the permit statements in a basic or advanced ACL as persistent sessions, and give them a longer lifetime or make them never age out. A lifelong session is not removed until the device receives a connection close request from the initiator or responder, or you manually clear the session entries.

For more information about configuring basic and advanced ACLs, see ACL and QoS Configuration Guide.

To specify persistent sessions:

 

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Specify persistent sessions.
Command: session persist acl acl-number [ aging-time time-value ]
Remarks: By default, no persistent sessions are specified. If you configure this command multiple times, the last configuration takes effect.

 
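The three aging rules described in the sections above (state-based aging time, the application layer override for READY/ESTABLISH sessions, and persistent sessions selected by an ACL), as an added Python model written for this page rather than H3C's implementation. The ACL is modelled as a list of permitted source networks in CIDR notation, which is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Default state-based aging times (session aging-time), in seconds.
STATE_AGING = {
    "accelerate": 10, "fin": 30, "icmp-closed": 30, "icmp-open": 60,
    "rawip-open": 30, "rawip-ready": 60, "syn": 15, "tcp-est": 3600,
    "udp-open": 30, "udp-ready": 60,
}
# Default application layer aging times (application aging-time), in seconds.
APP_AGING = {"dns": 60, "ftp": 3600, "msn": 3600, "qq": 60, "sip": 300}

@dataclass
class Session:
    src: str
    dst: str
    state: str            # one of the STATE_AGING keys
    app: Optional[str]    # identified application layer protocol, if any
    last_seen: float      # time of the last packet that matched this session

@dataclass
class AgingPolicy:
    state_aging: dict = field(default_factory=lambda: dict(STATE_AGING))
    app_aging: dict = field(default_factory=lambda: dict(APP_AGING))
    # Hypothetical stand-in for "session persist acl": a basic ACL modelled as
    # permitted source networks (CIDR strings), plus the optional aging-time
    # (None = the persistent session never ages out).
    persist_nets: list = field(default_factory=list)
    persist_aging: Optional[int] = None

    def aging_time(self, s: Session) -> Optional[int]:
        """Aging time in seconds for the session, or None for a lifelong session."""
        src = ipaddress.ip_address(s.src)
        if any(src in ipaddress.ip_network(n) for n in self.persist_nets):
            return self.persist_aging
        # READY (UDP) and ESTABLISH (TCP) sessions take the application layer
        # time when the identified protocol has one configured.
        if s.state in ("tcp-est", "udp-ready") and s.app in self.app_aging:
            return self.app_aging[s.app]
        return self.state_aging[s.state]

    def expired(self, s: Session, now: float) -> bool:
        """True when no packet has matched the session within its aging time."""
        t = self.aging_time(s)
        return t is not None and now - s.last_seen > t
```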

Specifying the operating mode for session management

By default, session management operates in bidirectional mode, and it can process only bidirectional sessions. You can set the operating mode to hybrid mode for processing both bidirectional sessions and unidirectional sessions. In a unidirectional session, packets in a specific direction can pass the device.

In hybrid mode, some features cannot function correctly, and system security is adversely affected. For example, in hybrid mode, ASPF cannot drop a non-SYN packet that is the first packet of a TCP connection. If unidirectional sessions exist, set the operating mode to hybrid.

To specify the operating mode for session management:

 

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Specify an operating mode for session management.
Command (set the hybrid mode): session mode hybrid
Command (set the bidirectional mode): undo session mode
Remarks: By default, bidirectional mode is used.

 

Configuring session logging

Session logs provide information about user access, IP address translation, and network traffic for security auditing. These logs are sent in flow log format to the log server or the information center.

Enabling session logging

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step 3. Enable session logging.
Command: session log enable [ acl acl-number ] { inbound | outbound }
Remarks: By default, session logging is disabled.

 

Setting session logging thresholds

The device supports time-based or traffic-based logging:

·     Time-based logging—The device outputs session logs at an interval.

·     Traffic-based logging—The device outputs a session log when the traffic amount of a session reaches a threshold. The traffic-based thresholds can be byte-based and packet-based. If you set both thresholds, the last configuration takes effect.

If you set both time-based and traffic-based logging, the device outputs a session log when either threshold is reached. After outputting a session log, the device resets the traffic counter and restarts the interval for the session.

To set session logging thresholds:

 

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. (Optional.) Set time-based logging.
Command: session log time-active time-value
Remarks: The default value is 0, which means that the device does not output time-based session logs.

Step 3. (Optional.) Set a traffic-based logging type.
Command (set the packet-based threshold): session log packets-active packets-value
Command (set the byte-based threshold): session log bytes-active bytes-value
Remarks: The default value is 0, which means that the device does not output traffic-based session logs.

 
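An added Python model of the threshold logic described above (example code for this page, not H3C's): a time-based interval and one traffic-based threshold, either of which triggers a log; the last configured traffic threshold wins, and the counters and interval are reset after each log. Checking the interval from a timer (tick) is an assumption about how the device schedules time-based logs.

```python
from typing import List, Optional, Tuple

class LogThresholds:
    """Session logging thresholds; 0 disables that kind of logging (the default)."""

    def __init__(self, time_active: int = 0):
        self.time_active = time_active           # session log time-active, in seconds
        self.traffic_kind: Optional[str] = None  # "packets" or "bytes"
        self.traffic_value = 0

    def set_traffic(self, kind: str, value: int) -> None:
        """session log packets-active / bytes-active: the last one configured takes effect."""
        if kind not in ("packets", "bytes"):
            raise ValueError(kind)
        self.traffic_kind, self.traffic_value = kind, value

class LoggedSession:
    def __init__(self, key: Tuple, thresholds: LogThresholds, started: float):
        self.key, self.th = key, thresholds
        self.started = started          # start of the current logging interval
        self.packets = self.bytes = 0   # traffic counters since the last log
        self.logs: List[dict] = []

    def _emit(self, now: float) -> None:
        # Output one log, then reset the traffic counters and restart the interval.
        self.logs.append({"session": self.key, "packets": self.packets,
                          "bytes": self.bytes, "at": now})
        self.packets = self.bytes = 0
        self.started = now

    def tick(self, now: float) -> bool:
        """Time-based check (e.g. from a timer): log when the interval has elapsed."""
        if self.th.time_active and now - self.started >= self.th.time_active:
            self._emit(now)
            return True
        return False

    def on_packet(self, now: float, size: int) -> bool:
        """Count a packet; log when the traffic threshold or the interval is reached."""
        self.packets += 1
        self.bytes += size
        counter = {"packets": self.packets, "bytes": self.bytes}.get(self.th.traffic_kind)
        if self.th.traffic_value and counter is not None and counter >= self.th.traffic_value:
            self._emit(now)
            return True
        return self.tick(now)
```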

Displaying and maintaining session management

Task: Display the session aging times for application layer protocols. (Available in any view.)
Command: display application aging-time [ | { begin | exclude | include } regular-expression ]

Task: Display the session aging times in different protocol states. (Available in any view.)
Command: display session aging-time [ | { begin | exclude | include } regular-expression ]

Task: Display information about sessions. (Available in any view.)
Command: display session table [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ destination-port destination-port ] [ count | verbose ] [ | { begin | exclude | include } regular-expression ]

Task: Display statistics about sessions. (Available in any view.)
Command: display session statistics [ | { begin | exclude | include } regular-expression ]

Task: Display session relationship table information. (Available in any view.)
Command: display session relation-table [ | { begin | exclude | include } regular-expression ]

Task: Clear sessions. (Available in user view.)
Command: reset session [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ destination-port destination-port ]

Task: Clear session statistics. (Available in user view.)
Command: reset session statistics

 
