19-Session Management Configuration

Managing sessions

Contents
- Setting session aging time for different protocol states
- Configuring session aging time for different application layer protocols
- Enabling checksum verification
- Specifying persistent sessions
- Specifying the operating mode for session management
- Setting session logging thresholds
- Displaying and maintaining session management
Support for session management depends on your device model. For more information, see About the H3C Access Controllers Configuration Guides.
Overview
Session management is a common feature designed to implement session-based services such as NAT and ASPF. It treats packet exchanges at the transport layer as sessions and updates the session status, or ages sessions out, according to information in the initiator or responder packets.
Session management allows multiple features to process the same service packet. It can be applied for the following purposes:
· Fast match between packets and sessions.
· Management of transport layer protocol states.
· Identification of application layer protocols.
· Session aging based on protocol state or application layer protocol type.
· Persistent sessions.
· Checksum verification for transport layer protocol packets.
· Special packet match for the application layer protocols requiring port negotiation.
· Resolution of ICMP error control packets and session match based on resolution results.
How session management works
Session management tracks connection status by inspecting transport layer protocol (TCP or UDP) information, and performs unified status maintenance and management of all connections.
In actual applications, session management works together with ASPF to dynamically determine, according to connection status, whether a packet can pass the firewall and enter the internal network, thus preventing intrusion.
The session management function only tracks connection status. It does not block potential attack packets.
Session management functions
Session management enables the device to provide the following functions:
· Supporting session creation, session status update, and timeout setting based on protocol state for IPv4 TCP, UDP, ICMP, and Raw IP packets.
· Supporting port mapping for application layer protocols, allowing application layer protocols to use customized ports and different session timeout times.
· Supporting checksum verification for TCP, UDP, and ICMP packets.
If checksum verification fails, the system neither matches the packet against existing sessions nor creates a session for it. Instead, other services based on session management process the packet.
· Supporting ICMP error packet mapping, allowing the system to search for the original sessions according to the payload of these packets.
Because error packets are generated due to host errors, the mapping helps speed up the aging of the original sessions.
· Supporting persistent sessions, which are kept alive for a long period of time.
· Supporting session management of control channels and dynamic data channels of application layer protocols, for example, FTP.
Session management task list
Task: Setting session aging time for different protocol states
    Remarks: Optional.
Task: Configuring session aging time for different application layer protocols
    Remarks: Optional.
Task: Enabling checksum verification
    Remarks: Optional.
Task: Specifying persistent sessions
    Remarks: Optional.
Task: Specifying the operating mode for session management
    Remarks: Optional.
These tasks are mutually independent and can be configured in any order.
Setting session aging time for different protocol states
If the application layer protocol of a session supports session aging time configuration, a session in the READY/ESTABLISH state uses the aging time set for its application layer protocol type. For more information about the configuration, see "Configuring session aging time for different application layer protocols."
If a session entry is not matched by any packet within the specified period of time, the entry is aged out.
IMPORTANT: For a large number of sessions (more than 800000), do not specify too short an aging time. Otherwise, the console might be slow to respond.
To set the session aging times based on protocol state:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the aging time for sessions of a specified protocol in a specified state.
   Command: session aging-time { accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value
   Remarks: This aging time setting takes effect only on sessions that are being established. The default values are as follows:
   · accelerate—10 seconds.
   · fin—30 seconds.
   · icmp-closed—30 seconds.
   · icmp-open—60 seconds.
   · rawip-open—30 seconds.
   · rawip-ready—60 seconds.
   · syn—15 seconds.
   · tcp-est—3600 seconds.
   · udp-open—30 seconds.
   · udp-ready—60 seconds.
Configuring session aging time for different application layer protocols
For sessions in the READY (UDP) or ESTABLISH (TCP) state, you can set the session aging time according to the type of application layer protocol to which the session belongs.
IMPORTANT: For a large number of sessions (more than 800000), do not specify too short an aging time. Otherwise, the console might be slow to respond.
To set session aging times based on application layer protocol type:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the aging time for sessions of an application layer protocol.
   Command: application aging-time { dns | ftp | msn | qq | sip } time-value
   Remarks: Aging times set with this command apply only to sessions in the READY/ESTABLISH state. The default values are as follows:
   · dns—60 seconds.
   · ftp—3600 seconds.
   · msn—3600 seconds.
   · qq—60 seconds.
   · sip—300 seconds.
Enabling checksum verification
To make sure session tracking is not affected by packets with checksum errors, you can enable checksum verification for protocol packets. With checksum verification enabled, the session management feature processes only packets with correct checksums; packets with incorrect checksums are processed by other services based on session management.
IMPORTANT: Checksum verification might degrade device performance. Enable it with caution.
To enable checksum verification for protocol packets:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable checksum verification.
   Command: session checksum { all | { icmp | tcp | udp } * }
   Remarks: Disabled by default.
Specifying persistent sessions
You can make the sessions that match the permit statements in a specific basic or advanced ACL persistent, and give them either a longer lifetime or no aging at all (lifelong sessions). A lifelong session is not removed until the device receives a connection close request from the initiator or responder, or you manually clear the session entries.
For more information about configuring basic and advanced ACLs, see ACL and QoS Configuration Guide.
To specify persistent sessions:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify persistent sessions.
   Command: session persist acl acl-number [ aging-time time-value ]
   Remarks: By default, no persistent sessions are specified. If you configure this command multiple times, the last configuration takes effect.
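The aging rules of the three preceding sections (state-based timers, the application-layer override in READY/ESTABLISH, and the persistent-session override) as a small model; this is an added example, not code from the H3C guide. The default timers are the values quoted in the command tables; the session records and the ACL permit predicate are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Default aging times (seconds) from the two command tables above.
STATE_AGING = {
    "accelerate": 10, "fin": 30, "icmp-closed": 30, "icmp-open": 60,
    "rawip-open": 30, "rawip-ready": 60, "syn": 15, "tcp-est": 3600,
    "udp-open": 30, "udp-ready": 60,
}
APP_AGING = {"dns": 60, "ftp": 3600, "msn": 3600, "qq": 60, "sip": 300}
# The application-layer timer applies only in READY (UDP) or ESTABLISH (TCP).
READY_OR_ESTABLISH = {"udp-ready", "tcp-est"}

@dataclass
class Session:
    src: str
    dst: str
    state: str              # key of STATE_AGING
    app: Optional[str]      # key of APP_AGING, or None if not identified
    last_match: float       # time (seconds) of the last packet that matched this entry

@dataclass
class Persist:
    """Models 'session persist acl acl-number [ aging-time time-value ]'."""
    permit: Callable[[Session], bool]   # stands in for the ACL permit statements (assumed)
    aging_time: Optional[int] = None    # None = lifelong: never aged out

def aging_time(s: Session, persist: Optional[Persist] = None) -> Optional[float]:
    """Idle time after which the entry is aged out; None means it is never aged out."""
    # A lifelong session is still removed after a close request; modelled here as
    # the fin state falling back to the normal state timer (modelling assumption).
    if persist is not None and s.state != "fin" and persist.permit(s):
        return persist.aging_time
    if s.app in APP_AGING and s.state in READY_OR_ESTABLISH:
        return APP_AGING[s.app]
    return STATE_AGING[s.state]

def aged_out(sessions, now: float, persist: Optional[Persist] = None):
    """Entries that have seen no matching packet for longer than their aging time."""
    expired = []
    for s in sessions:
        limit = aging_time(s, persist)
        if limit is not None and now - s.last_match > limit:
            expired.append(s)
    return expired
```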
Specifying the operating mode for session management
By default, session management operates in bidirectional mode and can process only bidirectional sessions. You can set the operating mode to hybrid to process both bidirectional and unidirectional sessions. In a unidirectional session, packets in a specific direction can pass the device.
In hybrid mode, some features cannot function correctly, and system security is adversely affected. For example, in hybrid mode, ASPF cannot drop a non-SYN packet that is the first packet of a TCP connection. Set the operating mode to hybrid if unidirectional sessions exist.
To specify the operating mode for session management:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify an operating mode for session management.
   Command (use one of the following):
   · Set the hybrid mode:
   · Set the bidirectional mode:
   Remarks: By default, bidirectional mode is used.
Configuring session logging
Session logs provide information about user access, IP address translation, and network traffic for security auditing. These logs are sent in flow log format to the log server or the information center.
Enabling session logging
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable session logging.
   Command: session log enable [ acl acl-number ] { inbound | outbound }
   Remarks: By default, session logging is disabled.
Setting session logging thresholds
The device supports time-based and traffic-based logging:
· Time-based logging—The device outputs a session log at a fixed interval.
· Traffic-based logging—The device outputs a session log when the traffic amount of a session reaches a threshold. A traffic-based threshold can be byte-based or packet-based. If you set both thresholds, the last configuration takes effect.
If you set both time-based and traffic-based logging, the device outputs a session log when either threshold is reached. After outputting a session log, the device resets the traffic counter and restarts the interval for the session.
To set session logging thresholds:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. (Optional.) Set time-based logging.
   Command: session log time-active time-value
   Remarks: The default value is 0, which means that the device does not output time-based session logs.
3. (Optional.) Set a traffic-based logging type.
   Command (use one of the following):
   · Set the packet-based threshold:
   · Set the byte-based threshold:
   Remarks: The default value is 0, which means that the device does not output traffic-based session logs.
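The threshold semantics described above (0 disables a threshold, only the last traffic threshold counts, either threshold triggers a log, and the counter and interval restart after each log) as a model; this is an added example, not code from the H3C guide. The packet events are constructed, and time-based checks are made on packet arrival rather than by a device timer (a modelling assumption).

```python
from dataclasses import dataclass

@dataclass
class LogConfig:
    time_active: int = 0       # session log time-active; 0 = no time-based logs
    traffic_kind: str = ""     # "packets" or "bytes"; the last configured kind takes effect
    traffic_active: int = 0    # threshold in that unit; 0 = no traffic-based logs

    def set_traffic(self, kind: str, value: int) -> None:
        """Only the most recently configured traffic-based threshold is in effect."""
        self.traffic_kind, self.traffic_active = kind, value

@dataclass
class SessionCounters:
    interval_start: float      # start of the current time-based logging interval
    packets: int = 0
    bytes: int = 0

def process_packets(cfg: LogConfig, events):
    """events: (timestamp, session_key, byte_count) in time order (constructed input).
    Returns the emitted logs as (timestamp, session_key, reason, packets, bytes)."""
    counters = {}
    logs = []
    for ts, key, size in events:
        c = counters.setdefault(key, SessionCounters(interval_start=ts))
        c.packets += 1
        c.bytes += size
        reason = None
        if cfg.time_active and ts - c.interval_start >= cfg.time_active:
            reason = "time"
        elif cfg.traffic_active:
            count = c.packets if cfg.traffic_kind == "packets" else c.bytes
            if count >= cfg.traffic_active:
                reason = cfg.traffic_kind
        if reason:
            logs.append((ts, key, reason, c.packets, c.bytes))
            # After a log, the traffic counter is reset and the interval restarted.
            counters[key] = SessionCounters(interval_start=ts)
    return logs
```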
Displaying and maintaining session management
Task: Display the session aging times for application layer protocols.
    Command: display application aging-time [ | { begin | exclude | include } regular-expression ]
    Available in any view.
Task: Display the session aging times in different protocol states.
    Command: display session aging-time [ | { begin | exclude | include } regular-expression ]
    Available in any view.
Task: Display information about sessions.
    Command: display session table [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ destination-port destination-port ] [ count | verbose ] [ | { begin | exclude | include } regular-expression ]
    Available in any view.
Task: Display statistics about sessions.
    Command: display session statistics [ | { begin | exclude | include } regular-expression ]
    Available in any view.
Task: Display session relationship table information.
    Command: display session relation-table [ | { begin | exclude | include } regular-expression ]
    Available in any view.
Task: Clear sessions.
    Command: reset session [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ destination-port destination-port ]
    Available in user view.
Task: Clear session statistics.
    Command: reset session statistics
    Available in user view.