- 16-Security Configuration Guide
15-Session management
Managing sessions
About session management
Session management is a common module, providing basic services for NAT and attack detection and protection to implement their session-based services.
Session management defines packet exchanges at the transport layer as sessions. It updates session states and ages out sessions according to the data flows from the initiators or responders. Session management allows multiple features to process the same service packet.
Session management operation
Session management tracks the session status by inspecting the transport layer protocol information. It performs unified status maintenance and management of all connections based on session tables and relation tables.
When a connection request passes through the device from a client to a server, the device creates a session entry. The entry can contain the request and response information, such as:
· Source IP address and port number.
· Destination IP address and port number.
· Transport layer protocol.
· Application layer protocol.
· Protocol state of the session.
A multichannel protocol requires that the client and the server negotiate a new connection based on an existing connection to implement an application. Session management enables the device to create a relation entry for each connection during the negotiation phase. The entry is used to associate the connection with the application. Relation entries will be removed after the associated connections are established.
If the destination IP address of a packet is a multicast IP address, the packet will be forwarded out of multiple ports. When a multicast connection request is received on an inbound interface, the device performs the following operations:
· Creates a multicast session entry on the inbound interface.
· Creates a corresponding multicast session entry for each outbound interface.
Unless otherwise stated, "session entry" in this chapter refers to both unicast and multicast session entries.
Session management only tracks connection status. It does not block potential attack packets.
Session management functions
Session management enables the device to provide the following functions:
· Creates sessions for protocol packets, updates session states, and sets aging time for sessions in different protocol states.
· Supports ICMP/ICMPv6 error packet mapping, enabling the device to search for original sessions according to the payloads in the ICMP/ICMPv6 error packets.
Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions.
· Supports persistent sessions, which are kept alive for a long period of time.
· Supports session management for the control channels and dynamic data channels of application layer protocols, for example, FTP.
Restrictions and guidelines: Session management configuration
For a TCP session in ESTABLISHED state, the priority order of the associated aging time is as follows:
· Aging time for persistent sessions.
· Aging time for sessions of application layer protocols.
· Aging time for sessions in different protocol states.
If the device has excessive sessions, do not set the aging time shorter than the default for a certain protocol state or an application layer protocol. Short aging time settings can make the device slow in response.
Setting the session aging time for different protocol states
About this task
If a session in a certain protocol state has no packet hit before the aging time expires, the device automatically removes the session.
Procedure
1. Enter system view.
system-view
2. Set the session aging time for different protocol states.
session aging-time state { fin | icmp-reply | icmp-request | rawip-open | rawip-ready | syn | tcp-close | tcp-est | tcp-time-wait | udp-open | udp-ready } time-value
The default aging time for sessions in different protocol states is as follows:
◦ FIN_WAIT: 30 seconds.
◦ ICMP-REPLY: 30 seconds.
◦ ICMP-REQUEST: 60 seconds.
◦ RAWIP-OPEN: 30 seconds.
◦ RAWIP-READY: 60 seconds.
◦ TCP SYN-SENT and SYN-RCV: 30 seconds.
◦ TCP-CLOSE: 2 seconds.
◦ TCP ESTABLISHED: 3600 seconds.
◦ TCP-TIME-WAIT: 2 seconds.
◦ UDP-OPEN: 30 seconds.
◦ UDP-READY: 60 seconds.
Setting the session aging time for different application layer protocols
About this task
The aging time for sessions of an application layer protocol is valid only for TCP sessions in ESTABLISHED state or UDP sessions in READY state. For sessions of other application layer protocols, the aging time for sessions in different protocol states applies.
Procedure
1. Enter system view.
system-view
2. Set the session aging time for different application layer protocols.
session aging-time application { dns | ftp | gtp | h225 | h245 | ils | mgcp | nbt | pptp | ras | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp } time-value
By default, the session aging time is as follows:
◦ DNS: 1 second.
◦ FTP: 3600 seconds.
◦ GTP: 60 seconds.
◦ H.225: 3600 seconds.
◦ H.245: 3600 seconds.
◦ ILS: 3600 seconds.
◦ MGCP: 60 seconds.
◦ NBT: 3600 seconds.
◦ PPTP: 3600 seconds.
◦ RAS: 300 seconds.
◦ RSH: 60 seconds.
◦ RTSP: 3600 seconds.
◦ SCCP: 3600 seconds.
◦ SIP: 300 seconds.
◦ SQLNET: 600 seconds.
◦ TFTP: 60 seconds.
◦ XDMCP: 3600 seconds.
Specifying persistent sessions
About this task
This task applies only to TCP sessions in ESTABLISHED state. You can specify TCP sessions that match the permit statements in the specified ACL as persistent sessions, and either set a longer lifetime for them or let them never age out.
A persistent session is not removed until one of the following events occurs:
· The session entry ages out.
· The device receives a connection close request from the initiator or responder.
· You manually clear the session entries.
Procedure
1. Enter system view.
system-view
2. Specify persistent sessions.
session persistent acl [ ipv6 ] acl-number [ aging-time time-value ]
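The following is an added example, not code from the H3C guide or the device: it models how the three aging-time settings above are resolved for one session, in the priority order given under "Restrictions and guidelines", using the default values listed in each procedure. The ACL match is a hypothetical stand-in keyed on destination port, and omitting the persistent aging-time is assumed to mean the session never ages out.

```python
from dataclasses import dataclass, field
from typing import Optional

# Default aging time (seconds) per protocol state, from the state table above.
STATE_AGING = {
    "fin": 30, "icmp-reply": 30, "icmp-request": 60, "rawip-open": 30,
    "rawip-ready": 60, "syn": 30, "tcp-close": 2, "tcp-est": 3600,
    "tcp-time-wait": 2, "udp-open": 30, "udp-ready": 60,
}
# Default aging time (seconds) per application layer protocol.
APP_AGING = {
    "dns": 1, "ftp": 3600, "gtp": 60, "h225": 3600, "h245": 3600, "ils": 3600,
    "mgcp": 60, "nbt": 3600, "pptp": 3600, "ras": 300, "rsh": 60, "rtsp": 3600,
    "sccp": 3600, "sip": 300, "sqlnet": 600, "tftp": 60, "xdmcp": 3600,
}

@dataclass
class Session:
    proto: str                 # "tcp" or "udp"
    state: str                 # a key of STATE_AGING
    dst_port: int
    app: Optional[str] = None  # a key of APP_AGING if an ALG identified one

@dataclass
class Config:
    state_aging: dict = field(default_factory=lambda: dict(STATE_AGING))
    app_aging: dict = field(default_factory=lambda: dict(APP_AGING))
    # Hypothetical stand-in for "session persistent acl": a set of permitted
    # destination ports. persistent_aging None models an omitted aging-time,
    # assumed here to mean "never ages out".
    persistent_ports: set = field(default_factory=set)
    persistent_aging: Optional[int] = None

def aging_time(s: Session, cfg: Config) -> Optional[int]:
    """Return the aging time in seconds, or None if the session never ages out."""
    # 1. Persistent sessions win; only TCP ESTABLISHED sessions can be persistent.
    if s.proto == "tcp" and s.state == "tcp-est" and s.dst_port in cfg.persistent_ports:
        return cfg.persistent_aging
    # 2. Application layer aging applies only to TCP ESTABLISHED or UDP READY.
    if s.app in cfg.app_aging and s.state in ("tcp-est", "udp-ready"):
        return cfg.app_aging[s.app]
    # 3. Otherwise the protocol-state aging time applies.
    return cfg.state_aging[s.state]
```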
Enabling session statistics collection
About this task
This feature enables the device to collect per-session inbound and outbound packet and byte counts. You can display session statistics based on different criteria.
· To display statistics per unicast session, use the display session table command.
· To display statistics per unicast packet type, use the display session statistics command.
Procedure
1. Enter system view.
system-view
2. Enable session statistics collection.
session statistics enable
By default, session statistics collection is disabled.
Configuring session logging
About this task
Session logs provide information about user access, IP address translation, and network traffic for security auditing. These logs are sent to the log server or the information center.
The device supports time-based or traffic-based logging:
· Time-based logging—The device outputs session logs regularly.
· Traffic-based logging—The device outputs a session log when the traffic amount of a session reaches a threshold. After outputting a session log, the device resets the traffic counter for the session. The traffic-based thresholds can be byte-based and packet-based. If you set both thresholds, the last configuration takes effect.
If you enable session logging but specify neither the traffic-based nor the time-based type, the device outputs a session log when a session entry is created or removed.
Procedure
1. Enter system view.
system-view
2. (Optional.) Set a time-based logging type.
session log time-active time-value
By default, the device does not output session logs.
3. (Optional.) Set a traffic-based logging type.
◦ Set the packet-based threshold.
session log packets-active packets-value
By default, the device does not output session logs based on the packet-based threshold.
◦ Set the byte-based threshold.
session log bytes-active bytes-value
By default, the device does not output session logs based on the byte-based threshold.
If you set both traffic-based and time-based logging, the device outputs a session log as soon as either condition is met. After outputting a session log, the device resets the traffic counter and restarts the interval for the session.
4. Enter interface view.
interface interface-type interface-number
5. Enable session logging.
session log enable { ipv4 | ipv6 } [ acl acl-number ] { inbound | outbound }
By default, session logging is disabled.
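The following is an added example, not code from the H3C guide or the device: it models when the session logging feature described above emits a log for one session, covering the "last configured threshold takes effect" rule, the "whichever is met first" rule, and the counter reset after each log. Elapsed time is advanced per packet here, which is an assumption; the device uses a timer.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class LogConfig:
    time_active: Optional[int] = None           # session log time-active, seconds
    traffic: Optional[Tuple[str, int]] = None   # ("packets", n) or ("bytes", n)

    # Only one traffic threshold is effective: the one configured last wins.
    def set_packets_active(self, n: int) -> None:
        self.traffic = ("packets", n)

    def set_bytes_active(self, n: int) -> None:
        self.traffic = ("bytes", n)

@dataclass
class SessionLogger:
    """Per-session traffic counters plus the log events emitted for the session."""
    cfg: LogConfig
    pkt_count: int = 0
    byte_count: int = 0
    elapsed: float = 0.0
    logs: List[str] = field(default_factory=list)

    def lifecycle(self, event: str) -> None:
        """Call with "created" or "removed": logged only when neither type is set."""
        if self.cfg.time_active is None and self.cfg.traffic is None:
            self.logs.append(event)

    def _reset(self) -> None:
        # After a log, both the traffic counters and the interval restart.
        self.pkt_count = self.byte_count = 0
        self.elapsed = 0.0

    def packet(self, size: int, dt: float) -> None:
        """Account one packet of `size` bytes seen `dt` seconds after the last event.
        Time advances per packet here (the device uses a timer), so this is a model."""
        self.pkt_count += 1
        self.byte_count += size
        self.elapsed += dt
        if self.cfg.traffic is not None:
            kind, limit = self.cfg.traffic
            count = self.pkt_count if kind == "packets" else self.byte_count
            if count >= limit:
                self.logs.append(kind + "-active")
                self._reset()
                return
        if self.cfg.time_active is not None and self.elapsed >= self.cfg.time_active:
            self.logs.append("time-active")
            self._reset()
```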
Verifying and maintaining session management
Displaying the aging time for sessions
Perform all display tasks in any view.
· Display the aging time for sessions of different application layer protocols.
display session aging-time application
· Display the aging time for sessions in different protocol states.
display session aging-time state
Displaying and clearing session entries
Displaying session entries
Perform all display tasks in any view.
· Display relation entries.
display session relation-table { ipv4 | ipv6 } [ slot slot-number ]
· Display information about IPv4 unicast session entries that match specific criteria.
display session table ipv4 [ slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ]
· Display information about IPv6 unicast session entries that match specific criteria.
display session table ipv6 [ slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ]
· Display IPv4 multicast session table entries.
display session table multicast ipv4 [ slot slot-number ] [ destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-ip start-source-ip [ end-source-ip ] | source-port source-port ] * [ verbose ]
Clearing session entries
Perform all reset tasks in user view.
· Clear relation entries.
reset session relation-table [ ipv4 | ipv6 ] [ slot slot-number ]
· Clear all unicast session table entries.
reset session table [ slot slot-number ]
· Clear information about IPv4 unicast session entries that match specific criteria.
reset session table ipv4 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ]
· Clear information about IPv6 unicast session entries that match specific criteria.
reset session table ipv6 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ]
· Clear all multicast session table entries.
reset session table multicast [ slot slot-number ]
· Clear IPv4 multicast session table entries.
reset session table multicast ipv4 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ]
Displaying and clearing session statistics
Displaying session statistics
Perform all display tasks in any view.
· Display unicast session statistics.
display session statistics [ summary ] [ slot slot-number ]
· Display IPv4 unicast session statistics.
display session statistics ipv4 { destination-ip destination-ip | destination-port destination-port | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-ip source-ip | source-port source-port } * [ slot slot-number ]
· Display IPv6 unicast session statistics.
display session statistics ipv6 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * [ slot slot-number ]
· Display multicast session statistics.
display session statistics multicast [ slot slot-number ]
Clearing session statistics
To clear session statistics, execute the following commands in user view:
· Clear unicast session statistics.
reset session statistics [ slot slot-number ]
· Clear multicast session statistics.
reset session statistics multicast [ slot slot-number ]