10-Security Configuration Guide

11-Session Management Configuration

Session management overview

The session management feature is a common feature used to implement session-based services such as network address translation (NAT) and intrusion detection and protection. It regards packet exchanges at the transport layer as sessions, and updates the status of a session or ages the session out according to the packets sent by the initiator and the responder.

Session management allows multiple features to each process the same service packet. It implements the following functions:

·     Fast match between packets and sessions

·     Management of transport layer protocol state

·     Identification of application layer protocol types

·     Session aging based on protocol state

·     Special packet match for the application layer protocols requiring port negotiation

·     Resolution of ICMP error control packets and session match based on resolution results

Session management principle

The session management function tracks the status of connections by inspecting the transport layer protocol (TCP or UDP) information, and performs unified status maintenance and management of all connections.

Note that session management implements only connection status tracking. By itself, it cannot block potential attack packets.

Session management implementation

The session management feature implemented on the device provides the following functions:

·     Supporting session creation, session status update, and protocol-state-based timeout setting for IPv4 TCP, UDP, ICMP, and raw IP packets.

·     Supporting port mapping for application layer protocols and allowing application layer protocols to use customized ports.

·     Supporting ICMP error packet mapping and allowing the system to search for original sessions according to the payload of these packets. Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions.

·     Supporting session management of control channels and dynamic data channels of application layer protocols, for example, FTP.

·     Limiting the number of session-based connections. For more information, see Layer 3—IP Services Configuration Guide.

Session management configuration task list

Complete the following tasks to configure session management:

·     Setting session aging times based on protocol state

·     Configuring session aging times based on application layer protocol type

·     Clearing sessions manually

These tasks are mutually independent and can be configured in any order. You can configure them as required.

Setting session aging times based on protocol state

If a session entry is not matched by any packet within the specified period of time, the entry is aged out.

To set the session aging times based on protocol state:

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A

Step 2: Set the aging time for sessions of a specified protocol and in a specified state.
    Command: session aging-time { accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value
    Remarks: The system supports keywords syn, tcp-est, and udp-ready. The defaults are as follows:
    ·     accelerate: 10 seconds
    ·     fin: 30 seconds
    ·     icmp-closed: 30 seconds
    ·     icmp-open: 60 seconds
    ·     rawip-open: 30 seconds
    ·     rawip-ready: 60 seconds
    ·     syn: 15 seconds
    ·     tcp-est: 300 seconds
    ·     udp-open: 30 seconds
    ·     udp-ready: 60 seconds

CAUTION:

Do not set an aging time that is too short when the number of sessions exceeds 800000. Otherwise, the console may respond slowly.

 

Configuring session aging times based on application layer protocol type

NOTE:

Aging times set in this task apply only to sessions in the READY/ESTABLISH state.

 

For sessions in the READY (with UDP) or ESTABLISH (with TCP) state, you can set the session aging times according to the types of the application layer protocols to which the sessions belong.

To set session aging times based on application layer protocol type:

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A

Step 2: Set the aging time for sessions of an application layer protocol.
    Command: application aging-time { dns | ftp | msn | qq | sip } time-value
    Remarks: The defaults are as follows:
    ·     dns: 60 seconds
    ·     ftp: 3600 seconds
    ·     msn: 3600 seconds
    ·     qq: 60 seconds
    ·     sip: 300 seconds

CAUTION:

Do not set an aging time that is too short when the number of sessions exceeds 800000. Otherwise, the console may respond slowly.

 

Enabling checksum verification

NOTE:

The IM-NAT LPU does not support this feature.

 

To make sure that session tracking is not affected by packets with checksum errors, you can enable checksum verification for protocol packets. With checksum verification enabled, the session management feature processes only packets with correct checksums; packets with incorrect checksums are not tracked and are left to the other services that are based on session management.

To enable checksum verification for protocol packets:

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A

Step 2: Enable checksum verification.
    Command: session checksum { all | { icmp | tcp | udp } * }
    Remarks: Disabled by default

CAUTION:

Checksum verification may degrade the device performance. Enable it with caution.
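As an added illustration of what this feature does (example code, not the guide's or H3C's own), the Python below verifies UDP checksums over the IPv4 pseudo-header and models a session table that, with verification enabled, is created or refreshed only by checksum-valid datagrams. The addresses and datagram are constructed, and track() is a hypothetical stand-in for the device's session logic.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def udp_pseudo_header(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    # IPv4 pseudo-header: source, destination, zero, protocol 17 (UDP), UDP length
    return src_ip + dst_ip + struct.pack("!BBH", 0, 17, udp_len)

def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a UDP datagram with a correct checksum (test input, not captured traffic)."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(udp_pseudo_header(src_ip, dst_ip, length) + header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum or 0xFFFF) + payload

def udp_checksum_ok(src_ip: bytes, dst_ip: bytes, udp: bytes) -> bool:
    """Verify a UDP datagram. Over IPv4 a stored checksum of 0 means 'not computed'."""
    if struct.unpack("!H", udp[6:8])[0] == 0:
        return True
    # Summing the datagram together with its stored checksum yields 0 iff it is valid.
    return internet_checksum(udp_pseudo_header(src_ip, dst_ip, len(udp)) + udp) == 0

def track(sessions: dict, src_ip: bytes, dst_ip: bytes, udp: bytes, verify: bool) -> bool:
    """Hypothetical model of 'session checksum udp': only a checksum-valid datagram
    creates or refreshes a session. Returns True if the table was touched."""
    if verify and not udp_checksum_ok(src_ip, dst_ip, udp):
        return False                          # not tracked; left to other services
    sport, dport = struct.unpack("!HH", udp[:4])
    key = (src_ip, sport, dst_ip, dport)
    sessions[key] = sessions.get(key, 0) + 1  # packets seen on this UDP session
    return True
```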

 

Specifying the persistent session ACL

NOTE:

The IM-NAT LPU does not support this feature.

 

You can designate sessions that have specific characteristics as persistent sessions. The aging time of a persistent session does not vary with session state transitions, nor is a persistent session removed because no packets match it. A persistent session can be given an aging time longer than those of common sessions (up to 360 hours), or be configured as a permanent connection, which is cleared only when the session initiator or responder sends a request to close it or when you clear it manually.

You can set the persistent session criteria by specifying a basic or advanced access control list (ACL). All sessions permitted by the ACL are persistent sessions.

NOTE:

For more information about the configuration of basic and advanced ACLs, see ACL and QoS Configuration Guide.

 

To specify the persistent session ACL:

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A

Step 2: Specify the persistent session ACL.
    Command: session persist acl acl-number [ aging-time time-value ]
    Remarks: Not specified by default

NOTE:

There can be only one persistent session ACL.
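To make the aging rules of this task and the two aging-time tasks above concrete, here is an added Python model (not H3C code) of a session table that applies the per-state defaults, the application-layer override for READY/ESTABLISH sessions, and a persistent-session ACL whose matches either never age out or age on their own fixed timer. Session, PersistAcl (a single permitted source prefix standing in for a basic ACL) and the sample sessions are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Default per-state aging times in seconds, as listed in this guide.
STATE_AGING = {
    "accelerate": 10, "fin": 30, "icmp-closed": 30, "icmp-open": 60,
    "rawip-open": 30, "rawip-ready": 60, "syn": 15, "tcp-est": 300,
    "udp-open": 30, "udp-ready": 60,
}
# Default application-layer aging times; they apply only in READY/ESTABLISH state.
APP_AGING = {"dns": 60, "ftp": 3600, "msn": 3600, "qq": 60, "sip": 300}

@dataclass
class Session:
    src_ip: str
    state: str                    # a key of STATE_AGING
    app: Optional[str] = None     # identified application layer protocol, if any
    last_seen: float = 0.0        # time the last matching packet was seen

@dataclass
class PersistAcl:
    """Hypothetical stand-in for 'session persist acl': a basic ACL permitting one source prefix."""
    permit: str                   # e.g. "10.1.1.0/24"
    aging_time: Optional[int]     # seconds; None models a permanent connection

def aging_time(s: Session, persist: Optional[PersistAcl] = None) -> Optional[int]:
    """Aging time that applies to a session, or None if it never ages out."""
    if persist and ip_address(s.src_ip) in ip_network(persist.permit):
        return persist.aging_time          # fixed: state transitions do not change it
    if s.state in ("tcp-est", "udp-ready") and s.app in APP_AGING:
        return APP_AGING[s.app]            # application-layer time overrides the state time
    return STATE_AGING[s.state]

def age_out(table: List[Session], now: float,
            persist: Optional[PersistAcl] = None) -> List[Session]:
    """Return the sessions that survive aging at time 'now'."""
    survivors = []
    for s in table:
        limit = aging_time(s, persist)
        if limit is None or now - s.last_seen < limit:
            survivors.append(s)
    return survivors
```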

 

Clearing sessions manually

To clear sessions manually:

Task: Clear sessions.
    Command: reset session [ slot slot-num ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type protocol-type ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
    Remarks: Available in user view

NOTE:

For the IM-NAT LPU, this feature can clear only all sessions of the card.

 

Configuring session logging

A session log records information about user access, IP address translation, and traffic, and can be sent to the log server in a specific format. It can help network administrators in security auditing.

Enabling session logging

To enable session logging:

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A

Step 2: Enter NAT virtual interface view.
    Command: interface nat interface-number
    Remarks: N/A

Step 3: Enable session logging.
    Command: session log enable [ acl acl-number ]
    Remarks: Disabled by default

 

Setting the session logging threshold

When the holdtime of a session reaches the preset threshold, the system outputs a session log.

To set the session logging threshold:

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A

Step 2: Set the threshold for session logging.
    Command: session log time-active time-value
    Remarks: Optional. 0 by default, which means that the system does not output session logs based on the session holdtime threshold.

 

Configuring session log export

Session logs are exported in the form of flow logs.

To configure session log exporting:

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A

Step 2: Specify the flow log version.
    Command: userlog flow export version version-number
    Remarks: Optional. 1.0 by default.

Step 3: Specify the source IP address for UDP packets carrying flow logs.
    Command: userlog flow export source-ip ip-address
    Remarks: Optional. IP address of the interface sending UDP packets by default.

Step 4: Specify the IP address and UDP port number of the flow log server.
    Command: userlog flow export slot slot-number [ vpn-instance vpn-instance-name ] host ip-address udp-port
    Remarks: Not specified by default.

Step 5: Export flow logs to the information center.
    Command: userlog flow syslog
    Remarks: Optional. Flow logs are not exported to the flow log server by default.

NOTE:

·     For more information about flow logging functions, see Network Management and Monitoring Configuration Guide.

·     For more information about flow logging commands, see Network Management and Monitoring Command Reference.

 

Displaying and maintaining session management

Task: Display the session aging times for application layer protocols.
    Command: display application aging-time [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display the session aging times in different protocol states.
    Command: display session aging-time [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display information about sessions.
    Command: display session table [ slot slot-num ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display statistics about sessions.
    Command: display session statistics [ slot slot-num ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display session relationship table information.
    Command: display session relation-table [ slot slot-num ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display configuration and statistics about logs.
    Command: display userlog export slot slot-number [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Clear sessions.
    Command: reset session [ slot slot-num ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type protocol-type ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
    Remarks: Available in user view

Task: Clear session statistics.
    Command: reset session statistics [ slot slot-num ]
    Remarks: Available in user view

Task: Clear the log statistics on a specified card.
    Command: reset userlog flow export slot slot-number
    Remarks: Available in user view

Task: Clear flow logs in the buffer.
    Command: reset userlog flow logbuffer slot slot-number
    Remarks: Available in user view

NOTE:

·     For more information about the commands display userlog export and reset userlog flow export, see Layer 3—IP Services Command Reference.

·     For more information about the reset userlog flow logbuffer command, see Network Management and Monitoring Command Reference.