Security Configuration Guide: 11-Session Management Configuration
Contents
· Session management overview
· Session management principle
· Session management implementation
· Session management configuration task list
· Setting session aging times based on protocol state
· Configuring session aging times based on application layer protocol type
· Enabling checksum verification
· Specifying the persistent session ACL
· Clearing sessions manually
· Configuring session logging
· Displaying and maintaining session management
Session management overview
The session management feature is a common underlying feature for session-based services such as network address translation (NAT) and intrusion detection and protection. It treats packet exchanges at the transport layer as sessions, and updates the status of each session or ages it out according to the information carried in the initiator's and responder's packets.
Session management allows multiple features to process the same service packet independently. It implements the following functions:
· Fast match between packets and sessions
· Management of transport layer protocol state
· Identification of application layer protocol types
· Session aging based on protocol state
· Special packet match for the application layer protocols requiring port negotiation
· Resolution of ICMP error control packets and session match based on resolution results
Session management principle
The session management function tracks the status of connections by inspecting the transport layer protocol (TCP or UDP) information, and performs unified status maintenance and management of all connections.
Note that the session management function implements only connection status tracking. By itself, it cannot block potential attack packets.
Session management implementation
The session management feature implemented on the device provides the following functions:
· Session creation, session status update, and timeout setting based on protocol state for IPv4 TCP, UDP, ICMP, and Raw IP packets.
· Port mapping for application layer protocols, allowing application layer protocols to use customized ports.
· ICMP error packet mapping, allowing the system to search for the original sessions according to the payload of these packets. Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions.
· Session management of control channels and dynamic data channels of application layer protocols, for example, FTP.
· Limiting the number of session-based connections. For more information, see Layer 3—IP Services Configuration Guide.
Session management configuration task list
Complete the following tasks to configure session management:
· Setting session aging times based on protocol state
· Configuring session aging times based on application layer protocol type
These tasks are mutually independent and can be configured in any order. You can configure them as required.
Setting session aging times based on protocol state
If no packet matches a session entry within the aging time for its current state, the entry is aged out.
To set the session aging times based on protocol state:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the aging time for sessions of a specified protocol and in a specified state. | session aging-time { accelerate \| fin \| icmp-closed \| icmp-open \| rawip-open \| rawip-ready \| syn \| tcp-est \| udp-open \| udp-ready } time-value | The system supports keywords syn, tcp-est, and udp-ready. Defaults: accelerate 10 seconds, fin 30 seconds, icmp-closed 30 seconds, icmp-open 60 seconds, rawip-open 30 seconds, rawip-ready 60 seconds, syn 15 seconds, tcp-est 300 seconds, udp-open 30 seconds, udp-ready 60 seconds. |
CAUTION: Do not set too short an aging time when the number of sessions exceeds 800000. Otherwise, the console may respond slowly.
Configuring session aging times based on application layer protocol type
NOTE: Aging times set in this task apply only to sessions in the READY/ESTABLISH state.
For sessions in the READY (UDP) or ESTABLISH (TCP) state, you can set the session aging times according to the application layer protocol to which the sessions belong.
To set session aging times based on application layer protocol type:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the aging time for sessions of an application layer protocol. | application aging-time { dns \| ftp \| msn \| qq \| sip } time-value | Defaults: dns 60 seconds, ftp 3600 seconds, msn 3600 seconds, qq 60 seconds, sip 300 seconds. |
CAUTION: Do not set too short an aging time when the number of sessions exceeds 800000. Otherwise, the console may respond slowly.
Enabling checksum verification
NOTE: The IM-NAT LPU does not support this feature.
To make sure that session tracking is not affected by packets with checksum errors, you can enable checksum verification for protocol packets. With checksum verification enabled, the session management feature processes only packets with correct checksums, and packets with incorrect checksums will be processed by the other services that are based on session management.
To enable checksum verification for protocol packets:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable checksum verification. | session checksum { all \| { icmp \| tcp \| udp } * } | Disabled by default. |
CAUTION: Checksum verification may degrade device performance. Enable it with caution.
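The two mechanisms described under "Session management implementation" (ICMP error packet mapping back to the original session) and in this task (checksum verification before a packet is tracked) are modelled together in the following added Python example. This is not H3C code: the function names, the dictionary-based session table, the 5-tuple class and the packet bytes are constructed for illustration; the only value taken from the page is the 10-second default of the accelerate state.

```python
"""Added example (not H3C code): verify an ICMP message's checksum, then resolve
an ICMP error back to the 5-tuple of the packet it quotes and move that session
to the accelerated aging timer."""
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_TCP, PROTO_UDP = 6, 17
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
ACCELERATE_AGING = 10  # seconds: the page's default for the "accelerate" state


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_checksum_ok(icmp: bytes) -> bool:
    """Checksum verification: a message with a valid checksum field sums to zero."""
    return len(icmp) >= 8 and inet_checksum(icmp) == 0


@dataclass(frozen=True)
class FiveTuple:  # constructed session key: initiator -> responder direction
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def resolve_icmp_error(icmp: bytes) -> Optional[FiveTuple]:
    """Return the 5-tuple of the original packet quoted in an ICMP error, or None
    when the message fails checksum verification or is not an error message."""
    if not icmp_checksum_ok(icmp) or icmp[0] not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return None
    inner = icmp[8:]  # quoted IPv4 header plus (at least) 8 bytes of its payload
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src, dst = _ip_str(inner[12:16]), _ip_str(inner[16:20])
    sport = dport = 0
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(inner) < ihl + 4:
            return None
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return FiveTuple(proto, src, sport, dst, dport)


def apply_icmp_error(table: dict, icmp: bytes) -> Optional[FiveTuple]:
    """Look up the original session and switch it to the accelerated aging timer."""
    key = resolve_icmp_error(icmp)
    if key is not None and key in table:
        table[key]["state"], table[key]["aging"] = "accelerate", ACCELERATE_AGING
        return key
    return None


# --- constructed packets for demonstration (not captured traffic) ---
def build_ipv4_udp(src: str, sport: int, dst: str, dport: int, payload: bytes = b"") -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]  # fill header checksum
    return ip + udp


def build_icmp_unreachable(quoted: bytes, code: int = 3) -> bytes:
    """ICMP destination unreachable (port unreachable by default) quoting `quoted`."""
    msg = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


if __name__ == "__main__":
    key = FiveTuple(PROTO_UDP, "10.0.0.5", 40000, "192.0.2.10", 53)
    table = {key: {"state": "udp-ready", "aging": 60}}
    err = build_icmp_unreachable(build_ipv4_udp("10.0.0.5", 40000, "192.0.2.10", 53))
    print("matched:", apply_icmp_error(table, err), table[key])
```

The error packet travels from the responder side back to the initiator, but the packet it quotes is the initiator's original one, so the quoted 5-tuple is looked up directly as the session key. A message that fails checksum verification is never parsed, which is the ordering the task above describes.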
Specifying the persistent session ACL
NOTE: The IM-NAT LPU does not support this feature.
You can designate sessions that have specific characteristics as persistent sessions. The aging time of a persistent session does not vary with session state transitions, nor is a persistent session removed because no packets match it. A persistent session can be given an aging time longer than that of common sessions (up to 360 hours), or be configured as a permanent connection, which is cleared only when the session initiator or responder sends a request to close it or you clear it manually.
You set the persistent session criteria by specifying a basic or advanced access control list (ACL). All sessions permitted by the ACL are persistent sessions.
NOTE: For more information about the configuration of basic and advanced ACLs, see ACL and QoS Configuration Guide.
To specify the persistent session ACL:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify the persistent session ACL. | session persist acl acl-number [ aging-time time-value ] | Not specified by default. |
NOTE: There can be only one persistent session ACL.
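The three aging rules configured in the tasks above (aging by protocol state, aging by application layer protocol for READY/ESTABLISH sessions, and the persistent session ACL) interact in a fixed order of precedence. The following added Python model shows that order. It is not the device's code: the class and method names, the representation of a basic ACL as ordered (action, source network) rules, and the session keys are assumptions made for this example; the default timers, the READY/ESTABLISH restriction and the 360-hour cap are taken from the page.

```python
"""Added example (not H3C code): a simplified session table that applies the
page's aging rules in precedence order: persistent ACL, then application
layer aging (READY/ESTABLISH sessions only), then protocol-state aging."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Default aging times (seconds) per protocol state, as listed on the page.
STATE_AGING = {
    "accelerate": 10, "fin": 30, "icmp-closed": 30, "icmp-open": 60,
    "rawip-open": 30, "rawip-ready": 60, "syn": 15, "tcp-est": 300,
    "udp-open": 30, "udp-ready": 60,
}
# Default aging times per application layer protocol (READY/ESTABLISH only).
APP_AGING = {"dns": 60, "ftp": 3600, "msn": 3600, "qq": 60, "sip": 300}
READY_STATES = {"tcp-est", "udp-ready"}
MAX_PERSIST_SECONDS = 360 * 3600  # persistent-session aging is capped at 360 hours


@dataclass
class Session:
    src: str
    dst: str
    state: str
    app: Optional[str] = None
    last_seen: float = 0.0


@dataclass
class SessionTable:
    state_aging: dict = field(default_factory=lambda: dict(STATE_AGING))
    app_aging: dict = field(default_factory=lambda: dict(APP_AGING))
    # Stand-in for a basic ACL: ordered (action, source network) rules, first match wins.
    persist_acl: list = field(default_factory=list)
    persist_aging: Optional[int] = None  # None models a permanent connection
    sessions: dict = field(default_factory=dict)

    def set_state_aging(self, state: str, seconds: int) -> None:
        """Counterpart of: session aging-time <state> <time-value>"""
        if state not in self.state_aging:
            raise ValueError(f"unknown state keyword {state}")
        self.state_aging[state] = seconds

    def set_app_aging(self, app: str, seconds: int) -> None:
        """Counterpart of: application aging-time <app> <time-value>"""
        if app not in self.app_aging:
            raise ValueError(f"unknown application {app}")
        self.app_aging[app] = seconds

    def set_persist_acl(self, rules, aging_time: Optional[int] = None) -> None:
        """Counterpart of: session persist acl <n> [ aging-time <time-value> ]
        (only one persistent ACL exists, so the previous one is replaced)."""
        if aging_time is not None and not 0 < aging_time <= MAX_PERSIST_SECONDS:
            raise ValueError("persistent aging time must be between 1 second and 360 hours")
        self.persist_acl = [(action, ip_network(net)) for action, net in rules]
        self.persist_aging = aging_time

    def is_persistent(self, s: Session) -> bool:
        src = ip_address(s.src)
        for action, net in self.persist_acl:
            if src in net:
                return action == "permit"
        return False  # no matching rule: not a persistent session

    def aging_time(self, s: Session) -> Optional[int]:
        """Effective aging time in seconds; None means the session never ages out."""
        if self.is_persistent(s):
            return self.persist_aging  # state transitions do not change it
        if s.state in READY_STATES and s.app in self.app_aging:
            return self.app_aging[s.app]
        return self.state_aging[s.state]

    def touch(self, key: tuple, state: str, now: float, app: Optional[str] = None) -> Session:
        """Create or refresh a session: any matching packet resets its idle timer."""
        s = self.sessions.get(key)
        if s is None:
            s = Session(src=key[0], dst=key[1], state=state, app=app)
            self.sessions[key] = s
        s.state, s.last_seen = state, now
        if app is not None:
            s.app = app
        return s

    def age_out(self, now: float) -> list:
        """Remove sessions idle for at least their aging time; return the removed keys."""
        expired = [k for k, s in self.sessions.items()
                   if self.aging_time(s) is not None and now - s.last_seen >= self.aging_time(s)]
        for k in expired:
            del self.sessions[k]
        return expired


if __name__ == "__main__":
    t = SessionTable()
    t.touch(("10.0.0.1", "192.0.2.1"), "syn", 0.0)
    t.touch(("10.0.0.2", "192.0.2.2"), "tcp-est", 0.0, app="ftp")
    print("expired at t=20s:", t.age_out(20.0))  # the half-open SYN session (15 s)
    t.set_persist_acl([("permit", "10.0.0.2/32")])
    print("ftp session aging:", t.aging_time(t.sessions[("10.0.0.2", "192.0.2.2")]))
```

The model makes the precedence explicit: a session permitted by the persistent ACL ignores both state and application timers, an application timer applies only once the session has reached READY (UDP) or ESTABLISH (TCP), and everything else falls back to the per-state timer.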
Clearing sessions manually
To clear sessions manually:
Task | Command | Remarks |
---|---|---|
Clear sessions. | reset session [ slot slot-num ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type protocol-type ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] | Available in user view |
NOTE: For the IM-NAT LPU, this feature can clear only all sessions of the card.
Configuring session logging
A session log records information about user access, IP address translation, and traffic, and can be sent to the log server in a specific format. It can help network administrators in security auditing.
Enabling session logging
To enable session logging:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter NAT virtual interface view. | interface nat interface-number | N/A |
3. Enable session logging. | session log enable [ acl acl-number ] | Disabled by default. |
Setting the session logging threshold
When the holdtime of a session reaches the preset threshold, the system outputs a session log.
To set the session logging threshold:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the threshold for session logging. | session log time-active time-value | Optional. 0 by default, which means that the system does not output session logs based on the session holdtime threshold. |
Configuring session log export
Session logs are exported in the form of flow logs.
To configure session log exporting:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify the flow log version. | userlog flow export version version-number | Optional. 1.0 by default. |
3. Specify the source IP address for UDP packets carrying flow logs. | userlog flow export source-ip ip-address | Optional. IP address of the interface sending the UDP packets by default. |
4. Specify the IP address and UDP port number of the flow log server. | userlog flow export slot slot-number [ vpn-instance vpn-instance-name ] host ip-address udp-port | Not specified by default. |
5. Export flow logs to the information center. | userlog flow syslog | Optional. Flow logs are not exported to the flow log server by default. |
NOTE:
· For more information about flow logging functions, see Network Management and Monitoring Configuration Guide.
· For more information about flow logging commands, see Network Management and Monitoring Command Reference.
Displaying and maintaining session management
Task | Command | Remarks |
---|---|---|
Display the session aging times for application layer protocols. | display application aging-time [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display the session aging times in different protocol states. | display session aging-time [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display information about sessions. | display session table [ slot slot-num ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ verbose ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display statistics about sessions. | display session statistics [ slot slot-num ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display session relationship table information. | display session relation-table [ slot slot-num ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display configuration and statistics about logs. | display userlog export slot slot-number [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Clear sessions. | reset session [ slot slot-num ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type protocol-type ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] | Available in user view |
Clear session statistics. | reset session statistics [ slot slot-num ] | Available in user view |
Clear the log statistics on a specified card. | reset userlog flow export slot slot-number | Available in user view |
Clear flow logs in the buffer. | reset userlog flow logbuffer slot slot-number | Available in user view |
NOTE:
· For more information about the display userlog export and reset userlog flow export commands, see Layer 3—IP Services Command Reference.
· For more information about the reset userlog flow logbuffer command, see Network Management and Monitoring Command Reference.