Login
- Table of Contents
-
- 11-Security Configuration Guide
- 00-Preface
- 01-AAA configuration
- 02-Portal configuration
- 03-User profile configuration
- 04-Password control configuration
- 05-Keychain configuration
- 06-Public key management
- 07-PKI configuration
- 08-IPsec configuration
- 09-Group domain VPN configuration
- 10-SSH configuration
- 11-SSL configuration
- 12-SSL VPN configuration
- 13-ASPF configuration
- 14-APR configuration
- 15-Session management
- 16-Connection limit configuration
- 17-Object group configuration
- 18-Object policy configuration
- 19-Attack detection and prevention configuration
- 20-ARP attack protection configuration
- 21-ND attack defense configuration
- 22-uRPF configuration
- 23-Crypto engine configuration
- 24-FIPS configuration
- 25-SMA configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 15-Session management | 78.57 KB |
Setting the session aging time for different protocol states
Setting the session aging time for different application layer protocols or applications
Specifying persistent sessions
Enabling session statistics collection for software fast forwarding
Enabling top session statistics
Specifying the loose mode for session state machine
Displaying and maintaining session management
Managing sessions
Overview
Session management is a common module, providing basic services for NAT, ASPF, and intrusion detection and protection to implement their session-based services. Session management can be applied for the following purposes:
· Fast match between packets and sessions.
· Management of transport layer protocol states.
· Identification of application layer protocols.
· Session aging based on protocol states or application layer protocols.
· Persistent sessions.
· Special packet match for the application layer protocols requiring port negotiation.
· ICMP/ICMPv6 error control packet resolution and session match based on the resolution results.
Session management operation
Session management tracks the session status by inspecting the transport layer protocol information. It updates session states or ages out sessions according to data flows from the initiators or responders.
When a connection request passes through the device from a client to a server, the device creates a session entry. The entry can contain the request and response information, such as:
· Source IP address and port number.
· Destination IP address and port number.
· Transport layer protocol.
· Application layer protocol.
· Protocol state of the session.
A multichannel protocol requires that the client and the server negotiate a new connection based on an existing connection to implement an application. Session management enables the device to create a relation entry for each connection during the negotiation phase. The entry is used to associate the connection with the application. Relation entries will be removed after the associated connections are established.
If the destination IP address of a packet is a multicast IP address, the packet will be forwarded out of multiple ports. When a multicast connection request is received on an inbound interface, the device performs the following operations:
· Creates a multicast session entry on the inbound interface.
· Creates a corresponding multicast session entry for each outbound interface.
Unless otherwise stated, "session entry" in this chapter refers to both unicast and multicast session entries.
In actual applications, session management works with ASPF to dynamically determine whether a packet can pass the device and enter the internal network according to connection status, thus preventing intrusion.
Session management only tracks connection status. It does not block potential attack packets.
Session management functions
Session management enables the device to provide the following functions:
· Creates sessions for protocol packets, updates session states, and sets aging time for sessions in different protocol states.
· Supports port mapping for application layer protocols (see "Configuring APR"), enabling application layer protocols to use customized ports.
· Sets aging time for sessions based on application layer protocols.
· Supports ICMP/ICMPv6 error packet mapping, enabling the device to search for original sessions according to the payloads in the ICMP/ICMPv6 error packets.
Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions.
· Supports persistent sessions, which are kept alive for a long period of time.
· Supports session management for the control channels and dynamic data channels of application layer protocols, for example, FTP.
Session management task list
|
Tasks at a glance |
|
(Optional.) Setting the session aging time for different protocol states |
|
(Optional.) Setting the session aging time for different application layer protocols or applications |
|
(Optional.) Specifying persistent sessions |
|
(Optional.) Enabling session statistics collection for software fast forwarding |
|
(Optional.) Enabling top session statistics |
|
(Optional.) Specifying the loose mode for session state machine |
|
(Optional.) Configuring session logging |
Except for configuring session logging, all other tasks are mutually independent and can be configured in any order.
Setting the session aging time for different protocol states
|
|
IMPORTANT: If more than 800000 sessions exist, do not set the aging time shorter than the default for a certain protocol state. Short aging time settings can make the device slow in response. |
If a session in a certain protocol state has no packet hit before the aging time expires, the device automatically removes the session.
To set the session aging time for different protocol states:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Set the session aging time for different protocol states. |
session aging-time state { fin | icmp-reply | icmp-request | rawip-open | rawip-ready | syn | tcp-close | tcp-est | tcp-time-wait | udp-open | udp-ready } time-value |
The default aging time for sessions in different protocol states is as follows: · FIN_WAIT: 30 seconds. · ICMP-REPLY: 30 seconds. · ICMP-REQUEST: 60 seconds. · RAWIP-OPEN: 30 seconds. · RAWIP-READY: 60 seconds. · TCP SYN-SENT and SYN-RCV: 30 seconds. · TCP CLOSE: 2 seconds. · TCP ESTABLISHED: 3600 seconds. · TCP TIME-WAIT: 2 seconds. · UDP-OPEN: 30 seconds. · UDP-READY: 60 seconds. |
Setting the session aging time for different application layer protocols or applications
|
|
IMPORTANT: If more than 800000 sessions exist, do not set the aging time shorter than the default for an application layer protocol or an application. Short aging time settings can make the device slow in response. |
The aging time for session of different application layer protocols or applications are valid for TCP sessions in ESTABLISHED state or UDP sessions in READY state. If a session has no packet hit before the aging time expires, the device automatically removes the session. For sessions used by other application layer protocols, the aging time for sessions in different protocol states applies.
Set an appropriate aging time to guarantee protocol packet exchange. For example, if the aging time for FTP session is shorter than the sending interval for FTP keepalive messages, an FTP session cannot be maintained.
To set the session aging time for different application layer protocols or applications:
|
Step |
Command |
Remarks |
|
3. Enter system view. |
system-view |
N/A |
|
4. Set the session aging time for different application layer protocols or applications. |
session aging-time application application-name time-value |
By default, the session aging time is 1200 seconds except for the following application layer protocols and applications: · BOOTPC: 120 seconds. · BOOTPS: 120 seconds. · DNS: 1 second. · FTP: 3600 seconds. · FTP-DATA: 240 seconds. · GTP-CONTROL: 60 seconds. · GTP-USER: 60 seconds. · GPRS-DATA: 60 seconds. · GPRS-SIG: 60 seconds · H.225: 3600 seconds. · H.245: 3600 seconds. · HTTPS: 600 seconds. · L2TP: 120 seconds. · MGCP-CALLAGENT: 60 seconds. · MGCP-GATEWAY: 60 seconds. · NETBIOS-DGM: 3600 seconds. · NETBIOS-NS: 3600 seconds. · NETBIOS-SSN: 3600 seconds. · NTP: 120 seconds. · PPTP: 3600 seconds. · QQ: 120 seconds. · RAS: 300 seconds. · RIP: 120 seconds. · RSH: 60 seconds. · SCCP: 3600 seconds. · SIP: 300 seconds. · SNMP: 120 seconds. · SNMPTRAP: 120 seconds. · SQLNET: 600 seconds. · STUN: 600 seconds. · SYSLOG: 120 seconds. · TFTP: 60 seconds. · TACACS-DS: 120 seconds. · WHO: 120 seconds. · XDMCP: 3600 seconds. |
Specifying persistent sessions
This task is only for TCP sessions in ESTABLISHED state. You can specify TCP sessions that match the permit statements in the specified ACL as persistent sessions, and set longer lifetime or never-age-out persistent sessions. A never-age-out session is not removed until the device receives a connection close request from the initiator or responder, or you manually clear the session entries.
For a TCP session in ESTABLISHED state, the priority order of the associated aging time is as follows:
· Aging time for persistent sessions.
· Aging time for sessions of application layer protocols.
· Aging time for sessions in different protocol states.
The system supports using multiple ACLs to specify persistent sessions.
To specify persistent sessions:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify persistent sessions. |
session persistent acl [ ipv6 ] acl-number [ aging-time time-value ] |
By default, no persistent sessions are specified. |
Enabling session statistics collection for software fast forwarding
This feature enables the device to collect session-based outbound and inbound packets and bytes processed by software fast forwarding. You can display session statistics based on different criteria.
· To display statistics per unicast session, use the display session table command.
· To display statistics per unicast packet type, use the display session statistics command.
· To display statistics per multicast session, use the display session table multicast command.
· To display statistics per multicast packet type, use the display session statistics multicast command.
For information about fast forwarding, see Layer 3—IP Services Configuration Guide.
To enable session statistics collection for software fast forwarding:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enable session statistics collection for software fast forwarding. |
session statistics enable |
By default, session statistics collection is disabled for software fast forwarding. |
Enabling top session statistics
This feature collects the number of sessions for session-based services and ranks the sessions by source address and by destination address separately. To display the top session statistics, use the display session top-statistics command.
To enable the top session statistics feature:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enable the top session statistics feature. |
session top-statistics enable |
By default, the top session statistics feature is disabled. |
Specifying the loose mode for session state machine
For asymmetric-path networks, to prevent the device from dropping packets abnormally, set the mode of the session state machine to loose.
As a best practice, use the default strict mode on symmetric-path networks.
To specify the loose mode for session state machine:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify the loose mode for session state machine. |
session state-machine mode loose |
By default, session state machine is in strict mode. |
Configuring session logging
Session logs provide information about user access, IP address translation, and network traffic for security auditing. These logs are sent to the log server or the information center.
The session logging feature must work with the flow log feature to generate session logs. For information about flow log, see Network Management and Monitoring.
The device supports time-based or traffic-based logging:
· Time-based logging—The device outputs session logs regularly.
· Traffic-based logging—The device outputs a session log when the traffic amount of a session reaches a threshold only when the session statistics collection for software fast forwarding feature is enabled. After outputting a session log, the device resets the traffic counter for the session. The traffic-based thresholds can be byte-based and packet-based. If you set both thresholds, the last configuration takes effect.
If you set both time-based and traffic-based logging, the device outputs a session log when whichever is reached. After outputting a session log, the device resets the traffic counter and restarts the interval for the session.
If you enable session logging but do not enable logging for session creation or deletion, the device does not output a session log when a session entry is created or removed.
To configure session logging:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. (Optional.) Set the threshold for time-based session logging. |
session log time-active time-value |
By default, no threshold is set for time-based session logging. |
|
3. (Optional.) Set a threshold for traffic-based logging. |
session log { bytes-active bytes-value | packets-active packets-value } |
By default, no threshold is set for traffic-based logging. |
|
4. (Optional.) Enable logging for session creation. |
session log flow-begin |
By default, logging for session creation is disabled. |
|
5. (Optional.) Enable logging for session deletion. |
session log flow-end |
By default, logging for session deletion is disabled. |
|
6. Enter interface view. |
interface interface-type interface-number |
N/A |
|
7. Enable session logging. |
session log enable { ipv4 | ipv6 } [ acl acl-number ] { inbound | outbound } |
By default, session logging is disabled. |
Displaying and maintaining session management
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display the aging time for sessions of different application layer protocols. |
display session aging-time application |
|
Display the aging time for sessions in different protocol states. |
display session aging-time state |
|
Display IPv4 unicast session table entries (in standalone mode). |
|
|
Display IPv4 unicast session table entries (in IRF mode). |
|
|
Display IPv6 unicast session table entries (in standalone mode). |
|
|
Display IPv6 unicast session table entries (in IRF mode). |
|
|
Display IPv4 unicast session statistics (in standalone mode). |
display session statistics ipv4 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * [ slot slot-number ] |
|
Display IPv4 unicast session statistics (in IRF mode). |
display session statistics ipv4 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * [ chassis chassis-number slot slot-number ] |
|
Display IPv6 unicast session statistics (in standalone mode). |
display session statistics ipv6 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * [ slot slot-number ] |
|
Display IPv6 unicast session statistics (in IRF mode). |
display session statistics ipv6 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * [ chassis chassis-number slot slot-number ] |
|
Display unicast session statistics (in standalone mode). |
display session statistics [ summary ] [ slot slot-number ] |
|
Display unicast session statistics (in IRF mode). |
display session statistics [ summary ] [ chassis chassis-number slot slot-number ] |
|
Display IPv4 multicast session table entries (in standalone mode). |
|
|
Display IPv4 multicast session table entries (in IRF mode). |
|
|
Display IPv6 multicast session table entries (in standalone mode). |
|
|
Display IPv6 multicast session table entries (in IRF mode). |
|
|
Display multicast session statistics (in standalone mode). |
|
|
Display multicast session statistics (in IRF mode). |
display session statistics multicast [ chassis chassis-number slot slot-number ] |
|
Display relation table entries (in standalone mode). |
display session relation-table { ipv4 | ipv6 } [ slot slot-number ] |
|
Display relation table entries (in IRF mode). |
display session relation-table { ipv4 | ipv6 } [ chassis chassis-number slot slot-number ] |
|
Display top session statistics. |
display session top-statistics { last-1-hour | last-24-hours | last-30-days } |
|
Clear IPv4 unicast session table entries (in standalone mode). |
reset session table ipv4 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] |
|
Clear IPv4 unicast session table entries (in IRF mode). |
reset session table ipv4 [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] |
|
Clear IPv6 unicast session table entries (in standalone mode). |
reset session table ipv6 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] |
|
Clear IPv6 unicast session table entries (in IRF mode). |
reset session table ipv6 [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] |
|
Clear IPv4 and IPv6 unicast session table entries (in standalone mode). |
reset session table [ slot slot-number ] |
|
Clear IPv4 and IPv6 unicast session table entries (in IRF mode). |
reset session table [ chassis chassis-number slot slot-number ] |
|
Clear unicast session statistics (in standalone mode). |
reset session statistics [ slot slot-number ] |
|
Clear unicast session statistics (in IRF mode). |
reset session statistics [ chassis chassis-number slot slot-number ] |
|
Clear IPv4 multicast session table entries (in standalone mode). |
|
|
Clear IPv4 multicast session table entries (in IRF mode). |
|
|
Clear IPv6 multicast session table entries (in standalone mode). |
|
|
Clear IPv6 multicast session table entries (in IRF mode). |
|
|
Clear IPv4 and IPv6 multicast session table entries (in standalone mode). |
|
|
Clear IPv4 and IPv6 multicast session table entries (in IRF mode). |
reset session table multicast [ chassis chassis-number slot slot-number ] |
|
Clear multicast session statistics (in standalone mode). |
|
|
Clear multicast session statistics (in IRF mode). |
reset session statistics multicast [ chassis chassis-number slot slot-number ] |
|
Clear relation table entries (in standalone mode). |
reset session relation-table [ ipv4 | ipv6 ] [ slot slot-number ] |
|
Clear relation table entries (in IRF mode). |
reset session relation-table [ ipv4 | ipv6 ] [chassis chassis-number slot slot-number ] |
