H3C Firewall Products Comware 7 Web Configuration Guide-6W600 > 07-System > 31-Session settings

Session settings


This help contains the following topics:

·     Introduction

○     Session management operation

○     Session management functions

○     Session types

·     Restrictions and guidelines

Introduction

Session management is a common module that provides basic services for other service modules to implement session-based features.

Session management treats a packet exchange at the transport layer as a session. It updates session states and ages out sessions according to the data flows from the initiator and the responder, and it allows multiple features to process the same service packet.

Session management operation

Session management tracks the session status by inspecting the transport layer protocol information. It performs unified status maintenance and management of all connections based on session tables and relation tables.

When a connection request passes through the device from a client to a server, the device creates a session entry. The entry can contain the request and response information, such as:

·     Source IP address and port number.

·     Destination IP address and port number.

·     Transport layer protocol.

·     Application layer protocol.

·     Protocol state of the session.

A multichannel protocol requires the client and the server to negotiate a new connection over an existing connection to implement an application. During the negotiation phase, session management creates a relation entry for each expected connection. The entry associates the connection with the application, so that the first packet of the new connection is recognized as belonging to that application. A relation entry is removed after the associated connection is established.

If the destination IP address of a packet is a multicast IP address, the packet will be forwarded out of multiple ports. When a multicast connection request is received on an inbound interface, the device performs the following operations:

·     Creates a multicast session entry on the inbound interface.

·     Creates a corresponding multicast session entry for each outbound interface.

Unless otherwise stated, "session entry" in this document refers to both unicast and multicast session entries.

In practice, session management must work with other service modules. It only tracks connection status; by itself it does not block potential attack packets.

Session management functions

Session management enables the device to provide the following functions:

·     Creates sessions for protocol packets, updates session states, and sets aging time for sessions in different protocol states.

·     Supports port mapping for application layer protocols (see APR online help), enabling application layer protocols to use customized ports.

·     Sets aging time for sessions based on application layer protocols.

·     Supports ICMP/ICMPv6 error packet mapping, enabling the device to search for original sessions according to the payloads in the ICMP/ICMPv6 error packets.

·     Supports session management for the control channels and dynamic data channels of application layer protocols, for example, FTP.
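The relation-entry mechanism described under "Session management operation" and the FTP control/data channel handling listed above can be sketched as a small model. The following Python code is an added example, not H3C code: it parses the standard FTP PASV reply and PORT command (RFC 959) seen on the control channel, records the expected data connection as a relation entry, and consumes that entry when the first packet of the matching data connection arrives. The RelationTable class, its key layout, the "ftp-data" label and the sample addresses are assumptions made for illustration.

```python
"""Toy relation table for a multichannel protocol (FTP); added example, not H3C code.

While the FTP control session is established, the client and server negotiate a
second (data) connection inside the control channel. A relation entry records the
expected data connection; when its first packet arrives, the firewall associates it
with the FTP application and removes the relation entry. The FTP message formats
are standard (RFC 959); the table layout and labels are simplifications.
"""
import re
from typing import Optional

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server, "PORT h1,h2,h3,h4,p1,p2" from the client.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def _addr(groups) -> tuple:
    """Decode the six FTP address fields into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class RelationTable:
    def __init__(self):
        # key: (proto, initiator_ip, responder_ip, responder_port). The initiator's
        # source port is unknown at negotiation time, so it is not part of the key.
        self.entries: dict = {}

    def inspect_control(self, client_ip: str, server_ip: str, line: str) -> Optional[tuple]:
        """Parse one control-channel line; create a relation entry if it negotiates a data channel."""
        m = PASV_RE.match(line)
        if m:
            # Passive mode: the client will connect to the address the server announced.
            ip, port = _addr(m.groups())
            key = ("tcp", client_ip, ip, port)
        else:
            m = PORT_RE.match(line)
            if not m:
                return None
            # Active mode: the server connects (from port 20) to the address the client announced.
            ip, port = _addr(m.groups())
            key = ("tcp", server_ip, ip, port)
        self.entries[key] = "ftp-data"
        return key

    def match_first_packet(self, proto: str, src: str, dst: str, dport: int) -> Optional[str]:
        """Associate a new connection's first packet with its application; the entry is consumed."""
        return self.entries.pop((proto, src, dst, dport), None)


def demo() -> dict:
    rt = RelationTable()
    # Constructed sample: the server answers PASV with 192.0.2.10 port 195*256+80 = 50000.
    key = rt.inspect_control("10.0.0.5", "192.0.2.10", "227 Entering Passive Mode (192,0,2,10,195,80)")
    unrelated = rt.match_first_packet("tcp", "10.0.0.5", "192.0.2.10", 50001)  # no relation entry
    app = rt.match_first_packet("tcp", "10.0.0.5", "192.0.2.10", 50000)        # data channel recognized
    return {"key": key, "unrelated": unrelated, "app": app, "remaining": len(rt.entries)}


if __name__ == "__main__":
    print(demo())
```

A real implementation also has to age out relation entries that are never used, since an attacker who can inject text into a control channel could otherwise pre-open holes for arbitrary data connections.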

Session types

When receiving the first packet of a data flow, the device processes the packet and creates a session entry based on the processing result. For subsequent packets of the data flow, the device performs fast forwarding based on the session entry.

Sessions are classified into the following types according to the action taken on the packets that match a session entry:

·     Permit session—The device permits all packets of a permit session. The device generates a permit session entry for a data flow if it permits the first packet of the data flow.

A permit session can only track connection status. It cannot deny potential attack packets. To deny specific packets, you must use permit sessions together with security features.

·     Deny session—The device drops all packets of a deny session. The device generates a deny session entry for a data flow if it drops the first packet of the data flow.

For the device to generate deny sessions for dropped packets, you must enable the deny session feature.

Unless otherwise stated, the sessions in this document refer to permit sessions.

Restrictions and guidelines

·     The aging time configured for sessions of a specific application takes effect only for sessions in a stable state: TCP sessions in ESTABLISHED state or UDP sessions in READY state.

·     For a session in a stable state, the associated aging times apply in the following priority order (highest first):

○     Aging time for sessions of application layer protocols.

○     Aging time for sessions in different protocol states.

·     The device generates deny sessions only for the packets dropped by the ASPF or connection limit module.

·     The deny session feature supports only software-based fast packet drop. It does not support hardware-based fast packet drop.

·     Session hot backup does not support deny sessions.
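The session entry contents listed under "Session management operation", the ICMP error packet mapping listed under "Session management functions", and the aging-time priority and deny session rules above can be exercised together in one model. The following Python code is an added example, not H3C code: it keeps a 5-tuple session table that both directions of a flow match, tracks simple TCP and UDP states with per-state aging, lets an application aging time override the state aging time only in a stable state, creates a deny session for a dropped first packet only when the feature is enabled, and finds the original session for an ICMP error from the IPv4 header and first 8 transport bytes the error quotes. The state names, timer values, application table, the permitted flag standing in for the ASPF or connection limit decision, and the sample addresses are all assumptions.

```python
"""Toy firewall session table; added example, not H3C code.

A session entry is created from the first packet of a flow and indexed so both
directions match it. TCP sessions move SYN_SENT -> SYN_RCVD -> ESTABLISHED and
UDP sessions OPEN -> READY, each state with its own aging time. In a stable
state an application aging time takes priority over the state aging time.
Timer values, state names and the application table are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Optional

STATE_AGING = {"SYN_SENT": 30, "SYN_RCVD": 30, "ESTABLISHED": 3600, "OPEN": 30, "READY": 60}
APP_AGING = {"ftp": 120, "dns": 10}      # assumed per-application aging times (seconds)
APP_BY_PORT = {21: "ftp", 53: "dns"}     # stands in for APR port mapping
STABLE = {"ESTABLISHED", "READY"}


@dataclass
class Session:
    key: tuple          # (proto, initiator_ip, initiator_port, responder_ip, responder_port)
    app: Optional[str]
    state: str
    action: str         # "permit" or "deny"

    def aging_time(self) -> int:
        # Application aging applies only in a stable state, and then wins over state aging.
        if self.state in STABLE and self.app in APP_AGING:
            return APP_AGING[self.app]
        return STATE_AGING[self.state]


class SessionTable:
    def __init__(self, deny_sessions_enabled: bool = False):
        self.deny_enabled = deny_sessions_enabled
        self.sessions: dict = {}   # canonical key -> Session
        self._index: dict = {}     # either direction's 5-tuple -> canonical key

    def lookup(self, proto, src, sport, dst, dport) -> Optional[Session]:
        key = self._index.get((proto, src, sport, dst, dport))
        return self.sessions.get(key) if key else None

    def process(self, proto, src, sport, dst, dport, tcp_flags="", permitted=True):
        """Handle one packet; return the matching or newly created Session, or None."""
        sess = self.lookup(proto, src, sport, dst, dport)
        if sess is None:
            # First packet of a flow: the action taken on it decides the session type.
            if not permitted and not self.deny_enabled:
                return None
            key = (proto, src, sport, dst, dport)
            sess = Session(key, APP_BY_PORT.get(dport), "SYN_SENT" if proto == "tcp" else "OPEN",
                           "permit" if permitted else "deny")
            self.sessions[key] = sess
            self._index[key] = key
            self._index[(proto, dst, dport, src, sport)] = key   # reverse direction hits the same entry
            return sess
        # Subsequent packets take the fast path: only the protocol state is updated.
        from_responder = (src, sport) == (sess.key[3], sess.key[4])
        if proto == "tcp":
            if sess.state == "SYN_SENT" and from_responder and tcp_flags == "SA":
                sess.state = "SYN_RCVD"
            elif sess.state == "SYN_RCVD" and not from_responder and tcp_flags == "A":
                sess.state = "ESTABLISHED"
        elif proto == "udp" and sess.state == "OPEN" and from_responder:
            sess.state = "READY"
        return sess

    def lookup_icmp_error(self, icmp_payload: bytes) -> Optional[Session]:
        """Find the original session from the IPv4 header + 8 transport bytes quoted in an ICMP error."""
        ihl = (icmp_payload[0] & 0x0F) * 4
        proto = {6: "tcp", 17: "udp"}.get(icmp_payload[9])
        src = ".".join(str(b) for b in icmp_payload[12:16])
        dst = ".".join(str(b) for b in icmp_payload[16:20])
        sport, dport = struct.unpack("!HH", icmp_payload[ihl:ihl + 4])
        return self.lookup(proto, src, sport, dst, dport) if proto else None


def quoted_ipv4_udp(src, dst, sport, dport) -> bytes:
    """Constructed sample of what an ICMP error quotes: 20-byte IPv4 header (proto 17) + UDP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)


def demo() -> dict:
    t = SessionTable(deny_sessions_enabled=True)
    ftp = t.process("tcp", "10.0.0.5", 40000, "192.0.2.10", 21, "S")       # three-way handshake
    t.process("tcp", "192.0.2.10", 21, "10.0.0.5", 40000, "SA")
    t.process("tcp", "10.0.0.5", 40000, "192.0.2.10", 21, "A")
    dns = t.process("udp", "10.0.0.5", 53000, "192.0.2.53", 53)            # UDP query, state OPEN
    aging_open = dns.aging_time()
    t.process("udp", "192.0.2.53", 53, "10.0.0.5", 53000)                  # reply moves it to READY
    denied = t.process("udp", "198.51.100.7", 1111, "10.0.0.5", 23, permitted=False)
    hit = t.lookup_icmp_error(quoted_ipv4_udp("10.0.0.5", "192.0.2.53", 53000, 53))
    return {"ftp_state": ftp.state, "ftp_aging": ftp.aging_time(),
            "dns_aging_open": aging_open, "dns_aging_ready": dns.aging_time(),
            "deny_action": denied.action, "icmp_maps_to_dns": hit is dns,
            "session_count": len(t.sessions)}


if __name__ == "__main__":
    print(demo())
```

The ICMP lookup uses the quoted inner header as-is, so the error is matched against the session of the packet that triggered it; a production implementation must also validate that the quoted header is long enough and that the error is otherwise consistent with the session, or spoofed ICMP errors could be used to tear down other users' sessions.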
