- 14-Security Configuration Guide
- 00-Preface
- 01-ACL configuration
- 02-Time range configuration
- 03-User profile configuration
- 04-Public key management
- 05-PKI configuration
- 06-IPsec configuration
- 07-SSH configuration
- 08-SSL configuration
- 09-Session management
- 10-ARP attack protection configuration
- 11-ND attack defense configuration
- 12-Password control configuration
- 13-Crypto engine configuration
- 14-Connection limit configuration
Restrictions and guidelines: Session management configuration
Session management tasks at a glance
Setting the session aging time for different protocol states
Setting the session aging time for different application layer protocols or applications
Specifying persistent sessions
Enabling top session statistics for IPv4 sessions
Enabling top session statistics for IPv6 sessions
Configuring alarms for abrupt session changes
Configuring alarms for abrupt session table usage changes
Configuring alarms for abrupt session creation rate changes
Configuring alarms for abrupt session attempt rate changes
Enabling ALG to process IP fragments and TCP segments
Configuring relation table destination IP address matching for SIP
Display and maintenance commands for session management
Managing sessions
About session management
Session management is a common module that provides basic session-tracking services to NAT, ASPF, and attack detection and prevention. Those features implement their session-based services on top of it.
Session management defines a packet exchange at the transport layer as a session. It updates session states and ages out sessions according to the packets it sees from the initiator and the responder. Session management allows multiple features to process the same service packet.
Session management operation
Session management tracks the session status by inspecting the transport layer protocol information. It performs unified status maintenance and management of all connections based on session tables and relation tables.
When a connection request passes through the device from a client to a server, the device creates a session entry. The entry can contain the request and response information, such as:
· Source IP address and port number.
· Destination IP address and port number.
· Transport layer protocol.
· Application layer protocol.
· Protocol state of the session.
A multichannel protocol requires that the client and the server negotiate a new connection based on an existing connection to implement an application. Session management enables the device to create a relation entry for each connection during the negotiation phase. The entry is used to associate the connection with the application. Relation entries will be removed after the associated connections are established.
If the destination IP address of a packet is a multicast IP address, the packet will be forwarded out of multiple ports. When a multicast connection request is received on an inbound interface, the device performs the following operations:
· Creates a multicast session entry on the inbound interface.
· Creates a corresponding multicast session entry for each outbound interface.
Unless otherwise stated, "session entry" in this chapter refers to both unicast and multicast session entries.
Session management functions
Session management enables the device to provide the following functions:
· Creates sessions for protocol packets, updates session states, and sets aging time for sessions in different protocol states.
· Sets aging time for sessions based on application layer protocols.
· Supports ICMP/ICMPv6 error packet mapping, which lets the device locate the original session from the packet header carried in the payload of an ICMP/ICMPv6 error packet.
Because error packets are generated in response to host errors, the mapping lets the device speed up the aging of the original session.
· Supports persistent sessions, which are kept alive for a long period of time.
· Supports session management for the control channels and dynamic data channels of application layer protocols, for example, FTP.
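The ICMP error packet mapping described above, as an added example that is not Comware code or the device's implementation: an ICMP Destination Unreachable message quotes the IP header and the first 8 bytes of the datagram that triggered it, so the embedded header yields the forward 5-tuple of the original session. The session table layout, the shortened remaining lifetime (2 seconds) and the anti-spoofing check that the error must be delivered to the host that sent the embedded datagram are assumptions for this example; the packets are constructed inline.

```python
"""ICMP error packet mapping: find the original session from an ICMP error payload.

Added example (not the device's code). An ICMP Destination Unreachable message
carries the IP header plus the first 8 bytes of the offending datagram, which
is enough to rebuild that datagram's 5-tuple and look up its session.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
SHORTENED_AGING = 2   # assumed: remaining lifetime after a mapped error (seconds)


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_icmp_error(reporter, victim, orig_src, orig_dst, orig_proto, sport, dport, code=3):
    """Constructed sample: ICMP type 3 sent by `reporter` to `victim`, quoting the
    original datagram orig_src:sport -> orig_dst:dport (first 8 transport bytes)."""
    inner = (build_ipv4_header(orig_src, orig_dst, orig_proto, 8)
             + struct.pack("!HH", sport, dport) + b"\x00\x00\x00\x00")
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner
    return build_ipv4_header(reporter, victim, 1, len(icmp)) + icmp


def parse_icmp_error(pkt):
    """Return (outer destination, embedded 5-tuple) or None if not a usable ICMP error."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                       # outer protocol must be ICMP
        return None
    outer_dst = socket.inet_ntoa(pkt[16:20])
    icmp = pkt[ihl:]
    if len(icmp) < 28 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]                      # quoted original IP header + 8 bytes
    iihl = (inner[0] & 0x0F) * 4
    if len(inner) < iihl + 8:
        return None
    in_src = socket.inet_ntoa(inner[12:16])
    in_dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return outer_dst, (in_src, sport, in_dst, dport, inner[9])


class SessionTable:
    """Assumed layout: forward (initiator) 5-tuple -> remaining aging time in seconds."""

    def __init__(self):
        self.entries = {}

    def add(self, key, aging):
        self.entries[key] = aging

    def map_icmp_error(self, pkt):
        """Map an ICMP error to its original session and shorten that session's life.
        Returns the matched 5-tuple, or None if nothing was matched."""
        parsed = parse_icmp_error(pkt)
        if parsed is None:
            return None
        outer_dst, key = parsed
        # Anti-spoofing check (assumed): a genuine error is addressed to the host that
        # sent the quoted datagram. Without this, a forged error could age out
        # someone else's session.
        if outer_dst != key[0] or key not in self.entries:
            return None
        self.entries[key] = min(self.entries[key], SHORTENED_AGING)
        return key
```

The quoted 5-tuple is looked up as the forward key because the datagram that triggered the error was sent by the session initiator; nothing needs to be reversed.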
Restrictions and guidelines: Session management configuration
For a TCP session in ESTABLISHED state, the priority order of the associated aging time is as follows:
· Aging time for persistent sessions.
· Aging time for sessions of application layer protocols.
· Aging time for sessions in different protocol states.
If the device holds a large number of sessions, do not set the aging time for a protocol state or an application layer protocol shorter than its default. Short aging times can make the device slow to respond.
Session management tasks at a glance
To configure session management, perform the following tasks:
· Configure session management timers
¡ Setting the session aging time for different protocol states
¡ Setting the session aging time for different application layer protocols or applications
¡ Specifying persistent sessions
· Configure session statistics collection
¡ Enabling top session statistics for IPv4 sessions
¡ Enabling top session statistics for IPv6 sessions
· Configuring alarms for abrupt session changes
· Enabling ALG to process IP fragments and TCP segments
· Configuring relation table destination IP address matching for SIP
Setting the session aging time for different protocol states
About this task
If a session in a certain protocol state has no packet hit before the aging time expires, the device automatically removes the session.
Procedure
1. Enter system view.
system-view
2. Set the session aging time for different protocol states.
session aging-time state { fin | icmp-reply | icmp-request | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | syn | tcp-close | tcp-est | tcp-time-wait | udp-open | udp-ready } time-value
The default aging time for sessions in different protocol states is as follows:
¡ FIN_WAIT: 30 seconds.
¡ ICMP-REPLY: 30 seconds.
¡ ICMP-REQUEST: 60 seconds.
¡ ICMPv6-REPLY: 30 seconds.
¡ ICMPv6-REQUEST: 60 seconds.
¡ RAWIP-OPEN: 30 seconds.
¡ RAWIP-READY: 60 seconds.
¡ TCP SYN-SENT and SYN-RCV: 30 seconds.
¡ TCP-CLOSE: 2 seconds.
¡ TCP ESTABLISHED: 3600 seconds.
¡ TCP-TIME-WAIT: 2 seconds.
¡ UDP-OPEN: 30 seconds.
¡ UDP-READY: 60 seconds.
Setting the session aging time for different application layer protocols or applications
About this task
The aging time for an application layer protocol or application applies only to TCP sessions in ESTABLISHED state and UDP sessions in READY state. Sessions in any other protocol state use the aging time configured for that protocol state.
Procedure
1. Enter system view.
system-view
2. Set the session aging time for different application layer protocols.
session aging-time application application-name time-value
By default, the aging time is 1200 seconds for sessions of application layer protocols or applications except for the following sessions:
¡ BOOTPC sessions: 120 seconds.
¡ BOOTPS sessions: 120 seconds.
¡ DNS sessions: 30 seconds.
¡ FTP sessions: 3600 seconds.
¡ FTP-DATA sessions: 240 seconds.
¡ GPRS-DATA sessions: 60 seconds.
¡ GPRS-SIG sessions: 60 seconds.
¡ GTP-CONTROL sessions: 60 seconds.
¡ GTP-USER sessions: 60 seconds.
¡ H.225 sessions: 3600 seconds.
¡ H.245 sessions: 3600 seconds.
¡ HTTPS sessions: 600 seconds.
¡ ILS sessions: 3600 seconds.
¡ L2TP sessions: 120 seconds.
¡ MGCP-CALLAGENT sessions: 60 seconds.
¡ MGCP-GATEWAY sessions: 60 seconds.
¡ NETBIOS-DGM sessions: 3600 seconds.
¡ NETBIOS-NS sessions: 3600 seconds.
¡ NETBIOS-SSN sessions: 3600 seconds.
¡ NTP sessions: 120 seconds.
¡ PPTP sessions: 3600 seconds.
¡ QQ sessions: 120 seconds.
¡ RAS sessions: 300 seconds.
¡ RIP sessions: 120 seconds.
¡ RSH sessions: 60 seconds.
¡ RTSP session: 3600 seconds.
¡ SCCP sessions: 3600 seconds.
¡ SIP sessions: 300 seconds.
¡ SQLNET sessions: 600 seconds.
¡ STUN sessions: 600 seconds.
¡ SYSLOG sessions: 120 seconds.
¡ TACACS-DS sessions: 120 seconds.
¡ TFTP sessions: 60 seconds.
¡ WHO sessions: 120 seconds.
¡ XDMCP sessions: 3600 seconds.
Specifying persistent sessions
About this task
This task applies only to TCP sessions in ESTABLISHED state. You can designate TCP sessions that match the permit statements in the specified ACL as persistent sessions and give them a longer aging time, or omit the aging time so that they never age out.
A persistent session is not removed until one of the following events occurs:
· The session entry ages out.
· The device receives a connection close request from the initiator or responder.
· You manually clear the session entries.
Procedure
1. Enter system view.
system-view
2. Specify persistent sessions.
session persistent acl [ ipv6 ] acl-number [ aging-time time-value ]
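The timer selection described in the restrictions (persistent, then application, then protocol state for a TCP ESTABLISHED session) together with the rule that application timers apply only to TCP-EST and UDP-READY sessions, as an added example that is not Comware code. It encodes the default values listed in the two aging-time tasks above (only the application entries it uses; unlisted applications get the 1200-second default). The Session and PersistentRule types, the stand-in for ACL permit matching (a set of (source, destination, port) triples) and the ager are assumptions.

```python
"""Effective session aging time under the priority rule in this chapter.

Added example, not H3C/Comware code. Timer selection:
  TCP-EST:      persistent ACL match > application timer > protocol-state timer
  UDP-READY:    application timer > protocol-state timer
  other states: protocol-state timer only
"""
from dataclasses import dataclass
from typing import Optional

# Defaults from "Setting the session aging time for different protocol states".
STATE_AGING = {
    "fin": 30, "icmp-reply": 30, "icmp-request": 60, "icmpv6-reply": 30,
    "icmpv6-request": 60, "rawip-open": 30, "rawip-ready": 60, "syn": 30,
    "tcp-close": 2, "tcp-est": 3600, "tcp-time-wait": 2,
    "udp-open": 30, "udp-ready": 60,
}

# Defaults from "...different application layer protocols or applications"
# (subset; any application not listed here ages at APP_AGING_DEFAULT).
APP_AGING_DEFAULT = 1200
APP_AGING = {
    "bootpc": 120, "bootps": 120, "dns": 30, "ftp": 3600, "ftp-data": 240,
    "https": 600, "ntp": 120, "sip": 300, "sqlnet": 600, "stun": 600,
    "syslog": 120, "tftp": 60,
}


@dataclass
class PersistentRule:
    """Stand-in for `session persistent acl N [aging-time T]` (assumed shape).
    acl_matches replaces the ACL permit statements; aging_time None = never age out."""
    acl_matches: set
    aging_time: Optional[int]


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    proto: str            # "tcp", "udp", ...
    state: str            # a key of STATE_AGING
    app: Optional[str]    # application identified by ASPF/ALG, if any
    last_hit: float       # time of the last packet hit (seconds)


def effective_aging(s: Session, persistent: list) -> Optional[int]:
    """Aging time in seconds for this session, or None if it never ages out."""
    if s.state == "tcp-est":                               # 1. persistent session timer
        for rule in persistent:
            if (s.src, s.dst, s.dport) in rule.acl_matches:
                return rule.aging_time
    if s.state in ("tcp-est", "udp-ready") and s.app:      # 2. application timer
        return APP_AGING.get(s.app, APP_AGING_DEFAULT)
    return STATE_AGING[s.state]                            # 3. protocol-state timer


def expired(sessions, persistent, now):
    """Sessions whose aging time has elapsed with no packet hit (assumed ager)."""
    out = []
    for s in sessions:
        t = effective_aging(s, persistent)
        if t is not None and now - s.last_hit >= t:
            out.append(s)
    return out
```

One consequence worth noticing: an ESTABLISHED TCP session whose application is recognised but not listed in the application table (HTTP, for instance) ages after 1200 seconds, not the 3600 seconds of the TCP ESTABLISHED state timer, because the application timer takes precedence.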
Enabling top session statistics for IPv4 sessions
About this task
This task enables the device to count IPv4 sessions of session-based services by session creation rate and by number of concurrent sessions, and to rank them by source address and by destination address.
To view the ranking results, log in to the device management page through the Web interface.
If you specify a source or destination IPv4 address for the top session statistics policy, the system collects statistics for only IPv4 sessions that match the specified address. If you do not specify any source or destination IPv4 address, the system collects statistics for all sessions.
Procedure
1. Enter system view.
system-view
2. Enter top IPv4 session statistics policy view.
session ip-top-count policy
3. Specify a source IPv4 address matching criterion for the top session statistics policy.
source-ip subnet subnet-ip-address mask-length
By default, no source IPv4 address matching criterion is specified.
4. Specify a destination IPv4 address matching criterion for the top session statistics policy.
destination-ip subnet subnet-ip-address mask-length
By default, no destination IPv4 address matching criterion is specified.
5. Return to system view.
quit
6. Enable top session statistics for IPv4 sessions.
session ip-top-count enable
By default, top session statistics for IPv4 sessions is disabled.
Enabling top session statistics for IPv6 sessions
About this task
This task enables the device to count IPv6 sessions of session-based services by session creation rate and by number of concurrent sessions, and to rank them by source address and by destination address.
To view the ranking results, log in to the device management page through the Web interface.
If you specify a source or destination IPv6 address for the top session statistics policy, the system collects statistics for only IPv6 sessions that match the specified address. If you do not specify any source or destination IPv6 address, the system collects statistics for all sessions.
Procedure
1. Enter system view.
system-view
2. Enter top IPv6 session statistics policy view.
session ipv6-top-count policy
3. Specify a source IPv6 address matching criterion for the top session statistics policy.
source-ip subnet subnet-ipv6-address prefix-length
By default, no source IPv6 address matching criterion is specified.
4. Specify a destination IPv6 address matching criterion for the top session statistics policy.
destination-ip subnet subnet-ipv6-address prefix-length
By default, no destination IPv6 address matching criterion is specified.
5. Return to system view.
quit
6. Enable top session statistics for IPv6 sessions.
session ipv6-top-count enable
By default, top session statistics for IPv6 sessions is disabled.
Configuring alarms for abrupt session changes
Configuring alarms for abrupt session table usage changes
About this task
Perform this task for the device to generate alarms for abrupt increase or drop in the session table usage. With this feature enabled, the system collects the session table usage at an interval of 10 seconds and checks whether the following indicators reach the corresponding alarm thresholds:
· Session table usage change in percentage—Obtained by dividing the difference between the session entry counts at the beginning and end of a collection interval by the session entry count at the beginning of the collection interval.
· Base session table usage in percentage—Obtained by dividing the session entry count at the beginning of a collection interval by the supported maximum number of session entries.
If both of the following conditions are met in a collection interval, the system generates an alarm for the abrupt change of the session table usage:
· The session table usage change threshold is reached.
· The base session table usage threshold is crossed.
Procedure
1. Enter system view.
system-view
2. Enable alarms for abrupt session table usage changes.
session alarm usage-abrupt enable
By default, alarms are disabled for abrupt session table usage changes.
3. Set the alarm thresholds for abrupt session table usage changes.
session alarm usage-abrupt threshold threshold-value [ base-threshold base-value ]
By default, the session table usage change threshold is 20%, and the base session table usage threshold is 10%.
Configuring alarms for abrupt session creation rate changes
About this task
Perform this task for the device to generate alarms for abrupt increase or drop in the session creation rate. With this feature enabled, the system collects the session creation rate at an interval of 10 seconds and checks whether the following indicators reach the corresponding alarm thresholds:
· Session creation rate change in percentage—Obtained by dividing the difference between the session creation rates at the beginning and end of a collection interval by the session creation rate at the beginning of the collection interval.
· Base session creation rate in percentage—Obtained by dividing the session creation rate at the beginning of a collection interval by 100000.
If both of the following conditions are met in a collection interval, the system generates an alarm for the abrupt change of the session creation rate:
· The session creation rate change threshold is reached.
· The base session creation rate threshold is crossed.
Procedure
1. Enter system view.
system-view
2. Enable alarms for abrupt session creation rate changes.
session alarm rate-abrupt enable
By default, alarms are disabled for abrupt session creation rate changes.
3. Set the alarm thresholds for abrupt session creation rate changes.
session alarm rate-abrupt threshold threshold-value [ base-threshold base-value ]
By default, the session creation rate change threshold is 20%, and the base session creation rate threshold is 10%.
Configuring alarms for abrupt session attempt rate changes
About this task
Perform this task for the device to generate alarms for abrupt increase or drop in the session creation attempt rate. With this feature enabled, the system collects the session creation attempt rate at an interval of 10 seconds and checks whether the following indicators reach the corresponding alarm thresholds:
· Session attempt rate change in percentage—Obtained by dividing the difference between the session creation attempt rates at the beginning and end of a collection interval by the session creation attempt rate at the beginning of the collection interval.
· Base session attempt rate in percentage—Obtained by dividing the session creation attempt rate at the beginning of a collection interval by 100000.
If both of the following conditions are met in a collection interval, the system generates an alarm for the abrupt change of the session creation attempt rate:
· The session attempt rate change threshold is reached.
· The base session attempt rate threshold is crossed.
Procedure
1. Enter system view.
system-view
2. Enable alarms for abrupt session attempt rate changes.
session alarm try-rate-abrupt enable
By default, alarms are disabled for abrupt session attempt rate changes.
3. Set the alarm thresholds for abrupt session attempt rate changes.
session alarm try-rate-abrupt threshold threshold-value [ base-threshold base-value ]
By default, the session attempt rate change threshold is 20%, and the base session attempt rate threshold is 10%.
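The three abrupt-change alarms above share one decision rule: a change indicator (difference between the end and beginning of a 10-second collection interval, divided by the value at the beginning) and a base indicator (value at the beginning divided by the supported maximum, or by 100000 for the two rates), both compared with their thresholds. The following added example, which is not Comware code, applies that rule to a constructed series of samples for all three alarm types at the default thresholds (20% change, 10% base). The sample values, the assumed maximum of 1,000,000 session entries, the counter names and the use of "greater than or equal" for "reached" and "crossed" are assumptions.

```python
"""Abrupt-change alarms for session table usage, creation rate and attempt rate.

Added example, not Comware code. Implements the indicator definitions from the
three "Configuring alarms for abrupt ... changes" tasks over 10-second samples.
"""
from dataclasses import dataclass

SAMPLE_INTERVAL = 10      # seconds, per the chapter
RATE_BASE = 100_000       # divisor for the base indicator of the two rate alarms
MAX_SESSIONS = 1_000_000  # assumed supported maximum number of session entries

# Constructed samples, one per 10-second collection interval.
SAMPLES = [
    {"sessions": 200_000, "rate": 20_000, "try_rate": 5_000},
    {"sessions": 260_000, "rate": 22_000, "try_rate": 10_000},
    {"sessions": 250_000, "rate": 10_000, "try_rate": 10_000},
]


@dataclass(frozen=True)
class AlarmConfig:
    change_threshold: float = 20.0   # percent (default 20%)
    base_threshold: float = 10.0     # percent (default 10%)


def indicators(begin, end, base_divisor):
    """(change %, base %) for one collection interval.

    change % = |end - begin| / begin * 100
    base %   = begin / base_divisor * 100
    A begin value of 0 has no defined change ratio; it is treated as 0% (assumed).
    """
    change = abs(end - begin) / begin * 100.0 if begin else 0.0
    base = begin / base_divisor * 100.0
    return change, base


def check(kind, begin, end, base_divisor, cfg):
    """Return an alarm record when both indicators reach their thresholds."""
    change, base = indicators(begin, end, base_divisor)
    if change >= cfg.change_threshold and base >= cfg.base_threshold:
        return {"kind": kind, "change_pct": round(change, 1),
                "base_pct": round(base, 1),
                "direction": "increase" if end > begin else "drop"}
    return None


def evaluate(samples, max_sessions=MAX_SESSIONS, cfg=AlarmConfig()):
    """Run all three alarm checks over consecutive sample pairs."""
    checks = (("usage-abrupt", "sessions", max_sessions),
              ("rate-abrupt", "rate", RATE_BASE),
              ("try-rate-abrupt", "try_rate", RATE_BASE))
    alarms = []
    for prev, cur in zip(samples, samples[1:]):
        for kind, key, divisor in checks:
            alarm = check(kind, prev[key], cur[key], divisor, cfg)
            if alarm:
                alarms.append(alarm)
    return alarms
```

In the constructed series the attempt rate doubles between the first two samples, yet no try-rate alarm is raised, because 5000 attempts per second is only 5% of the 100000 base and the base threshold of 10% is not reached; the base indicator is what keeps small absolute fluctuations from alarming.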
Enabling ALG to process IP fragments and TCP segments
About this task
This task enables ALG to process IP fragments and TCP segments of specified protocols. In the current software version, ALG can process only IP fragments and TCP segments of SIP.
Procedure
1. Enter system view.
system-view
2. Enable ALG to process IP fragments and TCP segments.
session alg fragment sip
By default, ALG does not process IP fragments and TCP segments.
Configuring relation table destination IP address matching for SIP
About this task
In a SIP network, the device by default does not use the destination IP address of relation table entries when matching SIP data traffic. If a client accesses multiple servers through multiple outbound interfaces on the device, the data traffic might match the wrong relation entries and be forwarded incorrectly.
With this feature enabled, SIP data traffic must also match the destination IP address in the relation table, so that it is associated with the correct entry and forwarded correctly.
Procedure
1. Enter system view.
system-view
2. Enable relation table destination IP address matching for SIP.
session relation-table match destination-ip sip enable
By default, relation table destination IP address matching for SIP is disabled.
Display and maintenance commands for session management
Execute display commands in any view and reset commands in user view.
Display the aging time for sessions of different application layer protocols:
display session aging-time application
Display the aging time for sessions in different protocol states:
display session aging-time state
Display the configuration of top session statistics for IPv4 sessions:
display session ip-top-count policy
Display the configuration of top session statistics for IPv6 sessions:
display session ipv6-top-count policy
Display relation table entries:
display session relation-table { ipv4 | ipv6 }
Display unicast session statistics:
display session statistics [ history-max | summary ]
Display IPv4 unicast session statistics:
display session statistics ipv4 [ [ responder ] { application application-name | destination-ip destination-ip | destination-port destination-port | destination-zone destination-zone-name | interface interface-type interface-number | protocol { dccp | dns | ftp | gtp | h323 | http | icmp | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp } | security-policy-rule rule-name | source-ip source-ip | source-port source-port | source-zone source-zone-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmp-reply | icmp-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } } * ]
Display IPv6 unicast session statistics:
display session statistics ipv6 [ [ responder ] { application application-name | destination-ip destination-ip | destination-port destination-port | destination-zone destination-zone-name | interface interface-type interface-number | protocol { dccp | dns | ftp | gtp | h323 | http | icmpv6 | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp } | security-policy-rule rule-name | source-ip source-ip | source-port source-port | source-zone source-zone-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } } * ]
Display multicast session statistics:
display session statistics multicast
Display IPv4 unicast session table entries:
display session table ipv4 [ [ responder ] { application application-name | destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | destination-zone destination-zone-name | interface interface-type interface-number | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | security-policy-rule rule-name | source-ip start-source-ip [ end-source-ip ] | source-port source-port | source-zone source-zone-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmp-reply | icmp-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } } * ] [ verbose ]
Display IPv6 unicast session table entries:
display session table ipv6 [ [ responder ] { application application-name | destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | destination-zone destination-zone-name | interface interface-type interface-number | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | security-policy-rule rule-name | source-ip start-source-ip [ end-source-ip ] | source-port source-port | source-zone source-zone-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } } * ] [ verbose ]
Display IPv4 multicast session table entries:
display session table multicast ipv4 [ [ responder ] { destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-ip start-source-ip [ end-source-ip ] | source-port source-port } * ] [ verbose ]
Display IPv6 multicast session table entries:
display session table multicast ipv6 [ [ responder ] { destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-ip start-source-ip [ end-source-ip ] | source-port source-port } * ] [ verbose ]
Display top session statistics:
display session top-statistics { last-1-hour | last-24-hours | last-30-days }
Clear relation table entries:
reset session relation-table [ ipv4 | ipv6 ]
Clear unicast session statistics:
reset session statistics
Clear multicast session statistics:
reset session statistics multicast
Clear IP unicast session table entries:
reset session table
Clear IPv4 unicast session table entries:
reset session table ipv4 [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ]
Clear IPv6 unicast session table entries:
reset session table ipv6 [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ]
Clear IP multicast session table entries:
reset session table multicast
Clear IPv4 multicast session table entries:
reset session table multicast ipv4 [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ]
Clear IPv6 multicast session table entries:
reset session table multicast ipv6 [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ]