Enabling checksum verification, Specifying the persistent session rule – H3C Technologies H3C SecPath F1000-E User Manual

Page 107

Configuring session aging timers based on application layer
protocol types

Aging timers set in this task apply only to the sessions in READY/ESTABLISH state.
For sessions in READY (with UDP) or ESTABLISH (with TCP) state, you can set the session aging timer

according to the type of the application layer protocol to which the sessions belong.
To set session aging times based on application layer protocol types:

Step Command

Enter system view.

system-view

Set the aging timer for
sessions of an application

layer protocol.

application aging-time { dns | ftp | msn | qq | sip } time-value

IMPORTANT:

For a large amount of sessions (more than 800000), do not specify a too short aging timer. Otherwise, the
console might be slow in response.

Enabling checksum verification

To make sure session tracking is not affected by packets with checksum errors, you can enable checksum

verification for protocol packets. With checksum verification enabled, the session management feature

processes only packets with correct checksums, and packets with incorrect checksums will be processed
by other services based on the session management.
To enable checksum verification for protocol packets:

Step Command

Remarks

Enter system view.

system-view

N/A

Enable checksum verification. session checksum { all | { icmp |

tcp | udp } * }

Disabled by default

IMPORTANT:

Enabling checksum verification might degrade the device performance.

Specifying the persistent session rule

You can set some sessions that have specific characteristics as persistent sessions. The aging time of a

persistent session does not vary with the session state transitions, neither will a persistent session be
removed because no packets match it. A persistent session can be specified with an aging time that is

longer than those of common sessions, or be configured to be a permanent connection, which will be

cleared only when the session initiator or responder sends a request to close it or you clear it manually.
You can set the persistent session criteria by specifying a basic or advanced access control list (ACL). All
sessions permitted by the ACL are persistent sessions.

This manual is related to the following products:

H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS