Managing sessions, Overview, Session management principle – H3C Technologies H3C SecPath F1000-E User Manual
Managing sessions
Overview
The session management feature is designed to manage sessions of applications such as network
address translation (NAT), application specific packet filter (ASPF), and intrusion protection. This feature
regards packet exchanges at the transport layer as sessions and updates the status of sessions or ages
out sessions according to the information in packets.
Session management allows multiple features to process the same service packet, each according to its own needs. It
implements the following functions:
• Fast match between packets and sessions.
• Management of transport layer protocol state.
• Identification of application layer protocol types.
• Session aging based on protocol state or application layer protocol type.
• Persistent session.
• Checksum verification for transport layer protocol packets.
• Special packet match for the application layer protocols requiring port negotiation.
• Resolution of ICMP error control packets and session match based on resolution results.
Session management principle
The session management function tracks the status of connections by inspecting the transport layer
protocol (TCP or UDP) information, and performs unified status maintenance and management for all
connections.
In actual applications, session management works together with ASPF to dynamically determine whether
a packet can pass the firewall and enter the internal network according to connection status, thus
preventing intrusion.
The session management function only implements connection status tracking. It cannot block potential
attack packets.
Session management implementation
The session management feature implemented on the firewall provides the following functions:
• Supporting session creation, session status update and session timeout setting based on protocol
state for IPv4 TCP, UDP, ICMP, and Raw IP sessions.
• Supporting port mapping for application layer protocols and allowing application layer protocols
to use customized ports and session timeout intervals.
• Supporting checksum verification for TCP, UDP, and ICMP packets. In case of a checksum
verification failure, the system does not match sessions or create sessions. Instead, other services
based on session management will process the packets.
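The following Python model is an added illustration of the behaviour the two lists above describe (fast 5-tuple match, transport-layer state tracking, state-based aging, checksum verification, and matching an ICMP error to the session of the packet it carries). It is not H3C code and does not reproduce the device's implementation; the aging timers, state names, and sample addresses are constructed for the example, and the firewall's real defaults are not stated on this page. Consistent with the principle section, the tracker only records and reports state; it never decides by itself whether a packet is dropped.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical aging timers in seconds, keyed by (protocol, state). Real device
# defaults are not given on this page; these values only show state-based aging.
AGING = {
    ("TCP", "SYN_SENT"): 30, ("TCP", "SYN_RECV"): 30,
    ("TCP", "ESTABLISHED"): 3600, ("TCP", "CLOSING"): 30,
    ("UDP", "OPEN"): 60, ("UDP", "READY"): 120,
    ("ICMP", "OPEN"): 60, ("ICMP", "READY"): 60,
}

@dataclass
class Packet:
    proto: str                      # "TCP", "UDP", "ICMP" or "ICMP_ERROR"
    src: str
    sport: int                      # for ICMP echo, use the identifier here
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    checksum_ok: bool = True        # result of transport-layer checksum verification
    inner: Optional["Packet"] = None  # ICMP error: header of the original packet

@dataclass
class Session:
    key: tuple
    proto: str
    state: str
    last_seen: float

    def timeout(self) -> int:
        return AGING[(self.proto, self.state)]

def forward_key(p: Packet) -> tuple:
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def reverse_key(p: Packet) -> tuple:
    return (p.proto, p.dst, p.dport, p.src, p.sport)

class SessionTable:
    def __init__(self) -> None:
        self.sessions: dict[tuple, Session] = {}

    def lookup(self, p: Packet):
        # Fast match: one dictionary probe per direction of the 5-tuple.
        fk, rk = forward_key(p), reverse_key(p)
        if fk in self.sessions:
            return self.sessions[fk], "initiator"
        if rk in self.sessions:
            return self.sessions[rk], "responder"
        return None, None

    def process(self, p: Packet, now: float) -> str:
        # Checksum failure: neither match nor create a session; report it so
        # the other services built on session management can handle the packet.
        if not p.checksum_ok:
            return "checksum-fail"
        # ICMP error: resolve the embedded original packet and match its session.
        if p.proto == "ICMP_ERROR":
            sess, _ = self.lookup(p.inner) if p.inner else (None, None)
            if sess is None:
                return "no-session"
            sess.last_seen = now
            return f"icmp-error:{sess.state}"
        sess, direction = self.lookup(p)
        if sess is None:
            return self._create(p, now)
        return self._update(sess, p, direction, now)

    def _create(self, p: Packet, now: float) -> str:
        if p.proto == "TCP":
            if p.flags != frozenset({"SYN"}):   # only a bare SYN opens a TCP session
                return "no-session"
            state = "SYN_SENT"
        else:
            state = "OPEN"
        self.sessions[forward_key(p)] = Session(forward_key(p), p.proto, state, now)
        return f"created:{state}"

    def _update(self, sess: Session, p: Packet, direction: str, now: float) -> str:
        sess.last_seen = now
        if sess.proto == "TCP":   # simplified three-way handshake / teardown tracking
            if "RST" in p.flags or "FIN" in p.flags:
                sess.state = "CLOSING"
            elif sess.state == "SYN_SENT" and direction == "responder" \
                    and p.flags == frozenset({"SYN", "ACK"}):
                sess.state = "SYN_RECV"
            elif sess.state == "SYN_RECV" and direction == "initiator" and "ACK" in p.flags:
                sess.state = "ESTABLISHED"
        elif direction == "responder" and sess.state == "OPEN":
            sess.state = "READY"   # UDP/ICMP: a reply makes the session bidirectional
        return f"matched:{sess.state}"

    def age_out(self, now: float) -> list:
        # Aging depends on the current state, not on a single global timer.
        expired = [k for k, s in self.sessions.items() if now - s.last_seen > s.timeout()]
        for k in expired:
            del self.sessions[k]
        return expired

def run_demo() -> list:
    # Constructed traffic between a client and a server (documentation addresses).
    table, t, client, server = SessionTable(), 1000.0, "10.1.1.2", "203.0.113.5"
    syn = Packet("TCP", client, 40000, server, 80, frozenset({"SYN"}))
    synack = Packet("TCP", server, 80, client, 40000, frozenset({"SYN", "ACK"}))
    ack = Packet("TCP", client, 40000, server, 80, frozenset({"ACK"}))
    bad = Packet("TCP", client, 40001, server, 80, frozenset({"SYN"}), checksum_ok=False)
    stray_ack = Packet("TCP", client, 40002, server, 80, frozenset({"ACK"}))
    dns_q = Packet("UDP", client, 5353, server, 53)
    dns_r = Packet("UDP", server, 53, client, 5353)
    unreachable = Packet("ICMP_ERROR", server, 0, client, 0, inner=dns_q)
    results = [table.process(syn, t), table.process(synack, t + 1),
               table.process(ack, t + 2), table.process(bad, t + 3),
               table.process(stray_ack, t + 3), table.process(dns_q, t + 4),
               table.process(dns_r, t + 5), table.process(unreachable, t + 6)]
    # After 200 s the READY UDP session (120 s) has aged out; the ESTABLISHED TCP one has not.
    results.append(f"expired:{len(table.age_out(t + 200))}")
    results.append(f"remaining:{len(table.sessions)}")
    return results

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

Running the demo walks one TCP handshake through SYN_SENT, SYN_RECV and ESTABLISHED, shows a checksum failure and a stray ACK producing no session entry, shows a UDP exchange moving to READY and an ICMP error being attributed to that UDP session, and finally shows the two sessions aging at different rates because their timers are taken from their current state.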