Configuration task list, Configuring basic session management settings – H3C Technologies H3C SecPath F1000-E User Manual
• Supporting ICMP error packet mapping and allowing the system to search for original sessions according to the payloads of these packets. As ICMP error packets are generated due to errors, this helps speed up the aging of the original sessions.
• Supporting persistent sessions. You can specify TCP sessions meeting certain criteria as persistent sessions. The aging time of a persistent session does not vary with the session state transitions, nor is a persistent session removed because no packets match it. A persistent session can be specified with an aging time that is longer than those of common sessions (up to 360 hours), or be configured as a permanent connection, which is deleted only when the session initiator or responder sends a request to close it or you clear it manually.
• Supporting both control channels and dynamic data channels of application layer protocols such as DNS, FTP, MSN, QQ, and SIP.
• Supporting both unidirectional and bidirectional traffic (the hybrid mode). A bidirectional traffic environment means that packets in both directions pass the firewall. A unidirectional traffic environment means that packets in only one direction pass the firewall. In this case, the normal session state machine of the firewall cannot process the packets. After the unidirectional traffic detection mode is enabled, session management adopts a special session state machine, which can process bidirectional and unidirectional packets simultaneously, but some service functions cannot be supported. For example, ASPF will not check the first TCP packet that is not SYN. Therefore, the system security will be degraded. If unidirectional traffic exists in the network, enable unidirectional traffic detection to ensure normal processing of the unidirectional traffic. However, if no unidirectional traffic exists in the network, disable unidirectional traffic detection to ensure the system security.
• Supporting limiting the number of session-based connections. For more information, see "
NOTE:
Only TCP sessions in the ESTABLISHED state can be specified as persistent sessions.
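The following Python model is an added illustration of the aging rules described above; it is not H3C code and does not reflect the device implementation. The per-state aging values, the function names, and the choice to count a persistent aging time from the moment the rule is applied are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

HOUR = 3600
MAX_PERSISTENT_HOURS = 360  # upper bound stated in the text above
STATE_AGING = {"SYN": 30, "ESTABLISHED": 3600, "FIN": 30}  # constructed, in seconds

@dataclass
class Session:
    proto: str
    state: str
    last_packet: float                        # time the last packet matched
    persistent_since: Optional[float] = None  # set once a persistent rule applies
    persistent_aging: Optional[float] = None  # seconds; None means permanent

def mark_persistent(s: Session, now: float, hours: Optional[float] = None) -> None:
    """Apply a persistent-session rule; hours=None requests a permanent session."""
    if s.proto != "TCP" or s.state != "ESTABLISHED":
        raise ValueError("only TCP sessions in the ESTABLISHED state qualify")
    if hours is not None and not 0 < hours <= MAX_PERSISTENT_HOURS:
        raise ValueError("persistent aging time is limited to 360 hours")
    s.persistent_since = now
    s.persistent_aging = None if hours is None else hours * HOUR

def expires_at(s: Session) -> Optional[float]:
    """Time at which the session ages out, or None if it never ages out."""
    if s.persistent_since is None:
        return s.last_packet + STATE_AGING[s.state]  # common: idle timer per state
    if s.persistent_aging is None:
        return None  # permanent: removed only by a close request or manual clear
    # Assumption: fixed timer from rule application, ignoring state and idle time.
    return s.persistent_since + s.persistent_aging

def sweep(table: dict, now: float) -> dict:
    """Return the sessions that are still alive at time `now`."""
    return {k: s for k, s in table.items()
            if expires_at(s) is None or expires_at(s) > now}

def demo_table() -> dict:
    """Three constructed sessions, all last seen at t=0."""
    t = {n: Session("TCP", "ESTABLISHED", 0.0) for n in ("common", "day", "permanent")}
    mark_persistent(t["day"], now=0.0, hours=24)
    mark_persistent(t["permanent"], now=0.0)
    t["day"].state = "FIN"  # a state change does not shorten a persistent timer
    return t

if __name__ == "__main__":
    for hours in (0.5, 2, 25):
        print(hours, sorted(sweep(demo_table(), hours * HOUR)))
```

In this model the permanent session survives every sweep, so such entries stay in the table until a peer closes them or they are cleared manually.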
Configuring session management in the Web interface
Configuration task list
Configuring basic session management settings
Task: Configuring basic session management settings
Remarks: Optional. Basic session management settings include:
• Configuring whether to enable unidirectional traffic detection.
• Configuring persistent session rules, which are available only for TCP sessions in the ESTABLISHED state.
• Configuring aging times for protocol states, which are effective only for sessions being established.
• Configuring aging times for application layer protocols, which are effective only for sessions in the READY or ESTABLISHED state.