Managing sessions, Overview, Session management principle – H3C Technologies H3C SecPath F1000-E User Manual

Page 95: Session management implementation

Advertising
background image

85

Managing sessions

Overview

The session management feature is designed to manage sessions of applications such as network

address translation (NAT), application specific packet filter (ASPF), and intrusion protection. This feature
regards packet exchanges at the transport layer as sessions and updates the status of sessions or ages

out sessions according to the information in packets.
Session management allows multiple features to process the same service packet respectively. It

implements the following functions:

Fast match between packets and sessions.

Management of transport layer protocol state.

Identification of application layer protocol types.

Session aging based on protocol state or application layer protocol type.

Persistent session.

Checksum verification for transport layer protocol packets.

Special packet match for the application layer protocols requiring port negotiation.

Resolution of ICMP error control packets and session match based on resolution results.

Session management principle

The session management function tracks the status of connections by inspecting the transport layer
protocol (TCP or UDP) information, and performs unified status maintenance and management for all

connections.
In actual applications, session management works together with ASPF to dynamically determine whether

a packet can pass the firewall and enter the internal network according to connection status, thus
preventing intrusion.
The session management function only implements connection status tracking. It cannot block potential

attack packets.

Session management implementation

The session management feature implemented on the firewall provides the following functions:

Supporting session creation, session status update and session timeout setting based on protocol
state for IPv4 TCP, UDP, ICMP, and Raw IP sessions

Supporting port mapping for application layer protocols and allowing application layer protocols
to use customized ports and session timeout intervals

Supporting checksum verification for TCP, UDP, and ICMP packets. In case of a checksum
verification failure, the system does not match sessions or create sessions. Instead, other services
based on session management will process the packets

Advertising
This manual is related to the following products:

H3C SecPath F5000-A5 Firewall, H3C SecPath F1000-A-EI, H3C SecPath F1000-E-SI, H3C SecPath F1000-S-AI, H3C SecPath F5000-S Firewall, H3C SecPath F5000-C Firewall, H3C SecPath F100-C-SI, H3C SecPath F1000-C-SI, H3C SecPath F100-A-SI, H3C SecBlade FW Cards, H3C SecBlade FW Enhanced Cards, H3C SecPath U200-A U200-M U200-S, H3C SecPath U200-CA U200-CM U200-CS

Popular Brands
Popular manuals