Manualshelf

R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
61626364656667686970
58
Session management
NOTE:
The firewall supports session management only in the web interface.
Session management overview
The session management feature is designed to manage sessions of applications such as network
address translation (NAT), application specific packet filter (ASPF), and intrusion protection. This feature
regards packet exchanges at the transport layer as sessions and updates the status of sessions or ages
out sessions according to the information in packets.
Session management allows multiple features to process the same service packet respectively. It
implements the following functions:
Fast match between packets and sessions
Management of transport layer protocol state
Identification of application layer protocol types
Session aging based on protocol state or application layer protocol type
Permanent session
Special packet match for the application layer protocols requiring port negotiation
Resolution of ICMP error control packets and session match based on resolution results
Session management principle
The session management function tracks the status of connections by inspecting the transport layer
protocol (TCP or UDP) information, and performs unified status maintenance and management for all
connections.
In actual applications, session management works together with ASPF to dynamically determine whether
a packet can pass the firewall and enter the internal network according to connection status, thus
preventing intrusion.
The session management function implements only connection status tracking. It cannot block potential
attack packets.
Session management implementation
The session management feature implemented on the device provides the following functions:
Supporting session creation, session status update and session timeout setting based on protocol
state for IPv4 TCP, UDP, ICMP, and Raw IP sessions.
Supporting long-term sessions. A long-term session will not be aged due to status changes nor
removed due to no matching of it, until the session initiator or responder tears it down or the
administrator removes it manually.