R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101
• Supporting checksum verification for TCP, UDP, and ICMP packets. In case of checksum verification
failure, the system will not match sessions or create sessions. Instead, other services based on
session management will process the packets.
• Supporting ICMP error packet mapping and allowing the system to search for original sessions
according to the payload of these packets. Because error packets are generated due to host errors,
the mapping can help speed up the aging of the original sessions.
• Supporting persistent sessions, which are not aged within a long period of time.
• Supporting session management of control channels and dynamic data channels of application
layer protocols, for example, FTP.
• Supporting limiting the number of session-based connections. For more information, see the chapter
“Connection limit configuration.”
Session management configuration task list
Complete the following tasks to configure session management:
• Setting session aging times based on protocol state
• Configuring session aging times based on application layer protocol type
• Enabling checksum verification
• Specifying the persistent session ACL
• Clearing sessions manually
These tasks are mutually independent and can be configured in any order. You can configure them as
required.
Setting session aging times based on protocol state
NOTE:
• This aging time setting takes effect only on sessions that are being established.
• If the application layer protocol of a session supports session aging time configuration, the session uses
the aging time set for its application layer protocol type when it is in the READY/ESTABLISH state.
For more information, see “Configuring session aging times based on application layer protocol type.”
If a session entry is not matched with any packets in a specified period of time, the entry will be aged out.
Follow these steps to set the session aging times based on protocol state:
To do...                              Use the command...                                    Remarks
Enter system view                     system-view                                           —
Set the aging time for sessions of    session aging-time { accelerate | fin | icmp-closed   Required
a specified protocol and in a         | icmp-open | rawip-open | rawip-ready | syn |
specified state                       tcp-est | udp-open | udp-ready } time-value
NOTE:
If a large number of sessions (more than 800000) may exist, overly short aging times are not
recommended. Otherwise, the console may be slow to respond.
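The aging rules in this section, modeled as an added example (not code from the guide or the device): an entry is removed when no packet has matched it for its aging time, and the application-based time replaces the state-based time only in the READY/ESTABLISH state. The timer values, the unit (seconds), and the mapping of tcp-est, udp-ready and rawip-ready to READY/ESTABLISH are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed timer values in seconds (assumed unit); not device defaults.
STATE_AGING = {"syn": 30, "fin": 30, "tcp-est": 3600, "udp-open": 30, "udp-ready": 60}
APP_AGING = {"ftp": 7200, "dns": 10}   # per application layer protocol
# Assumption: keywords treated as the READY/ESTABLISH state named in the NOTE.
READY_STATES = {"tcp-est", "udp-ready", "rawip-ready"}

@dataclass
class Session:
    key: tuple               # (src, sport, dst, dport, proto)
    state: str               # a `session aging-time` state keyword
    app: Optional[str]       # application layer protocol, if identified
    last_match: float = 0.0  # time the entry last matched a packet

def effective_aging(s: Session) -> int:
    """Application-based time applies only once the session is READY/ESTABLISH."""
    if s.state in READY_STATES and s.app in APP_AGING:
        return APP_AGING[s.app]
    return STATE_AGING[s.state]

def match(table: dict, key: tuple, now: float) -> None:
    """A matching packet refreshes the entry, restarting its aging timer."""
    table[key].last_match = now

def age_out(table: dict, now: float) -> list:
    """Delete entries unmatched for their aging time; return the removed keys."""
    expired = [k for k, s in table.items() if now - s.last_match >= effective_aging(s)]
    for k in expired:
        del table[k]
    return expired

def demo() -> dict:
    # Constructed sample sessions, all created at t=0.
    half_open = ("10.0.0.1", 40000, "10.0.0.9", 21, "tcp")
    ftp_ctrl = ("10.0.0.2", 40001, "10.0.0.9", 21, "tcp")
    web = ("10.0.0.3", 40002, "10.0.0.9", 80, "tcp")
    dns = ("10.0.0.4", 40003, "10.0.0.9", 53, "udp")
    table = {s.key: s for s in (
        Session(half_open, "syn", "ftp"), Session(ftp_ctrl, "tcp-est", "ftp"),
        Session(web, "tcp-est", None), Session(dns, "udp-ready", "dns"))}
    removed = {}
    for now in (10, 30, 3600, 3630, 7200):
        if now == 30:
            match(table, web, now)   # web session sees traffic at t=30
        removed[now] = age_out(table, now)
    return removed
```

The half-open FTP session ages on the syn timer even though an FTP application time exists, while the established FTP control session outlives the plain tcp-est web session.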