HP VPN Firewall Appliances Access Control Configuration Guide
Setting session aging time for application layer protocols
For sessions in the READY (with UDP) or ESTABLISH (with TCP) state, you can set the session aging times
according to the types of the application layer protocols to which the sessions belong.
IMPORTANT:
For a large number of sessions (more than 800000), do not specify too short an aging time. Otherwise, the
console might be slow in response.
To set session aging times based on application layer protocol type:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Set the aging time for sessions of an application layer protocol.
   Command: application aging-time { dns | ftp | msn | qq | sip } time-value
   Remarks: The aging times set with this command apply only to sessions in the READY/ESTABLISH state.
Enabling checksum verification
To make sure session tracking is not affected by packets with checksum errors, you can enable checksum
verification for protocol packets. With checksum verification enabled, the session management feature
processes only packets with correct checksums, and packets with incorrect checksums will be processed
by other services based on the session management.
IMPORTANT:
Checksum verification might degrade the device performance. Enable it with caution.
To enable checksum verification for protocol packets:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enable checksum verification.
   Command: session checksum { all | { icmp | tcp | udp } * }
   Remarks: Disabled by default.
Specifying persistent sessions
You can specify the sessions that match the permit statements in a specific basic or advanced ACL as
persistent sessions, and give them a longer lifetime or configure them to never age out. A lifelong session is not
removed until the device receives a connection close request from the initiator or responder, or you
manually clear the session entries.
For more information about the configuration of basic and advanced ACLs, see Access Control
Configuration Guide.
To specify persistent sessions:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Specify persistent sessions.
   Command: session persist acl acl-number [ aging-time time-value ]
   Remarks: By default, no persistent sessions are specified. If you configure this command multiple times,
   the last configuration takes effect.
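The following pre-deployment check is an added example, not part of the HP guide or any HP tool. It validates a planned list of system-view commands against the three command syntaxes above and reports the settings that would take effect, including the case where a later session persist acl line replaces an earlier one. The function name, the min_aging policy floor, the sample ACL numbers and time values, and the treatment of repeated session checksum lines are assumptions.

```python
import re

APP_PROTOCOLS = {"dns", "ftp", "msn", "qq", "sip"}   # keywords of application aging-time
CHECKSUM_PROTOCOLS = {"icmp", "tcp", "udp"}          # keywords of session checksum
PERSIST_RE = re.compile(r"session persist acl (\d+)(?: aging-time (\d+))?")

def lint_session_commands(lines, min_aging=None):
    """Return (effective_settings, findings); min_aging is a hypothetical site floor."""
    effective = {"app_aging": {}, "checksum": set(), "persist": None}
    findings = []                                    # (line number, message)
    for n, raw in enumerate(lines, 1):
        tok = raw.split()
        if tok[:2] == ["application", "aging-time"]:
            if len(tok) != 4 or tok[2] not in APP_PROTOCOLS or not tok[3].isdecimal():
                findings.append((n, "invalid application aging-time syntax"))
                continue
            effective["app_aging"][tok[2]] = int(tok[3])
            if min_aging is not None and int(tok[3]) < min_aging:
                findings.append((n, f"{tok[2]} aging time below site minimum {min_aging}"))
        elif tok[:2] == ["session", "checksum"]:
            args = tok[2:]
            if args == ["all"]:
                effective["checksum"] = set(CHECKSUM_PROTOCOLS)
            elif args and set(args) <= CHECKSUM_PROTOCOLS and len(set(args)) == len(args):
                # Assumption: separate session checksum lines accumulate.
                effective["checksum"] |= set(args)
            else:
                findings.append((n, "invalid session checksum syntax"))
        elif tok[:2] == ["session", "persist"]:
            m = PERSIST_RE.fullmatch(" ".join(tok))
            if not m:
                findings.append((n, "invalid session persist syntax"))
                continue
            if effective["persist"] is not None:     # the last configuration takes effect
                old = effective["persist"]["acl"]
                findings.append((n, f"replaces earlier persistent-session ACL {old}"))
            aging = int(m.group(2)) if m.group(2) else None
            effective["persist"] = {"acl": int(m.group(1)), "aging_time": aging}
    return effective, findings

# Constructed sample plan; ACL numbers and time values are illustrative only.
PLAN = [
    "system-view",
    "application aging-time dns 10",
    "application aging-time http 60",
    "session checksum tcp udp",
    "session persist acl 2000 aging-time 72",
    "session persist acl 3000",
]
```

Calling lint_session_commands(PLAN, min_aging=30) reports lines 2, 3 and 6 and shows that only ACL 3000 remains as the persistent-session ACL.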