HP VPN Firewall Appliances Access Control Configuration Guide
Configuring the operating mode for session management
By default, session management operates in bidirectional mode and processes only bidirectional sessions. You can set the operating mode to hybrid mode so that the device processes both bidirectional sessions and unidirectional sessions. In a unidirectional session, only packets in one specific direction can pass the device.
In hybrid mode, some features cannot function correctly and system security is weakened. For example, in hybrid mode ASPF cannot drop a non-SYN packet that arrives as the first packet of a TCP connection, because such a packet is allowed to create a unidirectional session. Set the operating mode to hybrid only if unidirectional sessions exist in your network; otherwise keep the default bidirectional mode.
To configure the operating mode for session management:

Step                                                   Command                     Remarks
1. Enter system view.                                  system-view                 N/A
2. Configure the operating mode for session management.
   • Configure the hybrid mode:                        session mode hybrid         Use either command.
   • Configure the bidirectional mode:                 undo session mode           Bidirectional mode by default.
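The security consequence of the two operating modes is easiest to see in a small model of the first-packet check. The following is an added example and is not HP code; it models only the behaviour the guide states (a TCP session in bidirectional mode must begin with a SYN, while hybrid mode lets any packet create a unidirectional session). The packet layout, the flag values, the flow keys and the sample traffic are all constructed for illustration.

```python
"""Model of the first-packet check that the session management operating mode
controls. Added example, not HP code: it reproduces only the behaviour stated
in the guide (bidirectional mode drops a non-SYN first packet, hybrid mode
does not). Packet format, flow keys and sample traffic are constructed."""
from dataclasses import dataclass

# TCP flag bits (RFC 793 values).
SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int  # TCP flag bits


def flow_key(p: Packet):
    return (p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet):
    return (p.dst, p.dport, p.src, p.sport)


class SessionTable:
    """Session table for one operating mode: 'bidirectional' or 'hybrid'."""

    def __init__(self, mode: str = "bidirectional"):
        if mode not in ("bidirectional", "hybrid"):
            raise ValueError("mode must be 'bidirectional' or 'hybrid'")
        self.mode = mode
        # flow key -> 'bidirectional' | 'unidirectional'
        self.sessions = {}

    def process(self, p: Packet) -> str:
        """Return 'forward' or 'drop' for one packet."""
        k = flow_key(p)
        if k in self.sessions:
            # Packet in the original direction of an existing session.
            return "forward"
        rk = reverse_key(p)
        if rk in self.sessions and self.sessions[rk] == "bidirectional":
            # Reply direction of a bidirectional session is covered by it.
            return "forward"
        # A unidirectional session covers one direction only, so a packet in
        # the other direction is treated as a first packet below.
        # Assumption of this model: a legitimate TCP session starts with a
        # packet that has SYN set and ACK clear.
        if p.flags & SYN and not p.flags & ACK:
            self.sessions[k] = "bidirectional"
            return "forward"
        if self.mode == "bidirectional":
            # ASPF drops a non-SYN packet that is the first packet of a
            # TCP connection.
            return "drop"
        # Hybrid mode: any packet may open a unidirectional session, so the
        # non-SYN first packet is not dropped. This is the weakening the
        # guide warns about.
        self.sessions[k] = "unidirectional"
        return "forward"


def run(mode: str, packets) -> list:
    """Feed packets through a fresh table and return the verdict list."""
    table = SessionTable(mode)
    return [table.process(p) for p in packets]


# Constructed sample traffic: a normal handshake start, its SYN-ACK reply,
# then a bare ACK that is the first packet of a different connection.
SAMPLE = [
    Packet("10.0.0.1", 40000, "192.0.2.10", 443, SYN),
    Packet("192.0.2.10", 443, "10.0.0.1", 40000, SYN | ACK),
    Packet("10.0.0.2", 40001, "192.0.2.10", 22, ACK),
]

if __name__ == "__main__":
    for mode in ("bidirectional", "hybrid"):
        print(mode, run(mode, SAMPLE))
```

In the default bidirectional mode the third packet (a bare ACK with no session) is dropped; in hybrid mode it creates a unidirectional session and is forwarded, which is why the guide recommends hybrid mode only when unidirectional sessions actually exist.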
Enabling session synchronization for stateful failover
The session synchronization for stateful failover feature enables two devices to synchronize in real time
the sessions and dynamic entries of session-based services, such as NAT, ALG, and ASPF. The two
devices are generally the central gateway devices of an enterprise, one acting as the primary and the
other acting as the backup. They use a virtual IP address to communicate with a peer device (generally
a branch gateway device). When the primary central gateway device fails, the services are switched to
the backup central gateway device according to the redundancy negotiation mechanism, and the
backup one takes over to process and forward service traffic. The failover process is invisible to the peer
device, and the peer device, without any reconfiguration, can still communicate with the central gateway
device. Because all dynamic entries are synchronized in real time between the two central gateway
devices, a failover does not interrupt ongoing services.
Before performing this task, enable the stateful failover feature and, if the stateful failover network topology requires it, enable support for asymmetric paths.
To enable session synchronization for stateful failover:

Step                                                         Command                           Remarks
1. Enter system view.                                        system-view                       N/A
2. Enable session synchronization for stateful failover.    session synchronization enable    Optional. Disabled by default.
Clearing sessions
Task               Command                                                                Remarks
Clear sessions.    reset session [ vd-name vd-name ] [ source-ip source-ip ]              Available in user view.
                   [ destination-ip destination-ip ] [ protocol-type protocol-type ]
                   [ source-port source-port ] [ destination-port destination-port ]
                   [ vpn-instance vpn-instance-name ]