Session management operation

Session management tracks the session status by inspecting the transport layer protocol information. It updates session states or ages out sessions according to data flows from the initiators or responders.

When a connection request passes through the device from a client to a server, the device creates a session entry. The entry can contain the request and response information, such as:

A multichannel protocol requires that the client and the server negotiate a new connection based on an existing connection to implement an application. Session management enables the device to create a relation entry for each connection during the negotiation phase. The entry is used to associate the connection with the application. Relation entries will be removed after the associated connections are established.
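The following added example is a simplified model of the session and relation entries described above; it is not code from the device or its vendor. The class and function names, the 30-second aging time, and the FTP-like exchange on documentation addresses are all assumptions made for illustration.

```python
class SessionTable:
    """Simplified model of session and relation entries (not vendor code)."""

    def __init__(self, aging=30):
        self.aging = aging      # assumed idle timeout, in seconds
        self.sessions = {}      # 5-tuple -> {"seen": time, "parent": 5-tuple or None}
        self.relations = {}     # (dst_ip, dst_port, proto) -> parent session 5-tuple

    def age_out(self, now):
        """Remove session entries idle for longer than the aging time."""
        for key in [k for k, e in self.sessions.items() if now - e["seen"] > self.aging]:
            del self.sessions[key]

    def expect(self, parent, dst_ip, dst_port, proto):
        """Create a relation entry for a connection negotiated over `parent`."""
        if parent in self.sessions:
            self.relations[(dst_ip, dst_port, proto)] = parent

    def track(self, pkt, now):
        """Update state for one packet and classify it. Tracking only: nothing is dropped."""
        self.age_out(now)
        src, sport, dst, dport, proto = pkt
        for key in (pkt, (dst, dport, src, sport, proto)):  # initiator or responder side
            if key in self.sessions:
                self.sessions[key]["seen"] = now
                return "existing"
        # A match means the negotiated connection is being established:
        # remove the relation entry and tie the new session to its parent.
        parent = self.relations.pop((dst, dport, proto), None)
        self.sessions[pkt] = {"seen": now, "parent": parent}
        return "related" if parent else "new"


def demo():
    """Constructed FTP-like exchange using documentation address ranges."""
    t = SessionTable(aging=30)
    ctrl = ("192.0.2.10", 40000, "198.51.100.5", 21, "tcp")
    data = ("192.0.2.10", 40001, "198.51.100.5", 50001, "tcp")
    out = [t.track(ctrl, 0)]                                    # client request
    out.append(t.track(("198.51.100.5", 21, "192.0.2.10", 40000, "tcp"), 1))  # reply
    t.expect(ctrl, "198.51.100.5", 50001, "tcp")                # negotiation seen
    out.append(t.track(data, 2))                                # negotiated channel
    out.append(len(t.relations))                                # relation entry gone
    out.append(t.track(("192.0.2.10", 40002, "198.51.100.5", 80, "tcp"), 100))
    out.append(len(t.sessions))                                 # idle entries aged out
    return out


if __name__ == "__main__":
    print(demo())
```

The "related" result is the point of interest: the negotiated connection is recognized only while its relation entry exists, and the entry is consumed by the first matching packet.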

If the destination IP address of a packet is a multicast IP address, the packet will be forwarded out of multiple ports. When a multicast connection request is received on an inbound interface, the device performs the following operations:

Unless otherwise stated, "session entry" in this chapter refers to both unicast and multicast session entries.

In practice, session management works with ASPF to determine dynamically, according to the connection status, whether a packet can pass the firewall and enter the internal network, which prevents intrusion.

Session management only tracks connection status. It does not block potential attack packets.