
About Session Tables

Session Table Definition

A session table records the connection status of protocols, such as TCP, UDP, and ICMP, and provides reference for the FW to forward packets.

Session Table Function

The FW uses a stateful inspection mechanism that improves the detection and forwarding efficiency. This mechanism determines the status of a connection based on the first packet or the first several packets received. Subsequent packets are then processed based on this connection status.

A session table is used to maintain this connection status. To forward TCP, UDP, and ICMP packets, the device must first look up the connection status in the session table and then process the packets accordingly.

Sessions are created for IP protocol packets, including UDP, TCP, ICMP ping, ICMPv6 ping, GRE, AH, ESP, IPIP, OSPF, RIP, and BFD packets. Sessions are not created for ICMP error, multicast, broadcast, non-first fragment, and non-IP protocol packets.

Session Aging

A created session entry needs to be matched by packets continually. If no packet matches it for a long time, the connection between the two communicating parties has been interrupted and the session entry is no longer needed. To save system resources, the system deletes an entry that has not been matched for a continuous period of time; that is, the session entry ages.

When a session entry has aged and a packet with the same 5-tuple as that entry passes through, the system determines whether to create a new session entry based on the security policy. If no session entry is created, the packet cannot be forwarded. The length of the aging time affects system forwarding as follows:

  • If the aging time is too long, a large number of interrupted session entries may exist in the system and consume system resources. In addition, new session entries may not be created, affecting the forwarding of other services.
  • If the aging time of the session entry is too short, certain connections that require a long time for sending packets are interrupted, affecting service forwarding.

In some scenarios, when the number of concurrent sessions on the FW increases quickly due to a network attack, sessions cannot be created for normal services. To address the problem, the FW provides the fast session aging function. When the number of sessions or the memory usage reaches the specified value, the FW accelerates the session aging process and ages sessions before the aging time elapses, which reduces the session table usage.
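The following toy model of the behaviour described above (lookup by 5-tuple, policy-based creation on the first packet, idle aging, and fast aging once the session count crosses a threshold) is an added example, not Huawei's implementation; the aging time, threshold and fast aging time are assumed illustrative values, and the policy function and 5-tuples are constructed.

```python
# Added illustrative session-table model; timers and thresholds are assumed values.
from dataclasses import dataclass

@dataclass
class Session:
    last_seen: float  # time of the last packet that matched this entry

class SessionTable:
    """Entries keyed by 5-tuple (proto, src_ip, src_port, dst_ip, dst_port)."""
    def __init__(self, aging_time=30.0, fast_threshold=3, fast_aging_time=5.0):
        self.aging_time = aging_time            # normal idle timeout, seconds
        self.fast_threshold = fast_threshold    # session count that triggers fast aging
        self.fast_aging_time = fast_aging_time  # shortened timeout used while above it
        self.sessions = {}

    def current_aging_time(self):
        # Fast aging: while the table holds at least fast_threshold entries,
        # idle entries are reclaimed before the normal aging time elapses.
        if len(self.sessions) >= self.fast_threshold:
            return self.fast_aging_time
        return self.aging_time

    def age(self, now):
        """Delete entries idle longer than the current aging time; return the count."""
        limit = self.current_aging_time()
        expired = [k for k, s in self.sessions.items() if now - s.last_seen > limit]
        for k in expired:
            del self.sessions[k]
        return len(expired)

    def forward(self, five_tuple, now, policy_permits):
        """Stateful decision for one packet: True if forwarded, False if dropped."""
        self.age(now)
        entry = self.sessions.get(five_tuple)
        if entry is not None:               # match: refresh the entry and forward
            entry.last_seen = now
            return True
        if not policy_permits(five_tuple):  # no entry: the security policy decides
            return False
        self.sessions[five_tuple] = Session(last_seen=now)  # first packet creates it
        return True

if __name__ == "__main__":
    allow_https = lambda p: p[0] == "tcp" and p[4] == 443  # constructed policy
    table = SessionTable()
    flow = ("tcp", "10.0.0.1", 40000, "203.0.113.5", 443)  # constructed 5-tuple
    print(table.forward(flow, 0.0, allow_https))   # True: created by policy
    print(table.forward(flow, 10.0, allow_https))  # True: matched, refreshed
    print(table.forward(flow, 41.0, allow_https))  # True: aged at 31 s idle, re-created
```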

Copyright © Huawei Technologies Co., Ltd.