Refreshing active sessions for specific protocols and port ranges per VDOM in a specified direction
Active sessions can be refreshed for specific protocols and port ranges per VDOM in a specified direction. This option can help prevent potential denial of service (DoS) attacks by controlling the direction of traffic that refreshes existing sessions.
config system session-ttl config port edit <id> set protocol <integer> set timeout <timeout_value> set refresh-direction {both | outgoing | incoming} next end end
Setting the refresh-direction
to outgoing
will use the original direction, while incoming
will use the reply direction. To refresh in both directions, select both
.
Example
In this example, active sessions for UDP port 5001 will be refreshed in the incoming direction.
To refresh active sessions for UDP port 5001 in the incoming direction:
-
Configure the global session TTL timer:
config system session-ttl set default 3600 config port edit 5001 set protocol 17 set timeout 5001 set refresh-direction incoming set start-port 5001 set end-port 5001 next end end
-
Send UDP 5001 traffic from the client to the server.
-
Verify the session table:
# diagnose sys session list session info: proto=17 proto_state=00 duration=77 expire=4923 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0 state=log may_dirty f00 statistic(bytes/packets/allow_err): org=58/2/1 reply=0/0/0 tuples=2 tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0 orgin->sink: org pre->post, reply pre->post dev=18->17/17->18 gwy=172.16.200.55/0.0.0.0 hook=post dir=org act=snat 10.1.100.41:2041->172.16.200.55:5001(172.16.200.10:62458) hook=pre dir=reply act=dnat 172.16.200.55:5001->172.16.200.10:62458(10.1.100.41:2041) src_mac=00:0c:29:b6:e8:be dst_mac=00:0c:29:92:89:96 misc=0 policy_id=99 pol_uuid_idx=1501 auth_info=0 chk_client_info=0 vd=0 serial=00005071 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id=00000000 ngfwid=n/a npu_state=0x000001 no_offload no_ofld_reason: disabled-by-policy total session: 1
The timeout and refresh for the reply direction are attached to the session.
-
Send UDP 5001 traffic again from the client to the server.
-
Verify the diagnostics.
- Run the sniffer trace:
# diagnose sniffer packet any 'udp and port 5001' 4 interfaces=[any] filters=[udp and port 5001] 3.387747 wan2 in 10.1.100.41.2041 -> 172.16.200.55.5001: udp 1 3.387757 wan1 out 172.16.200.10.62458 -> 172.16.200.55.5001: udp 1 ^C 2 packets received by filter 0 packets dropped by kernel
- Verify the session table:
# diagnose sys session list session info: proto=17 proto_state=00 duration=119 expire=4881 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0 state=log may_dirty f00 statistic(bytes/packets/allow_err): org=116/4/1 reply=0/0/0 tuples=2 tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 0/0 orgin->sink: org pre->post, reply pre->post dev=18->17/17->18 gwy=172.16.200.55/0.0.0.0 hook=post dir=org act=snat 10.1.100.41:2041->172.16.200.55:5001(172.16.200.10:62458) hook=pre dir=reply act=dnat 172.16.200.55:5001->172.16.200.10:62458(10.1.100.41:2041) src_mac=00:0c:29:b6:e8:be dst_mac=00:0c:29:92:89:96 misc=0 policy_id=99 pol_uuid_idx=1501 auth_info=0 chk_client_info=0 vd=0 serial=00005071 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id=00000000 ngfwid=n/a npu_state=0x000001 no_offload no_ofld_reason: disabled-by-policy total session: 1
As the traffic flows from the client to the server (outgoing), the expiration timer continues to count down and is not refreshed.
- Run the sniffer trace:
-
Send reverse UDP 5001 traffic from the server to the client.
-
Verify the diagnostics again.
- Run the sniffer trace:
# diagnose sniffer packet any 'udp and port 62458 or port 2041' 4 interfaces=[any] filters=[udp and port 62458 or port 2041] 3.237328 wan1 in 172.16.200.55.5001 -> 172.16.200.10.62458: udp 1 3.237339 wan2 out 172.16.200.55.5001 -> 10.1.100.41.2041: udp 1 ^C 2 packets received by filter 0 packets dropped by kernel
- Verify the session table:
# diagnose sys session list session info: proto=17 proto_state=01 duration=1710 expire=4995 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0 state=log may_dirty f00 statistic(bytes/packets/allow_err): org=116/4/1 reply=116/4/1 tuples=2 tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0 orgin->sink: org pre->post, reply pre->post dev=18->17/17->18 gwy=172.16.200.55/10.1.100.41 hook=post dir=org act=snat 10.1.100.41:2041->172.16.200.55:5001(172.16.200.10:62458) hook=pre dir=reply act=dnat 172.16.200.55:5001->172.16.200.10:62458(10.1.100.41:2041) src_mac=00:0c:29:b6:e8:be dst_mac=00:0c:29:92:89:96 misc=0 policy_id=99 pol_uuid_idx=1501 auth_info=0 chk_client_info=0 vd=0 serial=00005071 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id=00000000 ngfwid=n/a npu_state=0x000001 no_offload no_ofld_reason: disabled-by-policy total session: 1
As the traffic flows from the server to the client (incoming), the expiration timer is refreshed.
- Run the sniffer trace: