
Administration Guide

Refreshing active sessions for specific protocols and port ranges per VDOM in a specified direction

Active sessions can be refreshed for specific protocols and port ranges per VDOM in a specified direction. This option can help prevent potential denial of service (DoS) attacks by controlling the direction of traffic that refreshes existing sessions.

config system session-ttl
    config port
        edit <id>
            set protocol <integer>
            set timeout <timeout_value>
            set refresh-direction {both | outgoing | incoming}
        next
    end
end

Setting refresh-direction to outgoing refreshes the session only on traffic in the original direction (client to server), while incoming refreshes it only on traffic in the reply direction (server to client). To refresh on traffic in either direction, select both.

Example

In this example, active sessions for UDP port 5001 will be refreshed in the incoming direction.

To refresh active sessions for UDP port 5001 in the incoming direction:
  1. Configure the global session TTL timer:

    config system session-ttl
        set default 3600
        config port
            edit 5001
                set protocol 17
                set timeout 5001
                set refresh-direction incoming
                set start-port 5001
                set end-port 5001
            next
        end
    end
  2. Send UDP 5001 traffic from the client to the server.

  3. Verify the session table:

    # diagnose sys session list
    session info: proto=17 proto_state=00 duration=77 expire=4923 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=log may_dirty f00
    statistic(bytes/packets/allow_err): org=58/2/1 reply=0/0/0 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=18->17/17->18 gwy=172.16.200.55/0.0.0.0
    hook=post dir=org act=snat 10.1.100.41:2041->172.16.200.55:5001(172.16.200.10:62458)
    hook=pre dir=reply act=dnat 172.16.200.55:5001->172.16.200.10:62458(10.1.100.41:2041)
    src_mac=00:0c:29:b6:e8:be  dst_mac=00:0c:29:92:89:96
    misc=0 policy_id=99 pol_uuid_idx=1501 auth_info=0 chk_client_info=0 vd=0
    serial=00005071 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x000001 no_offload
    no_ofld_reason:  disabled-by-policy
    total session: 1

    The timeout and refresh for the reply direction are attached to the session.

  4. Send UDP 5001 traffic again from the client to the server.

  5. Verify the diagnostics.

    1. Run the sniffer trace:
      # diagnose sniffer packet any 'udp and port 5001' 4
      interfaces=[any]
      filters=[udp and port 5001]
      3.387747 wan2 in 10.1.100.41.2041 -> 172.16.200.55.5001: udp 1
      3.387757 wan1 out 172.16.200.10.62458 -> 172.16.200.55.5001: udp 1
      ^C
      2 packets received by filter
      0 packets dropped by kernel
    2. Verify the session table:
      # diagnose sys session list
      session info: proto=17 proto_state=00 duration=119 expire=4881 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
      origin-shaper=
      reply-shaper=
      per_ip_shaper=
      class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
      state=log may_dirty f00
      statistic(bytes/packets/allow_err): org=116/4/1 reply=0/0/0 tuples=2
      tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 0/0
      orgin->sink: org pre->post, reply pre->post dev=18->17/17->18 gwy=172.16.200.55/0.0.0.0
      hook=post dir=org act=snat 10.1.100.41:2041->172.16.200.55:5001(172.16.200.10:62458)
      hook=pre dir=reply act=dnat 172.16.200.55:5001->172.16.200.10:62458(10.1.100.41:2041)
      src_mac=00:0c:29:b6:e8:be  dst_mac=00:0c:29:92:89:96
      misc=0 policy_id=99 pol_uuid_idx=1501 auth_info=0 chk_client_info=0 vd=0
      serial=00005071 tos=ff/ff app_list=0 app=0 url_cat=0
      rpdb_link_id=00000000 ngfwid=n/a
      npu_state=0x000001 no_offload
      no_ofld_reason:  disabled-by-policy
      total session: 1

    As the traffic flows from the client to the server (outgoing), the expiration timer continues to count down and is not refreshed.

  6. Send reverse UDP 5001 traffic from the server to the client.

  7. Verify the diagnostics again.

    1. Run the sniffer trace:
      # diagnose sniffer packet any 'udp and port 62458 or port 2041' 4
      interfaces=[any]
      filters=[udp and port 62458 or port 2041]
      3.237328 wan1 in 172.16.200.55.5001 -> 172.16.200.10.62458: udp 1
      3.237339 wan2 out 172.16.200.55.5001 -> 10.1.100.41.2041: udp 1
      ^C
      2 packets received by filter
      0 packets dropped by kernel
    2. Verify the session table:
      # diagnose sys session list
      session info: proto=17 proto_state=01 duration=1710 expire=4995 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
      origin-shaper=
      reply-shaper=
      per_ip_shaper=
      class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
      state=log may_dirty f00
      statistic(bytes/packets/allow_err): org=116/4/1 reply=116/4/1 tuples=2
      tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
      orgin->sink: org pre->post, reply pre->post dev=18->17/17->18 gwy=172.16.200.55/10.1.100.41
      hook=post dir=org act=snat 10.1.100.41:2041->172.16.200.55:5001(172.16.200.10:62458)
      hook=pre dir=reply act=dnat 172.16.200.55:5001->172.16.200.10:62458(10.1.100.41:2041)
      src_mac=00:0c:29:b6:e8:be  dst_mac=00:0c:29:92:89:96
      misc=0 policy_id=99 pol_uuid_idx=1501 auth_info=0 chk_client_info=0 vd=0
      serial=00005071 tos=ff/ff app_list=0 app=0 url_cat=0
      rpdb_link_id=00000000 ngfwid=n/a
      npu_state=0x000001 no_offload
      no_ofld_reason:  disabled-by-policy
      total session: 1

    As the traffic flows from the server to the client (incoming), the expiration timer is refreshed.
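The three session table snapshots above can be checked mechanically rather than by eye. The following Python script is an added example, not part of this guide or of FortiOS: it parses the "session info:" line that diagnose sys session list prints, and for each pair of consecutive snapshots decides whether the timer was refreshed by comparing duration + expire (while a session is only counting down, expire falls by exactly as much as duration rises, so the sum stays constant; a refresh resets expire toward timeout and the sum jumps). It then compares that observation with what the configured refresh-direction predicts. The sample lines are the ones shown in steps 3, 5 and 7; the assumptions are that only original-direction traffic was sent between the first two snapshots and only reply-direction traffic between the last two (as the procedure states), that the outgoing setting maps to the original direction the way the page describes incoming mapping to the reply direction, and the small SLACK tolerance for timer granularity.

```python
import re

# Constructed sample input: the "session info:" lines from the three
# "diagnose sys session list" runs in the procedure above, in order.
SNAPSHOTS = [
    "session info: proto=17 proto_state=00 duration=77 expire=4923 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3",
    "session info: proto=17 proto_state=00 duration=119 expire=4881 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3",
    "session info: proto=17 proto_state=01 duration=1710 expire=4995 timeout=5001 refresh_dir=reply flags=00000000 socktype=0 sockport=0 av_idx=0 use=3",
]
# Direction of the packets sent between consecutive snapshots (assumption taken
# from the procedure: step 4 is client->server, step 6 is server->client).
TRAFFIC_BETWEEN = ["org", "reply"]

# Timer granularity tolerance (assumption): sums that differ by at most this
# many seconds are treated as "still counting down", not as a refresh.
SLACK = 2

FIELD_RE = re.compile(r"(\w+)=(\S*)")
NUMERIC_FIELDS = ("duration", "expire", "timeout")


def parse_session_info(line):
    """Turn one 'session info:' line into a dict of its key=value fields.

    duration, expire and timeout become ints; everything else stays a string
    (proto_state and flags are hex-like and are not arithmetic values).
    """
    if not line.startswith("session info:"):
        raise ValueError("not a 'session info:' line")
    fields = dict(FIELD_RE.findall(line))
    for key in NUMERIC_FIELDS:
        fields[key] = int(fields[key])
    return fields


def refreshes(refresh_direction, packet_dir):
    """Which packet directions refresh the timer under each config value.

    'incoming' -> reply direction (confirmed by the page); 'outgoing' ->
    original direction (assumed by symmetry); 'both' -> either direction.
    """
    return {
        "both": True,
        "outgoing": packet_dir == "org",
        "incoming": packet_dir == "reply",
    }[refresh_direction]


def timer_was_refreshed(before, after):
    """True if the expiry timer was reset between two snapshots of one session."""
    if after["duration"] < before["duration"]:
        raise ValueError("snapshots are out of order")
    before_sum = before["duration"] + before["expire"]
    after_sum = after["duration"] + after["expire"]
    return after_sum - before_sum > SLACK


def audit(snapshot_lines, traffic_between, refresh_direction):
    """Compare each consecutive snapshot pair with the configured behaviour.

    Returns a list of (packet_dir, expected_refresh, observed_refresh).
    """
    parsed = [parse_session_info(line) for line in snapshot_lines]
    if len(parsed) != len(traffic_between) + 1:
        raise ValueError("need one traffic direction per snapshot interval")
    results = []
    for i, packet_dir in enumerate(traffic_between):
        expected = refreshes(refresh_direction, packet_dir)
        observed = timer_was_refreshed(parsed[i], parsed[i + 1])
        results.append((packet_dir, expected, observed))
    return results


def mismatches(results):
    """Intervals where the observed refresh behaviour contradicts the config."""
    return [r for r in results if r[1] != r[2]]


if __name__ == "__main__":
    for packet_dir, expected, observed in audit(SNAPSHOTS, TRAFFIC_BETWEEN, "incoming"):
        print(f"{packet_dir:5} traffic: expected refresh={expected}, observed refresh={observed}")
    print("mismatches:", mismatches(audit(SNAPSHOTS, TRAFFIC_BETWEEN, "incoming")))
```

Run against the page's output with refresh-direction set to incoming, the audit reports no mismatches: the original-direction interval leaves duration + expire unchanged (77 + 4923 = 119 + 4881 = 5000), and the reply-direction interval raises it to 1710 + 4995. Feeding the same snapshots with "outgoing" flags both intervals, which is the quick way to spot a device whose session TTL entry is not the one you think is matching.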
