Originally, a firewall referred to a wall built between houses to prevent fire from spreading. The firewall technology is an important part of security technology. This course discusses hardware firewalls. Hardware firewalls integrate security technologies to protect private networks (computers). To do this, they use the dedicated hardware structure, high-speed CPUs, and embedded OS, and support various high-speed interfaces (LAN interfaces). Hardware firewalls are independent of OSs (such as HP-UNIX, SUN OS, AIX, and NT) and computers (such as the IBM6000 and common PC). Hardware firewalls are used to solve network security problems in a centralized manner. They are applicable to various scenarios and provide efficient filtering. In addition, they provide security features such as access control, identity authentication, data encryption, VPN technology, and address translation. Users can configure security policies based on their network environments to prevent unauthorized access and protect their networks.
The modern firewall system should not be just an "entrance barrier". Firewalls should be the access control points of networks. All data flows entering and leaving the network should pass through the firewall that serves as a gateway for incoming and outgoing information. Therefore, a firewall not only protects the security of an intranet on the Internet, but also protects the security of hosts on the intranet. All computers in a security zone configured on a firewall are considered "trustworthy" and communications between them are not affected by the firewall. However, communications between networks that are separated by a firewall must follow the policies configured on the firewall.
Firewalls have gone through three generations and can be classified in various ways. For example, by form, firewalls can be classified into hardware firewalls and software firewalls; by protection object, into standalone firewalls and network firewalls. The most common classification method is by access control mode.
Network firewalls can protect the entire network in a distributed manner. Their features are as follows:
- Centralized security policies
- Diversified security functions
- Maintenance by dedicated administrators
- Low security risks
- Complicated policy configuration
Packet filtering checks each packet at the network layer and forwards or discards packets based on configured security policies. The basic principle of the packet filtering firewall is to configure ACLs to filter data packets based on the source/destination IP address, source/destination port number, IP identifier, and packet transmission direction in a data packet.
The packet filtering firewall is simple in design, easy to implement, and cost-effective.
The disadvantages of the packet filtering firewall are as follows:
- As ACL complexity and length increase, filtering performance decreases exponentially.
- Static ACL rules cannot meet dynamic security requirements.
- Packet filtering does not check session status or analyze packet data, which makes it easy for attackers to evade. For example, an attacker sets the IP address of their host to an IP address permitted by a packet filter. In this way, packets from the attacker's host can easily pass through the packet filter.
Note: A multi-channel protocol example is FTP. Based on the negotiation of the control channel, FTP generates the dynamic data channel port. Then, data exchange is performed on the data channel.
The proxy applies to the application layer of the network. The proxy checks the services directly transmitted between intranet and Internet users. After the request passes the security policy check, the firewall establishes a connection with the real server on behalf of the Internet user, forwards the Internet user's request, and sends the response packet returned by the real server to the Internet user.
The proxy firewall can completely control the exchange of network information and the session process, achieving high security. Its disadvantages are as follows:
- Software implementation limits its processing speed. Therefore, the proxy firewall is vulnerable to DoS attacks.
- Application-layer proxy must be developed for each protocol. The development period is long, and the upgrade is difficult.
Stateful inspection is an extension of the packet filtering technology. Packets are filtered based on connection status: instead of treating each packet as an independent unit, the firewall considers the historical association between packets. All data flows based on reliable connections (TCP-based data flows) are processed in three phases: client request, server response, and client response (the three-way handshake). This indicates that each data packet does not exist independently, but is closely related to preceding and subsequent packets. The stateful inspection technology was developed based on this status association.
Its mechanism is as follows:
- A stateful inspection firewall uses various session tables to trace activated TCP sessions and pseudo UDP sessions. The ACL determines the sessions to be established. A data packet is forwarded only when it is associated with a session. A pseudo UDP session monitors the status of the UDP connection process. The pseudo UDP session is a virtual connection established for the UDP data flow when UDP packets are processed (UDP is a connectionless protocol).
- The stateful inspection firewall intercepts data packets at the network layer, extracts the status information required by security policies from each application layer, and saves the information to the session table. The session table and subsequent connection requests related to the data packets are analyzed to make proper decisions.
Stateful inspection firewalls have the following advantages:
- Outstanding performance for processing subsequent packets: When checking data packets based on ACLs, a stateful inspection firewall records the connection status of the data flows. The subsequent packets in the data flows do not need to be checked based on the ACLs. Instead, the firewall checks the connection status records of the newly received packets according to the session table. After the check is passed, the connection status record is refreshed to avoid repeatedly checking the data packets with the same connection status. The sequence of records in the connection session table can be adjusted as required, which is different from an ACL whose records are arranged in a fixed sequence. Therefore, a stateful inspection firewall may perform fast search by using algorithms such as a binary tree or a hash algorithm, thereby improving transmission efficiency of the system.
- High security: The connection status list is dynamically managed. After a session is complete, the temporary return packet entry created on the firewall is closed, ensuring real-time security of the internal network. In addition, the stateful inspection firewall uses real-time connection status monitoring technology to identify connection status factors, such as responses, in the session table, which enhances system security.
Mode 1: A firewall only forwards packets and does not perform routing. The two service networks interconnected by the firewall must be in the same network segment. In this mode, the upstream and downstream interfaces of the firewall work at Layer 2 and do not have IP addresses.
This networking mode avoids issues caused by topology changes. The firewall is deployed like a bridge on the network, so there is no need to modify existing configurations. The firewall filters IP packets and protects users on the intranet.
Mode 2: A firewall is located between the intranet and the Internet. The upstream and downstream service interfaces on the firewall work at Layer 3 and must be configured with IP addresses in different network segments. The firewall performs routing on the intranet and Internet, like a router.
In this mode, the firewall supports more security features, such as NAT and UTM, but the original network topology must be modified. For example, the intranet users must modify their gateway configurations, or the route configuration on a router must be modified. Therefore, the design personnel should consider factors such as network reconstruction and service interruption when selecting a networking mode.
As a network security protection mechanism, packet filtering mainly controls the forwarding of various traffic on the network.
A traditional packet-filtering firewall obtains header information (including the source and destination IP addresses, IP-bearing upper-level protocol number, and source and destination port numbers) from a packet to be forwarded, matches the predefined packet-filtering rules, and forwards or discards the packets according to the matching result.
As the packet-filtering firewall matches packets with packet-filtering rules one by one and checks the packets, the forwarding efficiency is low. Currently, a firewall usually uses the stateful inspection mechanism to check the first packet of each connection. If the first packet passes the check (matching a packet-filtering rule), the firewall creates a session and directly forwards subsequent packets according to the session.
The basic function of firewalls is to protect a network from being attacked from any untrusted network while permitting legitimate communication between two networks. Security policies check passing data flows. Only the data flows that match the security policies are allowed to pass through firewalls.
By using firewall security policies, you can control the access rights of the intranet to the Internet and control the access rights of the subnets of different security levels on the intranet. In addition, security policies can control the access to a firewall, for example, by restricting the IP addresses that can be used to log in to the firewall through Telnet and the web UI, and by controlling the communication between the NMS/NTP server and the firewall.
Security policies define rules for processing data flows on a firewall. The firewall processes data flows according to the rules. Therefore, the core functions of security policies are as follows: Filter the traffic passing through the firewall according to the defined rules, and determine the next operation performed on the filtered traffic based on keywords.
In firewall application, security policies are a basic means of network security access to the data flows passing through the firewall, and determine whether subsequent application data flows are processed. The firewall analyzes traffic and retrieves the attributes, including the source security zone, destination security zone, source IP address, source region, destination IP address, destination region, user, service (source port, destination port, and protocol type), application, and schedule.
Early packet-filtering firewalls match packets one by one with packet filtering rules. Firewalls check all received packets to decide whether to allow them to pass through. This mechanism greatly affects the forwarding efficiency and creates forwarding bottlenecks on networks.
Therefore, more and more firewalls use the stateful inspection mechanism for packet filtering. The stateful inspection mechanism checks and forwards packets based on data flows; a firewall checks the first packet of a data flow with packet-filtering rules, and records the result as the status of the data flow. For subsequent packets of the data flow, the firewall determines whether to forward (or perform content security detection) or discard the packets according to the status. This "status" is presented as a session entry. This mechanism improves the detection rate and forwarding efficiency of firewall products and has become the mainstream packet filtering mechanism.
Generally, a firewall checks five elements (quintuple) in an IP packet. They are the source IP address, destination IP address, source port number, destination port number, and protocol type. By checking the quintuple of each IP packet, the firewall can determine the IP packets in one data flow. In addition to the quintuple, an NGFW also checks users, applications, and schedules of packets.
Generally, in the three-way handshake phase, fields in addition to the quintuple in TCP data packets are calculated and checked. After the three-way handshake succeeds, the firewall matches subsequent packets with the quintuple in the session table to determine whether to allow the packets to pass through.
Inspection of the packets that match a session takes much less time than inspection of the packets that do not match any session. After the first packet of a connection is inspected and considered legitimate, a session is created and most subsequent packets are not inspected. This is where a stateful inspection firewall outperforms a packet filtering firewall in inspection and forwarding efficiency.
For TCP packets:
- If stateful inspection is enabled and the first packet is a SYN packet, a session is created. If the first packet is not a SYN packet and does not match any session, the packet is discarded, and no session is created.
- If stateful inspection is disabled, a session is created as long as a packet that does not match any session passes the inspections.
For UDP packets:
- UDP is a connectionless protocol. If a UDP packet does not match any session and passes the inspections, a session is created.
For ICMP packets:
- If stateful inspection is enabled, an ICMP echo message does not match any session, and no ICMP reply is sent in response, the ICMP echo message is discarded.
- If stateful inspection is disabled, an ICMP echo message does not match any session, and no ICMP reply is sent in response, the ICMP echo message is processed as the first packet.
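The first-packet / subsequent-packet split and the TCP, UDP and ICMP first-packet rules above, modelled as a small stateful inspection engine. This is an added example, not code from the original course or from any vendor product; the rule syntax, TTL values, addresses and packets are constructed for the example, and the ICMP handling is simplified to "an echo reply needs a recorded echo request".

```python
"""Toy stateful inspection engine (added example, not vendor code).

Models the first-packet / subsequent-packet split described above: the first
packet of a flow is matched against ordered filtering rules; when a rule
permits it a session keyed on the quintuple is created; later packets in
either direction are forwarded on the session alone without another rule
lookup; with stateful inspection enabled a TCP flow may only start with a
SYN and an ICMP echo reply needs a matching request; UDP gets a pseudo
session; sessions age out when their TTL runs down. Rules, addresses and
packets are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str            # "tcp", "udp" or "icmp"
    tcp_flags: int = 0
    icmp_type: int = 8    # 8 = echo request, 0 = echo reply

    def quintuple(self) -> Tuple:
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def reverse(self) -> Tuple:
        return (self.dst, self.src, self.dport, self.sport, self.proto)


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src_net: str = "any"           # CIDR or "any"
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        in_net = (self.src_net == "any" or
                  ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net, strict=False))
        return (in_net
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dport))


@dataclass
class Session:
    key: Tuple
    ttl: int              # configured lifetime
    left: int             # remaining lifetime, refreshed by every matching packet
    fwd_packets: int = 0
    rev_packets: int = 0


class StatefulFirewall:
    def __init__(self, rules, stateful=True, tcp_ttl=1200, udp_ttl=120, icmp_ttl=20):
        self.rules = rules
        self.stateful = stateful
        self.ttl = {"tcp": tcp_ttl, "udp": udp_ttl, "icmp": icmp_ttl}
        self.sessions = {}       # session table keyed on the quintuple of the first packet
        self.rule_lookups = 0    # how often the slow, first-packet path ran

    def first_match(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"            # nothing matched: implicit deny

    def process(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' and update the session table."""
        sess = self.sessions.get(pkt.quintuple())
        if sess:                 # subsequent packet, client -> server
            sess.fwd_packets += 1
            sess.left = sess.ttl
            return "forward"
        sess = self.sessions.get(pkt.reverse())
        if sess:                 # subsequent packet, server -> client
            sess.rev_packets += 1
            sess.left = sess.ttl
            return "forward"
        if self.stateful:        # first-packet plausibility checks
            if pkt.proto == "tcp" and not (pkt.tcp_flags & SYN and not pkt.tcp_flags & ACK):
                return "drop"    # mid-stream TCP segment with no session
            if pkt.proto == "icmp" and pkt.icmp_type != 8:
                return "drop"    # reply without a recorded request
        self.rule_lookups += 1
        if self.first_match(pkt) != "permit":
            return "drop"
        ttl = self.ttl[pkt.proto]
        self.sessions[pkt.quintuple()] = Session(pkt.quintuple(), ttl, ttl, fwd_packets=1)
        return "forward"

    def age(self, seconds: int) -> None:
        """Advance time; sessions whose remaining lifetime hits zero are removed."""
        for key in list(self.sessions):
            self.sessions[key].left -= seconds
            if self.sessions[key].left <= 0:
                del self.sessions[key]
```

The `rule_lookups` counter makes the efficiency argument visible: a whole TCP handshake costs one rule lookup, and a stray mid-stream segment costs none because it is dropped before the rules are consulted.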
Sessions are the basis of a stateful inspection firewall. A session is created for each data flow passing through the firewall. With the quintuple (source and destination IP addresses, source and destination ports, and protocol number) used as the key value, a dynamic session table is created to ensure the security of data flows forwarded between zones. The NGFW extends the quintuple with two elements: user and application.
The session table on an NGFW contains seven elements:
- Source IP address
- Source port
- Destination IP address
- Destination port
- Protocol number
- User
- Application
Description of the display firewall session table command output
- current total sessions: Number of current sessions
- telnet/http: Protocol name
- VPN:public-->public: VPN instance name and direction (source to destination)
- 192.168.3.1:2855-->192.168.3.2:23: Session table information
Description of the display firewall session table verbose command output
- current total sessions: Number of current sessions
- http: Protocol name
- VPN:public-->public: VPN instance name and direction (source to destination)
- ID: Current session ID
- zone:trust-->local: Security zones involved in the session (source zone to destination zone)
- TTL: Time to live of the session
- Left: Remaining TTL of the session
- Output-interface: Outbound interface
- NextHop: IP address of the next hop
- MAC: MAC address of the next hop
- <--packets:3073 bytes:3251431: Number of packets (including fragments) and bytes in the inbound direction of the session
- -->packets:2881 bytes:705651: Number of packets (including fragments) and bytes in the outbound direction of the session
- PolicyName: Name of the security policy matched by the packets
In the first-packet process, the firewall matches the packet with security policies. In the subsequent-packet process, the firewall does not match the packets with security policies.
When traffic passes through an NGFW, the NGFW matches the traffic with security policies as follows:
- The NGFW analyzes traffic and retrieves the attributes, including the source security zone, destination security zone, source IP address, source region, destination IP address, destination region, user, service (source port, destination port, and protocol type), application, and schedule.
- The NGFW compares the traffic attributes with the conditions defined in security policies. If all conditions of a security policy are matched, the traffic matches the security policy. If one or more conditions are not met, the NGFW matches the traffic attributes with the conditions defined in the next policy. If none of the policies matches, the NGFW takes the action defined in the default policy (deny by default).
- If the traffic matches a security policy, the NGFW performs the action defined in the policy on the traffic. If the action is deny, the NGFW blocks the traffic. If the action is permit, the NGFW checks whether the policy references a profile. If yes, go to the next step. If no, the traffic is permitted.
- If profiles are referenced in the policy and the action defined in the policy is permit, the NGFW performs integrated checks on the content carried over the traffic.
The integrated check inspects the content carried over the traffic based on the conditions defined in the referenced profile and takes an appropriate action based on the check result. If any security profile denies the traffic, the NGFW blocks the traffic. If all profiles permit the traffic, the NGFW allows the traffic through.
Compared with conventional security policies, the security policies on NGFWs can:
- Distinguish between employees from different departments based on "users", making network management more flexible and visualized.
- Distinguish between applications (such as web IM and web game) using the same protocol (such as HTTP), achieving refined network management.
- Inspect content security and block viruses and hacker intrusions to better protect internal networks.
Procedure for creating a security zone:
- Choose Network > Zone.
- Click Add.
- Set security zone parameters.
The firewall can identify traffic attributes and match the attributes with security policy conditions. If all conditions of a security policy are matched, the traffic matches the security policy. The firewall takes the action defined in the matched security policy on the traffic.
If the action is permit, the firewall inspects the traffic content. If the traffic passes the content security inspection, the traffic is allowed to pass through. If not, the traffic is denied.
If the action is deny, the traffic is denied.
Procedure for configuring the address and address group on the web UI:
- Choose Object > Address > Address (or Address Group).
- Click Add and set the parameters of the address (or address group).
- Click OK. The created address (or address group) is displayed.
Procedure for configuring the region and region group on the web UI:
- Choose Object > Region > Region (or Region Group).
- Click Add to set the parameters of the region (or region group).
- Click OK. The created region (or region group) is displayed.
Predefined services are generally well-known protocols, such as HTTP, FTP, and Telnet. Predefined services cannot be deleted.
Procedure for configuring services and service groups on the web UI:
- Choose Object > Service > Service (or Service Group).
- Click Add and set the parameters of the user-defined service.
- Click OK. The created service (or service group) is displayed.
Procedure for configuring applications and application groups on the web UI:
- Choose Object > Application > Application (or Application Group).
- Click Add and set the parameters of the user-defined application.
- Click OK. The created application (or application group) is displayed.
Procedure for configuring a schedule on the web UI:
- Choose Object > Schedule.
- Click Add.
- Enter the name of the schedule list to be created.
- Add schedules to the list.
- Click OK.
Procedure for configuring a security policy on the web UI:
- Choose Policy > Security Policy > Security Policy.
- Click Add.
- Enter the name and description of the security policy.
- Define the matching conditions of the security policy.
- Set the action of the security policy.
- Configure the security policy to reference content security profiles.
- Click OK.
Configuration roadmap:
- Plan security policies: The network segment 192.168.5.0/24 is permitted, but several IP addresses within the range are denied. In this case, configure two forwarding policies. The first forwarding policy denies the specific IP addresses and the second forwarding policy allows the entire network segment. If the configuration sequence is reversed, the special IP addresses will match the permit policy and the packets pass through the firewall.
- Plan address groups: It is required to control access permissions by IP address. Specify IP addresses as the matching conditions in the forwarding policies. Consecutive address segments can be directly configured in a policy. For inconsecutive addresses, you are advised to add them to an address group, so that the addresses can be controlled in a unified manner and the address group can be referenced by policies. In this example, the special IP addresses can be configured as an address group.
- Configure forwarding policies to control Internet access permissions.
Security policy configuration roadmap:
- Determine security zones, connect interfaces, and assign the interfaces to the security zones.
- Classify employees by source IP address or user.
- Use security policies to determine the permissions of user groups and then those of privileged users. You must specify the source security zones and addresses of users, destination security zones and addresses of users, services and applications that the users can access, and schedules in which the policies take effect. To allow a certain type of network access, set the action of the security policy to permit. To disable network access, set the action of the security policy to deny.
- Determine which types of traffic need content security inspection and what items need to be inspected.
- List the parameters in the security policies, sort the policies from the most specific to the least specific, and configure security policies in this order.
The configuration of the ip_deny address group is as follows:
- [sysname] ip address-set ip_deny type object
- [sysname-object-address-set-ip_deny] address 0 192.168.5.2 0
- [sysname-object-address-set-ip_deny] address 1 192.168.5.3 0
- [sysname-object-address-set-ip_deny] address 2 192.168.5.6 0
Configure address group ip_deny and add the IP addresses that are not allowed to access the Internet to this address group.
- Choose Object > Address > Address.
- Click Add and set address parameters.
- Click OK. The added addresses are displayed.
Configure a security policy for denying the access from the IP addresses in address group ip_deny to the Internet. Set Source Address to ip_deny and Action to Deny.
Configure a security policy to allow access from the 192.168.5.0/24 network segment to the Internet. Set Source Address to 192.168.5.0/24 and Action to Permit.
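The policy matching procedure described earlier (all conditions must match, first match wins, default deny, profiles run only on permit), applied to the ip_deny / 192.168.5.0/24 roadmap so that the effect of policy order can be checked, plus a spot check for later policies that an earlier one already covers. This is an added example, not the course's or any vendor's code; the zone names, the address group contents and the sample flows are constructed for the example.

```python
"""Ordered security-policy matching (added example, not vendor code).

The flow's attributes are compared with each policy's conditions in order,
the first policy whose conditions all match decides the action (plus the
content-security profiles to run on a permit), and a flow matching no policy
hits the default deny. The sample policies reproduce the ip_deny /
192.168.5.0/24 roadmap; shadowed_hosts() spot-checks a policy list for later
policies an earlier one already covers. Zones, group contents and flows are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    user: str = ""
    app: str = ""


@dataclass
class Policy:
    name: str
    action: str                                   # "permit" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    src_addr: Set[str] = field(default_factory=lambda: {"any"})  # CIDRs or group names
    dst_addr: Set[str] = field(default_factory=lambda: {"any"})
    service: Optional[Tuple[str, int]] = None     # (proto, dst_port); None = any
    user: Optional[str] = None
    app: Optional[str] = None
    profiles: List[str] = field(default_factory=list)


class PolicyEngine:
    def __init__(self, policies: List[Policy], address_groups: Dict[str, Set[str]] = None):
        self.policies = policies
        self.groups = address_groups or {}

    def _addr_match(self, ip: str, selectors: Set[str]) -> bool:
        addr = ipaddress.ip_address(ip)
        for sel in selectors:
            if sel == "any":
                return True
            for net in self.groups.get(sel, {sel}):   # expand a group name or take the literal
                if addr in ipaddress.ip_network(net, strict=False):
                    return True
        return False

    def matches(self, pol: Policy, flow: Flow) -> bool:
        """All conditions of a policy must hold for the flow to match it."""
        return (pol.src_zone in ("any", flow.src_zone)
                and pol.dst_zone in ("any", flow.dst_zone)
                and self._addr_match(flow.src_ip, pol.src_addr)
                and self._addr_match(flow.dst_ip, pol.dst_addr)
                and (pol.service is None or pol.service == (flow.proto, flow.dst_port))
                and (pol.user is None or pol.user == flow.user)
                and (pol.app is None or pol.app == flow.app))

    def decide(self, flow: Flow):
        """Return (policy name, action, profiles to apply) for the first match."""
        for pol in self.policies:
            if self.matches(pol, flow):
                profiles = list(pol.profiles) if pol.action == "permit" else []
                return pol.name, pol.action, profiles
        return "default", "deny", []          # default policy: deny


def shadowed_hosts(engine: PolicyEngine):
    """Spot-check for shadowing: probe the network address of each source
    address of a policy against the policies placed before it. A hit means the
    later policy can never decide traffic from that host."""
    report = []
    for i, pol in enumerate(engine.policies):
        for sel in sorted(pol.src_addr):
            if sel == "any":
                continue
            for net in sorted(engine.groups.get(sel, {sel})):
                host = str(ipaddress.ip_network(net, strict=False).network_address)
                proto, port = pol.service or ("tcp", 443)
                probe = Flow(pol.src_zone, pol.dst_zone, host, "203.0.113.10", port, proto)
                if any(engine.matches(earlier, probe) for earlier in engine.policies[:i]):
                    report.append((pol.name, host))
    return report


# Address group from the roadmap: the hosts that must not reach the Internet.
GROUPS = {"ip_deny": {"192.168.5.2/32", "192.168.5.3/32", "192.168.5.6/32"}}

# Correct order: the specific deny precedes the broad permit.
CORRECT_ORDER = [
    Policy("deny_special_hosts", "deny", "trust", "untrust", {"ip_deny"}),
    Policy("permit_office_lan", "permit", "trust", "untrust", {"192.168.5.0/24"},
           profiles=["av", "ips"]),
]
REVERSED_ORDER = list(reversed(CORRECT_ORDER))


def internet_flow(src_ip: str) -> Flow:
    """Constructed trust->untrust HTTPS flow from the given intranet host."""
    return Flow("trust", "untrust", src_ip, "203.0.113.10", 443, "tcp")
```

With REVERSED_ORDER the deny policy is shadowed for all three hosts and 192.168.5.2 reaches the Internet, which is exactly the misconfiguration the roadmap warns about.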
Most multimedia application protocols (such as H.323 and SIP), FTP, and NetMeeting use prescribed ports to initialize a control connection and then dynamically select a port for data transmission. Port selection is unpredictable, and an application may use more than one port at a time. Packet filtering firewalls can use ACLs to match applications of single-channel protocols to prevent network attacks. However, ACLs can control only applications using fixed ports. Multi-channel protocol applications that use random ports bring security risks.
ASPF maintains information about connections in its own data structure and uses the information to create temporary rules. ASPF stores status information that cannot be stored in ACLs. A firewall checks each packet in a data flow to ensure that the packet status and packet comply with user-defined security rules. The status information of connections is used to intelligently permit or deny packets. When a session is closed, the ASPF session management module deletes this session from its session table and closes it in the session table of the firewall.
For TCP connections, ASPF can dynamically detect TCP three-way handshake and the handshake for connection termination to ensure normal TCP access. The packets of incomplete TCP handshake connections are rejected.
UDP is a connectionless protocol. Therefore, there is no UDP connection. ASPF is connection-based. It checks the source IP address, destination IP address, and port of a UDP packet and determines whether the packet is similar to other UDP packets received within a specific period. If the packet is similar, ASPF determines that these packets are over the same connection.
ACL-based IP packet filtering technology is widely used for access control. This technology is simple but lacks flexibility and is unable to competently protect complex networks. For example, for the multi-channel protocols using FTP for communication, it is difficult to configure the rules of the firewall.
ASPF enables the firewall to support the protocols of multiple data connections over one control channel. It also supports various security policies in very complex application scenarios. ASPF monitors the port used by each application connection, opens an appropriate path to permit the data in a session, and closes this path at the end of the session. In this way, the firewall can control the access of applications using dynamic ports.
In a multi-channel protocol, for example, FTP, the control channel is separated from the data channel. The data channel is dynamically negotiated by control packets. To prevent the data channel from being disconnected by other rules, such as ACLs, a channel must be temporarily enabled. This is why the server map is applied.
FTP establishes a TCP control channel with predefined ports and a dynamically negotiated TCP data channel. For a common packet filtering firewall, you cannot obtain the port number of the data channel when configuring security policies, and therefore cannot determine the ingress of the data channel. In this case, precise security policies cannot be configured. ASPF resolves this problem. It detects application-layer information and dynamically creates and deletes temporary rules based on packet content to allow or deny packets.
According to the figure, the server map entry is generated during the dynamic detection of the FTP control channel. When a packet passes through the firewall, ASPF compares the packet with the specified access rules. If the rules permit it, the packet is checked further; otherwise, the packet is discarded. If the packet is used to establish a new control or data connection, ASPF dynamically creates a server map entry. Return packets can pass through the firewall only when they have a matching server map entry. When processing return packets, the firewall updates the status table. When a connection is closed or times out, the corresponding status table entry is deleted to block unauthorized packets. Therefore, the ASPF technology can accurately protect the network even in complicated application scenarios.
The server map is a mapping relationship. If a data connection matches a dynamic server map entry, the firewall does not need to search for a packet filtering policy. This mechanism ensures normal forwarding of some special applications. In another case, if a data connection matches the server map table, the IP address and port number in the packet are translated.
The server map is used only for checking the first packet. After a connection is established, packets are forwarded based on the session table.
Currently, the firewall generates server map entries in the following situations:
- Server map entries generated when the firewall forwards the traffic of multi-channel protocols, such as FTP and RTSP, after ASPF is configured
- Triplet server map entries generated when the firewall forwards the traffic of Simple Traversal of UDP Through NAT (STUN) protocols, such as MSN and TFTP, after ASPF is configured
- Static server map entries generated when NAT server mapping is configured
- Dynamic server map entries generated when NAT No-PAT is configured
- Dynamic server map entries generated when NAT full-cone is configured
- Dynamic server map entries generated when PCP is configured
- Static server map entries generated when server load balancing (SLB) is configured
- Dynamic server map entries generated when NAT Server is configured in DS-Lite scenarios
- Static server map entries generated when static NAT64 is configured
The data connection of a multi-channel protocol is negotiated on the control connection. Therefore, source and destination ports of the data connection are dynamically negotiated. After ASPF is configured, the firewall identifies the negotiation of the control channel, and dynamically creates a server map entry according to the address information in the key packet payload being queried during the connection initiation of the data channel. The server map entry contains information about the negotiated data channel.
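The FTP case described above, worked through as code: the control channel is inspected for the address and port negotiated in a PORT command (active mode) or in the 227 reply to PASV (passive mode), a temporary server map entry describing the expected data connection is created, and the first packet of a data connection is admitted only if it matches such an entry. This is an added example, not the course's or any vendor's implementation; the entry lifetime, the one-use rule for entries and all addresses and payloads are constructed for the example.

```python
"""ASPF-style server map for FTP (added example, not vendor code).

The PORT command and the 227 PASV reply are parsed from control-channel
payloads, a server-map entry for the negotiated data connection is created,
and the first packet of a data connection is let through only if it matches
an entry. An entry is consumed by the data connection it describes and
dropped when its lifetime ends. The data-channel address must belong to the
control-channel peer that announced it. Addresses, ports and payloads are
constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$", re.M)
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", re.M)


def _host_port(groups) -> tuple:
    """Decode the FTP h1,h2,h3,h4,p1,p2 address form into (ip, port)."""
    a, b, c, d, p1, p2 = (int(g) for g in groups)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


@dataclass(frozen=True)
class ServerMapEntry:
    src_ip: str        # initiator of the expected data connection
    dst_ip: str        # listener announced on the control channel
    dst_port: int
    proto: str = "tcp"


class FtpAspf:
    def __init__(self, lifetime: int = 30):
        self.lifetime = lifetime
        self.server_map: Dict[ServerMapEntry, int] = {}   # entry -> expiry time

    def inspect_control(self, client_ip: str, server_ip: str, payload: bytes,
                        now: int, client_to_server: bool = True) -> List[ServerMapEntry]:
        """Parse one control-channel segment and create server-map entries."""
        created = []
        if client_to_server:
            # Active mode: the client announces where the server must connect.
            for m in PORT_RE.finditer(payload):
                ip, port = _host_port(m.groups())
                if ip == client_ip:            # only accept the client's own address
                    created.append(ServerMapEntry(server_ip, ip, port))
        else:
            # Passive mode: the server announces where the client must connect.
            for m in PASV_RE.finditer(payload):
                ip, port = _host_port(m.groups())
                if ip == server_ip:            # only accept the server's own address
                    created.append(ServerMapEntry(client_ip, ip, port))
        for entry in created:
            self.server_map[entry] = now + self.lifetime
        return created

    def admit_data_first_packet(self, src_ip: str, dst_ip: str, dst_port: int, now: int) -> bool:
        """Decide the first packet of a TCP data connection and consume the entry."""
        self.expire(now)
        entry = ServerMapEntry(src_ip, dst_ip, dst_port)
        if entry in self.server_map:
            del self.server_map[entry]          # one data connection per negotiation
            return True
        return False

    def expire(self, now: int) -> None:
        """Remove entries whose lifetime has ended without a data connection."""
        for entry in [e for e, t in self.server_map.items() if t <= now]:
            del self.server_map[entry]
```

Once the data connection's first packet is admitted, the session table takes over for its subsequent packets, which is why the entry can be deleted immediately.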
After an MSN user logs in, the IP address and port of the user are determined, but those of the other party that may initiate a connection to the user are unknown. If you configure ASPF, the firewall records the IP address and port of the user and generates a dynamic server map entry when the MSN user is connected to the server. The server map entry contains only triplet information: IP address, port number, and protocol number of one communications party. In this way, other users can directly adopt the IP address and port to communicate with this user.
After NAT Server is configured, Internet users can initiate access requests to the intranet server. The IP addresses and ports of the users are unknown, but the IP address of the intranet server and the port are known. Therefore, after NAT Server is successfully configured, the firewall automatically generates the server map entry to save the mapping relationship between the public and private IP addresses. The firewall translates the IP address of the packet and forwards the packet according to the mapping relationship. A pair of forward and reverse static server map entries are generated for each valid NAT Server configuration. For SLB, as multiple intranet servers use the same public IP address, the firewall creates server map entries similar to those of NAT Server. If the number of intranet servers is N, the firewall creates one server map entry for forward traffic and N server map entries for reverse traffic.
If you configure NAT and specify the No-PAT parameter, the firewall translates only the IP addresses but not the port numbers. All port numbers used by private IP addresses are mapped to the port number used by the public address. Internet users can initiate connections to any port used by an intranet user. After NAT No-PAT is configured, the firewall creates server map entries for the data flows to maintain the mapping between the private and public IP addresses. Then the firewall translates IP addresses and forwards packets according to the mappings.
Port identification, also called port mapping, is used by the firewall to identify application-layer protocol packets that use non-standard ports. Port mapping supports the following application-layer protocols: FTP, HTTP, RTSP, PPTP, MGCP, MMS, SMTP, H323, SIP, and SQLNET.
Port mapping is implemented based on ACLs. Only the packets matching an ACL rule are mapped. Port mapping uses basic ACLs (ACLs 2000 to 2999). In ACL-based packet filtering, the firewall matches the destination IP addresses of packets with the source IP addresses in basic ACLs.
An ACL is a collection of sequential rules used by a device to filter network traffic. Each rule contains a filter element that is based on criteria such as the source IP address, destination IP address, and port number of a packet. An ACL classifies packets based on rules. After the rules are applied to a router, the router determines whether a packet is permitted or denied in accordance with these rules.
ACLs are classified into the following types:
- Basic ACLs (2000 to 2999): A basic ACL matches traffic only by source IP address and schedule. It applies to simple matching scenarios.
- Advanced ACLs (3000 to 3999): Traffic is matched by source IP address, destination IP address, ToS, schedule, protocol type, priority, ICMP packet type, and ICMP packet code. In most functions, advanced ACLs can be used for accurate traffic matching.
- MAC address-based ACLs (4000 to 4999): Traffic is matched by source MAC address, destination MAC address, CoS, and protocol code.
- Hardware packet filtering ACLs (9000 to 9499): After a hardware packet filtering ACL is delivered to an interface card, the interface card filters packets in hardware, which is faster than common software-based packet filtering and consumes fewer system resources. Hardware packet filtering ACLs can match traffic based on the source IP address, destination IP address, source MAC address, destination MAC address, CoS, and protocol type.
Port mapping applies only to traffic between two security zones (an interzone); therefore, when configuring port mapping, you must first configure the security zones and the interzone.
Thinking: Which object in the application system is matched by the ACLs?
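The following is an added example, not code from this course or from any firewall vendor: it resolves the application-layer protocol of a packet through a port mapping that references a basic ACL, as described in the paragraphs above. It makes three points concrete: the packet's destination address is tested against the ACL rule's source field, the ACL must be a basic one (2000 to 2999), and a mapping applies only inside its interzone. The wildcard-mask semantics (0 bits must match, 1 bits are ignored), the first-match rule order, the ACL numbers, ports, zones and addresses are all constructed sample values and assumptions for this example.

```python
# Added example (not the course's or any vendor's code): how port mapping resolves an
# application protocol on a non-standard port through a basic ACL. Sample values only.
import ipaddress


def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))


def rule_matches(rule, addr):
    """Wildcard mask as in ACL rules: 0 bits must match, 1 bits are don't-care."""
    care = ~ip2int(rule["wildcard"]) & 0xFFFFFFFF
    return (ip2int(addr) & care) == (ip2int(rule["source"]) & care)


def basic_acl_permits(acl, addr):
    """Rules are checked in order (assumed first-match); no matching rule = no match."""
    if not 2000 <= acl["number"] <= 2999:
        raise ValueError("port mapping needs a basic ACL (2000-2999), got %d" % acl["number"])
    for rule in acl["rules"]:
        if rule_matches(rule, addr):
            return rule["action"] == "permit"
    return False


# Well-known ports for some of the protocols port mapping supports (fallback when no
# mapping applies); only a subset is listed here.
STANDARD_PORTS = {21: "FTP", 25: "SMTP", 80: "HTTP", 554: "RTSP", 1720: "H323",
                  1723: "PPTP", 5060: "SIP", 1521: "SQLNET"}


def identify_application(pkt, mappings, acls):
    """pkt: dict with src, dst, dport, src_zone, dst_zone.
    mappings: list of dicts {application, port, acl, interzone}.
    The packet's DESTINATION address is tested against the SOURCE field of the
    basic ACL rules: the ACL names the server being reached, not the client."""
    for m in mappings:
        if m["port"] != pkt["dport"]:
            continue
        if set(m["interzone"]) != {pkt["src_zone"], pkt["dst_zone"]}:
            continue                      # port mapping applies only within its interzone
        if basic_acl_permits(acls[m["acl"]], pkt["dst"]):
            return m["application"]
    return STANDARD_PORTS.get(pkt["dport"])


if __name__ == "__main__":
    # Constructed sample: FTP on port 8021 for the servers in 10.1.1.0/24, untrust -> trust
    acls = {2001: {"number": 2001, "rules": [
        {"action": "permit", "source": "10.1.1.0", "wildcard": "0.0.0.255"}]}}
    mappings = [{"application": "FTP", "port": 8021, "acl": 2001,
                 "interzone": ("untrust", "trust")}]
    pkt = {"src": "198.51.100.7", "dst": "10.1.1.10", "dport": 8021,
           "src_zone": "untrust", "dst_zone": "trust"}
    print(identify_application(pkt, mappings, acls))
```

A practical consequence of the matching direction: writing the client's address into the ACL, as one would for ordinary packet filtering, makes the mapping silently never apply, and the non-standard-port traffic is then handled without its application-layer inspection.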
When a network device transmits a packet whose length exceeds the Maximum Transmission Unit (MTU) configured on the device, the packet is fragmented before transmission. Ideally the fragments arrive in order, but on a real network the first fragment may not be the first to reach the firewall. This matters because only the first fragment carries the transport-layer header (the port numbers) that the firewall needs to create a session; a later fragment that arrives first cannot be matched to any session and would have to be discarded. To keep the session intact, the firewall caches fragments by default: fragments that arrive before the first fragment are held in the fragment hash list, and when the first fragment arrives the firewall creates the session and forwards all the fragments. If the first fragment does not arrive within the configured aging time, the firewall discards the cached fragments.
In VPN applications such as IPSec and GRE, the firewall can process a fragmented packet further only after it has reassembled it and then decrypted or decapsulated it. The fragment cache function must therefore be configured on the firewall to reassemble packets so that they can be encrypted or decrypted. In NAT applications the firewall likewise can translate the address of a fragmented packet only after reassembling the fragments, so the fragment cache function is also required there.
The function of directly forwarding fragments applies only when NAT is not performed. After this function is enabled, the firewall forwards received fragments directly, without creating a session for them.
- Set the aging time for the fragment cache:
- firewall session aging-time fragment interval (1 to 40000, in seconds)
- Enable or disable direct forwarding of fragments:
- firewall fragment-forward { enable | disable }
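The following is an added example, not code from this course or from any firewall product: a simulation of the fragment handling described above. Non-first fragments that arrive before the first fragment are held in a per-datagram fragment hash list, the first fragment (offset 0, the only one with port numbers) creates the session and releases them, and cached entries whose first fragment never arrives are discarded once the aging time has passed. It also shows the two configuration knobs listed above as flags: caching off (out-of-order fragments are dropped) and direct forwarding on (fragments pass without a session). The aging value, keying of the hash list on (source, destination, identification) and all fragments are constructed sample data.

```python
# Added example (not from the course or any vendor): a simulation of the fragment cache
# with out-of-order arrival, aging, and the "direct forwarding" option. Sample data only.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int        # IP identification field, shared by all fragments of one datagram
    offset: int       # fragment offset; 0 marks the first fragment
    sport: int = 0    # transport ports are present only in the first fragment
    dport: int = 0


class FragmentHandler:
    def __init__(self, cache_enabled=True, fragment_forward=False, aging=30):
        self.cache_enabled = cache_enabled        # fragment cache (on by default)
        self.fragment_forward = fragment_forward  # "firewall fragment-forward enable"
        self.aging = aging                        # "firewall session aging-time fragment"
        self.sessions = {}                        # (src, dst, ident) -> 4-tuple of the flow
        self.cache = defaultdict(list)            # fragment hash list, keyed per datagram
        self.cached_since = {}                    # when the first cached fragment arrived
        self.forwarded = []
        self.dropped = []

    def receive(self, frag, now):
        """Handle one fragment arriving at time `now`; returns forward/cache/drop."""
        if self.fragment_forward:                 # no NAT: forward without any session
            self.forwarded.append(frag)
            return "forward"
        key = (frag.src, frag.dst, frag.ident)
        if frag.offset == 0:                      # first fragment: create the session
            self.sessions[key] = (frag.src, frag.sport, frag.dst, frag.dport)
            self.forwarded.append(frag)
            self.forwarded.extend(self.cache.pop(key, []))   # release cached fragments
            self.cached_since.pop(key, None)
            return "forward"
        if key in self.sessions:                  # session exists: later fragments pass
            self.forwarded.append(frag)
            return "forward"
        if not self.cache_enabled:                # out of order and no cache to hold it
            self.dropped.append(frag)
            return "drop"
        self.cache[key].append(frag)
        self.cached_since.setdefault(key, now)
        return "cache"

    def age(self, now):
        """Discard hash-list entries whose first fragment did not arrive within the aging time."""
        expired = [k for k, t in self.cached_since.items() if now - t > self.aging]
        for k in expired:
            self.dropped.extend(self.cache.pop(k))
            del self.cached_since[k]
        return len(expired)


if __name__ == "__main__":
    fw = FragmentHandler(aging=30)
    first = Fragment("10.1.1.5", "198.51.100.7", 0x1234, 0, sport=40000, dport=4500)
    second = Fragment("10.1.1.5", "198.51.100.7", 0x1234, 185)
    print(fw.receive(second, 0), fw.receive(first, 1), len(fw.forwarded))
```

The aging timer is what bounds the memory an attacker can tie up by sending streams of non-first fragments that never get a first fragment; the simulation's age() method is the equivalent of that clean-up.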
If the interval between two consecutive packets of a TCP session reaching the firewall is longer than the session's aging time, the firewall deletes the session from its session table. Subsequent packets of that session then arrive without a matching session, the firewall discards them, and the connection is interrupted. Some services require sessions that stay idle for long periods. To solve this problem, the firewall supports persistent connections (long links) configured in an interzone: by referencing an ACL that defines the data flows, you can give the sessions of packets matching the ACL rules a long aging time so that the sessions remain usable. The default aging time of a persistent connection is 168 hours.
The persistent connection function applies only to TCP packets.
When stateful inspection is disabled, the firewall also creates session entries for non-first packets, so a packet arriving after its session has aged out simply creates a new session. In this case, you do not need to enable the persistent connection function.
Set the aging time for persistent connections:
- firewall long-link aging-time time
Enable persistent connections on an interzone:
- firewall interzone zone-name1 zone-name2
- long-link acl-number { inbound | outbound }
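The following is an added example, not code from this course or from any firewall product: a session table that shows why an idle TCP session is torn down after its aging time and how a persistent-connection (long-link) rule keeps the sessions it matches alive for 168 hours. It also covers the two caveats above: persistent connections apply to TCP only, and with stateful inspection disabled a non-first packet simply creates a new session. The 168-hour long-link default comes from the page; the ordinary TCP aging time of 600 seconds is an assumed value for the simulation, the ACL is reduced to a destination network and the interzone direction to an explicit zone pair, and all zones and addresses are constructed.

```python
# Added example (not the course's or any vendor's code): session aging with a
# persistent-connection (long-link) rule. TCP_AGING is an assumed sample value;
# LONG_LINK_AGING is the 168-hour default the page states. Sample data only.
import ipaddress

TCP_AGING = 600                   # assumed ordinary TCP idle timeout, seconds (hypothetical)
LONG_LINK_AGING = 168 * 3600      # default persistent-connection aging time: 168 hours


class LongLinkRule:
    """Stands in for 'long-link <acl> inbound|outbound' on an interzone: the ACL is
    reduced to a destination network and the direction to an explicit zone pair."""
    def __init__(self, src_zone, dst_zone, dst_network):
        self.zones = (src_zone, dst_zone)
        self.network = ipaddress.ip_network(dst_network)

    def matches(self, pkt):
        return (pkt["src_zone"], pkt["dst_zone"]) == self.zones and \
            ipaddress.ip_address(pkt["dst"]) in self.network


class SessionTable:
    def __init__(self, long_link_rules=(), stateful=True):
        self.rules = list(long_link_rules)
        self.stateful = stateful        # False models "stateful inspection disabled"
        self.sessions = {}              # 5-tuple -> {"aging": seconds, "expires": time}

    @staticmethod
    def _key(pkt):
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def handle(self, pkt, now):
        """Return 'forward' or 'drop' for a packet arriving at time `now` (seconds).
        pkt["first"] marks the first packet of a flow (the TCP SYN)."""
        key = self._key(pkt)
        sess = self.sessions.get(key)
        if sess is None or now > sess["expires"]:
            self.sessions.pop(key, None)          # aged out: the connection is interrupted
            if self.stateful and not pkt.get("first", False):
                return "drop"                     # non-first packet of an unknown session
            aging = TCP_AGING
            if pkt["proto"] == "tcp" and any(r.matches(pkt) for r in self.rules):
                aging = LONG_LINK_AGING           # persistent connections: TCP only
            sess = self.sessions[key] = {"aging": aging}
        sess["expires"] = now + sess["aging"]     # every packet refreshes the timer
        return "forward"

    def aging_of(self, pkt):
        """Aging time (seconds) of the session this packet belongs to, or None."""
        sess = self.sessions.get(self._key(pkt))
        return None if sess is None else sess["aging"]


if __name__ == "__main__":
    table = SessionTable([LongLinkRule("untrust", "trust", "10.1.1.0/24")])
    syn = {"proto": "tcp", "src": "198.51.100.7", "sport": 50000, "dst": "10.1.1.10",
           "dport": 22, "src_zone": "untrust", "dst_zone": "trust", "first": True}
    print(table.handle(syn, 0), table.aging_of(syn))
```

Because the long-link ACL is evaluated when the session is created, a rule added after a session already exists does not rescue that session; the client has to reconnect so that the session is created with the long aging time.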
Ref: [1]