[Dr.WoW] [No.6] Appendix to the Stateful Inspection and Session Mechanism

Latest reply: Mar 27, 2015 03:39:19

In section 5 "Stateful Inspection and Session Mechanism", we learned how stateful inspection works and what a 5-tuple is. Now you may have the following questions:

  • Does a firewall session include only the 5-tuple?
  • For which protocols does the firewall establish sessions?
  • Does stateful inspection apply to all network environments?

In this appendix to the previous section, Dr. WoW discusses the stateful inspection and session mechanism further, provides more details about sessions, and summarizes how the firewall processes packets with stateful inspection enabled and with it disabled. Hopefully, this appendix will answer these questions.

1 More About Sessions

Let's again start with a simple network setup, shown in Figure 1-1, where the PC and the Web server are directly connected to the firewall. The firewall has added the ports connected to the PC and to the Web server to different security zones and applied a rule that allows the PC to access the Web server.

Figure 1-1 Network setup for PC-to-Web server access

The PC is accessing the Web server normally. If you run the display firewall session table verbose command on the firewall, you can see that the session has been established successfully. The verbose parameter of this command requests more details about the session.

[FW] display firewall session table verbose

Current Total Sessions : 1
  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:10  Left: 00:00:04
  Interface: GigabitEthernet0/0/2  NextHop: 172.16.0.1  MAC: 54-89-98-fc-36-96
  <--packets:4 bytes:465   -->packets:7 bytes:455
  192.168.0.1:2052-->172.16.0.1:80

In addition to the 5-tuple, the command output includes the following items:

  • Zone: the direction in which packets flow between security zones. trust--> untrust indicates that packets flow from the trust zone to the untrust zone.
  • TTL: session aging time. When the TTL expires, the session is torn down.
  • Left: remaining lifetime of the session.
  • Interface: egress interface of the packets.
  • NextHop: IP address of the next hop toward the packet destination, which is the Web server's IP address in this network setup.
  • MAC: MAC address of the next hop toward the packet destination, which is the Web server's MAC address in this network setup.
  • <--packets:4 bytes:465: packet statistics in the reverse session direction, that is, the number of packets and bytes sent by the Web server to the PC.
  • -->packets:7 bytes:455: packet statistics in the forward session direction, that is, the number of packets and bytes sent by the PC to the Web server.

Among the preceding items, two deserve more attention. The first is the session aging time. A session is generated dynamically and does not exist forever. If a session matches no packets for a long time, the communication peers have probably disconnected and the session is no longer required. To save system resources, the firewall deletes the session after a certain period of time, which is called the session aging time.

The session aging time has to be set properly. If the aging time is too long, system resources are occupied unnecessarily, which affects the establishment of other sessions; if it is too short, the firewall may forcibly tear down a service connection that is still in use. For the different protocols, Huawei firewalls set suitable default aging times, for example, 20s for ICMP sessions and 30s for DNS sessions. Generally, the default aging times ensure that the protocols run properly. If you need to change a default aging time, use the firewall session aging-time command. For example, the following command changes the DNS session aging time to 10s.

[FW] firewall session aging-time dns 10

For some services on live networks, such as SQL database services, two consecutive packets over one connection may be separated by a long interval. When a user retrieves data from an SQL database server, the interval between two retrievals may far exceed the session aging time of the SQL database service. After the firewall ages out the session for this service, the user may experience sluggish or even failed access to the SQL database.

One way to resolve the issue is to extend the session aging time for such services, but other sessions of the same service that do not need the extended aging time would then occupy system resources unnecessarily.

To resolve this issue completely, Huawei firewalls provide the long connection function, which extends the session aging time only for the packets that match specified ACL rules. Compared with extending the protocol-specific session aging time, the long connection function extends the aging time much more precisely. By default, the session aging time for packets to which the long connection function applies is 168 hours (long enough for most cases), and it can also be changed manually.

NOTE

Currently, the long connection function applies only to TCP packets.


The long connection function can be configured within a security zone or between security zones. The following example configures the long connection function between the trust and untrust security zones, specifically for SQL database packets from source IP address 192.168.0.1 to destination IP address 172.16.0.2.

[FW] acl 3000
[FW-acl-adv-3000] rule permit tcp source 192.168.0.1 0 destination 172.16.0.2 0 destination-port eq sqlnet
[FW-acl-adv-3000] quit
[FW] firewall interzone trust untrust
[FW-interzone-trust-untrust] long-link 3000 outbound
WARNING: Too large range of ACL maybe affect the performance of firewall, please use this command carefully!
Are you sure?[Y/N]y
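The interaction between session aging, the aging-time command and the long connection function is easier to see in a small model. The following Python is an added example, not the page's or Huawei's code: every matching packet refreshes a session, a session is removed once its aging time elapses, and a TCP packet that matches a long-connection ACL rule receives the 168-hour aging time instead of the per-service default. The 20s ICMP and 30s DNS defaults are the page's; the "sqlnet" and "tcp" defaults of 600s, the mapping of sqlnet to TCP port 1521 and the 900-second retrieval gap are constructed assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Default aging times in seconds. ICMP and DNS are the values stated on the page;
# "sqlnet" and "tcp" are constructed placeholders for this demo, not real defaults.
DEFAULT_AGING = {"icmp": 20, "dns": 30, "sqlnet": 600, "tcp": 600}
LONG_LINK_AGING = 168 * 3600   # 168 hours: the page's default for long-connection sessions


@dataclass(frozen=True)
class Packet:
    protocol: str      # "tcp", "udp" or "icmp"
    app: str           # service used to look up the aging time ("dns", "sqlnet", ...)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def five_tuple(self):
        return (self.protocol, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


@dataclass(frozen=True)
class LongLinkRule:
    """Models one advanced-ACL rule such as
    'rule permit tcp source 192.168.0.1 0 destination 172.16.0.2 0 destination-port eq sqlnet'."""
    protocol: str
    source: str        # CIDR
    destination: str   # CIDR
    dst_port: int

    def matches(self, pkt):
        return (pkt.protocol == self.protocol
                and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.destination)
                and pkt.dst_port == self.dst_port)


class SessionTable:
    def __init__(self, long_link_rules=()):
        self.aging = dict(DEFAULT_AGING)
        self.long_link_rules = list(long_link_rules)
        self.sessions = {}   # five-tuple -> [aging_seconds, time_of_last_packet]

    def set_aging_time(self, app, seconds):
        """Equivalent of 'firewall session aging-time <app> <seconds>' for new sessions."""
        self.aging[app] = seconds

    def expire(self, now):
        """Remove sessions whose aging time has elapsed since their last packet."""
        for key in [k for k, (aging, last) in self.sessions.items() if now - last >= aging]:
            del self.sessions[key]

    def process(self, pkt, now):
        """Return 'matched' if the packet hit an existing session, else 'created'."""
        self.expire(now)
        key = pkt.five_tuple()
        if key in self.sessions:
            self.sessions[key][1] = now     # traffic refreshes the remaining lifetime
            return "matched"
        # The long connection function applies only to TCP (page NOTE) and only to
        # packets matching one of the bound ACL rules.
        if pkt.protocol == "tcp" and any(r.matches(pkt) for r in self.long_link_rules):
            aging = LONG_LINK_AGING
        else:
            aging = self.aging[pkt.app]
        self.sessions[key] = [aging, now]
        return "created"


# Assumption: the sqlnet keyword corresponds to TCP port 1521.
SQL_RULE = LongLinkRule("tcp", "192.168.0.1/32", "172.16.0.2/32", 1521)
SQL_PACKET = Packet("tcp", "sqlnet", "192.168.0.1", 50000, "172.16.0.2", 1521)


def sql_retrieval_scenario(use_long_link, gap_seconds=900):
    """Two SQL retrievals gap_seconds apart. True if the second retrieval still
    matched the session created by the first (i.e. the session did not age out)."""
    table = SessionTable([SQL_RULE] if use_long_link else [])
    table.process(SQL_PACKET, now=0)
    return table.process(SQL_PACKET, now=gap_seconds) == "matched"


if __name__ == "__main__":
    print("without long connection, session survives the gap:", sql_retrieval_scenario(False))
    print("with long connection, session survives the gap:   ", sql_retrieval_scenario(True))
```

Without the long-connection rule the second retrieval arrives after the 600-second placeholder default and creates a fresh session, which is the condition the page associates with sluggish or failed database access; with the rule bound, only that SQL flow gets the 168-hour aging time while DNS and other sessions keep their short defaults.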


The second item is the packet statistics. Packet statistics in both directions (identified by the <-- and --> symbols) are important for locating network faults. If there are packet statistics only in the "-->" direction but not in the "<--" direction, the PC-to-Web server packets have passed the firewall but the Web server-to-PC packets have not, which indicates a communication anomaly. Possible causes are that the firewall discarded the Web server-to-PC packets, that communication between the firewall and the Web server failed, or that the Web server is malfunctioning. The scope of the fault is thus narrowed down, which makes troubleshooting easier. There are exceptions, of course: in a special network environment, communication may work even though there are no packet statistics in one direction. How special must the environment be? This will be seen in the later sections.
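The field list and the troubleshooting rule above can be turned into an automated check. The following Python is an added example, not the page's or Huawei's code: it parses the verbose session table output into records and flags sessions whose counters show traffic in only one direction. The sample output is constructed from the page's own listings (the healthy HTTP session and the one-directional TCP session from the asymmetric-path setup), and the assumption that each session is printed as one five-line block is the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample output of "display firewall session table verbose", modelled on the
# page's listings: a healthy HTTP session (counters in both directions) followed by the
# one-directional TCP session seen when reply packets take a different path.
SAMPLE_OUTPUT = """\
Current Total Sessions : 2
  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:10  Left: 00:00:04
  Interface: GigabitEthernet0/0/2  NextHop: 172.16.0.1  MAC: 54-89-98-fc-36-96
  <--packets:4 bytes:465   -->packets:7 bytes:455
  192.168.0.1:2052-->172.16.0.1:80
  tcp  VPN:public --> public
  Zone: untrust--> trust  TTL: 00:00:10  Left: 00:00:10
  Interface: GigabitEthernet0/0/1  NextHop: 10.1.2.2  MAC: 54-89-98-e4-79-d5
  <--packets:0 bytes:0   -->packets:5 bytes:509
  172.16.0.1:80-->192.168.0.1:2051
"""


@dataclass
class Session:
    app: str
    src_zone: str
    dst_zone: str
    ttl: int            # aging time, seconds
    left: int           # remaining lifetime, seconds
    interface: str
    next_hop: str
    mac: str
    rev_packets: int    # "<--" counters: reverse direction (server to client)
    rev_bytes: int
    fwd_packets: int    # "-->" counters: forward direction (client to server)
    fwd_bytes: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# One regex per line of a session block; the first line (application + VPN) starts a block.
_APP_RE = re.compile(r"^\s*(\S+)\s+VPN:\S+\s+-->\s+\S+\s*$")
_ZONE_RE = re.compile(r"Zone:\s*(\S+?)\s*-->\s*(\S+)\s+TTL:\s*([\d:]+)\s+Left:\s*([\d:]+)")
_IFACE_RE = re.compile(r"Interface:\s*(\S+)\s+NextHop:\s*(\S+)\s+MAC:\s*(\S+)")
_STATS_RE = re.compile(r"<--packets:(\d+)\s+bytes:(\d+)\s+-->packets:(\d+)\s+bytes:(\d+)")
_TUPLE_RE = re.compile(r"^\s*([\d.]+):(\d+)-->([\d.]+):(\d+)\s*$")


def _to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_sessions(text):
    """Parse the verbose session table into Session records (one per block)."""
    sessions, fields = [], None
    for line in text.splitlines():
        m = _APP_RE.match(line)
        if m:
            fields = {"app": m.group(1)}
            continue
        if fields is None:
            continue                      # header lines such as "Current Total Sessions"
        if m := _ZONE_RE.search(line):
            fields.update(src_zone=m.group(1), dst_zone=m.group(2),
                          ttl=_to_seconds(m.group(3)), left=_to_seconds(m.group(4)))
        elif m := _IFACE_RE.search(line):
            fields.update(interface=m.group(1), next_hop=m.group(2), mac=m.group(3))
        elif m := _STATS_RE.search(line):
            fields.update(rev_packets=int(m.group(1)), rev_bytes=int(m.group(2)),
                          fwd_packets=int(m.group(3)), fwd_bytes=int(m.group(4)))
        elif m := _TUPLE_RE.match(line):
            fields.update(src_ip=m.group(1), src_port=int(m.group(2)),
                          dst_ip=m.group(3), dst_port=int(m.group(4)))
            sessions.append(Session(**fields))   # the 5-tuple line closes the block
            fields = None
    return sessions


def is_one_directional(s):
    """True when packets were counted in exactly one direction: the troubleshooting
    signal described on the page (request or reply traffic not passing the firewall)."""
    return (s.fwd_packets == 0) != (s.rev_packets == 0)


def report_one_directional(text):
    """5-tuples of the sessions whose counters show traffic in only one direction."""
    return [f"{s.src_ip}:{s.src_port}-->{s.dst_ip}:{s.dst_port}"
            for s in parse_sessions(text) if is_one_directional(s)]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(s.app, s.src_zone, "->", s.dst_zone, "one-directional:", is_one_directional(s))
```

As the page notes, a one-directional session is a lead rather than a verdict: on an asymmetric-path network with stateful inspection disabled, the same counter pattern is normal, so the flagged 5-tuples should be read together with the topology.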

2 Stateful Inspection and Session Establishment

The firewall's stateful inspection function treats the packets of one connection as a complete data flow. How is a connection expressed as a session? This requires the firewall to analyze the protocol-specific exchange pattern. The following uses TCP as an example. To set up a TCP connection, the communication peers perform a three-way handshake, as shown in Figure 1-2.

Figure 1-2 Three-way handshakes of TCP

Because a SYN packet marks the start of a TCP connection, it is usually called the head packet. For a TCP connection, the firewall establishes a session only after it receives a SYN packet that the applied rule allows to pass. Subsequent TCP packets that match the session are then forwarded directly. If the firewall receives no SYN packet but only the subsequent SYN+ACK or ACK packets, it establishes no session and discards these packets.

This process works fine except in special network environments. As shown in Figure 1-3, request packets from the internal network go to the external network directly through the router, whereas reply packets from the external network are forwarded by the router to the firewall, which processes them and forwards them back to the router. Finally, the router forwards the reply packets to the internal network. In other words, the firewall receives no SYN packets, only SYN+ACK packets. In this example, request and reply packets are forwarded over different paths.

Figure 1-3 Request and reply packets being forwarded over different paths

In this network environment, the firewall discards the received SYN+ACK packets because no session exists for them. Consequently, communication between the internal and external networks is interrupted. What can be done?

The firewall provides a solution: disabling stateful inspection. After stateful inspection is disabled, the firewall no longer analyzes the connection state, just as a packet filtering firewall does not. It then establishes a session for the packets it receives if the rules (security policies) allow them to pass, which keeps communication uninterrupted.

CAUTION

Disabling stateful inspection changes the firewall's working mode. On live networks, do not disable stateful inspection unless it is really required.

The following uses a network setup where request and reply packets are forwarded over different paths to show how the firewall processes TCP, UDP, and ICMP packets when stateful inspection is enabled and when it is disabled.

TCP

Let's start with TCP. The network setup is simulated in the eNSP. Request packets from the PC reach the Web server through the router; reply packets from the Web server are forwarded to the firewall, then back to the router, and finally to the PC. Figure 1-4 shows the network topology.

NOTE

To simulate this network setup, policy-based routing (PBR) needs to be configured on the router so that the reply packets from the Web server are redirected to the firewall. For details on how to configure PBR, see the router's configuration guides. In addition, a route to the PC needs to be configured on the firewall, and the route's next hop has to be the router's port (assumed IP address: 10.1.2.2) that is connected to the firewall's port GE0/0/1.

Figure 1-4 TCP request and reply packets being forwarded over different paths

The rule listed in Table 1-1 is configured on the firewall to allow the reply packets from the Web server to pass.

Table 1-1 Rule to allow the reply packets from the Web server to pass

No.  Source IP Address  Source Port  Destination IP Address  Destination Port  Action
1    172.16.0.1         80           192.168.0.1             ANY               Permit

When stateful inspection is enabled on the firewall, an attempt by the PC to access the Web server fails, as shown in Figure 1-5.

Figure 1-5 PC's failure to access the Web server

No session information can be found on the firewall.

[FW] display firewall session table
Current Total Sessions : 0


When you run the display firewall statistic system discard command to check packet loss on the firewall, you will find that packets were discarded because of session misses (Session miss packets discarded).

[FW] display firewall statistic system discard
Packets discarded statistic
                            Total packets discarded:   8
                    Session miss packets discarded:   8

This information indicates that the firewall discards packets for which no session can be found. As the firewall receives the reply SYN+ACK packets but no SYN packets, no session exists and the firewall has to discard the SYN+ACK packets.

Then run the undo firewall session link-state check command to disable stateful inspection.

[FW] undo firewall session link-state check

Now an attempt by the PC to access the Web server succeeds, and session information can be found on the firewall.

[FW] display firewall session table verbose
Current Total Sessions : 1
  tcp  VPN:public --> public
  Zone: untrust--> trust  TTL: 00:00:10  Left: 00:00:10
  Interface: GigabitEthernet0/0/1  NextHop: 10.1.2.2  MAC: 54-89-98-e4-79-d5
  <--packets:0 bytes:0   -->packets:5 bytes:509
  172.16.0.1:80-->192.168.0.1:2051

In the session information, there are packet statistics in the "-->" direction but none in the "<--" direction, which means that only the reply packets from the server pass the firewall. We can conclude that after stateful inspection is disabled, the firewall establishes a session for the received SYN+ACK packets, so communication between the PC and the Web server is maintained.

On a network where request and reply packets are forwarded over different paths and stateful inspection is disabled on the firewall, there are no packet statistics in one session direction, yet communication is normal. This is the "special" environment mentioned in the preceding sections. On live networks, no rule applies without exception.

UDP

Now let's look at UDP. Unlike TCP, UDP is a connectionless protocol. The firewall establishes a session for received UDP packets if the rule allows them to pass, regardless of whether stateful inspection is enabled or disabled.

ICMP

Finally, let's look at ICMP. ICMP brings ping tests to mind. Ping tests are commonly used in routine maintenance to check whether a device is reachable on the network. The device that runs the ping test sends an echo request, and the destination device answers with an echo reply.

When stateful inspection is enabled, the firewall establishes a session for a received echo request only if the firewall rule allows it to pass; if it receives an echo reply without having received the corresponding echo request, it establishes no session and discards the echo reply. When stateful inspection is disabled, the firewall establishes a session for either the echo request or the echo reply.

The following is an example of the session information on a network where request and reply packets are forwarded over different paths and stateful inspection is disabled on the firewall.

[FW] display firewall session table verbose
Current Total Sessions : 1
  icmp  VPN:public --> public
  Zone: untrust--> trust  TTL: 00:00:20  Left: 00:00:11
  Interface: GigabitEthernet0/0/1  NextHop: 10.1.2.2  MAC: 54-89-98-e4-79-d5
  <--packets:0 bytes:0   -->packets:1 bytes:60
  172.16.0.1:2048-->192.168.0.1:45117

For other types of ICMP packets, the firewall establishes a session for the received packets if the rule allows them to pass, regardless of whether stateful inspection is enabled or not.

Table 1-2 summarizes how the firewall processes TCP, UDP, and ICMP packets when stateful inspection is enabled or disabled, given that the firewall rule allows the packets to pass.

Table 1-2 Session establishment for TCP, UDP, and ICMP packets

Protocol  Packet Type              Stateful Inspection Enabled                 Stateful Inspection Disabled
TCP       SYN packets              Session established, packets forwarded      Session established, packets forwarded
TCP       SYN+ACK and ACK packets  Session not established, packets discarded  Session established, packets forwarded
UDP       All UDP packets          Session established, packets forwarded      Session established, packets forwarded
ICMP      Ping echo requests       Session established, packets forwarded      Session established, packets forwarded
ICMP      Ping echo replies        Session not established, packets discarded  Session established, packets forwarded
ICMP      Other ICMP packets       Session not established, packets forwarded  Session not established, packets forwarded
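The decisions in Table 1-2, together with the asymmetric-path experiment in Figures 1-4 and 1-5, can be reproduced with a small model. The following Python is an added example, not the page's or Huawei's code: it keeps a session table keyed by a direction-independent 5-tuple, applies the head-packet rule (TCP SYN, any UDP packet, ICMP echo request) when the link-state check is on, and creates sessions for any permitted packet when the check is off. The Packet fields, the decision strings and the use of the ICMP identifier in the port fields (as the session table prints it) are assumptions of the model; for ICMP packets other than echo request and reply it follows the Table 1-2 rows.

```python
from dataclasses import dataclass

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    protocol: str                        # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int                        # for ICMP: the echo identifier (shown in the port field)
    dst_ip: str
    dst_port: int
    tcp_flags: frozenset = frozenset()   # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    icmp_type: int = -1                  # 8 = echo request, 0 = echo reply, other = other ICMP


class StatefulFirewall:
    """Minimal model of the session-establishment decisions in Table 1-2."""

    def __init__(self, link_state_check=True):
        # 'undo firewall session link-state check' corresponds to link_state_check=False
        self.link_state_check = link_state_check
        self.sessions = set()

    @staticmethod
    def _key(pkt):
        # Direction-independent key so reply packets match the session their request created.
        fwd = (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return min(fwd, rev)

    @staticmethod
    def _is_head_packet(pkt):
        """Packets allowed to create a session even with stateful inspection enabled."""
        if pkt.protocol == "tcp":
            return "SYN" in pkt.tcp_flags and "ACK" not in pkt.tcp_flags
        if pkt.protocol == "udp":
            return True
        return pkt.icmp_type == ICMP_ECHO_REQUEST

    def process(self, pkt, policy_permits=True):
        """Return what the firewall does with one packet."""
        if not policy_permits:
            return "discarded (policy)"
        key = self._key(pkt)
        if key in self.sessions:
            return "forwarded (session matched)"
        if pkt.protocol == "icmp" and pkt.icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            # Other ICMP packets: forwarded without a session in both modes (Table 1-2).
            return "forwarded (no session)"
        if self._is_head_packet(pkt) or not self.link_state_check:
            self.sessions.add(key)
            return "forwarded (session created)"
        # SYN+ACK/ACK with no session, or an echo reply without its request, under inspection
        return "discarded (no session)"


def normal_path_scenario():
    """Both directions pass the firewall: the SYN creates the session, the SYN+ACK matches it."""
    fw = StatefulFirewall(link_state_check=True)
    syn = Packet("tcp", "192.168.0.1", 2052, "172.16.0.1", 80, frozenset({"SYN"}))
    syn_ack = Packet("tcp", "172.16.0.1", 80, "192.168.0.1", 2052, frozenset({"SYN", "ACK"}))
    return [fw.process(syn), fw.process(syn_ack)]


def asymmetric_path_scenario(link_state_check):
    """Only the Web server's replies reach the firewall (Figure 1-4): the SYN never
    passes through it. Returns the decisions for the SYN+ACK and a following data segment."""
    fw = StatefulFirewall(link_state_check)
    syn_ack = Packet("tcp", "172.16.0.1", 80, "192.168.0.1", 2051, frozenset({"SYN", "ACK"}))
    data = Packet("tcp", "172.16.0.1", 80, "192.168.0.1", 2051, frozenset({"ACK"}))
    return [fw.process(syn_ack), fw.process(data)]


if __name__ == "__main__":
    print("normal path, inspection on:    ", normal_path_scenario())
    print("asymmetric path, inspection on: ", asymmetric_path_scenario(True))
    print("asymmetric path, inspection off:", asymmetric_path_scenario(False))
```

With the check on, the asymmetric scenario produces exactly the "Session miss packets discarded" outcome shown by display firewall statistic system discard; with it off, the SYN+ACK creates the 172.16.0.1:80-->192.168.0.1:2051 session and the data segment matches it, which is why the session table then shows counters in only one direction.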


The preceding sections explain how the firewall processes TCP, UDP, and ICMP packets when stateful inspection is enabled or disabled, to help you better understand the stateful inspection and session mechanism. The next section describes the essential precautions for configuring security zones and the stateful inspection and session mechanism, and also provides troubleshooting guidelines.


user_2790689
Created Mar 27, 2015 03:39:19

Thank you for sharing.