Ruijie RG-WLAN Series User Manual

1243 pages
Configuration Guide Configuring FPM
2.3.3 Flow Entry Aging
2.3.3.1 Working Principle
Flow entry aging means that the device actively withdraws a flow entry when no data has been exchanged on it for a certain period of time. If a session attack occurs, the flow table fills up and new sessions cannot be established; flow table aging is designed to solve this problem. The aging time of flow entries shall be set according to actual service requirements for each data type and, within a service data type, according to the state of the flow. For example, the aging time of a TCP flow in the SYN state is different from that of a TCP flow in the ESTABLISH state. As another example, when a port scanning attack occurs on a network, a large amount of the system's flow table resources is occupied; configuring appropriate aging times for the flows established on these connections, according to the states of the flows, effectively reclaims flow entries and avoids flow interruption. Configuring appropriate aging times helps to reduce "useless" flow entries in the flow table while still meeting the requirement for exchanging service data flows.
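The effect of state-dependent aging described above can be reproduced with a model of a fixed-size flow table. The following Python code is an added example, not Ruijie or FPM code; the table capacity, the aging values (5 s, 120 s, 1800 s), the addresses and the simplified SYN-to-established transition are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    state: str        # "SYN" or "ESTABLISHED"
    last_seen: float  # time of the last packet seen on this flow

class FlowTable:
    """Fixed-size flow table with per-state aging (a model, not FPM code)."""
    def __init__(self, capacity, aging):
        self.capacity = capacity
        self.aging = aging   # state -> idle seconds before the entry is withdrawn
        self.flows = {}      # (src, sport, dst, dport) -> Flow

    def age_out(self, now):
        """Withdraw every entry that has been idle longer than its state's aging time."""
        stale = [k for k, f in self.flows.items()
                 if now - f.last_seen > self.aging[f.state]]
        for k in stale:
            del self.flows[k]
        return len(stale)

    def packet(self, key, now, syn=False, ack=False):
        """Process one packet; return False when no flow entry exists or can be created."""
        self.age_out(now)
        flow = self.flows.get(key)
        if flow is None:
            if not syn or len(self.flows) >= self.capacity:
                return False   # not a session opener, or the table is full
            self.flows[key] = Flow("SYN", now)
            return True
        if flow.state == "SYN" and ack:
            flow.state = "ESTABLISHED"   # simplified handshake completion
        flow.last_seen = now
        return True

def simulate(syn_aging):
    """Constructed scenario: one real session, a port scan, then a new client."""
    # Assumed values: capacity 100 entries, ESTABLISHED aging 1800 s.
    table = FlowTable(capacity=100, aging={"SYN": syn_aging, "ESTABLISHED": 1800})
    real = ("10.0.0.5", 40000, "10.0.0.9", 443)
    table.packet(real, 0.0, syn=True)
    table.packet(real, 0.1, ack=True)
    for port in range(1, 200):   # scan traffic: SYNs that are never completed
        table.packet(("10.0.0.66", 50000, "10.0.0.9", port), 1.0 + port * 0.01, syn=True)
    new_ok = table.packet(("10.0.0.7", 41000, "10.0.0.9", 443), 20.0, syn=True)
    return new_ok, real in table.flows, len(table.flows)
```

With a 5-second SYN aging time, the half-open scan entries are reclaimed before the new client connects at t = 20 s; with 120 seconds, the table is still full and the new session is refused, while the established flow survives in both cases.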
2.3.4 Number of Packets Permitted in a Flow
2.3.4.1 Working Principle
For each flow in its current state, a counter records the number of packets processed in the flow. An attacker may send a large number of packets of a certain type to launch a traffic attack, in which case other types of packets cannot be processed in time. To solve this problem while still meeting the requirement for exchanging service data flows, you can configure the number of packets permitted to pass in a flow in a given state.
2.3.5 TCP Status Tracing
2.3.5.1 Working Principle
Establishing a TCP connection requires a complete handshake; otherwise, the connection is illegitimate or the packets are attack packets. The FPM needs to trace the states of TCP connections so that it can distinguish flows established over TCP session connections in various states and determine whether the connections are legitimate. In some special scenarios such as asymmetrical routing, however, the states of TCP connections cannot be traced, and this function should be disabled.
2.3.6 Packet Threshold for Flows in Various States
2.3.6.1 Working Principle
For a flow in a given state established over a connection, there is an upper limit on the number of packets permitted on a legitimate connection. If this upper limit is exceeded, a packet flooding attack is probably occurring and occupying the forwarding resources of the system. You can therefore configure a packet threshold for flows in various states to defend effectively against such attacks.
