1. What a persistent connection on the firewall is.
2. How to configure a persistent connection.
3. The main points that need attention.
1. Sessions are the basis of a stateful inspection firewall: every session that passes through the firewall creates an entry in the session table. To keep the firewall secure and to prevent an excessive number of sessions from exhausting its resources, an aging time is set for session table entries; if no packet of a session passes through the firewall within that time, its entry is aged out. In practice, some special services (network management services, for example) send traffic at intervals far longer than the TCP/UDP session aging time, so the firewall needs to keep their session entries for a relatively long time. Then, when a packet of such a session reaches the firewall again after a long gap, it can still pass through.
In short: the aging time resolves the conflict between an unbounded number of sessions and the firewall's limited resources, and the persistent connection is introduced to resolve the conflict between aging and these special services.
2. Configure the ACL that the persistent connection needs; keep its range small.
[usg5000] acl 3000
[usg5000-acl-adv-3000] rule permit tcp source 220.127.116.11 0 destination 10.1.1.1 0 source-port eq 8080
Configure the aging time of the persistent connection in the system view
[usg5000] firewall long-link aging-time 200
Configure the persistent connection rule in the interzone view
[usg5000] firewall interzone trust untrust
[usg5000-interzone-trust-untrust] firewall long-link 3000 inbound
3. It is best to configure a precise ACL so that the number of persistent connections does not reach the upper limit.
After the persistent connection is configured, the session entries must be reset before the persistent connection takes effect.
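To check point 3 before committing a configuration, here is an added example (not from the original page or from the vendor) that parses a configuration text using the same command forms shown above and flags every ACL bound to long-link whose rules match an address range or lack an exact port; the sample configuration and the parsing of the command syntax are assumptions based only on the lines shown on this page.

```python
import re

# Constructed sample that mirrors the configuration shown on this page
# (same command forms; not an export from a real device). ACL 3001 is
# deliberately broad so the checker has something to report.
SAMPLE_CONFIG = """\
acl 3000
 rule permit tcp source 220.127.116.11 0 destination 10.1.1.1 0 source-port eq 8080
acl 3001
 rule permit tcp source 10.0.0.0 0.0.0.255 destination 10.1.1.1 0
firewall long-link aging-time 200
firewall interzone trust untrust
 firewall long-link 3000 inbound
 firewall long-link 3001 inbound
"""

# Assumed rule layout: rule permit <proto> source A WC destination B WC [port...]
RULE_RE = re.compile(
    r"rule permit \S+ source (\S+) (\S+) destination (\S+) (\S+)(.*)")


def parse_acls(config):
    """Map ACL number -> list of rule lines found under that 'acl' heading."""
    acls, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("acl "):
            current = line.split()[1]
            acls[current] = []
        elif line.startswith("rule ") and current is not None:
            acls[current].append(line)
        else:
            current = None  # any other command ends the ACL block
    return acls


def check_long_link_acls(config):
    """Return findings (strings) for every ACL bound with 'firewall long-link'."""
    acls, findings = parse_acls(config), []
    if not re.search(r"firewall long-link aging-time \d+", config):
        findings.append("no long-link aging-time configured")
    # 'firewall long-link <acl>' binding lines; the aging-time line has no number here
    for acl in re.findall(r"firewall long-link (\d+)", config):
        rules = acls.get(acl)
        if rules is None:
            findings.append(f"acl {acl}: bound to long-link but not defined")
            continue
        for rule in rules:
            m = RULE_RE.match(rule)
            if not m:
                continue
            src, src_wc, dst, dst_wc, tail = m.groups()
            # A non-zero wildcard matches a whole range of hosts, so many more
            # sessions would get the long aging time and count toward the limit.
            if src_wc != "0" or dst_wc != "0":
                findings.append(f"acl {acl}: rule matches an address range "
                                f"({src} {src_wc} -> {dst} {dst_wc})")
            if "-port eq" not in tail:
                findings.append(f"acl {acl}: rule has no exact port match")
    return findings
```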