Flows and Sessions

Flow-based packet processing, which is stateful, requires the creation of sessions. A session is created, based on the characteristics assessed for the first packet of a flow, for the following purposes:

• To store the security measures to be applied to the packets of the flow
• To cache information about the state of the flow

  For example, logging and counting information for a flow is cached in its session. (Some stateful firewall screens rely on threshold values that pertain to individual sessions or across all sessions.)

• To allocate required resources for the flow for features such as Network Address Translation (NAT) and IPsec tunnels
• To provide a framework for features such as Application Layer Gateways (ALGs) and firewall features

Most packet processing occurs in the context of a flow. The flow engine and session bring together the following features and events that affect a packet as it undergoes flow-based processing:

• Flow-based forwarding
• Session management, including session aging and changes in routes, policy, and interfaces
• Management of virtual private networks (VPNs), ALGs, and authentication
• Management of policies, NAT, zones, and screens