Nexapp - Connections

Connections

NexappOS includes connection tracking (Conntrack), a stateful firewall feature that monitors and manages active network sessions. Every flow passing through the gateway is tracked in a connection table, with its current state recorded (for example: new, established, related, or expired).

Conntrack enables:

  • Stateful packet inspection — filtering decisions are made using connection context, not just raw packet headers.
  • Accurate security enforcement — only valid packets that belong to legitimate connections are allowed through.
  • NAT awareness — internal-to-external address mappings are tracked to ensure return traffic reaches the correct host.
  • Performance optimization — invalid or expired sessions are dropped quickly without wasting CPU.


Filtering Connections

You can filter the connection list using:

  • Protocol
    Example: TCP, UDP, ICMP, ESP, GRE.

  • Status
    Example: new, established, related, time-wait, expired.

  • IP Address
    Filter by source or destination IP.

  • Port
    Filter by service port (source/destination).

Refresh behavior
The connection list does not update in real time.
To see new sessions, click Refresh page.


Managing Sessions

From the Connections page, an administrator can:

  • Delete a single connection
    Useful for removing one problematic or suspicious session.

  • Flush the entire connection table using Delete all connections
    This terminates every tracked session immediately.
    Use only when necessary since it may disrupt active users.


Good Practices for Terminating Sessions

When to terminate a connection

Terminate a session if:

  • the connection is idle or expired for a long time
  • there are signs of malicious activity on the session
  • a connection is stale/hanging and blocking new flows
  • termination is needed for troubleshooting or diagnostics

When to avoid terminating a connection

Avoid dropping a session if:

  • it is active and behaving normally
  • it supports a critical, ongoing service
  • the issue appears temporary and may self-resolve

SD-WAN / MultiWAN Operational Note

In a MultiWAN SD-WAN design, some traffic (for example, VoIP trunks or SaaS paths) may be:

  • routed through a specific WAN interface
  • NATed to a provider-specific public IP

If that WAN path goes down, old sessions bound to the failed interface will not automatically re-register through the healthy link. The service may remain broken until those sessions expire.

Recommended fix:
Drop all Conntrack entries tied to the failed WAN IP/interface, so NexappOS can rebuild sessions through the correct active path.

You can do this directly from the Connections page by filtering on the old external IP and removing the related entries.
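The following is an added example, not code from NexappOS or from this page: a small Python parser over constructed conntrack table lines (assumed to be in the standard Linux conntrack-tools `conntrack -L` text format) that applies the Protocol / Status / IP Address / Port filters described above and picks out the sessions whose return traffic is still addressed to a failed WAN's public IP, which are the entries the SD-WAN note says to remove. All addresses, ports and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in conntrack-tools `conntrack -L` text format (not captured from a real
# NexappOS gateway). 203.0.113.5 is the public IP of the WAN that just failed, 198.51.100.9 the
# healthy WAN's public IP. Left tuple = original direction (LAN view), right tuple = reply direction.
SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.15 dst=203.0.113.80 sport=49152 dport=5060 src=203.0.113.80 dst=203.0.113.5 sport=5060 dport=49152 [ASSURED] mark=0 use=1
udp      17 170 src=10.0.0.15 dst=203.0.113.80 sport=10000 dport=10000 src=203.0.113.80 dst=203.0.113.5 sport=10000 dport=10000 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.22 dst=198.51.100.40 sport=51000 dport=443 src=198.51.100.40 dst=198.51.100.9 sport=443 dport=51000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.22 dst=198.51.100.41 sport=51001 dport=443 src=198.51.100.41 dst=198.51.100.9 sport=443 dport=51001 [ASSURED] mark=0 use=1
icmp     1 29 src=10.0.0.30 dst=203.0.113.80 type=8 code=0 id=777 src=203.0.113.80 dst=203.0.113.5 type=0 code=0 id=777 mark=0 use=1
"""
KV = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = ("src", "dst", "sport", "dport")

@dataclass
class Conntrack:
    proto: str    # tcp / udp / icmp / ...
    timeout: int  # seconds left before the kernel expires the entry
    state: str    # TCP state (ESTABLISHED, TIME_WAIT, ...); "" for protocols without one
    orig: dict    # original-direction tuple (pre-NAT, as sent by the LAN host)
    reply: dict   # reply-direction tuple (its dst is the WAN public IP used for NAT)

def parse_table(text):
    """Parse conntrack -L style lines into Conntrack records."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4:
            continue
        state = tok[3] if "=" not in tok[3] and not tok[3].startswith("[") else ""
        orig, reply = {}, {}
        for key, val in KV.findall(line):
            if key in TUPLE_KEYS:  # first occurrence is the original direction, second the reply
                (reply if key in orig else orig)[key] = val
        entries.append(Conntrack(tok[0], int(tok[2]), state, orig, reply))
    return entries

def matches(e, proto=None, status=None, ip=None, port=None):
    """The Connections page filters: Protocol, Status, IP Address (either side), Port (either side)."""
    addrs = {e.orig.get("src"), e.orig.get("dst"), e.reply.get("src"), e.reply.get("dst")}
    ports = {e.orig.get("sport"), e.orig.get("dport"), e.reply.get("sport"), e.reply.get("dport")}
    return ((not proto or e.proto == proto.lower())
            and (not status or e.state == status.upper().replace("-", "_"))
            and (not ip or ip in addrs) and (not port or str(port) in ports))

def bound_to_wan(entries, wan_public_ip):
    """Sessions NATed out through one WAN: their return traffic is addressed to that WAN's public IP."""
    return [e for e in entries if e.reply.get("dst") == wan_public_ip]
```

On a Linux gateway that exposes conntrack-tools (an assumption about NexappOS that the page does not state), the same selection corresponds to `conntrack -D --reply-dst <failed WAN public IP>`; on NexappOS itself, use the Connections page filter as described above.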
