USG6600 ICMP session aging time

The USG2000&5000&6000 ICMP session aging time is 20 seconds. You can run the display firewall session aging-time command to view the aging time.

Other related questions:
Firewall session aging time
Generally, you can use the default aging time of the session table. To change the aging time of the session table for a specific protocol type, run the firewall session aging-time command. For the USG2000&5000 series, you can set the service aging time on the web UI. On the web UI, choose Firewall > Service > Service Aging Time. To view the aging time of the session entries of all traffic in the current system, you can run the display firewall session aging-time command.

How do I configure and check the NAT flow table aging time on an AR router?
On a Huawei AR router, run the "firewall-nat session aging-time" command to configure the aging time of the various session table entries. Run the "display nat session all" command to view NAT flow table information. Run the "reset nat session all" command to clear the NAT mapping table entries. For example, to set the aging time of FTP sessions to 60 seconds:
[Huawei] firewall-nat session ftp aging-time 60

Configure session table aging time of the firewall on an AR router
Background information
A router creates session tables for data flows that pass the firewall over TCP, UDP, or ICMP. The session tables record the connection status of the protocols. If no packet hits a record within the aging time (the aging time expires), the corresponding session entry is deleted. To modify the aging time of a protocol, configure the session table aging time of the firewall.

Operation procedure
1. Run the system-view command to access the system view.
2. Run the firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } aging-time time-value command to configure the session table aging time of the firewall.
By default, the aging time of different protocols is as follows: DNS (120s), FTP (120s), FTP-data (120s), HTTP (120s), ICMP (20s), TCP (600s), TCP-proxy (10s), UDP (120s), SIP (1800s), SIP-media (120s), RTSP (60s), RTSP-media (120s), PPTP (600s), and PPTP-data (600s). You are advised to use the default aging time.

Check the configuration result.
Run the display firewall-nat session aging-time command to check information about the session table aging time.

Note: The AR510 series routers do not support the keywords SIP and SIP-media.
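
The following is an added example, not Huawei code: a small audit that reads configuration text and compares each firewall-nat session ... aging-time line against the defaults listed above. It assumes the setting appears in the saved configuration in the same form as the command; the function name, the model parameter and the sample configuration are constructed for illustration.

```python
import re

# Default aging times in seconds, as listed above for the AR session table.
DEFAULT_AGING = {
    "dns": 120, "ftp": 120, "ftp-data": 120, "http": 120, "icmp": 20,
    "tcp": 600, "tcp-proxy": 10, "udp": 120, "sip": 1800, "sip-media": 120,
    "rtsp": 60, "rtsp-media": 120, "pptp": 600, "pptp-data": 600,
}
# Keywords the note above says the AR510 series does not support.
AR510_UNSUPPORTED = {"sip", "sip-media"}

LINE_RE = re.compile(
    r"^\s*firewall-nat\s+session\s+(\S+)\s+aging-time\s+(\S+)\s*$", re.I)

def audit_aging_config(config_text, model=""):
    """Return (line_no, protocol, finding) for every line worth reviewing."""
    findings = []
    ar510 = model.upper().startswith("AR510")  # model string is an assumption
    for no, line in enumerate(config_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an aging-time line
        proto, raw = m.group(1).lower(), m.group(2)
        if proto not in DEFAULT_AGING:
            findings.append((no, proto, "unknown protocol keyword"))
        elif ar510 and proto in AR510_UNSUPPORTED:
            findings.append((no, proto, "keyword not supported on AR510"))
        elif not raw.isdigit():
            findings.append((no, proto, "aging time is not a number"))
        elif int(raw) > DEFAULT_AGING[proto]:
            # Idle entries stay in the session table longer than by default.
            findings.append((no, proto, "longer than default"))
        elif int(raw) < DEFAULT_AGING[proto]:
            # Idle flows are deleted sooner than by default.
            findings.append((no, proto, "shorter than default"))
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
# constructed sample
firewall-nat session ftp aging-time 60
firewall-nat session tcp aging-time 3600
firewall-nat session icmp aging-time 20
firewall-nat session sip aging-time 1800
firewall-nat session gre aging-time 30
"""

if __name__ == "__main__":
    for finding in audit_aging_config(SAMPLE_CONFIG, model="AR510"):
        print(finding)
```

Lines set to the default value produce no finding, so the output lists only the entries that deviate from the recommended defaults or cannot be applied.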

Configuration of the aging timeout period on a user-defined service of the USG9520
You can set the session timeout period of a user-defined port by configuring the persistent connection function on the USG9520. The operation is as follows:
1. In the user view, run the system-view command to enter the system view.
2. Run the security-policy command to enter the security policy view.
3. Run the rule name rule-name command to create a security policy rule and enter the rule view.
4. Run the long-link enable command to enable the persistent connection function.
5. Run the long-link aging-time interval command to set the aging time for persistent connections.

What are the aging time and aging mechanism of ARP entries?
The default aging time of ARP entries is 20 minutes. You can run the arp expire-time command to change the aging time. You can also change the number of ARP probes by running the arp detect-times command. The default number of ARP probes is 3.

When the aging time of an ARP entry expires, the device sends a probe packet to the corresponding IP address every 5 seconds. If the device does not receive any response after the specified number of probes, it deletes the ARP entry.

For example, the aging time of ARP entries is set to 60s and the number of ARP probes is set to 6. 60s after an ARP entry is generated, the device sends an ARP probe every 5s. If the device does not receive any response after sending six probes, it deletes the ARP entry. Therefore, the actual aging time of the ARP entry is (60 + 6 x 5) = 90s.

NOTE: For the V100R002 version, the S2700/S3700/S5700/S6700 supports the 1/2 probe time and the 3/4 probe time. The number of probes at each of these two time points is 3 and cannot be changed. For example, if the aging time is 20 minutes (1200s) and the number of ARP probes is 6, the S2700/S3700/S5700/S6700 sends three ARP probes at an interval of 5s after 10 minutes. After 15 minutes, the S2700/S3700/S5700/S6700 also sends three ARP probes at an interval of 5s. After 20 minutes, the S2700/S3700/S5700/S6700 sends six ARP probes at an interval of 5s. If the S2700/S3700/S5700/S6700 does not receive any response, it deletes the ARP entry.
