Stateful inspection configuration on the CLI


Do as follows to configure stateful inspection on the CLI:
1. Run the system-view command to enter the system view.
2. Enable or disable the stateful inspection function as required.
- Enable the stateful inspection function.
Run the firewall session link-state [ icmp | tcp | sctp ] check command to enable IPv4 stateful inspection.
Run the firewall ipv6 session link-state [ icmpv6 | tcp | sctp ] check command to enable IPv6 stateful inspection.
- Disable the stateful inspection function.
Run the undo firewall session link-state [ icmp | tcp ] check command to disable IPv4 stateful inspection.
Run the undo firewall ipv6 session link-state [ icmpv6 | tcp ] check command to disable IPv6 stateful inspection.
Note that after stateful inspection is enabled, a session can be created only when the first packet of a flow passes through the firewall. After stateful inspection is disabled, sessions can be created even if no subsequent packets are found.
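The behaviour described in the note above, as an added model that is not part of the product documentation: a minimal stateful inspector in which the link-state check is enabled per protocol, mirroring the [ icmp | tcp ] option of the command. The Packet and Firewall names, the packet fields and the addresses are assumptions for illustration.

```python
from dataclasses import dataclass

# TCP flag bits and ICMP echo types used by the model (constructed example).
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04
ECHO_REQUEST, ECHO_REPLY = 8, 0

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    sport: int          # ICMP: echo identifier on the requesting side
    dst: str
    dport: int          # ICMP: 0 on the requesting side
    flags: int = 0      # TCP flags
    icmp_type: int = 0  # ICMP type

def is_first_packet(p):
    """Only the opening packet of a flow has a valid link state without a session."""
    if p.proto == "tcp":
        return p.flags & (SYN | ACK | FIN | RST) == SYN   # a bare SYN
    if p.proto == "icmp":
        return p.icmp_type == ECHO_REQUEST                  # a request, not a reply
    return True

class Firewall:
    def __init__(self, link_state_check=frozenset()):
        # Protocols for which "firewall session link-state <proto> check" is on.
        self.link_state_check = set(link_state_check)
        self.sessions = set()   # 5-tuples of the sessions created so far

    def forward(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "PASS"          # matches an existing session
        if p.proto in self.link_state_check and not is_first_packet(p):
            return "DROP"          # invalid link state: discarded, no session created
        self.sessions.add(fwd)     # first packet: create the session
        return "PASS"

def demo():
    """Same stray mid-stream ACK, with and without the TCP check enabled."""
    stray_ack = Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 443, ACK)
    checked = Firewall({"tcp", "icmp"}).forward(stray_ack)
    unchecked = Firewall().forward(stray_ack)
    return checked, unchecked   # ("DROP", "PASS")
```

With the check disabled, a session is created from the stray ACK, which is what allows asymmetric traffic through; with it enabled, that packet is discarded for an invalid link state.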

Other related questions:
Function of stateful inspection configured on firewalls
The function of stateful inspection configured on firewalls is as follows: Using stateful inspection, a firewall checks the validity of the link status of packets and discards the packets with invalid link status. Stateful inspection takes effect on both common packets and inner packets (decapsulated VPN packets). When the firewall is the only egress of a network, all packets are forwarded through the firewall. In this case, both incoming and outgoing packets pass through the firewall. You can enable stateful inspection on the firewall to secure services.

Stateful inspection configuration on the web UI
Do as follows to configure stateful inspection on the web UI:
1. Choose System > Setup > Stateful Inspection.
2. Select TCP stateful inspection or ICMP stateful inspection to enable the corresponding function.
Note that the TCP stateful inspection and ICMP stateful inspection functions are independent of each other. Enabling or disabling one function does not affect stateful inspection on the other type of data flow.

Does an FW support NAT if I disable stateful inspection on the FW
Yes. The FW supports NAT after stateful inspection is disabled on the FW.

ARP anti-spoofing configuration on S series switch
The S series switch, except the S1700, provides various methods to prevent ARP spoofing attacks.
- Configure dynamic ARP inspection (DAI). This function applies to a network where DHCP snooping is configured. It is recommended to configure DAI on the access switches. DAI can prevent man-in-the-middle attacks.
# Enable DAI on GE 1/0/1.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
# Enable DAI in VLAN 100.
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable
- Configure fixed ARP. To prevent ARP spoofing attacks, configure fixed ARP on the gateway.
# Enable fixed ARP in fixed MAC mode.
[HUAWEI] arp anti-attack entry-check fixed-mac enable
- Configure ARP gateway anti-collision (available only on the S5720SI/S5720S-SI, S5720EI, S5720HI, S6720EI, and modular switches). When user hosts are directly connected to the gateway, configure this function on the gateway.
# Enable ARP gateway anti-collision.
[HUAWEI] arp anti-attack gateway-duplicate enable
- Configure the switch to actively discard gratuitous ARP packets (available only on modular switches). If you confirm that the gratuitous ARP packets are from attackers, enable the gateway to actively discard gratuitous ARP packets.
# Enable the switch to actively discard gratuitous ARP packets globally.
[HUAWEI] arp anti-attack gratuitous-arp drop

Method used to install the inspection tool
For details about how to install the inspection tool, see the OceanStor Toolkit Inspection Tool Operation Guide. To download the guide, log in to the