Configuration of the aging time of unknown protocols on firewalls


For unknown protocols, a firewall uses the UDP aging time by default. To configure the aging time for unknown protocols, run the ip service-set command to define a service set and run the firewall session aging-time service-set command to set the aging time.
Example:
# Set the aging time to 120 seconds for the unknown protocol whose protocol ID is 200.
system-view
[sysname] ip service-set abc type object
[sysname-object-service-set-abc] service 0 protocol 200
[sysname-object-service-set-abc] quit
[sysname] firewall session aging-time service-set abc 120
[sysname] display firewall session aging-time

Other related questions:
Firewall session aging time
Generally, you can use the default aging time of the session table. To change the aging time of the session table for a specific protocol type, run the firewall session aging-time command. For the USG2000 and USG5000 series, you can also set the service aging time on the web UI: choose Firewall > Service > Service Aging Time. To view the aging time of the session entries for all traffic in the current system, run the display firewall session aging-time command.

Configure session table aging time of the firewall on an AR router
Background information
A router creates session tables for data flows that pass through the firewall over TCP, UDP, or ICMP. The session tables record the connection status of these protocols. If no packet hits a session record within the aging time (that is, the aging time expires), the corresponding session entry is deleted. To modify the aging time of a protocol, configure the session table aging time of the firewall.
Operation procedure
Run the system-view command to access the system view.
Run the firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } aging-time time-value command to configure the session table aging time of the firewall.
By default, the aging time of each protocol is as follows: DNS (120s), FTP (120s), FTP-data (120s), HTTP (120s), ICMP (20s), TCP (600s), TCP-proxy (10s), UDP (120s), SIP (1800s), SIP-media (120s), RTSP (60s), RTSP-media (120s), PPTP (600s), and PPTP-data (600s). You are advised to use the default aging time.
Check the configuration result
Run the display firewall-nat session aging-time command to check the session table aging time.
Note: The AR510 series routers do not support the keywords sip and sip-media.
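The following Python helper is an added example, not Huawei's own code: it builds the minimal set of firewall-nat session aging-time commands from the default table quoted above (emitting a line only where a value differs from the default and refusing sip/sip-media for the AR510 series), and shows which session entries a router would age out given their last-hit times. The model check and the sample session table are assumptions constructed for the example.

```python
"""AR-router firewall session aging helper (added example, not Huawei code)."""

# Default aging times in seconds, as listed for the firewall-nat session command.
DEFAULT_AGING = {
    "dns": 120, "ftp": 120, "ftp-data": 120, "http": 120, "icmp": 20,
    "tcp": 600, "tcp-proxy": 10, "udp": 120, "sip": 1800, "sip-media": 120,
    "rtsp": 60, "rtsp-media": 120, "pptp": 600, "pptp-data": 600,
}
# Keywords the AR510 series does not accept (from the note in the procedure).
AR510_UNSUPPORTED = {"sip", "sip-media"}


def aging_commands(overrides, model="AR"):
    """Return the CLI lines needed to apply `overrides` ({keyword: seconds}).

    Only values that differ from the defaults produce a command, so the result
    is the minimal change set. Unknown keywords, non-positive values and
    keywords unsupported on the given model raise ValueError instead of
    emitting a command the router would reject. The model string check is an
    assumption for this example, not a documented platform detection method.
    """
    lines = ["system-view"]
    for proto, secs in overrides.items():
        if proto not in DEFAULT_AGING:
            raise ValueError(f"unknown protocol keyword: {proto}")
        if model.upper().startswith("AR510") and proto in AR510_UNSUPPORTED:
            raise ValueError(f"{proto} is not supported on the AR510 series")
        if not isinstance(secs, int) or secs <= 0:
            raise ValueError(f"aging time must be a positive integer: {secs}")
        if secs != DEFAULT_AGING[proto]:
            lines.append(f"firewall-nat session {proto} aging-time {secs}")
    lines.append("display firewall-nat session aging-time")
    return lines


def expired_sessions(sessions, now, aging=DEFAULT_AGING):
    """Return ids of sessions the router would have aged out by time `now`.

    `sessions` holds (session_id, protocol_keyword, last_hit_time) tuples; an
    entry is deleted once no packet has hit it within its aging time.
    """
    return [sid for sid, proto, last_hit in sessions
            if now - last_hit > aging[proto]]


if __name__ == "__main__":
    # Shorten FTP to 60 s (as in the example above); UDP stays at its default.
    for line in aging_commands({"ftp": 60, "udp": 120}):
        print(line)
    # Constructed session snapshot; times are seconds since an arbitrary epoch.
    sample = [("s1", "icmp", 970), ("s2", "tcp", 500), ("s3", "ftp", 950)]
    print(expired_sessions(sample, now=1000))  # ['s1']
```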

How do I configure and check the NAT flow table aging time on an AR router?
On a Huawei AR router, the firewall-nat session aging-time command configures the aging time of the various session table entries. Run the display nat session all command to view the NAT flow table, and run the reset nat session all command to clear the NAT mapping entries. For example, to set the aging time of FTP sessions to 60 seconds:
[Huawei] firewall-nat session ftp aging-time 60

Whether USG firewalls support the aging time configured for MAC address entries
The USG2000 and USG5000 support the aging time configured for MAC address entries.

How can I set the aging time of the traffic forwarding table

You can use the firewall-nat session aging-time command to set the aging time of the session entries.

Configuration Example

# Set the aging time of FTP session entries to 60 seconds.

system-view
[Huawei] firewall-nat session ftp aging-time 60
