Firewall session aging time


Generally, you can use the default aging time of the session table. To change the aging time of the session table for a specific protocol type, run the firewall session aging-time command.
For the USG2000&5000 series, you can set the service aging time on the web UI. On the web UI, choose Firewall > Service > Service Aging Time.
To view the aging time of the session entries of all traffic in the current system, you can run the display firewall session aging-time command.

Other related questions:
How do I configure and check the NAT flow table aging time on an AR router?
On a Huawei AR router, run the "firewall-nat session aging-time" command to configure the aging time of the various session table entries. Run the "display nat session all" command to view the NAT flow table information. Run the "reset nat session all" command to clear the NAT mapping table entries. For example, to set the aging time of FTP sessions to 60 seconds:
[Huawei] firewall-nat session ftp aging-time 60

Configure session table aging time of the firewall on an AR router
Background information
A router creates session tables for data flows that pass the firewall over TCP, UDP, or ICMP. The session tables record the connection status of the protocols. If packets do not hit a record within the aging time (the aging time expires), the corresponding session entry is deleted. To modify the aging time of a protocol, configure the session table aging time of the firewall.

Operation procedure
1. Run the system-view command to access the system view.
2. Run the firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } aging-time time-value command to configure the session table aging time of the firewall.
   By default, the aging time of different protocols is as follows: DNS (120s), FTP (120s), FTP-data (120s), HTTP (120s), ICMP (20s), TCP (600s), TCP-proxy (10s), UDP (120s), SIP (1800s), SIP-media (120s), RTSP (60s), RTSP-media (120s), PPTP (600s), and PPTP-data (600s). You are advised to use the default aging time.
3. Check the configuration result. Run the display firewall-nat session aging-time command to check information about the session table aging time.

Note: The AR510 series routers do not support the keywords SIP and SIP-media.
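
The following is an added example, not Huawei code: a small Python audit that reads saved firewall-nat session aging-time lines and reports entries that deviate from the defaults listed above, use a keyword outside the documented set, or use SIP keywords on an AR510. The function name, finding labels and sample lines are assumptions made for illustration; the sample input is constructed.

```python
import re

# Defaults in seconds, copied from the procedure above.
DEFAULTS = {
    "dns": 120, "ftp": 120, "ftp-data": 120, "http": 120, "icmp": 20,
    "tcp": 600, "tcp-proxy": 10, "udp": 120, "sip": 1800, "sip-media": 120,
    "rtsp": 60, "rtsp-media": 120, "pptp": 600, "pptp-data": 600,
}
AR510_UNSUPPORTED = {"sip", "sip-media"}  # from the note above

PROMPT_RE = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)?\s*")  # "[Huawei] " or "<Huawei> "
CMD_RE = re.compile(r"firewall-nat\s+session\s+(\S+)\s+aging-time\s+(\S+)")

def audit_aging_config(text, model=""):
    """Return (line_no, protocol, finding) tuples for firewall-nat aging-time lines."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = PROMPT_RE.sub("", raw, count=1).strip()
        if not line.startswith("firewall-nat") or "aging-time" not in line:
            continue  # display commands and unrelated configuration
        m = CMD_RE.fullmatch(line)
        if not m:
            findings.append((no, None, "syntax"))  # e.g. 'session' keyword missing
            continue
        proto, value = m.group(1).lower(), m.group(2)
        if proto not in DEFAULTS:
            findings.append((no, proto, "unknown-protocol"))
        elif not value.isdigit():
            findings.append((no, proto, "bad-value"))
        else:
            if model.upper().startswith("AR510") and proto in AR510_UNSUPPORTED:
                findings.append((no, proto, "unsupported-on-model"))
            if int(value) != DEFAULTS[proto]:
                findings.append((no, proto, "non-default"))
    return findings

# Constructed sample input, not captured from a device.
SAMPLE = """\
[Huawei] firewall-nat session ftp aging-time 60
[Huawei] firewall-nat session tcp aging-time 600
[Huawei] firewall-nat ftp aging-time 60
[Huawei] firewall-nat session sip aging-time 1800
[Huawei] firewall-nat session gre aging-time 30
[Huawei] display firewall-nat session aging-time
"""

if __name__ == "__main__":
    for finding in audit_aging_config(SAMPLE, model="AR510"):
        print(finding)
```

A "non-default" finding is a prompt to confirm the change was intended, since the procedure advises keeping the default aging time.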

USG6600 ICMP session aging time
The USG2000&5000&6000 ICMP session aging time is 20 seconds. You can run the display firewall session aging-time command to view the aging time.

Configuration of the aging time of unknown protocols on firewalls
For unknown protocols, a firewall uses the UDP aging time by default. To configure the aging time for unknown protocols, run the ip service-set command to define a service set and run the firewall session aging-time service-set command to set the aging time.

Example:
# Set the aging time to 120 seconds for the unknown protocol whose protocol ID is 200.
<sysname> system-view
[sysname] ip service-set abc type object
[sysname-object-service-set-abc] service 0 protocol 200
[sysname-object-service-set-abc] quit
[sysname] firewall session aging-time service-set abc 120
[sysname] display firewall session aging-time

Configuration of the aging timeout period on a user-defined service of the USG9520
You can set the session timeout period of a user-defined port by configuring the persistent connection function on the USG9520. The operation is as follows:
1. In the user view, run the system-view command to enter the system view.
2. Run the security-policy command to enter the security policy view.
3. Run the rule name rule-name command to create a security policy rule and enter the rule view.
4. Run the long-link enable command to enable the persistent connection function.
5. Run the long-link aging-time interval command to set the aging time for persistent connections.
