R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

If a session entry is not matched with any packets in a specified period of time, the entry will be aged out.
Follow these steps to set the session aging times based on protocol state:
To do: Enter system view
Use the command: system-view

To do: Set the aging time for sessions of a specified protocol and in a specified state
Use the command: session aging-time { accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value
Remarks: Required
The defaults are as follows:
accelerate: 10 seconds
fin: 30 seconds
icmp-closed: 30 seconds
icmp-open: 60 seconds
rawip-open: 30 seconds
rawip-ready: 60 seconds
syn: 30 seconds
tcp-est: 3600 seconds
udp-open: 30 seconds
udp-ready: 60 seconds
CAUTION:
For a large number of sessions (more than 800000), do not specify too short an aging time. Otherwise, the console might be slow in response.
Configuring session aging times based on application layer protocol type
NOTE:
Aging times set in this task apply only to sessions in the READY/ESTABLISH state.
For sessions in the READY (with UDP) or ESTABLISH (with TCP) state, you can set the session aging times
according to the types of the application layer protocols to which the sessions belong.
Follow these steps to set session aging times based on application layer protocol type:

To do: Enter system view
Use the command: system-view

To do: Set the aging time for sessions of an application layer protocol
Use the command: application aging-time { dns | ftp | msn | qq } time-value
Remarks: Required
The default varies as follows:
dns: 60 seconds
ftp: 3600 seconds
msn: 3600 seconds
qq: 60 seconds
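
To review which timer governs a given session, the following added example (not part of the original guide and not HP code) parses `session aging-time` and `application aging-time` lines from saved configuration text, overlays them on the defaults listed above, and resolves the effective timer for a session. It assumes that saved lines use the same syntax as the commands, that READY (UDP) and ESTABLISH (TCP) correspond to the `udp-ready` and `tcp-est` keywords, and that the application timer takes precedence for sessions in those states; the function names are hypothetical.

```python
import re

# Defaults as listed in the two tables above (seconds).
STATE_DEFAULTS = {
    "accelerate": 10, "fin": 30, "icmp-closed": 30, "icmp-open": 60,
    "rawip-open": 30, "rawip-ready": 60, "syn": 30, "tcp-est": 3600,
    "udp-open": 30, "udp-ready": 60,
}
APP_DEFAULTS = {"dns": 60, "ftp": 3600, "msn": 3600, "qq": 60}
# Assumption: READY (UDP) / ESTABLISH (TCP) map to these state keywords.
APP_ELIGIBLE_STATES = {"udp-ready", "tcp-est"}
LINE_RE = re.compile(r"^\s*(session|application)\s+aging-time\s+(\S+)\s+(\d+)\s*$")


def parse_aging_config(text):
    """Return (state_timers, app_timers, errors) for configuration text."""
    state, app, errors = dict(STATE_DEFAULTS), dict(APP_DEFAULTS), []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "aging-time" not in line:
            continue  # unrelated configuration line
        m = LINE_RE.match(line)
        if not m:
            errors.append((lineno, "malformed aging-time command"))
            continue
        kind, key, value = m.group(1), m.group(2), int(m.group(3))
        table = state if kind == "session" else app
        if key not in table:
            errors.append((lineno, f"unknown keyword {key!r}"))
            continue
        table[key] = value  # configured value overrides the default
    return state, app, errors


def effective_aging(state_timers, app_timers, state, app=None):
    """Timer in seconds for one session; app timers count only in READY/ESTABLISH."""
    if app in app_timers and state in APP_ELIGIBLE_STATES:
        return app_timers[app]  # assumed precedence over the state timer
    return state_timers[state]


# Constructed sample configuration, not taken from a real device.
# The last line uses a keyword the command does not accept, to show the error path.
SAMPLE = """\
session aging-time syn 10
session aging-time tcp-est 1800
application aging-time ftp 7200
session aging-time tcp-open 30
"""
```
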