R3303-HP 6600/HSR6600 Routers Security Command Reference
Use undo tcp timer check-state to restore the default.
Syntax
tcp timer check-state time-value
undo tcp timer check-state
Default
The TCP connection state check interval is 30 seconds.
Views
System view
Default command level
2: System level
Parameters
time-value: Specifies the TCP connection state check interval in seconds, in the range of 1 to 60.
Usage guidelines
The device periodically checks the number of TCP connections in each state. If the number of TCP connections in a state exceeds the maximum number, the device accelerates the aging of TCP connections in that state.
Naptha attack protection must be enabled before you execute this command. Otherwise, the device displays an error.
Example
# Set the TCP connection state check interval to 40 seconds.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
[Sysname] tcp timer check-state 40
Related commands
tcp anti-naptha enable
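
The following is an added example, not part of the HP command reference: a small offline check that replays a saved command sequence and reports where tcp timer check-state would be refused, using the 1 to 60 second range, the 30-second default and the tcp anti-naptha enable prerequisite stated above. The function name audit_check_state and the sample sessions are hypothetical, and the code assumes that disabling Naptha protection leaves the stored interval unchanged.

```python
import re

DEFAULT_INTERVAL = 30          # default from the command reference, in seconds
VALID_RANGE = range(1, 61)     # time-value: 1 to 60 seconds
# Strip a leading CLI prompt such as "<Sysname>" or "[Sysname]".
PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")
TIMER = re.compile(r"^tcp timer check-state\s+(\S+)$")


def audit_check_state(config_text):
    """Replay commands in order and report which timer settings take effect."""
    enabled = False
    interval = DEFAULT_INTERVAL
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        cmd = " ".join(PROMPT.sub("", raw).split())
        if not cmd or cmd.startswith("#"):
            continue                      # blank line or "#" comment/separator
        if cmd == "tcp anti-naptha enable":
            enabled = True
        elif cmd == "undo tcp anti-naptha enable":
            enabled = False               # assumption: interval is left as is
        elif cmd == "undo tcp timer check-state":
            interval = DEFAULT_INTERVAL   # undo form restores the default
        elif (m := TIMER.match(cmd)):
            value = m.group(1)
            if not enabled:
                findings.append((lineno, "rejected: Naptha protection not enabled"))
            elif not value.isdecimal() or int(value) not in VALID_RANGE:
                findings.append((lineno, f"rejected: {value!r} outside 1-60"))
            else:
                interval = int(value)
    return {"anti_naptha": enabled, "interval": interval, "findings": findings}


# Constructed sample sessions (not captured from a device).
GOOD = """<Sysname> system-view
[Sysname] tcp anti-naptha enable
[Sysname] tcp timer check-state 40
"""
BAD = """[Sysname] tcp timer check-state 40
[Sysname] tcp anti-naptha enable
[Sysname] tcp timer check-state 90
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_check_state(text))
```

In the BAD session both timer commands are flagged (wrong order, then out of range), so the interval stays at the 30-second default.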










