3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
Packet Filtering Firewall Configuration Commands
The packet filtering firewall consumes system resources to record fragment
status. If exact match mode is not used, you are recommended to disable this
function to improve system efficiency and reduce system overhead.
Exact match takes effect only when fragment packet inspection is enabled.
Related command: firewall packet-filter (interface view).
Example
# Enable the fragment inspection switch.
[SecBlade_FW] firewall packet-filter fragments-inspect
firewall packet-filter fragments-inspect { high | low }
Syntax
firewall packet-filter fragments-inspect { high | low }
undo firewall packet-filter fragments-inspect { high | low }
View
System view
Parameter
high number: Specifies the high threshold of the fragment status records. It is in
the range from 100 to 10000.
low number: Specifies the low threshold of the fragment status records. It is in the
range from 100 to 10000.
default: Default number of fragment status records. The default high threshold of
the fragment status records is 2000 and the default low threshold of the fragment
status records is 1500.
Description
Use the firewall packet-filter fragments-inspect { high | low } command to
configure the high and low thresholds of records for fragment inspection.
Use the undo firewall packet-filter fragments-inspect { high | low } command
to restore the default high and low thresholds.
If the fragment inspection switch is enabled and exact match filtering is
applied, the efficiency of packet filtering is slightly reduced, and it drops
further as the number of matching entries increases. The high and low
thresholds should therefore be set. When the number of fragment status records
reaches the high threshold, the status entries that were saved earliest are
deleted until the number of records is below the low threshold.
The low threshold must be no greater than the high threshold.
Related command: display firewall packet-filter statistics fragments-inspect
and firewall packet-filter fragments-inspect.
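The high/low threshold behaviour described above can be modelled as follows. This is an added example, not code from the 3Com guide or the device. The record key (source, destination, protocol, IP ID), the stored `l4_info` value and all class and function names are assumptions made for illustration.

```python
from collections import OrderedDict

MIN_T, MAX_T = 100, 10000              # valid range for both thresholds (from the page)
DEFAULT_HIGH, DEFAULT_LOW = 2000, 1500  # defaults stated on the page


class FragmentStatusTable:
    """Illustrative model of the fragment status records (not device code)."""

    def __init__(self, high=DEFAULT_HIGH, low=DEFAULT_LOW):
        for name, value in (("high", high), ("low", low)):
            if not MIN_T <= value <= MAX_T:
                raise ValueError(f"{name} threshold {value} outside {MIN_T}-{MAX_T}")
        if low > high:
            raise ValueError("low threshold must be no greater than high threshold")
        self.high, self.low = high, low
        self.records = OrderedDict()    # insertion order == age of the record
        self.evicted = 0

    def record(self, src, dst, proto, ip_id, l4_info):
        """Store status for a fragmented datagram; return how many records were deleted."""
        key = (src, dst, proto, ip_id)  # assumed key, not taken from the guide
        self.records[key] = l4_info
        removed = 0
        if len(self.records) >= self.high:
            # High threshold reached: delete the earliest records until the
            # count is below the low threshold.
            while len(self.records) >= self.low:
                self.records.popitem(last=False)
                removed += 1
        self.evicted += removed
        return removed

    def lookup(self, src, dst, proto, ip_id):
        """Return the stored info, or None if the record was deleted or never seen."""
        return self.records.get((src, dst, proto, ip_id))


def simulate(n_datagrams, high=DEFAULT_HIGH, low=DEFAULT_LOW):
    """Feed n constructed fragmented datagrams; return (records left, records deleted)."""
    table = FragmentStatusTable(high, low)
    for i in range(n_datagrams):
        # Constructed sample traffic: documentation addresses, UDP, unique IP IDs.
        table.record("192.0.2.10", "198.51.100.20", 17, i, {"dport": 53})
    return len(table.records), table.evicted


if __name__ == "__main__":
    print(simulate(2000))               # default thresholds from the page
```

With the default thresholds, the 2000th record triggers one sweep that deletes the 501 oldest records. A narrow gap between the two thresholds makes each sweep smaller but more frequent.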