Clearing a Session Table

Certain configurations may change current session entries. If you need to make the changes take effect immediately, clear the existing session table for the device to generate a new one. Clearing the session table terminates all existing sessions. Use the reset firewall session table command with caution.

Context

The session table controls packet forwarding on the FW, and a session entry does not age out while traffic matching it keeps flowing. Therefore, in certain cases the session table must be cleared so that the FW regenerates its entries under the new configuration. For example:

  • If you change the action for a user from Permit to Deny and you need to make the configuration change take effect immediately, you must clear the session table.
  • If you change the NAT configuration, such as the IP addresses before and after NAT, and you need to make the configuration take effect immediately, you must clear the session table.

After you clear the session table, all connections recorded in it are forcibly interrupted and the services carried over them are disrupted. Users must re-initiate their connections to resume communication. Therefore, exercise caution before you clear a session table. If you must clear it, restrict the range of session entries to be cleared with matching conditions, and avoid running the reset firewall session table command without conditions, which clears all session entries.

Procedure

  • Run one of the following commands in the user view to clear the specified IPv4 sessions.

    • reset firewall session table [ vsys vsys-name ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | icmp | ah | esp | gre } | application application-name | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } ] *
    • reset firewall session table all-systems [ source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | icmp | ah | esp | gre } | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | { local | remote } ] *
    • reset firewall session table session-id session-id

    You can set one or more conditions to restrict the range of sessions to be cleared. For parameter details, see Parameter Description in reset firewall session table.

  • Run one of the following commands in the user view to clear the specified IPv6 sessions.

    • reset firewall ipv6 session table [ vsys vsys ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | destination { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | application application-type | slot slot-id cpu cpu-id | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port { inside inside-port-number | global global-port-number } | destination-port { inside inside-port-number | global global-port-number } | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } ] *
    • reset firewall ipv6 session table all-systems [ source { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | destination { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port { inside inside-port-number | global global-port-number } | destination-port { inside inside-port-number | global global-port-number } | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | { local | remote } ] *
    • reset firewall ipv6 session table session-id session-id

    You can set one or more conditions to restrict the range of sessions to be cleared. For parameter details, see Parameter Description in reset firewall ipv6 session table.
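The following user-view session is an added example, not part of the Huawei documentation above, showing how to apply the two scenarios from the Context section (a policy changed from Permit to Deny, and a NAT address change) while narrowing the reset to the affected entries instead of clearing the whole table. The user name, addresses and prompt name are constructed; the display firewall session table command used to check the result before and after is the standard display counterpart of the reset command and is not described on this page.

```text
# Constructed example: the policy for user "alice" was changed from permit to deny.
# Clear only her sessions so that the deny action applies immediately.
<FW> display firewall session table user alice
<FW> reset firewall session table user alice
<FW> display firewall session table user alice

# Constructed example: the NAT mapping for the inside range 10.1.1.1-10.1.1.254 was changed.
# Clear only TCP sessions whose pre-NAT (inside) source falls in that range.
<FW> reset firewall session table source inside 10.1.1.1 to 10.1.1.254 protocol tcp

# Constructed example: the same NAT change for an IPv6 range, limited to one virtual system.
<FW> reset firewall ipv6 session table vsys vsysa source inside 2001:db8:1::1 to 2001:db8:1::ff

# Constructed example: clear one known entry by its session ID instead of by match conditions.
<FW> reset firewall session table session-id 1234

# Avoid this form unless you intend to drop every session on the device:
# <FW> reset firewall session table
```

Each reset clears only the entries matching all of the given conditions, so combining a source range with a protocol (as in the NAT example) is narrower than either condition alone; the unconditional form in the last line is the one the Context section warns against.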

Copyright © Huawei Technologies Co., Ltd.