This section describes how to configure the status check function using the CLI.
Run the system-view command to enter the system view.
Enable the IPv4 or IPv6 status check function.
firewall session link-state [ icmp | tcp ] check
Or
firewall ipv6 session link-state [ icmpv6 | tcp ] check
The ACL used to exclude traffic from the link status check must contain rules that match both the forward and reverse directions of the traffic, so that neither direction of an excluded flow is checked.
Do not configure more than 30 rules in the ACL. Otherwise, device performance may be affected.
Do not bind an ACL created in a virtual system, or a VPN-instance-bound ACL created in the root system.
To apply the link status check function to all traffic again, run the undo firewall session link-state exclude acl or undo firewall ipv6 session link-state exclude acl6 command to unbind the ACL.
Disable the IPv4 or IPv6 status check function.
undo firewall session link-state [ icmp | tcp ] check
Or
undo firewall ipv6 session link-state [ icmpv6 | tcp ] check
After the status check function is enabled, a session is established only when the first packet of a flow passes through the FW. After the status check function is disabled, a session can also be established by a subsequent (non-first) packet, even if the first packet of the flow was never seen.
If status detection is disabled, the aging time configured for the first-fin state does not take effect for a session that has received its first FIN; the aging time of such a session remains unchanged.
Disabling the TCP status check function makes SYN flood defense in TCP proxy mode unavailable.
Run the display firewall [ ipv6 ] session link-state command to check whether the status check function is enabled.
Check whether the IPv4 status check function is enabled. In the following output, the status check function is enabled for TCP traffic, except for traffic matching ACL 3456, and is disabled for ICMP traffic.
<FW> display firewall session link-state
Current firewall session link-state:
------------------------------------
TCP check: on
ICMP check: off
Exclude acl: 3456
------------------------------------
Check whether the IPv6 status check function is enabled. In the following output, the status check function is enabled for both TCP and ICMPv6 traffic, except for traffic matching ACL 3333.
<FW> display firewall ipv6 session link-state
Current firewall ipv6 session link-state:
-----------------------------------------
TCP check: on
ICMPv6 check: on
Exclude acl: 3333
-----------------------------------------
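The display output above is easy to audit automatically when many firewalls must be checked. The following Python script is an added example, not part of the Huawei documentation or product, that parses the two display outputs shown above (copied here as constructed samples) into a structured state and flags the conditions this page warns about: TCP check switched off (which leaves SYN flood defense in TCP proxy mode unavailable) and an exclusion ACL being bound (which must stay under 30 rules and match both traffic directions). The field names it matches ("TCP check", "ICMP check", "ICMPv6 check", "Exclude acl") are taken from the output on this page; how the device prints an empty exclusion is an assumption, so the parser treats a missing line or a "-"/"none" value as no ACL bound.

```python
import re
from typing import Dict, List, Optional, Union

# Constructed samples, copied from the display examples in the documentation.
IPV4_OUTPUT = """<FW> display firewall session link-state
Current firewall session link-state:
------------------------------------
TCP check: on
ICMP check: off
Exclude acl: 3456
------------------------------------
"""

IPV6_OUTPUT = """<FW> display firewall ipv6 session link-state
Current firewall ipv6 session link-state:
-----------------------------------------
TCP check: on
ICMPv6 check: on
Exclude acl: 3333
-----------------------------------------
"""

# "key: value" lines only; the title line has nothing after its colon and is skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>\S+)\s*$")

State = Dict[str, Union[None, bool, int, str]]


def parse_link_state(output: str) -> State:
    """Turn display firewall [ ipv6 ] session link-state output into a dict."""
    state: State = {"tcp_check": None, "icmp_check": None, "exclude_acl": None}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key = m.group("key").strip().lower()
        value = m.group("value").strip().lower()
        if key == "tcp check":
            state["tcp_check"] = value == "on"
        elif key in ("icmp check", "icmpv6 check"):
            state["icmp_check"] = value == "on"
        elif key == "exclude acl":
            # Assumption: an unbound ACL is printed as "-" or "none"; otherwise
            # the number of the bound ACL (3456 / 3333 in the documented output).
            if value in ("-", "none"):
                state["exclude_acl"] = None
            else:
                state["exclude_acl"] = int(value) if value.isdigit() else value
    return state


def audit(state: State) -> List[str]:
    """Return findings a reviewer would want to see for one firewall's state."""
    findings: List[str] = []
    if state["tcp_check"] is None:
        findings.append("WARN: could not determine TCP check state from output")
    elif state["tcp_check"] is False:
        findings.append(
            "HIGH: TCP link-state check is off; sessions can be created by "
            "non-first packets and SYN flood defense in TCP proxy mode is unavailable"
        )
    if state["icmp_check"] is False:
        findings.append("INFO: ICMP/ICMPv6 link-state check is off")
    if state["exclude_acl"] is not None:
        findings.append(
            f"INFO: traffic matching ACL {state['exclude_acl']} bypasses the check; "
            "confirm the ACL has no more than 30 rules and matches both directions"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("IPv4", IPV4_OUTPUT), ("IPv6", IPV6_OUTPUT)):
        st = parse_link_state(text)
        print(label, st)
        for finding in audit(st):
            print("  ", finding)
```

Feed the script the captured output of display firewall session link-state and display firewall ipv6 session link-state from each device; a HIGH finding identifies firewalls where the TCP status check has been disabled, and the INFO lines list the exclusion ACLs that need the rule-count and bidirectional-rule review described above.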