The firewall exceeded session shutdown interface command sets the list of interfaces that need to be shut down when the usage of session entries reaches the threshold.
The undo firewall exceeded session shutdown interface command deletes the list.
firewall exceeded session shutdown interface [ interface-name | interface-type interface-number ]*&<1–16>
undo firewall exceeded session shutdown interface [ interface-name | interface-type interface-number ] *&<1–16>
| Parameter | Description | Value |
|---|---|---|
| interface { interface-name \| interface-type interface-number } | Specifies an interface. | Only physical interfaces and Eth-Trunk interfaces are supported. |
By default, no interface is in the list.
This command can be backed up to the standby device.
After automatic interface shutdown is enabled and the list of interfaces to shut down is configured, the device shuts down the corresponding interface in the list and sends alarm FWD_1.3.6.1.4.1.2011.6.122.15.3.2.1 hwSecStatSessOverThreshold when the usage of session entries on a CPU reaches the threshold. When the usage of session entries on a CPU falls below the threshold, the interface that was shut down does not recover automatically; you must start it manually. In this case, the device sends alarm FWD_1.3.6.1.4.1.2011.6.122.15.3.2.2 hwSecStatSessBelowThreshold.
After the interface is disabled, the traffic bypasses the FW and is forwarded along other links.
Run the snmp-agent session trap threshold command to set the alarm threshold.
Run the firewall exceeded session enable command to configure the device to automatically disable the interface.
To make the function take effect, run the snmp-agent trap enable command to enable the alarm function.
# Configure the device to automatically shut down GigabitEthernet 0/0/1 when the usage of session entries reaches the threshold.
<sysname> system-view
[sysname] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y
[sysname] firewall exceeded session enable
[sysname] firewall exceeded session shutdown interface GigabitEthernet 0/0/1
This operation will affect services. Shutdown interfaces must be manually started. Continue? [Y/N]:y
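Because a shut-down interface is not restored when the usage falls back below the threshold, and traffic keeps bypassing the FW until it is started again, it helps to track which listed interfaces are still down after the hwSecStatSessBelowThreshold alarm. The following is an added example, not code from the original page or from the vendor: the event line layout, the `MANUAL_START` marker, the `Eth-Trunk 1` entry and the assumption that every listed interface is shut down on an over-threshold alarm are all constructed for illustration.

```python
import re

# Trap names taken from the alarm identifiers on this page.
OVER = "hwSecStatSessOverThreshold"
BELOW = "hwSecStatSessBelowThreshold"

# Constructed event layout (assumption, not the device's log format):
#   "<timestamp> <trap-name> cpu=<id>"
#   "<timestamp> MANUAL_START <interface>"   (operator restarted the interface)
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")

def replay(lines, shutdown_list):
    """Replay events and return {interface: state} for the configured list."""
    state = {name: "up" for name in shutdown_list}
    over_cpus = set()  # CPUs whose session usage is currently over threshold
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the constructed layout
        _, event, arg = m.groups()
        if event == OVER:
            over_cpus.add(arg)
            for name in state:  # assumption: every listed interface goes down
                state[name] = "down"
        elif event == BELOW:
            over_cpus.discard(arg)
            if not over_cpus:
                for name, current in state.items():
                    if current == "down":  # no automatic recovery
                        state[name] = "down-needs-manual-start"
        elif event == "MANUAL_START" and arg in state:
            state[arg] = "up"
    return state

def needs_manual_start(state):
    """Interfaces still down although session usage has recovered."""
    return sorted(n for n, s in state.items() if s == "down-needs-manual-start")

# Constructed sample: interface names and timestamps are illustrative.
SHUTDOWN_LIST = ["GigabitEthernet 0/0/1", "Eth-Trunk 1"]
SAMPLE = [
    "2024-01-01T10:00:00 hwSecStatSessOverThreshold cpu=0",
    "2024-01-01T10:05:00 hwSecStatSessBelowThreshold cpu=0",
    "2024-01-01T10:07:00 MANUAL_START GigabitEthernet 0/0/1",
]

if __name__ == "__main__":
    print(needs_manual_start(replay(SAMPLE, SHUTDOWN_LIST)))
```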