
firewall monitor session ipv6

Function

The firewall monitor session ipv6 command enables the function of recording information such as 5-tuples and discard cause for TCP or SCTP packets as well as session creation and forcible aging information in the service flows that match IPv6 ACLs.

The undo firewall monitor session ipv6 command disables the function.

Format

firewall monitor session ipv6 acl acl-number

undo firewall monitor session ipv6

Parameters

Parameter: acl-number

Description: Indicates the number of an ACL.

Value: The value is an integer ranging from 3000 to 3999.

Views

System view

Default Level

3: Management level

Usage Guidelines

By default, this function is disabled.

This command is supported since V600R007C20SPC500.

Application Scenario

After the firewall monitor session ipv6 command is run, the system records information such as 5-tuples, discard cause, session creation, and forcible aging for TCP or SCTP packets in the service flows that match IPv6 ACLs. Take TCP as an example. The system records TCP connection establishment packets (namely the three-way handshake packets: SYN, SYN_ACK, and the first ACK) and TCP connection release packets (FIN or RST) of a flow. In addition, the system records the packets discarded in this flow and the reason why they were discarded, as well as session creation and forcible aging information. Service flow monitoring information can be viewed in the following ways:
  • Run the display firewall monitor session ipv6 command.

    This method displays at most 2048 information entries.

  • View log file sess_mon_ipv6.log.

    Log file sess_mon_ipv6.log is generated once the number of information entries shown by the display firewall monitor session ipv6 command exceeds 2000. The system stores those 2000 entries in log file sess_mon_ipv6.log and clears the statistics shown by the display firewall monitor session ipv6 command. The sess_mon_ipv6.log file is at most 10 MB and can hold around 60,000 information entries. The storage path of the sess_mon_ipv6.log file is as follows:

    hda1:/monlog/sess_mon_ipv6.log

  • View compressed log file sess_mon_ipv6.log.zip.

    sess_mon_ipv6.log.zip is generated once the size of sess_mon_ipv6.log exceeds 10 MB. The system dumps the 10 MB of log information into sess_mon_ipv6.log.zip and clears the records in sess_mon_ipv6.log after the dump succeeds. When the size of sess_mon_ipv6.log reaches 10 MB again, the newly compressed information overwrites the information compressed previously, so only the most recent dump is retained on the device. The storage path of compressed log file sess_mon_ipv6.log.zip is as follows:

    hda1:/monlog/sess_mon_ipv6.log.zip
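    The three storage tiers above (display buffer, sess_mon_ipv6.log, sess_mon_ipv6.log.zip) form a rotation in which the zip is overwritten on every dump, so an operator who needs a complete monitoring history must copy the zip off the device before the next dump. The following Python model is an added example, not Huawei's code: it takes the thresholds from this page (2000-entry flush to the log, 10 MB log cap, roughly 60,000 entries per full log, zip overwritten on each dump), derives an assumed average entry size from those figures, and feeds a constructed stream of records through the pipeline to compute the data-loss period and the longest safe collection interval. The 62,000-entry dump point it reports is a consequence of modelling the flush in 2000-entry chunks against the byte cap, not a figure from the page.

```python
"""Model of the sess_mon_ipv6 record pipeline this page describes.

Added example; it is not Huawei's code. The thresholds (2000-entry flush to
sess_mon_ipv6.log, 10 MB log cap, roughly 60,000 entries per full log, zip
overwritten on every dump) come from the page. The per-entry byte size is an
assumption derived from those figures, and the record stream is constructed.
"""
from dataclasses import dataclass

DISPLAY_FLUSH_THRESHOLD = 2000            # page: log is written once the display count exceeds 2000
LOG_MAX_BYTES = 10 * 1024 * 1024          # page: sess_mon_ipv6.log is at most 10 MB
ENTRIES_PER_FULL_LOG = 60_000             # page: a 10 MB log holds around 60,000 entries
AVG_ENTRY_BYTES = LOG_MAX_BYTES // ENTRIES_PER_FULL_LOG   # assumption: ~174 bytes per entry


@dataclass
class MonitorStore:
    """Three tiers: display buffer -> sess_mon_ipv6.log -> sess_mon_ipv6.log.zip."""
    display_entries: int = 0        # what `display firewall monitor session ipv6` would show
    log_entries: int = 0            # entries in hda1:/monlog/sess_mon_ipv6.log
    log_bytes: int = 0
    zip_entries: int = 0            # entries in hda1:/monlog/sess_mon_ipv6.log.zip (0 = none yet)
    zip_generations: int = 0        # number of times the zip has been written
    overwritten_entries: int = 0    # entries lost because a later dump replaced the zip

    def record(self) -> None:
        """One new 5-tuple / discard / session record arriving from the monitor."""
        self.display_entries += 1
        if self.display_entries > DISPLAY_FLUSH_THRESHOLD:
            self._flush_display_to_log()

    def _flush_display_to_log(self) -> None:
        # Page: the 2000 entries are stored in the log and the display statistics cleared.
        self.display_entries -= DISPLAY_FLUSH_THRESHOLD
        self.log_entries += DISPLAY_FLUSH_THRESHOLD
        self.log_bytes += DISPLAY_FLUSH_THRESHOLD * AVG_ENTRY_BYTES
        if self.log_bytes > LOG_MAX_BYTES:
            self._dump_log_to_zip()

    def _dump_log_to_zip(self) -> None:
        # Page: the log is compressed into the zip, replacing the previous zip,
        # and the log is cleared once the dump succeeds.
        if self.zip_generations > 0:
            self.overwritten_entries += self.zip_entries
        self.zip_entries = self.log_entries
        self.zip_generations += 1
        self.log_entries = 0
        self.log_bytes = 0


def simulate(total_entries: int) -> MonitorStore:
    """Feed a constructed stream of `total_entries` records through the pipeline."""
    store = MonitorStore()
    for _ in range(total_entries):
        store.record()
    return store


def entries_between_zip_overwrites() -> int:
    """Records arriving between one zip dump and the next: the data-loss period."""
    store = MonitorStore()
    count = first = 0
    while store.zip_generations < 2:
        store.record()
        count += 1
        if store.zip_generations == 1 and first == 0:
            first = count
    return count - first


def max_collection_interval_seconds(entries_per_second: float) -> float:
    """Longest polling interval for copying the zip off-box without losing a generation."""
    return entries_between_zip_overwrites() / entries_per_second


def max_entries_on_device() -> int:
    """Peak number of records recoverable from all three tiers at any instant."""
    store, peak = MonitorStore(), 0
    while store.zip_generations < 2:
        store.record()
        peak = max(peak, store.display_entries + store.log_entries + store.zip_entries)
    return peak


if __name__ == "__main__":
    s = simulate(124_001)
    print(f"zip generations={s.zip_generations}, records lost={s.overwritten_entries}")
    print(f"at 100 records/s, copy the zip off-box at least every "
          f"{max_collection_interval_seconds(100):.0f} s")
```

The practical reading of the model: the device never holds more than about two log generations of history, so the monitoring record is only complete if the zip is exported more often than the log fills at the observed record rate.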

Precautions

After you enable this function, ACL matching is performed on connection establishment and termination packets, which affects performance. The performance impact grows with the number of referenced ACL rules. Do not enable this function when the number of referenced ACL rules exceeds 10 or the CPU usage exceeds 70%.

Example

# Enable the function of recording IPv6 ACL-matching service flow information.

<sysname> system-view
[sysname] firewall monitor session ipv6 acl 3001
Copyright © Huawei Technologies Co., Ltd.