< Home

firewall reverse-session miss-ack rate-limit

Function

The firewall reverse-session miss-ack rate-limit command limits the rate of SYN-ACK packets that do not match any session.

undo firewall reverse-session miss-ack rate-limit command restores the maximum rate to the default value (500000).

Format

firewall reverse-session miss-ack rate-limit rate-limit

undo firewall reverse-session miss-ack rate-limit

Parameters

Parameter Description Value
rate-limit rate-limit Specifies the maximum rate. The value is an integer ranging from 1 to 4000000, in pps. The default value is 500000.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this command.

After receiving SYN-ACK packets, the FW searches sessions for the packets. If the FW does not find matching sessions, it discards the packets. If there are many such packets, the CPU usage of the FW may be high. To protect the FW, you can set the maximum rate for such packets.

The firewall reverse-session miss-ack rate-limit command takes effect only when link stateful inspection is enabled for TCP.

Example

# Set the maximum rate of SYN-ACK packets that do not match any session to 300000 pps.

<sysname> system-view
[sysname] firewall reverse-session miss-ack rate-limit 300000
Parent Topic: Status Check and Packet Processing Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >