The firewall session aging-time command sets the aging time of the session table.
The undo firewall session aging-time command restores the default configuration.
firewall session aging-time { service-set session-type aging-time | default | sa-block { tcp | udp } aging-time }
undo firewall session aging-time { service-set session-type | sa-block { tcp | udp } }
| Parameter | Description | Value |
|---|---|---|
| session-type | Specifies the type of a session. | For details on the values, see Table 1. |
| aging-time | Specifies the aging time of a session. | It is an integer, expressed in seconds. The value range of the aging time depends on the session type. For details, see Table 1. |
| default | Restores the aging time of all types of sessions to the default setting. | - |
| sa-block | Indicates the session blocked by policies. | For details, see firewall session aging-time sa-block. |
The default UDP session aging time applies to sessions of unknown protocols that the FW fails to identify. To set a dedicated aging time for such sessions, run the ip service-set command to define a service set that matches the protocol, reference that service set with the firewall session aging-time service-set command, and set the aging time there.
If a user-defined service set uses the same port as a predefined service set, session entries use the aging time of the predefined service set.
Table 1 shows the default aging time and related value range for various types of sessions in the session table.
| Session Type | Value Range (Second) | Default Aging Time (Second) | Port |
|---|---|---|---|
| ah | 1~65535 | 600 | 51 |
| dns | 1~65535 | 30 | UDP/53 |
| esp | 1~65535 | 600 | 50 |
| fin-rst | 1~65535 | 10 | – |
| first-fin (NOTE: If status detection is disabled, the aging time configured for first-fin does not take effect for the first-fin session; the aging time of the first-fin session remains unchanged.) | 1~65535 | 900 | – |
| fragment (NOTE: fragment needs to be configured only in the root system. The configuration takes effect in both root and virtual systems.) | 1~65535 | 5 | – |
| ftp | 1~65535 | 1200 | TCP/21 |
| ftp-data | 1~65535 | 240 | TCP/20 |
| gre | 1~65535 | 600 | 47 |
| h225 | 1~65535 | 10800 | TCP/1720 |
| h245 | 1~65535 | 10800 | – |
| h323-rtcp | 1~65535 | 120 | – |
| h323-rtp | 1~65535 | 120 | – |
| h323-t120 | 1~65535 | 10800 | – |
| http | 1~65535 | 1200 | TCP/80 |
| hwcc | 1~65535 | 120 | UDP/10000 |
| icmp | 1~65535 | 20 | – |
| ils | 1~65535 | 1200 | TCP/1002 or 389 |
| imap | 1~65535 | 120 | TCP/143 |
| mgcp | 1~65535 | 120 | UDP/2727 |
| mms | 1~65535 | 600 | TCP/1755 |
| mms-rtcp | 1~65535 | 120 | – |
| mms-rtp | 1~65535 | 240 | – |
| msn | 1~65535 | 600 | TCP/1863 |
| netbios-session | 1~65535 | 120 | TCP/139 |
| pop3 | 1~65535 | 120 | TCP/110 |
| pptp | 1~65535 | 1200 | TCP/1723 |
| | 1~65535 | 600 | UDP/8000 |
| ras | 1~65535 | 600 | UDP/1719 |
| rpc | 1~65535 | 600 | TCP or UDP/135 |
| rsh | 1~65535 | 120 | TCP/514 |
| rsh-data | 1~65535 | 240 | – |
| rtsp | 1~65535 | 1200 | TCP or UDP/554 |
| rtsp-rtcp | 1~65535 | 120 | – |
| rtsp-rtp | 1~65535 | 120 | – |
| sctp | 1~65535 | 600 | – |
| sctp-close | 1~65535 | 10 | – |
| sctp-init | 1~65535 | 5 | – |
| multihome | 1~65535 | 30 | – |
| sip | 1~65535 | 600 | TCP or UDP/5060 |
| sip-rtcp | 1~65535 | 120 | – |
| sip-rtp | 1~65535 | 120 | – |
| smtp | 1~65535 | 1200 | TCP/25 |
| sqlnet (NOTE: An SQL-NET session is a persistent connection session. When the number of persistent connection sessions reaches the maximum value (1/3 of the total number of sessions), the aging time of the SQL-NET session is equal to the aging time of TCP until the number of persistent connection sessions falls below the maximum value.) | 1~65535 | 14400 | TCP/1521 |
| sqlnet-data | 1~65535 | 14400 | – |
| syn | 1~65535 | 5 | – |
| tcp | 1~65535 | 1200 | – |
| telnet | 1~65535 | 1200 | TCP/23 |
| udp | 1~65535 | 120 | – |
| qq-derived | 1~65535 | 120 | – |
| msn-stun | 1~65535 | 600 | UDP/3478 |
| diameter | 1~65535 | 1200 | TCP/3868 |
| msn-audio | 1~65535 | 600 | UDP/7001 |
| msn-discard | 1~65535 | 600 | UDP/9 |
| tftp | 1~65535 | 120 | UDP/69 |
| gtpv0 | 1~65535 | 3600 | UDP/3386 |
| gtpc | 1~65535 | 3600 | UDP/2123 |
| gtpu | 1~65535 | 3600 | UDP/2152 |
| pptp-gre | 1~65535 | 600 | – |
| msn-derived | 1~65535 | 120 | – |
| sccp | 1~65535 | 1200 | TCP/2000 |
| sccp-rtp | 1~65535 | 120 | – |
| radius | 1~65535 | 120 | UDP/1812 |
| radius-accounting | 1~65535 | 120 | UDP/1813 |
| stun-derived | 1~65535 | 600 | – |
| https | 1~65535 | 600 | TCP/443 |
| ssh | 1~65535 | 1200 | TCP/22 |
| l2tp | 1~65535 | 120 | UDP/1701 |
| dns-tcp | 1~65535 | 1200 | TCP/53 |
| p2p | 1~65535 | 120 | – |
| icmpv6 | 1~65535 | 45 | – |
| bootps | 1~65535 | 120 | UDP/67 |
| discard-udp | 1~65535 | 120 | UDP/9 |
| dnsix | 1~65535 | 120 | UDP/90 |
| echo-udp | 1~65535 | 120 | UDP/7 |
| mobileip-ag | 1~65535 | 120 | UDP/434 |
| mobileip-mn | 1~65535 | 120 | UDP/435 |
| nameserver | 1~65535 | 120 | UDP/42 |
| netbios-datagram | 1~65535 | 120 | UDP/138 |
| netbios-name | 1~65535 | 120 | UDP/137 |
| netbios-ssn | 1~65535 | 120 | UDP/139 |
| ntp | 1~65535 | 120 | UDP/123 |
| rip | 1~65535 | 120 | UDP/520 |
| snmp | 1~65535 | 120 | UDP/161 |
| snmptrap | 1~65535 | 120 | UDP/162 |
| sunrpc-udp | 1~65535 | 120 | UDP/111 |
| syslog | 1~65535 | 120 | UDP/514 |
| tacacs-ds | 1~65535 | 120 | UDP/65 |
| talk-udp | 1~65535 | 120 | UDP/517 |
| time-udp | 1~65535 | 120 | UDP/37 |
| who | 1~65535 | 120 | UDP/513 |
| xdmcp | 1~65535 | 120 | UDP/177 |
| h323 | 1~65535 | 120 | TCP/1719 |
| ad | 1~65535 | 120 | UDP/1773 |
| portalserver | 1~65535 | 120 | UDP/62314 |
| bgp | 1~65535 | 1200 | TCP/179 |
| chargen | 1~65535 | 1200 | TCP/19 |
| daytime | 1~65535 | 1200 | TCP/13 |
| discard-tcp | 1~65535 | 1200 | TCP/9 |
| echo-tcp | 1~65535 | 1200 | TCP/7 |
| exec | 1~65535 | 1200 | TCP/512 |
| finger | 1~65535 | 1200 | TCP/79 |
| gopher | 1~65535 | 1200 | TCP/70 |
| hostname | 1~65535 | 1200 | TCP/101 |
| irc | 1~65535 | 1200 | TCP/194 |
| klogin | 1~65535 | 1200 | TCP/543 |
| kshell | 1~65535 | 1200 | TCP/544 |
| login | 1~65535 | 1200 | TCP/513 |
| lpd | 1~65535 | 1200 | TCP/515 |
| nntp | 1~65535 | 1200 | TCP/119 |
| pop2 | 1~65535 | 1200 | TCP/109 |
| sunrpc-tcp | 1~65535 | 1200 | TCP/111 |
| tacacs | 1~65535 | 1200 | TCP/49 |
| talk-tcp | 1~65535 | 1200 | TCP/517 |
| time-tcp | 1~65535 | 1200 | TCP/37 |
| uucp | 1~65535 | 1200 | TCP/540 |
| whois | 1~65535 | 1200 | TCP/43 |
| biff | 1~65535 | 120 | UDP/512 |
| bootpc | 1~65535 | 120 | UDP/68 |
```
# Set the aging time of the TCP session table to 600 seconds.
<sysname> system-view
[sysname] firewall session aging-time service-set tcp 600
```
```
# Set the aging time of the unknown protocol (protocol number: 200) to 120 seconds.
<sysname> system-view
[sysname] ip service-set abc type object
[sysname-object-service-set-abc] service 0 protocol 200
[sysname-object-service-set-abc] quit
[sysname] firewall session aging-time service-set abc 120
[sysname] display firewall session aging-time
Sequence  user-defined  vsys-name  Timeout(s)
--------------------------------------------------------------------------------
1         abc           public     120(s)
--------------------------------------------------------------------------------
Sequence  Pre-defined   Default-Time(s)  Timeout(s)
--------------------------------------------------------------------------
1         tcp           1200 (s)         1200 (s)
2         udp           120 (s)          120 (s)
3         icmp          20 (s)           20 (s)
4         fin-rst       10 (s)           10 (s)
5         first-fin     900 (s)          900 (s)
6         fragment      5 (s)            5 (s)
7         syn           5 (s)            5 (s)
8         ah            600 (s)          600 (s)
9         gre           600 (s)          600 (s)
10        esp           600 (s)          600 (s)
11        sctp          600 (s)          600 (s)
12        sctp-init     5 (s)            5 (s)
13        sctp-close    10 (s)           10 (s)
14        multihome     30 (s)           30 (s)
15        http          1200 (s)         1200 (s)
16        dns           30 (s)           30 (s)
17        ftp           1200 (s)         1200 (s)
18        ras           600 (s)          600 (s)
```
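As an added example (not part of this page or any vendor tooling), the following Python script parses the output format of display firewall session aging-time shown above and flags predefined session types whose timeout has been changed from the default, or raised far above it, which is useful for catching configuration drift that keeps stale entries in the session table longer. The sample output is constructed, and the `max_factor` drift threshold is an assumption.

```python
import re

# Constructed sample modelled on this page's "display firewall session aging-time"
# output; it is not captured from a real device. tcp and syn are deliberately
# changed from their Table 1 defaults so that the drift check has something to find.
SAMPLE_OUTPUT = """\
Sequence  user-defined  vsys-name  Timeout(s)
--------------------------------------------------------------------------------
1         abc           public     120(s)
--------------------------------------------------------------------------------
Sequence  Pre-defined   Default-Time(s)  Timeout(s)
--------------------------------------------------------------------------
1         tcp           1200 (s)         7200 (s)
2         udp           120 (s)          120 (s)
3         icmp          20 (s)           20 (s)
4         syn           5 (s)            8 (s)
"""

# "<seq> <name> <default> (s) <timeout> (s)"
PREDEF_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\d+)\s*\(s\)\s+(\d+)\s*\(s\)\s*$")
# "<seq> <name> <vsys> <timeout>(s)"
USERDEF_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\d+)\s*\(s\)\s*$")


def parse_aging_table(text):
    """Return ({predefined: (default, timeout)}, {user_defined: (vsys, timeout)})."""
    predefined, user_defined = {}, {}
    section = None
    for line in text.splitlines():
        if line.startswith("Sequence"):          # column header opens a section
            section = "pre" if "Pre-defined" in line else "user"
            continue
        m = (PREDEF_RE if section == "pre" else USERDEF_RE).match(line)
        if not m:                                # separators and blank lines
            continue
        if section == "pre":
            predefined[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        else:
            user_defined[m.group(1)] = (m.group(2), int(m.group(3)))
    return predefined, user_defined


def find_drift(predefined, max_factor=2):
    """changed: types whose timeout differs from the default;
    oversized: those raised above max_factor * default (assumed threshold)."""
    changed = {n: (d, t) for n, (d, t) in predefined.items() if t != d}
    oversized = {n for n, (d, t) in changed.items() if t > d * max_factor}
    return changed, oversized


if __name__ == "__main__":
    pre, user = parse_aging_table(SAMPLE_OUTPUT)
    print("user-defined:", user)
    print("drift:", find_drift(pre))
```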