The firewall session aging-time sa-block command sets the aging time for the sessions that are already blocked by policies.
The undo firewall session aging-time sa-block command restores the aging time for the sessions that are already blocked by policies to the default value.
```
firewall session aging-time sa-block { tcp | udp } aging-time
undo firewall session aging-time sa-block { tcp | udp }
```
| Parameter | Description | Value |
|---|---|---|
| tcp | Indicates the TCP protocol. | - |
| udp | Indicates the UDP protocol. | - |
| aging-time | Indicates the aging time of the session blocked by policies. | The value is an integer ranging from 1 to 65535, in seconds. |
Once a packet matches an application-based security policy whose action is block, the session is not aged immediately but is retained for a while. This is because the FW identifies application protocols from the initial packets of each data flow. If the blocked session were aged out, subsequent packets of the same flow would create a new session, and since the FW may be unable to identify the application protocol from those subsequent packets, it would fail to block the data flow.
By default, blocked TCP and UDP sessions are aged after 120 seconds. For applications that keep sending packets after the FW has blocked the traffic, run the firewall session aging-time sa-block command to adjust the aging time.
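The following added example (not Huawei's code) models the behaviour the two paragraphs above describe: a blocked session keyed on the flow identifier, aged out after `aging_time` seconds of silence, and a flow whose application can only be identified from its first packet. It also builds the command line with the documented 1 to 65535 second range check. The application name, the 5-tuple and the packet timings are constructed sample values.

```python
"""Model of how the sa-block aging time affects a policy-blocked flow.

Added example, not part of the Huawei documentation. Assumptions: a session
is keyed on the flow 5-tuple, the application is identified only from the
flow's initial packet (later packets carry no identifiable application),
and a blocked session disappears once no packet has been seen for
``aging_time`` seconds.
"""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_SA_BLOCK_AGING = 120          # default aging time stated on the page
BLOCKED_APPS = {"example-p2p"}        # constructed application name blocked by policy


def sa_block_command(proto: str, aging_time: int) -> str:
    """Build the CLI line and enforce the documented value range (1..65535 s)."""
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be 'tcp' or 'udp'")
    if not isinstance(aging_time, int) or not 1 <= aging_time <= 65535:
        raise ValueError("aging-time must be an integer from 1 to 65535 seconds")
    return f"firewall session aging-time sa-block {proto} {aging_time}"


@dataclass
class BlockedSession:
    key: tuple
    last_seen: int


@dataclass
class SessionTable:
    aging_time: int = DEFAULT_SA_BLOCK_AGING
    sessions: dict = field(default_factory=dict)

    def _age_out(self, now: int) -> None:
        # Drop every blocked session idle for at least aging_time seconds.
        expired = [k for k, s in self.sessions.items()
                   if now - s.last_seen >= self.aging_time]
        for k in expired:
            del self.sessions[k]

    def handle(self, key: tuple, now: int, app: Optional[str]) -> str:
        """Return the verdict for one packet: 'drop' or 'pass'.

        ``app`` is the application the FW can identify from this packet,
        or None when identification is impossible (non-initial packets).
        """
        self._age_out(now)
        sess = self.sessions.get(key)
        if sess is not None:
            sess.last_seen = now           # refresh the blocked session
            return "drop"
        if app in BLOCKED_APPS:
            self.sessions[key] = BlockedSession(key, now)
            return "drop"
        return "pass"                      # unidentified flow, no policy hit


# Constructed flow: one initial packet that reveals the application, then
# later packets of the same flow that cannot be identified on their own.
FLOW_KEY = ("10.0.0.5", 51000, "203.0.113.9", 6881, "tcp")
PACKETS = [(0, "example-p2p"), (90, None), (240, None)]


def simulate(aging_time: int, packets=PACKETS) -> list:
    """Run the constructed flow through a session table with the given aging time."""
    table = SessionTable(aging_time=aging_time)
    return [table.handle(FLOW_KEY, t, app) for t, app in packets]


if __name__ == "__main__":
    # With the default 120 s, the 150 s gap before the third packet ages the
    # blocked session out and that packet slips through as a new, unidentified flow.
    print(DEFAULT_SA_BLOCK_AGING, simulate(DEFAULT_SA_BLOCK_AGING))
    # A longer sa-block aging time keeps the blocked session alive across the gap.
    print(300, simulate(300), sa_block_command("tcp", 300))
```

The third packet arrives 150 seconds after the second; at the 120 second default the blocked session has already been removed, so the packet opens a fresh session with no identifiable application and passes, which is exactly the leak the command exists to prevent. Raising the aging time above the application's longest silent interval keeps the flow matched to the blocked session.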