
firewall session link-state check

Function

The firewall session link-state check command configures the link status check function.

The undo firewall session link-state check command disables the link status check function.

Format

firewall session link-state [ icmp | tcp ] check

undo firewall session link-state [ icmp | tcp ] check

firewall ipv6 session link-state [ icmpv6 | tcp ] check

undo firewall ipv6 session link-state [ icmpv6 | tcp ] check

Parameters

Parameter   Description                  Value
icmp        Indicates the ICMP flow.     -
tcp         Indicates the TCP flow.      -
icmpv6      Indicates the ICMPv6 flow.   -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the link status check function is enabled. The firewall session link-state check command enables the link status check function on subsequent ICMP or TCP packets; the check requires the incoming and outgoing paths of a flow to be consistent.

You can specify the ICMP flow or TCP flow for the system to enable or disable the link status check function on the specified flow. This does not affect the other flow.

If the link status check does not need to be performed on specific traffic, create an advanced ACL and run the firewall session link-state exclude acl acl-number or firewall ipv6 session link-state exclude acl6 acl-number command to reference the ACL.

Rules must be configured in the ACL to ensure that the link status check function is excluded from both forward and reverse traffic.

Do not configure more than 30 rules in an ACL. Otherwise, device performance may be affected.

Do not bind an ACL created in a virtual system, or a VPN-instance-bound ACL created in the root system.

To enable the link status check function on all traffic, run the undo firewall session link-state exclude acl or undo firewall ipv6 session link-state exclude acl6 command to unbind the ACL.

Disable stateful inspection if the forward and return paths of packets are different. If you disable stateful inspection, do not use TCP proxy to defend against SYN flood attacks, and do not perform SMTP/POP3/IMAP mail filtering, content filtering, or antivirus.

Table 1 lists the impacts of enabling or disabling the link status check function on TCP and ICMP session creation.

Table 1 Session establishment against received packets

Protocol   Received Packet              Link Status Check Enabled                          Link Status Check Disabled
TCP        SYN packets                  Session is established, packets are forwarded.      Session is established, packets are forwarded.
TCP        SYN+ACK and ACK packets      No session is established, packets are discarded.   Session is established, packets are forwarded.
ICMP       Ping echo request packets    Session is established, packets are forwarded.      Session is established, packets are forwarded.
ICMP       Ping echo reply packets      No session is established, packets are discarded.   Session is established, packets are forwarded.
ICMP       Other ICMP packets           No session is established, packets are forwarded.   No session is established, packets are forwarded.
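The following Python model is an added illustration of the decision logic in Table 1 and of the per-flow toggle and exclude ACL described in the usage guidelines; it is not Huawei code, and the ACL representation (a list of source/destination network pairs) and all addresses are constructed for the example. It shows why an ACL that permits only the forward direction still leaves a returning SYN+ACK to be discarded when the reverse path reaches this device without a session.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    proto: str                           # "tcp" or "icmp"
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()   # e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: str = ""                  # "echo-request", "echo-reply" or "other"

@dataclass
class LinkStateConfig:
    tcp_check: bool = True    # "firewall session link-state tcp check" (on by default)
    icmp_check: bool = True   # "firewall session link-state icmp check" (on by default)
    # Constructed stand-in for the exclude ACL: a list of (src_net, dst_net) rules
    exclude_acl: list = field(default_factory=list)

    def excluded(self, pkt: Packet) -> bool:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        return any(src in ip_network(s) and dst in ip_network(d)
                   for s, d in self.exclude_acl)

def first_packet_decision(pkt: Packet, cfg: LinkStateConfig) -> tuple[bool, str]:
    """Decide (session_created, action) for a packet that matches no session (Table 1)."""
    if pkt.proto == "tcp":
        check = cfg.tcp_check and not cfg.excluded(pkt)
        if "SYN" in pkt.tcp_flags and "ACK" not in pkt.tcp_flags:
            return True, "forward"        # a new connection always creates a session
        # SYN+ACK or ACK with no session: the forward path bypassed this device
        return (False, "discard") if check else (True, "forward")
    if pkt.proto == "icmp":
        check = cfg.icmp_check and not cfg.excluded(pkt)
        if pkt.icmp_type == "echo-request":
            return True, "forward"
        if pkt.icmp_type == "echo-reply":
            return (False, "discard") if check else (True, "forward")
        return False, "forward"           # other ICMP: forwarded, never a session
    raise ValueError(f"unsupported protocol {pkt.proto!r}")

def main():  # asymmetric return path, then an ACL that covers only one direction
    reply = Packet("tcp", "192.0.2.10", "10.0.0.7", frozenset({"SYN", "ACK"}))
    print(first_packet_decision(reply, LinkStateConfig()))  # (False, 'discard')
    one_way = LinkStateConfig(exclude_acl=[("10.0.0.0/24", "192.0.2.0/24")])
    print(first_packet_decision(reply, one_way))            # (False, 'discard')
    one_way.exclude_acl.append(("192.0.2.0/24", "10.0.0.0/24"))  # reverse rule
    print(first_packet_decision(reply, one_way))            # (True, 'forward')

if __name__ == "__main__":
    main()
```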

Example

# Enable the link status check function. Then the system performs link status checks on ICMP and TCP flows.

<FW> system-view
[FW] firewall session link-state check

# Disable the link status check function on the ICMP flow.

[FW] undo firewall session link-state icmp check

# Disable the link status check function. Then the system does not check the validity of the link status.

[FW] undo firewall session link-state check
Copyright © Huawei Technologies Co., Ltd.