firewall session link-state exclude
Function
The firewall session link-state exclude command excludes the traffic that matches a specific ACL from the link status check.
The undo firewall session link-state exclude command cancels the binding between the link status check and ACL.
Format
firewall session link-state exclude acl acl-number
undo firewall session link-state exclude acl
firewall ipv6 session link-state exclude acl6 acl-number
undo firewall ipv6 session link-state exclude acl6
Parameters
| Parameter | Description | Value |
|---|---|---|
exclude |
Excludes specific traffic from the link status check. |
- |
acl acl-number |
Specifies an IPv4-based advanced ACL. |
The value is an integer ranging from 3000 to 3999. |
acl6 acl-number |
Specifies an IPv6-based advanced ACL. |
The value is an integer ranging from 3000 to 3999. |
Usage Guidelines
By default, no ACL is bound to the link status check function. That is, the link status check function is performed on all ICMP/TCP traffic when the function is enabled.
Rules must be configured in the ACL to ensure that the link status check function is excluded from both forward and reverse traffic.
Do not configure over 30 rules in an ACL. Otherwise, the device performance may be affected.
Do not bind the ACL created in the virtual system or VPN instance-bound ACL created in the root system.
To enable the link status check function on all traffic, run the undo firewall session link-state exclude acl or undo firewall ipv6 session link-state exclude acl6 command to unbind the ACL.
Example
# Enable the link status check function on ICMP traffic, excluding the traffic whose source address is 10.1.1.1 and destination address is 10.2.1.1.
<FW> system-view [FW] acl 3001 [FW-acl-adv-3001] rule permit icmp source 10.1.1.1 0.0.0.255 destination 10.2.1.1 0.0.0.255 [FW-acl-adv-3001] rule permit icmp source 10.2.1.1 0.0.0.255 destination 10.1.1.1 0.0.0.255 [FW-acl-adv-3001] quit [FW] firewall session link-state icmp check [FW] firewall session link-state exclude acl 3001