send-deny-packet rate-limit

Function

The send-deny-packet rate-limit command configures rate limiting on feedback packets. When the rate of sent feedback packets exceeds the specified maximum rate, feedback packets are no longer sent.

The undo send-deny-packet rate-limit command restores the default configuration.

Format

send-deny-packet { reset | icmp } rate-limit rate-limit

undo send-deny-packet { reset | icmp } rate-limit

Parameters

Parameter	Description	Value
reset	Indicates reset feedback packets.	-
icmp	Indicates ICMP unreachable packets.	-
rate-limit rate-limit	Specifies the limited rate.	The value is an integer, in packets per second. For ICMP unreachable packets, the default value is 100 packets per second, and the value ranges from 1 to 65535. For reset packets, the default value is 1000 packets per second, and the value ranges from 1 to MAX. For the MAX specification, see USG6510E/6510E-POE/6530E: 15000 USG6515E: 15000 USG6550E/6560E/6580E: 40000 USG6525E: 15000 USG6555E/6565E/6575E-B/6585E/6605E-B: 40000 USG6630E/6650E: 200000 USG6635E/6655E/USG6680E and USG6712E/6716E: 200000 USG6615E/6610E/6620E: 150000 USG6625E: 200000

Parameter

Description

Value

reset

Indicates reset feedback packets.

icmp

Indicates ICMP unreachable packets.

rate-limit rate-limit

Specifies the limited rate.

The value is an integer, in packets per second.

For ICMP unreachable packets, the default value is 100 packets per second, and the value ranges from 1 to 65535.
For reset packets, the default value is 1000 packets per second, and the value ranges from 1 to MAX. For the MAX specification, see
- USG6510E/6510E-POE/6530E: 15000
- USG6515E: 15000
- USG6550E/6560E/6580E: 40000
- USG6525E: 15000
- USG6555E/6565E/6575E-B/6585E/6605E-B: 40000
- USG6630E/6650E: 200000
- USG6635E/6655E/USG6680E and USG6712E/6716E: 200000
- USG6615E/6610E/6620E: 150000
- USG6625E: 200000

Views

Security policy view

Default Level

2: Configuration level

Usage Guidelines

If the FW has the send-deny-packet command configured, and the security policy action matched by a packet is deny, the FW sends a feedback packet based on the packet type. When the FW is under attack, to prevent the impact of continuously sending a large number of feedback packets on the device performance, run the send-deny-packet rate-limit command to limit the rate of feedback packets. If the rate of feedback packets exceeds the specified maximum value, the FW stops sending feedback packets.

Example

# Set the limit on the rate of ICMP unreachable packets to 1500 packets per second.

<sysname> system-view
[sysname] security-policy
[sysname-policy-security] send-deny-packet icmp rate-limit 1500