
send-deny-packet

Function

The send-deny-packet command configures the sending of feedback packets when a security policy blocks TCP/UDP/ICMP traffic.

The undo send-deny-packet command cancels the preceding configuration.

Format

send-deny-packet { reset { to-client | to-server }* | icmp destination-unreachable }

undo send-deny-packet { reset { to-client | to-server }* | icmp destination-unreachable }

Parameters

Parameter                Description                                                         Value
reset                    Indicates the TCP reset packet.                                     -
to-client                Sends the reset packet to the TCP connection initiator (client).    -
to-server                Sends the reset packet to the TCP connection responder (server).    -
icmp                     Indicates the ICMP error packet.                                    -
destination-unreachable  Indicates the returned ICMP destination-unreachable packet.         -

Views

Security policy rule view

Default Level

2: Configuration level

Usage Guidelines

This command takes effect only when the action of the policy rule, set with the action command, is deny.

If the security policy matched by a packet has the action deny, the FW discards the packet. If send-deny-packet is also configured in that rule, the FW sends feedback packets according to the protocol of the discarded packet:
  • For TCP packets, run send-deny-packet reset { to-client | to-server }* to send TCP reset packets to the TCP client, to the server, or to both.
  • For UDP and ICMP packets, run send-deny-packet icmp destination-unreachable to send an ICMP destination-unreachable packet to the client.

The FW sends no feedback packets when the blocked traffic is cross-virtual-system traffic, traffic processed by NAT64, VPN-encapsulated traffic, or TCP proxy traffic.

Example

# Configure the FW to send TCP reset packets to the TCP client when rule policy_sec denies traffic.

<sysname> system-view
[sysname] security-policy
[sysname-policy-security] rule name policy_sec
[sysname-policy-security-rule-policy_sec] send-deny-packet reset to-client
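
The following Python model is an added example for this page, not Huawei code and not the FW implementation. It parses the send-deny-packet / undo send-deny-packet syntax from the Format section into per-rule state, and then derives, for a packet hit by a deny rule, which feedback packets the Usage Guidelines say are sent: TCP resets towards the client and/or server, an ICMP destination-unreachable towards the client for UDP/ICMP, and nothing for permit rules or for the cross-VSYS, NAT64, VPN-encapsulated and TCP proxy cases. The Packet and DenyFeedback types, the fw_addr source address used for the ICMP error, the address/port layout of the generated resets, and the sample addresses are all constructed assumptions; TCP sequence numbers are not modelled.

```python
"""Simplified model of send-deny-packet behaviour (added example, not Huawei code)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"RST"}
    icmp_type: str = ""             # set on generated ICMP error packets


@dataclass(frozen=True)
class DenyFeedback:
    """Per-rule state set by send-deny-packet / undo send-deny-packet."""
    reset_to_client: bool = False
    reset_to_server: bool = False
    icmp_unreachable: bool = False


def apply_cli(line: str, cfg: DenyFeedback = DenyFeedback()) -> DenyFeedback:
    """Apply one (undo) send-deny-packet line to cfg, following the Format section."""
    words = line.split()
    enable = True
    if words[:1] == ["undo"]:
        enable = False
        words = words[1:]
    if words[:1] != ["send-deny-packet"]:
        raise ValueError(f"not a send-deny-packet command: {line!r}")
    args = words[1:]
    if args[:1] == ["reset"]:
        targets = args[1:]            # { to-client | to-server }*: one or both
        if not targets or set(targets) - {"to-client", "to-server"}:
            raise ValueError(f"reset needs to-client and/or to-server: {line!r}")
        if "to-client" in targets:
            cfg = replace(cfg, reset_to_client=enable)
        if "to-server" in targets:
            cfg = replace(cfg, reset_to_server=enable)
    elif args == ["icmp", "destination-unreachable"]:
        cfg = replace(cfg, icmp_unreachable=enable)
    else:
        raise ValueError(f"unknown send-deny-packet form: {line!r}")
    return cfg


def deny_feedback(pkt: Packet, cfg: DenyFeedback, *, action: str = "deny",
                  fw_addr: str = "192.0.2.1", cross_vsys: bool = False,
                  nat64: bool = False, vpn_encapsulated: bool = False,
                  tcp_proxy: bool = False) -> list:
    """Return the feedback packets sent for a packet matched by a rule.

    fw_addr is an assumed (constructed) source address for the ICMP error; the
    page only states that the unreachable message is sent to the client.
    """
    if action != "deny":
        return []                     # command has no effect unless action is deny
    if cross_vsys or nat64 or vpn_encapsulated or tcp_proxy:
        return []                     # traffic types for which no feedback is sent
    out = []
    if pkt.proto == "tcp":
        if cfg.reset_to_client:       # RST towards the initiator (addressed as from the server)
            out.append(Packet("tcp", pkt.dst, pkt.src, pkt.dport, pkt.sport,
                              frozenset({"RST"})))
        if cfg.reset_to_server:       # RST towards the responder (addressed as from the client)
            out.append(Packet("tcp", pkt.src, pkt.dst, pkt.sport, pkt.dport,
                              frozenset({"RST"})))
    elif pkt.proto in ("udp", "icmp") and cfg.icmp_unreachable:
        out.append(Packet("icmp", fw_addr, pkt.src,
                          icmp_type="destination-unreachable"))
    return out


if __name__ == "__main__":
    # Constructed sample: the rule from the Example section, then a denied TCP SYN.
    rule = apply_cli("send-deny-packet reset to-client")
    syn = Packet("tcp", "10.1.1.10", "10.2.2.20", 40000, 443, frozenset({"SYN"}))
    for fb in deny_feedback(syn, rule):
        print(fb)
```

A practical use of the model is to check what a client should observe: with reset to-client a denied TCP connection fails immediately with a reset rather than timing out, while the same rule leaves UDP silently dropped until icmp destination-unreachable is also configured.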
Copyright © Huawei Technologies Co., Ltd.