Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Advanced Configuration Commands

display engine session statistics

Function

The display engine session statistics command displays session statistics for the engine.

Format

display engine session statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Displays session statistics for the engine.

<Huawei> display engine session statistics
                                                                                
  Engine Session Statistic Information of All Threads:                          
--------------------------------------------------------------------------------
  Total Current Sessions               :          733                           
  Total Current UDP Sessions           :          138                           
  Total Current TCP Sessions           :          595                           
  Total Blocked Sessions               :           61                           
  Total Current Free Sessions          :         4387                           
  Total Current Buffered TCP Segments  :         1432                           
  Total Out-of-sequence TCP Segments   :      2408755                           
  Total Overlapping TCP Segments       :       307143                           
  Total Current Free TCP Segments      :         1068                           
--------------------------------------------------------------------------------
  Engine Session Statistic Information of Each Thread:                          
--------------------------------------------------------------------------------
  T00: NgeSess     734, sent:    405952984 rcv:    402106541 lost:            0 
                                                                                
Table 14-79  Description of the display engine session statistics command output
Item Description

Engine Session Statistic Information of All Threads

Session statistics for the engines used by all threads

Total Current Sessions

Total number of all sessions

Total Current UDP Sessions

Total number of UDP sessions

Total Current TCP Sessions

Total number of TCP sessions

Total Blocked Sessions

Total number of blocked sessions

Total Current Free Sessions

Total number of idle session nodes

Total Current Buffered TCP Segments

Total number of cached TCP segments

Total Out-of-sequence TCP Segments

Total number of out-of-sequence TCP segments

Total Overlapping TCP Segments

Total number of overlapped TCP segments

Total Current Free TCP Segments

Total number of TCP segments that can be cached

Engine Session Statistic Information of Each Thread

Session statistics for the engine used by each thread

NgeSess

Number of sessions

sent

Number of sent packets

rcv

Number of received packets

lost

Number of discarded packets
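The counters in this output are what an operator polls to catch session-table or TCP segment-cache exhaustion and per-thread packet loss. The following Python is an added example, not Huawei code: it parses a constructed copy of the output above and applies assumed operator thresholds (min_free_ratio is not a vendor value).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: same layout as the display engine session statistics output
SAMPLE_OUTPUT = """\
  Engine Session Statistic Information of All Threads:
--------------------------------------------------------------------------------
  Total Current Sessions               :          733
  Total Current UDP Sessions           :          138
  Total Current TCP Sessions           :          595
  Total Blocked Sessions               :           61
  Total Current Free Sessions          :         4387
  Total Current Buffered TCP Segments  :         1432
  Total Out-of-sequence TCP Segments   :      2408755
  Total Overlapping TCP Segments       :       307143
  Total Current Free TCP Segments      :         1068
--------------------------------------------------------------------------------
  Engine Session Statistic Information of Each Thread:
--------------------------------------------------------------------------------
  T00: NgeSess     734, sent:    405952984 rcv:    402106541 lost:            0
"""

# "Total ... : <n>" counter lines of the All Threads block
COUNTER_RE = re.compile(r"^\s*(Total [A-Za-z\- ]+?)\s*:\s*(\d+)\s*$")
# per-thread line: "Txx: NgeSess <n>, sent: <n> rcv: <n> lost: <n>"
THREAD_RE = re.compile(
    r"^\s*(T\d+):\s*NgeSess\s+(\d+),\s*sent:\s*(\d+)\s+rcv:\s*(\d+)\s+lost:\s*(\d+)"
)


def parse_session_statistics(text: str) -> Tuple[Dict[str, int], Dict[str, Dict[str, int]]]:
    """Return (global counters, per-thread counters) parsed from the command output."""
    totals: Dict[str, int] = {}
    threads: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            totals[m.group(1).strip()] = int(m.group(2))
            continue
        m = THREAD_RE.match(line)
        if m:
            threads[m.group(1)] = {
                "sessions": int(m.group(2)),
                "sent": int(m.group(3)),
                "rcv": int(m.group(4)),
                "lost": int(m.group(5)),
            }
    return totals, threads


def capacity_findings(totals: Dict[str, int], threads: Dict[str, Dict[str, int]],
                      min_free_ratio: float = 0.10) -> List[str]:
    """Flag a nearly full session table or TCP segment cache and per-thread loss.

    min_free_ratio is an assumed operator threshold (not a vendor recommendation).
    With no free session nodes new flows get no session; with no free TCP segments
    out-of-order data falls under the configured overflow-mode action.
    """
    findings: List[str] = []
    cur = totals["Total Current Sessions"]
    free = totals["Total Current Free Sessions"]
    pool = cur + free
    if pool and free / pool < min_free_ratio:
        findings.append(f"session table nearly full: {free} free of {pool}")
    buffered = totals["Total Current Buffered TCP Segments"]
    free_seg = totals["Total Current Free TCP Segments"]
    seg_pool = buffered + free_seg
    if seg_pool and free_seg / seg_pool < min_free_ratio:
        findings.append(f"TCP segment cache nearly full: {free_seg} free of {seg_pool}")
    for name, t in sorted(threads.items()):
        if t["lost"] > 0:
            findings.append(f"{name}: {t['lost']} packets lost")
    return findings


if __name__ == "__main__":
    totals, threads = parse_session_statistics(SAMPLE_OUTPUT)
    print(totals)
    print(threads)
    print(capacity_findings(totals, threads) or ["no findings"])
```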

display engine session table

Function

The display engine session table command displays the details about the IPv4 session table of an engine.

Format

display engine session table [ source-ip source-ip-address | source-port source-port-number | destination-ip destination-ip-address | destination-port destination-port-number | protocol { tcp | udp } ] * [ verbose ]

Parameters

Parameter Description Value
source-ip source-ip-address Indicates a source IP address. -
source-port source-port-number Indicates a source port. -
destination-ip destination-ip-address Indicates a destination IP address. -
destination-port destination-port-number Indicates a destination port. -
protocol Indicates the protocol field in a session table. -
tcp Indicates a TCP session. -
udp Indicates a UDP session. -
verbose Indicates the details. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display details about the session table of an engine.

<Huawei> display engine session table
  VSys:0 Vpn:0 TCP 10.1.1.246:61487-->10.8.1.198:135 ttl:600 left-time:580      
                                                                                
  VSys:0 Vpn:0 TCP 10.1.1.197:15141-->10.8.1.227:135 ttl:600 left-time:55       
                                                                                
  VSys:0 Vpn:0 UDP 10.6.1.35:35141-->10.8.1.28:111 ttl:120 left-time:19         
                                                                                
  VSys:0 Vpn:0 TCP 10.6.1.11:60833-->10.8.1.64:25 ttl:600 left-time:557         
                                                                                
  VSys:0 Vpn:0 UDP 10.6.1.192:52189-->10.8.1.245:53 ttl:120 left-time:22        
                                                                                
  VSys:0 Vpn:0 TCP 10.6.1.215:47705-->10.8.1.195:135 ttl:600 left-time:290      
                                                                                
  ---- More ----                                                                

display engine statistics

Function

The display engine statistics command displays engine statistics.

Format

display engine statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display engine statistics.

<Huawei> display engine statistics
Engine Statistic Table                                                          
------------------------------------------------------------------------------  
  Event statistic:                                                              
------------------------------------------------------------------------------  
    Total Alert Events  :          0                                            
    Total Block Events  :          0                                            
  ----------------------------------------------------------------------------  
    Application                             Alert Events            Block Events
  ----------------------------------------------------------------------------  
    IPS                                                0                   0    
    URL                                                0                   0    
    FILE BLOCKING                                      0                   0    
------------------------------------------------------------------------------  
                                                                                
  Traffic statistic:                                                            
------------------------------------------------------------------------------  
    Total Traffic  :               0                                            
  ----------------------------------------------------------------------------  
    Application                                   Traffic                       
  ----------------------------------------------------------------------------  
    IPS                                                0                        
    FILE BLOCKING                                      0                        
------------------------------------------------------------------------------  
                                                                                
  File statistic:                                                               
------------------------------------------------------------------------------  
    Total File  :          878838                                               
  ----------------------------------------------------------------------------  
    Application                                     File                        
  ----------------------------------------------------------------------------  
    IPS                                                0                        
    FILE BLOCKING                                 878838                        
------------------------------------------------------------------------------  

display file-frame information

Function

The display file-frame information command displays the resources of the file frame.

Format

display file-frame information

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the resources of the file frame.

<Huawei> display file-frame information
----------------------------------------------------------------------------    
  Decompression configrations :                                                 
       Max decompression size :        100 MB                                   
      Max decompression depth :          3                                      
        Max compression ratio :        128                                      
                                                                                
  File frame resources :                                                        
        Decompression handler :          0(Total :         50)                  
                                                                                
  ----------------------------------------                                      
  File handler cachepool                                                        
  ----------------------------------------                                      
  Thread name               Used     Total                                      
  ----------------------------------------                                      
  Work thread  0              33       127                                      
  Total                       33       512                                      
  ----------------------------------------                                      
                                                                                
  ----------------------------------------                                      
  Data buffer cachepool                                                         
  ----------------------------------------                                      
  Thread name               Used     Total                                      
  ----------------------------------------                                      
  Work thread  0               2       640                                      
  Total                        2      2560                                      
  ----------------------------------------                                      
----------------------------------------------------------------------------    

display fragment-reassemble configuration

Function

The display fragment-reassemble configuration command displays the global fragment reassembly configuration.

Format

display fragment-reassemble configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the global fragment reassembly configuration.

<Huawei> display fragment-reassemble configuration
Fragment Reassembly Configuration:                                              
------------------------------------------------------------                    
  enable                : on                                                    
  overflow-mode         : forward                                               
  overlap-mode          : consistency                                           
  time-out(s)           : 5                                                     
  packet-cache(packets) : 255                                                   
  total-cache(packets)  : 256                                                   
  defense-check         : off                                                   
  pass-through          : off                                                   
------------------------------------------------------------                   
Table 14-80  Description of the display fragment-reassemble configuration command output

Item

Description

enable

State of the fragment reassembly function.

  • on: The function is enabled.
  • off: The function is disabled.
overflow-mode

Indicates the method for handling packets arriving at a full buffer in fragment reassembly.

  • discard: Packets arriving at a full buffer are discarded.
  • forward: Packets arriving at a full buffer are forwarded straight through.
overlap-mode

Indicates the policy to handle overlapping fragments:

  • consistency: Indicates that overlapping fragments are processed based on whether the overlapping parts have the same content.
time-out(s)

Indicates the fragment reassembly timeout in seconds.

packet-cache(packets)

Indicates the fragment buffer size (in number of packets) for each packet being reassembled.

total-cache(packets)

Indicates the total buffer size in number of packets.

defense-check

Indicates the status of the fragment attack defense function:

  • on: The function is enabled.
  • off: The function is disabled.
pass-through

Status of the fragment reassembly pass-through mode:

  • on: The pass through mode is enabled.
  • off: The pass through mode is disabled.

display fragment-reassemble session table

Function

The display fragment-reassemble session table command displays information about the IPv4 fragmented packet-specific session table.

Format

display fragment-reassemble session table [ source-ip source-ip-address | destination-ip destination-ip-address ] *

Parameters

Parameter Description Value
source-ip source-ip-address Specifies the source IP address. The value is in dotted decimal notation.
destination-ip destination-ip-address Specifies the destination IP address. The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the IPv4 fragmented packet-specific session table.

<Huawei> display fragment-reassemble session table

display fragment-reassemble statistics

Function

The display fragment-reassemble statistics command displays statistics on the fragment reassembly of IP packets.

Format

display fragment-reassemble statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display statistics on the fragment reassembly of IP packets.

<Huawei> display fragment-reassemble statistics
Fragment Reassembly Statistics:                                                 
------------------------------------------------------------                    
  Total fragments             : 0                                               
  Total cached fragments      : 0                                               
  Total error packets         : 0                                               
  Total discarded fragments   : 0                                               
  Complete overlap processing : 0                                               
  Partial overlap processing  : 0                                               
  Total current sessions      : 0                                               
  Total free sessions         : 256                                             
------------------------------------------------------------                    
Table 14-81  Description of the display fragment-reassemble statistics command output

Item

Description

Fragment Reassembly Statistics

Statistics on fragment reassembly

Total fragments

Number of received fragments

Total cached fragments

Number of cached fragments

Total error packets

Number of packets with error fragments

Total discarded fragments

Number of discarded fragments

Complete overlap processing

Number of times complete-overlap processing was performed

Partial overlap processing

Number of times partial-overlap processing was performed

Total current sessions

Total number of current sessions

Total free sessions

Total number of free sessions

display profile

Function

The display profile command displays profile information about all modules.

Format

display profile

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None.

Example

# Display profile information about all modules.

<Huawei> display profile
 Profile Configurations:
 Total Profiles: 15
 ----------------------------------------------------------------------------
 ProfileName                       ProfileType  Referenced  State
 ----------------------------------------------------------------------------
 ips1                              ips          0           committed
 strict                            ips          0           committed
 web_server                        ips          0           committed
 file_server                       ips          0           committed
 dns_server                        ips          0           committed
 mail_server                       ips          0           committed
 inside_firewall                   ips          0           committed
 dmz                               ips          0           committed
 outside_firewall                  ips          0           committed
 ids                               ips          0           committed
 default                           ips          3           committed
 url1                              url-filter   0           committed
 default                           url-filter   1           committed
 file1                             file-block   0           committed
 default                           file-block   1           committed
[AR169FGVW-L]                      
Table 14-82  Description of the display profile command output
Item Description

Total Profiles

Total number of profiles

ProfileName

Name of the profile

ProfileType

Module to which the profile belongs

Referenced

Number of references by a security policy

State

Status of a profile:

  • committed
  • not committed

display stream-reassemble configuration

Function

The display stream-reassemble configuration command displays the global TCP stream reassembly configuration.

Format

display stream-reassemble configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display the global TCP stream reassembly configuration.

<Huawei> display stream-reassemble configuration
Stream Reassembly Configuration:                                                
------------------------------------------------------------                    
  enable                : on                                                    
  overflow-mode         : forward                                               
  overlap-mode          : preserve                                              
  session-cache(KB)     : 128                                                   
  total-cache(packets)  : 2048                                                  
  timestamp-check       : false                                                 
  tcp-option check      : false                                                 
  defense-check         : off                                                   
------------------------------------------------------------                     
Table 14-83  Description of the display stream-reassemble configuration command output

Item

Description

enable

Indicates the state of the TCP stream reassembly function.

  • on: The function is enabled.
  • off: The function is disabled.

overflow-mode

Indicates the method for handling packets arriving at a full buffer in stream reassembly.

  • discard: Packets arriving at a full buffer are discarded.
  • forward: Packets arriving at a full buffer are forwarded straight through.

overlap-mode

Indicates the policy for handling overlapping packets:

  • overwrite: The new data overwrites the original overlapped part.
  • preserve: The original overlapped part is preserved.

session-cache(KB)

Indicates the buffer size in KB for each session in TCP stream reassembly.

total-cache(packets)

Indicates the global buffer size, in number of packets, for stream reassembly.

timestamp-check

Indicates the timestamp check state.

  • true: The function is enabled.
  • false: The function is disabled.

tcp-option check

Indicates the TCP option check state.

  • true: The function is enabled.
  • false: The function is disabled.

defense-check

Indicates the status of the TCP attack defense function:

  • on: The function is enabled.
  • off: The function is disabled.

fragment-reassemble enable

Function

The fragment-reassemble enable command enables fragment reassembly.

The undo fragment-reassemble enable command disables fragment reassembly.

Format

fragment-reassemble enable

undo fragment-reassemble enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, fragment reassembly is enabled.

If fragment reassembly is disabled, fragments will not be reassembled and will not be inspected. Meanwhile, TCP stream reassembly may also fail.

Example

# Enable fragment reassembly.

<Huawei> system-view
[Huawei] fragment-reassemble enable

fragment-reassemble overflow-mode

Function

The fragment-reassemble overflow-mode command configures the action to take on fragments that overflow the cache.

The undo fragment-reassemble overflow-mode command restores the default action to take on fragments that overflow the cache.

Format

fragment-reassemble overflow-mode { discard | forward }

undo fragment-reassemble overflow-mode

Parameters

Parameter Description Value
discard Discards the fragments that overflow the cache. -
forward Forwards the fragments that overflow the cache. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the system forwards the fragments that overflow the cache to ensure services.

If the action is set to discard, the system discards the fragments that overflow the cache, which may interrupt services.

Example

# Configure the action to take on fragments that overflow the cache to discard.

<Huawei> system-view
[Huawei] fragment-reassemble overflow-mode discard

fragment-reassemble user-configure

Function

The fragment-reassemble user-configure command configures user-defined items for the fragment reassembly function.

The undo fragment-reassemble user-configure command cancels the configuration of user-defined items for the fragment reassembly function.

Format

fragment-reassemble user-configure { defense-check | pass-through }

undo fragment-reassemble user-configure { defense-check | pass-through }

Parameters

Parameter Description Value
defense-check Indicates fragment attack defense. -
pass-through Indicates the pass through mode. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, all user-defined items of the fragment reassembly function are disabled.

After the pass through mode is enabled (using the fragment-reassemble user-configure pass-through command), in some special fragment traffic scenarios (for example, the fragments completely overlap, and the overlapped part has the same content), the system will regard the traffic as abnormal traffic and will not reassemble the fragments. If the fragment attack defense function has been enabled (using the fragment-reassemble user-configure defense-check command), the abnormal fragments will be discarded. If the fragment attack defense function has not been enabled, the system will forward the fragments. After the pass through mode is disabled, the system assembles the fragments based on the normal processing flow.

Example

# Enable the fragment attack defense function.

<Huawei> system-view
[Huawei] fragment-reassemble user-configure defense-check

fragment-reassemble user-configure defense-check

Function

The fragment-reassemble user-configure defense-check command enables the fragment attack defense function.

The undo fragment-reassemble user-configure defense-check command disables the fragment attack defense function.

Format

fragment-reassemble user-configure defense-check

undo fragment-reassemble user-configure defense-check

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the fragment attack defense function is disabled.

After this function is enabled, the Router directly discards abnormal fragments.

Example

# Enable the fragment attack defense function.

<Huawei> system-view
[Huawei] fragment-reassemble user-configure defense-check

reset engine session statistics

Function

The reset engine session statistics command clears the session statistics of the engine.

Format

reset engine session statistics

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

Use caution before you decide to run this command. Once the session statistics of the engine are cleared, they cannot be restored.

Example

# Clear the session statistics of the engine.

<Huawei> reset engine session statistics

reset engine session table

Function

The reset engine session table command clears the session information of the engine.

Format

reset engine session table [ source source-ip-address | destination destination-ip-address | destination-port destination-port-number | protocol { tcp | udp } ] *

Parameters

Parameter Description Value
source source-ip-address Specifies the source IP address. The value is in dotted decimal notation.
destination destination-ip-address Specifies the destination IP address. The value is in dotted decimal notation.
destination-port destination-port-number Specifies the destination port number. The value is an integer ranging from 0 to 65535.
protocol Indicates a protocol. -
tcp Indicates Transmission Control Protocol (TCP). -
udp Indicates User Datagram Protocol (UDP). -

Views

User view

Default Level

3: Management level

Usage Guidelines

If no parameter is specified, all session information of the engine is cleared after you run the reset engine session table command.

Use caution before you decide to run this command. Clearing the session information of the engine adversely affects service operation.

Example

# Clear all session information of the engine.

<Huawei> reset engine session table
Warning: Reseting session table will affect the engine's normal service. Continue? [Y/N]: Y 

reset engine statistics

Function

The reset engine statistics command clears engine statistics.

Format

reset engine statistics

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

None

Example

# Clear engine statistics.

<Huawei> reset engine statistics

reset fragment-reassemble statistics

Function

The reset fragment-reassemble statistics command clears statistics on fragment reassembly.

Format

reset fragment-reassemble statistics

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

None

Example

# Clear statistics on fragment reassembly.

<Huawei> reset fragment-reassemble statistics

stream-reassemble enable

Function

The stream-reassemble enable command enables TCP stream reassembly.

The undo stream-reassemble enable command disables TCP stream reassembly.

Format

stream-reassemble enable

undo stream-reassemble enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, TCP stream reassembly is enabled.

If TCP stream reassembly is disabled, TCP packets will not be reassembled and will not be inspected. Meanwhile, security inspections based on TCP streams may also fail.

Example

# Enable TCP stream reassembly.

<Huawei> system-view
[Huawei] stream-reassemble enable

stream-reassemble overflow-mode

Function

The stream-reassemble overflow-mode command configures the action for cache overflow during TCP stream reassembly.

The undo stream-reassemble overflow-mode command restores the default action for cache overflow during TCP stream reassembly.

Format

stream-reassemble overflow-mode { discard | forward }

undo stream-reassemble overflow-mode

Parameters

Parameter Description Value
discard Discards the packets that overflow the cache. -
forward Forwards the packets that overflow the cache. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The default action for cache overflow during TCP stream reassembly is forward.

Example

# Set the action for cache overflow during TCP stream reassembly to forward.

<Huawei> system-view
[Huawei] stream-reassemble overflow-mode forward

stream-reassemble overlap-mode

Function

The stream-reassemble overlap-mode command configures the action for overlapping packets during TCP stream reassembly.

The undo stream-reassemble overlap-mode command restores the default action for overlapping packets during TCP stream reassembly.

Format

stream-reassemble overlap-mode { preserve | overwrite }

undo stream-reassemble overlap-mode

Parameters

Parameter Description Value
preserve Preserves the original data in the overlapped part. -
overwrite Overwrites the original data in the overlapped part with the new data. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The default action for the overlapping packets during TCP stream reassembly is preserve.

Example

# Set the action for the overlapping packets during TCP stream reassembly to preserve.

<Huawei> system-view
[Huawei] stream-reassemble overlap-mode preserve
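The preserve/overwrite choice configured here, together with the consistency policy shown by display fragment-reassemble configuration, decides which bytes the engine inspects when segments overlap. The following Python is an added example, not Huawei code: it models both stream overlap modes and a consistency check on constructed segments, and it assumes that differing content in an overlap is what the consistency policy treats as abnormal, with defense-check then discarding it as described under fragment-reassemble user-configure defense-check.

```python
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (offset within the stream or datagram, payload)

# Constructed samples. In both, one segment overlaps bytes 4..6 of the others;
# in INCONSISTENT the overlapped byte at offset 5 carries different content.
CONSISTENT: List[Segment] = [(0, b"HELLO "), (4, b"O W"), (6, b"WORLD")]
INCONSISTENT: List[Segment] = [(0, b"HELLO "), (6, b"WORLD"), (4, b"O-W")]


def reassemble(segments: List[Segment], overlap_mode: str) -> bytes:
    """Merge segments into one buffer using the stream-reassemble overlap modes.

    preserve : bytes already in the buffer are kept (first arrival wins)
    overwrite: a later segment replaces the overlapped part (last arrival wins)
    Segments are applied in arrival order.
    """
    if overlap_mode not in ("preserve", "overwrite"):
        raise ValueError(f"unknown overlap-mode {overlap_mode!r}")
    end = max((off + len(p) for off, p in segments), default=0)
    buf = bytearray(end)
    filled = [False] * end
    for off, payload in segments:
        for i, byte in enumerate(payload):
            pos = off + i
            if overlap_mode == "overwrite" or not filled[pos]:
                buf[pos] = byte
            filled[pos] = True
    if not all(filled):
        raise ValueError("stream has a hole; reassembly incomplete")
    return bytes(buf)


def overlap_conflicts(segments: List[Segment]) -> List[int]:
    """Consistency check (assumed model of fragment overlap-mode consistency):
    return the offsets where two segments cover the same byte with different content."""
    seen: Dict[int, int] = {}
    conflicts = set()
    for off, payload in segments:
        for i, byte in enumerate(payload):
            pos = off + i
            if pos in seen:
                if seen[pos] != byte:
                    conflicts.add(pos)
            else:
                seen[pos] = byte
    return sorted(conflicts)


def fragment_action(segments: List[Segment], defense_check: bool) -> str:
    """Decision modelled on fragment-reassemble user-configure defense-check:
    an inconsistent overlap is abnormal; defense-check on -> discard,
    off -> forward without reassembly; otherwise reassemble normally."""
    if overlap_conflicts(segments):
        return "discard" if defense_check else "forward-unreassembled"
    return "reassemble"


if __name__ == "__main__":
    for mode in ("preserve", "overwrite"):
        # the same three segments yield different inspected data per mode
        print(mode, reassemble(INCONSISTENT, mode))
    print("conflicts at", overlap_conflicts(INCONSISTENT))
    print("defense-check on :", fragment_action(INCONSISTENT, True))
    print("defense-check off:", fragment_action(INCONSISTENT, False))
```

The inconsistent sample reassembles to different bytes under preserve and overwrite, which is exactly the case the consistency check flags: when the inspection engine and the receiving host resolve the overlap differently, the engine inspects data the host never sees.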

stream-reassemble response enable

Function

The stream-reassemble response enable command enables the TCP stream reassembly response function.

The undo stream-reassemble response enable command disables the TCP stream reassembly response function.

Format

stream-reassemble response enable

undo stream-reassemble response enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the TCP stream reassembly response function is enabled.

This function allows the device to send ACK packets to the peer end when it receives out-of-order TCP packets. After receiving the ACK packets, the peer end rapidly retransmits the packets. Enable this function when there are massive numbers of out-of-order TCP packets to accelerate data sending.

Example

# Enable the TCP stream reassembly response function.

<Huawei> system-view
[Huawei] stream-reassemble response enable

stream-reassemble session-cache

Function

The stream-reassemble session-cache command configures the maximum cache for each session during TCP stream reassembly for out-of-order packets.

The undo stream-reassemble session-cache command restores the default values.

Format

stream-reassemble session-cache session-cache-value

undo stream-reassemble session-cache

Parameters

Parameter Description Value
session-cache-value Specifies the maximum cache for a session. The value is an integer ranging from 0 to 256, in KB. The default value is 128.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When session-cache-value is 0, or when the data of a single session exceeds session-cache-value, stream reassembly for out-of-order packets no longer takes effect.

Example

# Set the maximum cache for each session to 16 KB during stream reassembly.

<Huawei> system-view
[Huawei] stream-reassemble session-cache 16

stream-reassemble tcp-option check

Function

The stream-reassemble tcp-option check command enables the TCP option check function.

The undo stream-reassemble tcp-option check command disables the TCP option check function.

Format

stream-reassemble tcp-option check

undo stream-reassemble tcp-option check

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the TCP option check function is disabled.

After this function is enabled, the engine directly discards packets with abnormal TCP options.

Example

# Enable the TCP option check function.

<Huawei> system-view
[Huawei] stream-reassemble tcp-option check

stream-reassemble timestamp check

Function

The stream-reassemble timestamp check command enables timestamp check of TCP flow reassembly.

The undo stream-reassemble timestamp check command disables timestamp check of TCP flow reassembly.

Format

stream-reassemble timestamp check

undo stream-reassemble timestamp check

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After you enable timestamp check of TCP flow reassembly, the device verifies the timestamp option of TCP packets. If the option is incorrect, the device discards the packets.

The timestamp check function is disabled by default.

Example

# Enable timestamp check of TCP flow reassembly.

<Huawei> system-view
[Huawei] stream-reassemble timestamp check

stream-reassemble user-configure defense-check

Function

The stream-reassemble user-configure defense-check command enables the TCP attack defense function.

The undo stream-reassemble user-configure defense-check command disables the TCP attack defense function.

Format

stream-reassemble user-configure defense-check

undo stream-reassemble user-configure defense-check

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the TCP attack defense function is disabled.

After this function is enabled, the Router directly discards abnormal TCP packets.

Example

# Enable the TCP attack defense function.

<Huawei> system-view
[Huawei] stream-reassemble user-configure defense-check
Updated: 2019-02-18

Document ID: EDOC1000097293
