9.2 Network Traffic Security Inspection

show stateful packet inspection status

[Command] show stateful packet inspection status
[Purpose] Display whether SPI is enabled, broken down by the four message types that SPI tracks: TCP, UDP, ICMP, and other.
[View] System view
[Use cases]
sonic# show stateful packet inspection status
+---------+----------+
| proto   | status   |
+=========+==========+
| tcp     | enabled  |
+---------+----------+
| udp     | enabled  |
+---------+----------+
| icmp    | enabled  |
+---------+----------+
| other   | disabled |
+---------+----------+
In this output, traffic that is neither TCP, UDP nor ICMP is not state-tracked. Enable it with stateful packet inspection enable other if such traffic must also be inspected.

show stateful packet inspection timeout { global | user-defined }

[Command] show stateful packet inspection timeout { global | user-defined }
[Purpose] Display the configured SPI session timeouts. A protocol type whose timeout has not been configured is shown as default.
[Parameter]
global: display the session timeouts of the global configuration.
user-defined: display the session timeouts configured by the user for a specific protocol type, IP address and port number.
[View] System view
[Use cases]
sonic# show stateful packet inspection timeout global
+-------------------------+-------------------+
| type                    | timeout(second)   |
+=========================+===================+
| tcp-transitory timeout  | default           |
+-------------------------+-------------------+
| tcp-established timeout | default           |
+-------------------------+-------------------+
| tcp-closing timeout     | default           |
+-------------------------+-------------------+
| udp timeout             | 10                |
+-------------------------+-------------------+
| icmp timeout            | default           |
+-------------------------+-------------------+
| other timeout           | default           |
+-------------------------+-------------------+
Only the UDP timeout has been set explicitly here (to 10 seconds); the other timers still use the device defaults.

stateful packet inspection enable { tcp | udp | icmp | other }

[Command] stateful packet inspection enable { tcp | udp | icmp | other }
[Purpose] Enable SPI session monitoring for the given protocol type. Stateful packet inspection (SPI) is a firewall technique that tracks the state of active connections and inspects inbound and outbound traffic in that context: it does not only check individual packets, it also evaluates each packet against the state of the connection it belongs to, and is used to enforce security policy. Once enabled, the device maintains connection-state information, analyzes packets within the state of their connection, and allows fine-grained control based on connection state and packet content.
[View] System configuration view
[Use cases]
sonic(config)# stateful packet inspection enable udp

stateful packet inspection timeout { tcp-transitory | tcp-established | tcp-closing | udp | icmp | other } time

[Command] stateful packet inspection timeout { tcp-transitory | tcp-established | tcp-closing | udp | icmp | other } time
[Purpose] Configure the aging time of the SPI session table per protocol type (TCP in its three connection phases, UDP, ICMP, and other).
[Parameter]
tcp-transitory: timeout for TCP connections that are still being set up (transient connections).
tcp-established: timeout for established TCP connections.
tcp-closing: timeout for TCP connections in the closing process.
udp: timeout for UDP sessions.
icmp: timeout for ICMP sessions.
other: timeout for sessions of other protocol types.
time: aging time in seconds.
[View] System configuration view
[Use cases]
sonic(config)# stateful packet inspection timeout udp 10

stateful packet inspection user-defined timeout { tcp | udp | icmp | other } ip-address l4-port time

[Command] stateful packet inspection user-defined timeout { tcp | udp | icmp | other } ip-address l4-port time
[Purpose] Set a custom session timeout for sessions of a given protocol type to a specific destination address and L4 port number.
[Parameter]
ip-address: destination IP address the timeout applies to.
l4-port: destination L4 port number the timeout applies to.
time: timeout in seconds, range 1-262144. The upper bound is about 73 hours; a long timeout keeps idle sessions in the session table for that long.
[View] System configuration view
[Use cases]
sonic(config)# stateful packet inspection user-defined timeout tcp 2.3.4.5 23 19
This sets a 19-second session timeout for TCP sessions to 2.3.4.5 on port 23 (Telnet).
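Added example (written for this editor's note, not part of the switch software or of this reference): a Python audit that parses the two show outputs documented above, flags protocol types for which SPI is disabled and timers left at default or above a site ceiling, and prints the configuration-view commands from this reference that remediate them. The two sample outputs are constructed from the tables above, not captured from a device; the policy ceilings and the rule that every timer must be set explicitly are assumptions of this example, not device defaults.

```python
"""Audit SPI state from `show stateful packet inspection status` and
`show stateful packet inspection timeout global` output and emit the
config-view commands that bring it to policy (added example, not switch code)."""
import re

# Constructed sample outputs, modelled on the tables in this reference.
STATUS_OUTPUT = """\
+---------+----------+
| proto   | status   |
+=========+==========+
| tcp     | enabled  |
+---------+----------+
| udp     | enabled  |
+---------+----------+
| icmp    | enabled  |
+---------+----------+
| other   | disabled |
+---------+----------+
"""

TIMEOUT_OUTPUT = """\
+-------------------------+-------------------+
| type                    | timeout(second)   |
+=========================+===================+
| tcp-transitory timeout  | default           |
+-------------------------+-------------------+
| tcp-established timeout | default           |
+-------------------------+-------------------+
| tcp-closing timeout     | default           |
+-------------------------+-------------------+
| udp timeout             | 10                |
+-------------------------+-------------------+
| icmp timeout            | default           |
+-------------------------+-------------------+
| other timeout           | default           |
+-------------------------+-------------------+
"""

# Hypothetical site policy (an assumption, not from the reference): every
# timer gets an explicit ceiling so idle sessions cannot hold table entries
# for up to the CLI maximum of 262144 s (about 73 hours).
POLICY_MAX_TIMEOUT = {
    "tcp-transitory": 30,
    "tcp-established": 3600,
    "tcp-closing": 30,
    "udp": 30,
    "icmp": 10,
    "other": 60,
}
TIMEOUT_RANGE = (1, 262144)  # valid `time` range given in the reference

_ROW = re.compile(r"^\|(.*?)\|(.*?)\|$")


def parse_table(text):
    """{first column: second column} for a two-column grid table; border
    lines ("+---+") and the header row are skipped."""
    rows = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key in ("proto", "type"):
            continue
        rows[key] = val
    return rows


def parse_status(text):
    """Protocol class -> True if SPI is enabled for it."""
    return {proto: state == "enabled" for proto, state in parse_table(text).items()}


def parse_timeouts(text):
    """Timer name -> seconds, or None when the device reports 'default'."""
    timeouts = {}
    for name, value in parse_table(text).items():
        if name.endswith(" timeout"):
            name = name[: -len(" timeout")]
        timeouts[name] = None if value == "default" else int(value)
    return timeouts


def audit(status, timeouts, policy=POLICY_MAX_TIMEOUT):
    """Compare parsed state with policy; return findings and the remediation
    commands (syntax from this reference) to enter in sonic(config)#."""
    findings, fixes = [], []
    for proto, enabled in status.items():
        if not enabled:
            findings.append(f"SPI disabled for '{proto}': that traffic is not state-tracked")
            fixes.append(f"stateful packet inspection enable {proto}")
    for timer, ceiling in policy.items():
        assert TIMEOUT_RANGE[0] <= ceiling <= TIMEOUT_RANGE[1], timer
        current = timeouts.get(timer)
        if current is None:
            findings.append(f"{timer} timeout is 'default' (not explicit); policy wants <= {ceiling}s")
            fixes.append(f"stateful packet inspection timeout {timer} {ceiling}")
        elif current > ceiling:
            findings.append(f"{timer} timeout {current}s exceeds policy ceiling {ceiling}s")
            fixes.append(f"stateful packet inspection timeout {timer} {ceiling}")
    return {"findings": findings, "fixes": fixes}


if __name__ == "__main__":
    report = audit(parse_status(STATUS_OUTPUT), parse_timeouts(TIMEOUT_OUTPUT))
    for f in report["findings"]:
        print("FINDING:", f)
    print("Remediation (system configuration view):")
    for cmd in report["fixes"]:
        print(" ", cmd)
```

On the sample output the audit reports the disabled "other" class and the five timers still at default, and emits one enable command plus five timeout commands; the explicit UDP value of 10 seconds is within the assumed ceiling and is left alone. Run it against real output by pasting the two tables into STATUS_OUTPUT and TIMEOUT_OUTPUT.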
