Network Traffic Security Inspection
show stateful-packet-inspection status
Section titled “show stateful-packet-inspection status”[Command] show stateful-packet-inspection status
[Purpose] Display the enable status of SPI inspection, including the enable status for SPI inspection of four message types: TCP, UDP, ICMP, and other.
[View] System view
[Use Cases]
sonic# show stateful-packet-inspection status+---------+----------+| proto | status |+=========+==========+| tcp | enabled |+---------+----------+| udp | enabled |+---------+----------+| icmp | enabled |+---------+----------+| other | disabled |+---------+----------+show stateful-packet-inspection timeout {
Section titled “show stateful-packet-inspection timeout {”[Command] show stateful-packet-inspection timeout {global|user-defined}
[Purpose] Display the timeout time for SPI configuration, default for unconfigured protocol types
[Parameter]
| Parameter | Description |
|---|---|
| global | displays session timeout for global configuration |
| user-defined | displays the session timeout for a specific protocol type, IP, and port number specified by the user |
[View] System view
[Use Cases]
sonic# show stateful-packet-inspection timeout global+-------------------------+-------------------+| type | timeout(second) |+=========================+===================+| tcp_transitory_timeout | default |+-------------------------+-------------------+| tcp_established_timeout | default |+-------------------------+-------------------+| tcp_closing_timeout | default |+-------------------------+-------------------+| udp_timeout | 10 |+-------------------------+-------------------+| icmp_timeout | default |+-------------------------+-------------------+| other_timeout | default |+-------------------------+-------------------+stateful-packet-inspection enable {
Section titled “stateful-packet-inspection enable {”[Command] stateful-packet-inspection enable {tcp|udp|icmp|other}
[Purpose] Enable SPI to monitor sessions for different protocol types. Statful packet inspection (SPI) is a firewall technology used to monitor the status of active connections and carefully inspect incoming and outgoing network traffic. Not only does it check individual packets, but it also checks the context and status of network connections. Used to implement security policies. After enabling this function, information about connection status can be maintained, data packets in connection status can be analyzed, and fine control can be allowed based on connection status and packet content.
[View] System configuration view
[Use Cases]
sonic(config)# stateful-packet-inspection enable udpstateful-packet-inspection timeout {
Section titled “stateful-packet-inspection timeout {”[Command] **stateful-packet-inspection timeout {tcp-transitory|tcp-established|tcp-closing|udp|icmp|other}**time
[Purpose] Configuring the aging time of the SPI session table can be set for different protocol types (including TCP, UDP, ICMP, and others).
[Parameter]
| Parameter | Description |
|---|---|
| tcp-transitory | TCP transient connection timeout configuration |
| tcp-established | TCP established connection timeout configuration |
| tcp-closing | TCP closing process timeout configuration |
| udp | UDP type timeout configuration |
| icmp | ICMP type session timeout configuration |
| other | Other protocol types session timeout configuration |
[View] System configuration view
[Use Cases]
sonic(config)# stateful-packet-inspection timeout udp 10stateful-packet-inspection user-defined-timeout {
Section titled “stateful-packet-inspection user-defined-timeout {”[Command] **stateful-packet-inspection user-defined-timeout {tcp|udp|icmp|other}**ip-address l4 port time
[Purpose] Users can set custom timeout parameters for specific protocol types, destination addresses, and L4 port numbers.
[Parameter]
| Parameter | Description |
|---|---|
| time | Unit: seconds (Range: 1-262144) |
[View] System configuration view
[Use Cases]
sonic(config)# stateful-packet-inspection user-defined-timeout tcp 2.3.4.5 23 19