Configuring TCP Idle Timeout Action

To configure the TCP Idle timeout action, use the following configuration:

configure 
   active-charging service service_name 
      fw-and-nat policy policy_name 
         firewall tcp-idle-timeout-action { drop | reset } 
         end 

NOTES:

  • firewall tcp-idle-timeout-action { drop | reset } —Specify the Stateful Firewall action to be taken on TCP idle timer expiry.

    • drop —Subscriber flow will be cleared or dropped without sending a reset on TCP timeout expiry.

    • reset —Send a reset on TCP timeout expiry. This is the default value.

  • The firewall tcp-idle-timeout-action reset CLI command is applicable only to firewall.

  • UPF does not support flow mapping.

Along with the preceding service configuration, the following listing shows the default behavior of the various firewall-related CLI commands within the service.

    Dos-Protection:
      Source-Route                      : Disabled
      Win-Nuke                          : Disabled
      Mime-Flood                        : Disabled
      FTP-Bounce                        : Disabled
      IP-Unaligned-Timestamp            : Disabled
      Seq-Number-Prediction             : Disabled
      TCP-Window-Containment            : Disabled
      Teardrop                          : Disabled
      UDP Flooding                      : Disabled
      ICMP Flooding                     : Disabled
      SYN Flooding                      : Disabled
      Port Scan                         : Disabled
      IPv6 Extension Headers Limit      : Disabled
      IPv6 Hop By Hop Options           : Disabled
      Hop By Hop Router Alert Option    : Disabled
      Hop By Hop Jumbo Payload Option   : Disabled
      Invalid Hop By Hop Options        : Disabled
      Unknown Hop By Hop Options        : Disabled
      IPv6 Destination Options          : Disabled
      Invalid Destination Options       : Disabled
      Unknown Destination Options       : Disabled
      IPv6 Nested Fragmentation         : Disabled

    Max-Packet-Size:
      ICMP                              : 65535
      Non-ICMP                          : 65535
    Flooding:
      ICMP limit                        : 1000
      UDP limit                         : 1000
      TCP-SYN limit                     : 1000
      Sampling Interval                 : 1

    TCP-SYN Flood Intercept:
      Mode                              : None
      Max-Attempts                      : 5
      Retrans-timeout                   : 60
      Watch-timeout                     : 30
    Mime-Flood Params:
      HTTP Header-Limit                 : 16
      HTTP Max-Header-Field-Size        : 4096

    No Firewall Ruledef Match Action:
      Uplink Action                     : permit
      Downlink Action                   : deny

    TCP RST Message Threshold                                   : Disabled
    ICMP Dest-Unreachable Threshold                             : Disabled
    Action upon receiving TCP SYN packet with ECN/CWR Flag set  : Permit
    Action upon receiving a malformed packet                    : Deny
    Action upon IP Reassembly Failure                           : Deny
    Action upon receiving an IP packet with invalid Options     : Permit
    Action upon receiving a TCP packet with invalid Options     : Permit
    Action upon receiving an ICMP packet with invalid Checksum  : Deny
    Action upon receiving a TCP packet with invalid Checksum    : Deny
    Action upon receiving an UDP packet with invalid Checksum   : Deny
    Action upon receiving an ICMP echo packet with id zero      : Permit
    TCP Stateful Checks                                         : Enabled
    First Packet Non-SYN Action                                 : Drop
    ICMP Stateful Checks                                        : Enabled
    TCP Partial Connection Timeout                              : 30
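
A listing in this layout can be checked mechanically during a configuration review. The following Python code is an added example, not part of the original documentation or the product: it parses the "label : value" layout shown above and returns the entries an operator may want to revisit. The sample text is constructed, and the review rules (disabled DoS protections, Permit actions, intercept mode None) are assumptions chosen for illustration, not vendor guidance.

```python
# Added example: parse a firewall settings listing in the "label : value" layout above.
# SAMPLE is constructed; the review rules are illustrative assumptions, not vendor guidance.
SAMPLE = """\
Dos-Protection:
      SYN Flooding                      \t\t\t: Disabled
      Port Scan                         \t\t\t: Enabled
    TCP-SYN Flood Intercept:
      Mode                       \t\t\t\t: None
    No Firewall Ruledef Match Action:
      Uplink Action              \t\t\t\t: permit
      Downlink Action            \t\t\t\t: deny
    TCP RST Message Threshold\t\t\t\t\t: Disabled
    Action upon receiving a malformed packet\t\t: Deny
    Action upon receiving a TCP packet with invalid Options\t: Permit
    First Packet Non-SYN Action: Drop
"""

def parse_settings(text):
    """Return {(section, label): value}. A line ending in ':' opens a section;
    an entry belongs to it only while indented deeper than that header."""
    settings, section, sec_indent = {}, None, -1
    for raw in text.splitlines():
        line = raw.expandtabs().rstrip()
        if not line:
            continue
        indent = len(line) - len(line.lstrip())
        if line.endswith(":"):
            section, sec_indent = line.strip()[:-1], indent
            continue
        if indent <= sec_indent:
            section = None  # back at top level, e.g. "TCP Stateful Checks"
        label, sep, value = line.rpartition(":")
        if sep:
            settings[(section, label.strip())] = value.strip()
    return settings

def review(settings):
    """Return findings, in listing order, under the assumed review rules."""
    findings = []
    for (section, label), value in settings.items():
        v = value.lower()
        if section == "Dos-Protection" and v == "disabled":
            findings.append(f"DoS protection off: {label}")
        elif section is None and label.startswith("Action upon") and v == "permit":
            findings.append(f"permissive action: {label}")
        elif section == "TCP-SYN Flood Intercept" and label == "Mode" and v == "none":
            findings.append("SYN flood intercept mode is None")
    return findings
```

Calling review(parse_settings(text)) on a captured listing returns the flagged entries in the order they appear.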