conntrack

system conntrack
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Connection tracking engine options

system conntrack app-detect
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Application detection

system conntrack app-detect app-id-storage
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Select Application ID storage mode

Instances:

Unique

system conntrack app-detect app-id-storage chained
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

All detected Application IDs are stored for the traffic session

system conntrack app-detect app-id-storage override
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Only the highest-layer Application ID is stored for the traffic session (default behavior)

system conntrack app-detect debug
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Show more verbose log messages

system conntrack app-detect dictionary <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • u32 – Priority of the dictionary; affects the search order

Instances:

Unique

system conntrack app-detect dictionary <u32> custom
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Custom application dictionary defined in CLI

system conntrack app-detect dictionary <u32> custom app-id <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Custom Application ID

Values:
  • u32 – User-defined Selector ID number (0-65535)

Instances:

Multiple

system conntrack app-detect dictionary <u32> custom app-id <u32> fqdn <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • txt – FQDN or hostname pattern of custom Application ID

Instances:

Multiple

system conntrack app-detect dictionary <u32> custom app-id <u32> name <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • txt – Name of custom Application ID

system conntrack app-detect dictionary <u32> filename <file>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • file – Name of local application dictionary file

system conntrack app-detect dictionary <u32> remote
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Application dictionary hosted on a remote server

Required:

system conntrack app-detect dictionary <u32> remote alarm
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Alarm triggered according to remote server status

system conntrack app-detect dictionary <u32> remote alarm connection-error <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Alarm triggered when an error is detected in the connection to the remote server

Reference:

system alarm <txt>

system conntrack app-detect dictionary <u32> remote encrypted-key <password>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • password – Encrypted key to connect to the application dictionary server

system conntrack app-detect dictionary <u32> remote encrypted-url <password>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • password – Encrypted URL of the application dictionary server

system conntrack app-detect dictionary <u32> remote key <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • txt – Key to connect to the application dictionary server

system conntrack app-detect dictionary <u32> remote local-address <ipv4>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Bind to local IP address

Values:
  • ipv4 – IPv4 address

Local IP address:

system conntrack app-detect dictionary <u32> remote local-interface <ifc>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • ifc – Local interface to bind to

system conntrack app-detect dictionary <u32> remote local-vrf <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Bind to local Virtual Routing and Forwarding domain name

Reference:

system vrf <id>

system conntrack app-detect dictionary <u32> remote mark <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • u32 – Choose a specific number to mark remote dictionary traffic

system conntrack app-detect dictionary <u32> remote property
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Classification property retrieved from remote dictionary

Instances:

Unique

system conntrack app-detect dictionary <u32> remote property category
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Retrieve category from remote dictionary

system conntrack app-detect dictionary <u32> remote property reputation
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Retrieve reputation from remote dictionary

system conntrack app-detect dictionary <u32> remote ssl-allow-insecure
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Do not verify the authenticity of the SSL certificate and do not check that the hostname matches

system conntrack app-detect dictionary <u32> remote url <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k
Values:
  • txt – Application dictionary server URL

system conntrack app-detect dictionary <u32> remote vrf-mark <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Choose a specific VRF to mark remote dictionary traffic

Reference:

system vrf <id>

system conntrack app-detect dns
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

DNS detection

system conntrack app-detect dns-host
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

DNS query hostname detection

system conntrack app-detect dns-host disable-continuous-resolution
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Disable continuous resolution of FQDNs to update application IDs

system conntrack app-detect dns-host max-cnames <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Size of DNS CNAME cache

Values:
  • u32 – Number of entries allowed in DNS CNAME cache (1-10000)

system conntrack app-detect enable_dict_match_priv_ip
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Allow private IP addresses to be matched against non-custom dictionaries

system conntrack app-detect http
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

HTTP detection

system conntrack app-detect http-host
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

HTTP Host header detection

system conntrack app-detect http-referer
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

HTTP Referer header detection

system conntrack app-detect http-url
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

HTTP request URL detection

system conntrack app-detect http-user-agent
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

HTTP User-Agent header detection

system conntrack app-detect ip-cache
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

IP-cache configuration

system conntrack app-detect ip-cache blacklist
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Allow an IP to be excluded from the ip-cache when its App-ID is flapping

system conntrack app-detect ip-cache timeout <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

[Not recommended to set] IP cache entry timeout in seconds.

Values:
  • u32 – Timeout in seconds (1-86400)

system conntrack app-detect refresh-flow-appid
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Refresh the flow's App-ID when the FQDN's App-ID differs from the ip-cache's

system conntrack app-detect ssl
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

SSL/TLS detection

system conntrack app-detect ssl-host
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

SSL/TLS certificate host detection

system conntrack disable
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Disable connection tracking

system conntrack expect-table-size <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Size of connection tracking expect table

Values:
  • u32 – Number of entries allowed in connection tracking expect table (1-50000000)

system conntrack hash-size <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Hash size for connection tracking table

Values:
  • u32 – Size of hash to use for connection tracking table (1-50000000)

system conntrack logging
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Log conntrack events

system conntrack logging events <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Specify events to capture

Values:
  • new – NEW events

  • update – UPDATE events

  • destroy – DESTROY events

  • all – all of the above events

Instances:

Multiple

system conntrack logging identity <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Specify the identity name of the log entries

Values:
  • txt – Identity name (1-92)

system conntrack logging log-level <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Specify the log level to use (events are logged at the specified level)

Values:
  • err – Error messages

  • warning – Warning messages

  • notice – Messages for further investigation

  • info – Informational messages

  • debug – Debug messages

system conntrack modules
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Connection tracking modules settings

system conntrack modules ftp
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

FTP connection tracking settings

system conntrack modules ftp disable
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Disable FTP connection tracking

system conntrack modules h323
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

H.323 connection tracking settings

system conntrack modules h323 disable
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Disable H.323 connection tracking

system conntrack modules pptp
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

PPTP connection tracking settings

system conntrack modules pptp disable
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Disable PPTP connection tracking

system conntrack modules sip
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

SIP connection tracking settings

system conntrack modules sip disable
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Disable SIP connection tracking

system conntrack modules sip enable-indirect-media
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Enable support for indirect media streams

system conntrack modules sip enable-indirect-signalling
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Enable support for indirect signalling streams

system conntrack modules sip port <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Port number that SIP traffic is carried on

Values:
  • u32 – SIP port number (1-65535)

Instances:

Multiple

system conntrack modules tftp
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

TFTP connection tracking settings

system conntrack modules tftp disable
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Disable TFTP connection tracking

system conntrack replace-clash
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Enable the replace-clash feature

system conntrack table-size <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Size of connection tracking table

Values:
  • u32 – Number of entries allowed in connection tracking table (1-50000000)

system conntrack tcp
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

TCP options

system conntrack tcp half-open-connections <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Maximum number of TCP half-open connections

Values:
  • u32 – Number of connections (1-2147483647)

system conntrack tcp max-retrans <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

TCP maximum retransmit attempts

Values:
  • u32 – Generic connection timeout in seconds (1-2147483647)

system conntrack tcp no-loose
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Do not track previously established connections

system conntrack timeout
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Connection timeout options

system conntrack timeout icmp <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

ICMP timeout in seconds

Values:
  • u32 – ICMP timeout in seconds (1-21474836)

system conntrack timeout other <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

Generic connection timeout in seconds

Values:
  • u32 – Generic connection timeout in seconds (1-21474836)

system conntrack timeout tcp
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

TCP connection timeout options

system conntrack timeout tcp close <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

TCP CLOSE timeout in seconds

Values:
  • u32 – TCP CLOSE timeout in seconds (1-21474836)

system conntrack timeout tcp close-wait <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

TCP CLOSE-WAIT timeout in seconds

Values:
  • u32 – TCP CLOSE-WAIT timeout in seconds (1-21474836)

system conntrack timeout tcp established <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

TCP ESTABLISHED timeout in seconds

Values:
  • u32 – TCP ESTABLISHED timeout in seconds (1-21474836)

system conntrack timeout tcp fin-wait <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

TCP FIN-WAIT timeout in seconds

Values:
  • u32 – TCP FIN-WAIT timeout in seconds (1-21474836)

system conntrack timeout tcp last-ack <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

TCP LAST-ACK timeout in seconds

Values:
  • u32 – TCP LAST-ACK timeout in seconds (1-21474836)

system conntrack timeout tcp syn-recv <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

TCP SYN-RECEIVED timeout in seconds

Values:
  • u32 – TCP SYN-RECEIVED timeout in seconds (1-21474836)

system conntrack timeout tcp syn-sent <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

TCP SYN-SENT timeout in seconds

Values:
  • u32 – TCP SYN-SENT timeout in seconds (1-21474836)

system conntrack timeout tcp time-wait <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

TCP TIME-WAIT timeout in seconds

Values:
  • u32 – TCP TIME-WAIT timeout in seconds (1-21474836)

system conntrack timeout udp
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

UDP timeout

system conntrack timeout udp other <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

UDP generic timeout in seconds

Values:
  • u32 – UDP generic timeout in seconds (1-21474836)

system conntrack timeout udp stream <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE SDE-11k

UDP stream timeout in seconds

Values:
  • u32 – UDP stream timeout in seconds (1-21474836)