Occasional interruptions of firewall database connections

Configure persistent connections between security zones using the CLI.
1. Run the acl [ number ] acl-number [ vpn-instance vpn-instance-name ] command in the system view to create an advanced ACL.
The persistent connection function can use only the advanced ACLs. Therefore, acl-number must range from 3000 to 3999.
2. Run the rule [ rule-id ] { deny | permit } protocol [ source { source-address source-wildcard | any | address-set address-set-name } | source-port { operator port1 [ port2 ] | port-set port-set-name } | destination { destination-address destination-wildcard | any | address-set address-set-name } | destination-port { operator port1 [ port2 ] | port-set port-set-name } | precedence precedence | time-range time-name | tos tos | icmp-type icmp-type icmp-code | logging ] * command to create a rule to define a data flow for which you need to establish a persistent connection. You must set the action to permit.
The source and destination addresses must be as specific as possible to minimize the impact on system performance.
3. Run the quit command to return to the system view.
4. Run the firewall interzone [ vpn-instance vpn-instance-name ] zone-name1 zone-name2 command to access the interzone view.
Run the long-link acl-number { inbound | outbound } command to enable the persistent connection function for the security interzone.
To save system resources, the USG sets a threshold for the total number of persistent connections. If the number of persistent connections reaches the threshold, the device processes subsequent persistent connections as common connections.
The ACL rules applied in the inbound and outbound interzone directions can be different.
If you reconfigure the persistent connections, the new configuration overrides the original one.
After you configure the persistent connection function in the interzone, you can change the referenced ACL. After that, the persistent connection takes effect on the data flows that match the new ACL.
5. (Optional) Run the firewall session long-link-limit max-number command to set the maximum number of connections allowed by the persistent connection function.
By default, the number of connections allowed by the persistent connection function is the maximum number that is half the maximum number of sessions allowed by the USG.
6. (Optional) Run the firewall long-link aging-time time command in the system view to configure the aging time of a persistent connection.
The default aging time of a persistent connection is 168 hours. The aging time applies to all persistent connections."

Scroll to top