Restrictions on the use of port mirroring on the USG9000 series


The restrictions and precautions on the use of mirroring on the USG9000 series are as follows:

Restrictions:
- Only the LPUK, LPUN, and LPU-100C boards support port mirroring.
- BFD and HRP packets cannot be mirrored.
- The action of every rule in the ACL referenced by port mirroring must be permit, and the ACL cannot reference address sets.
- Traffic mirroring cannot be configured in VLANs.
- If an Eth-Trunk interface or subinterface on an LPU-100C is configured as the mirroring port, packets are mirrored only to the first member interface; the mirrored traffic is not load-balanced across members.
Precautions:
- A service interface cannot be used as the observing port, and the observing port cannot carry service traffic.
- The mirroring port and the observing port cannot be the same port.
- If the observing port and the mirroring port run at different rates, the observing port cannot receive all mirrored packets. Use an observing port with the same rate as the mirroring port.
- Port mirroring consumes CPU resources on the firewall, degrades service processing performance, and can affect services. Disable it as soon as you no longer need it.
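The restrictions and precautions above are easy to violate in a change ticket. The following pre-deployment check, added here as an illustration and not part of Huawei's documentation or tooling, encodes them as a lint over a planned mirroring configuration. The Port, AclRule and MirrorPlan data model, the field names, and the sample interface names are assumptions; they stand in for what you would collect from the device before configuring mirroring.

```python
"""Lint a planned USG9000 port-mirroring configuration against the documented
restrictions. Hypothetical helper (assumed data model, not the device's CLI)."""
from dataclasses import dataclass, field
from typing import List

MIRROR_CAPABLE_BOARDS = {"LPUK", "LPUN", "LPU-100C"}


@dataclass
class Port:
    name: str                   # constructed sample name, e.g. "GigabitEthernet1/0/1"
    slot: int                   # board slot the interface lives on
    board: str                  # board type, e.g. "LPUK"
    speed_mbps: int             # physical rate, used for the rate-mismatch precaution
    is_service: bool = False    # carries production traffic
    is_vlan: bool = False       # VLAN / VLANIF interface
    is_eth_trunk: bool = False  # Eth-Trunk interface or subinterface


@dataclass
class AclRule:
    action: str                     # "permit" or "deny"
    uses_address_set: bool = False  # rule references an address set


@dataclass
class MirrorPlan:
    mirror: Port
    observe: Port
    acl: List[AclRule] = field(default_factory=list)


def lint_mirror_plan(plan: MirrorPlan) -> List[str]:
    """Return the documented restrictions/precautions the plan violates.
    An empty list means the plan is consistent with the rules on this page."""
    problems = []
    m, o = plan.mirror, plan.observe
    if m.board not in MIRROR_CAPABLE_BOARDS:
        problems.append(f"{m.name}: board {m.board} does not support port mirroring")
    if m.is_vlan:
        problems.append(f"{m.name}: traffic mirroring cannot be configured in VLANs")
    if m.name == o.name:
        problems.append("mirroring port and observing port cannot be the same port")
    if m.slot != o.slot:
        problems.append("cross-board mirroring is not supported: ports are on different slots")
    if o.is_service:
        problems.append(f"{o.name}: a service interface cannot be the observing port")
    if m.speed_mbps != o.speed_mbps:
        problems.append(f"rate mismatch ({m.speed_mbps} vs {o.speed_mbps} Mbit/s): "
                        "observing port cannot receive all mirrored packets")
    for i, rule in enumerate(plan.acl):
        if rule.action != "permit":
            problems.append(f"ACL rule {i}: action must be permit, got {rule.action}")
        if rule.uses_address_set:
            problems.append(f"ACL rule {i}: address sets are not supported in mirroring ACLs")
    if m.is_eth_trunk and m.board == "LPU-100C":
        problems.append(f"warning: {m.name} is an Eth-Trunk on LPU-100C; only the first "
                        "member receives mirrored packets, no load balancing")
    return problems


# Constructed samples: the bad plan mirrors to another board at a lower rate with a deny rule.
BAD_PLAN = MirrorPlan(
    mirror=Port("GigabitEthernet1/0/1", slot=1, board="LPUK", speed_mbps=1000, is_service=True),
    observe=Port("GigabitEthernet2/0/1", slot=2, board="LPUK", speed_mbps=100),
    acl=[AclRule("permit"), AclRule("deny")],
)
GOOD_PLAN = MirrorPlan(
    mirror=Port("GigabitEthernet1/0/1", slot=1, board="LPUK", speed_mbps=1000, is_service=True),
    observe=Port("GigabitEthernet1/0/2", slot=1, board="LPUK", speed_mbps=1000),
    acl=[AclRule("permit")],
)

if __name__ == "__main__":
    for label, plan in (("bad", BAD_PLAN), ("good", GOOD_PLAN)):
        print(label, lint_mirror_plan(plan) or "OK")
```

Run the lint before touching the device; the Eth-Trunk finding is a warning rather than a hard failure, because the configuration is accepted but only the first member interface carries the mirrored traffic.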

Other related questions:
Does the USG9000 series support cross-board port mirroring?
No. The USG9000 series does not support cross-board port mirroring: the mirroring port and the observing port must be on the same board.

Restrictions on using hot standby together with NAT on the USG9000 series
Restrictions on using hot standby together with NAT:
1. When hot standby runs together with NAT, the upstream and downstream service interfaces of the active and standby devices must be Layer 3 interfaces.
2. In load balancing networking, if you configure only one NAT address pool and do not configure port translation in the address pool-based source NAT policy, the two firewalls may translate the source IP addresses of traffic from different hosts to the same IP address, causing address conflicts.
3. In load balancing mode, if a NAT address pool is required on both NGFWs, you must run hrp nat ports-segment primary on one NGFW and hrp nat ports-segment secondary on the other NGFW to prevent port conflicts during NAT.

Software restrictions of hot standby on the USG9000 series
Software restrictions of hot standby:
1. The software versions on the active and standby devices must be the same.
2. The BootROM versions on the active and standby devices must be the same.
3. The hash board selection modes and hash factors on the active and standby devices must be the same.
4. In a hot standby deployment, the consistency between the active and standby configurations is checked every 24 hours. The security policies, NAT policies, traffic policies, audit policies, and PBRs on the active and standby devices must be exactly the same, and the policies must be in the same order.
5. You are advised to start from the initial configuration file on both devices.
6. The service interfaces and heartbeat interfaces used by the active and standby devices must be the same.
7. The interfaces on the same slot of the active and standby devices must be added to the same security zone.
8. An interface with vrrp virtual-mac enable configured cannot function as a heartbeat interface.
9. The service interfaces of the active and standby devices use fixed IP addresses. Hot standby therefore cannot be used together with functions that obtain IP addresses automatically, such as PPPoE dial-up, DHCP client, 3G, and xDSL.
10. The MTU of the heartbeat interfaces must be set to 1500.
11. When hot standby is used together with virtual systems, the VSYS names and IDs on the active and standby devices must be the same.
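Both lists above (the NAT restrictions and the software restrictions) describe properties that must agree between the two members of an HRP pair, and the device only reports policy drift on its 24-hour check. The following pair check, added here as an illustration and not Huawei's own tooling, compares facts collected from both devices and reports each documented restriction that is violated. The DeviceFacts model, its field names, the hash mode and version strings, and the interface names are assumptions standing in for values you would read from the two devices' display output; hrp nat ports-segment primary/secondary and vrrp virtual-mac enable are the commands named on this page.

```python
"""Check an HRP (hot standby) pair against the documented restrictions.
Hypothetical helper: the DeviceFacts fields are an assumed model of what is
collected from each device, not the firewall's own configuration syntax."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DYNAMIC_IP_FEATURES = {"pppoe", "dhcp-client", "3g", "xdsl"}   # restriction 9


@dataclass
class DeviceFacts:
    software_version: str
    bootrom_version: str
    hash_mode: str
    hash_factors: List[str]
    heartbeat_ifaces: List[str]
    service_ifaces: List[str]
    iface_mtu: Dict[str, int]                  # interface -> MTU
    iface_zone: Dict[str, str]                 # interface -> security zone
    vrrp_virtual_mac_ifaces: List[str]         # interfaces with 'vrrp virtual-mac enable'
    iface_ip_feature: Dict[str, str] = field(default_factory=dict)  # iface -> pppoe/dhcp-client/...
    l2_ifaces: List[str] = field(default_factory=list)              # Layer 2 interfaces
    policies: Dict[str, List[str]] = field(default_factory=dict)    # policy type -> ordered rule names
    vsys: Dict[str, int] = field(default_factory=dict)              # VSYS name -> ID
    nat_pools: int = 0                         # NAT address pools configured
    nat_pat_enabled: bool = True               # port translation in the pool-based source NAT policy
    hrp_ports_segment: Optional[str] = None    # "primary", "secondary" or None


def check_hrp_pair(active: DeviceFacts, standby: DeviceFacts, load_balancing: bool) -> List[str]:
    """Return the restrictions the pair violates; empty list means consistent."""
    problems = []
    for attr, label in (("software_version", "software version"), ("bootrom_version", "BootROM version"),
                        ("hash_mode", "hash board selection mode"), ("hash_factors", "hash factors"),
                        ("heartbeat_ifaces", "heartbeat interfaces"), ("service_ifaces", "service interfaces"),
                        ("vsys", "VSYS names and IDs")):
        if getattr(active, attr) != getattr(standby, attr):
            problems.append(f"{label} differ between active and standby")
    # Policies must match rule for rule, and the order is compared, not just the set of rules.
    for ptype in sorted(set(active.policies) | set(standby.policies)):
        if active.policies.get(ptype, []) != standby.policies.get(ptype, []):
            problems.append(f"{ptype} policies differ in content or order")
    for dev_name, dev in (("active", active), ("standby", standby)):
        for hb in dev.heartbeat_ifaces:
            if dev.iface_mtu.get(hb) != 1500:
                problems.append(f"{dev_name}: heartbeat {hb} MTU must be 1500, got {dev.iface_mtu.get(hb)}")
            if hb in dev.vrrp_virtual_mac_ifaces:
                problems.append(f"{dev_name}: {hb} has vrrp virtual-mac enable and cannot be a heartbeat interface")
        for svc in dev.service_ifaces:
            if dev.iface_ip_feature.get(svc) in DYNAMIC_IP_FEATURES:
                problems.append(f"{dev_name}: service interface {svc} obtains its address dynamically")
            if svc in dev.l2_ifaces:
                problems.append(f"{dev_name}: service interface {svc} must be a Layer 3 interface for NAT")
    # Same-slot interfaces must sit in the same zone on both devices (restriction 7).
    for iface, zone in active.iface_zone.items():
        if standby.iface_zone.get(iface) != zone:
            problems.append(f"{iface}: zone {zone} on active vs {standby.iface_zone.get(iface)} on standby")
    if load_balancing:
        if active.nat_pools > 0 and standby.nat_pools > 0 and \
                {active.hrp_ports_segment, standby.hrp_ports_segment} != {"primary", "secondary"}:
            problems.append("NAT pool on both devices needs hrp nat ports-segment primary on one "
                            "and hrp nat ports-segment secondary on the other")
        if active.nat_pools == 1 and not (active.nat_pat_enabled and standby.nat_pat_enabled):
            problems.append("single NAT pool without port translation: both devices may map "
                            "different hosts to the same address")
    return problems


def _facts(**override) -> DeviceFacts:
    """Constructed sample facts; every string here is made up for the example."""
    base = dict(software_version="V1", bootrom_version="V1-boot", hash_mode="src-dst-ip",
                hash_factors=["sip", "dip"], heartbeat_ifaces=["GigabitEthernet1/0/7"],
                service_ifaces=["GigabitEthernet1/0/1"], iface_mtu={"GigabitEthernet1/0/7": 1500},
                iface_zone={"GigabitEthernet1/0/1": "untrust"}, vrrp_virtual_mac_ifaces=[],
                policies={"security": ["r1", "r2"], "nat": ["n1"]}, vsys={"vsysA": 1},
                nat_pools=1, nat_pat_enabled=True, hrp_ports_segment="primary")
    base.update(override)
    return DeviceFacts(**base)


ACTIVE = _facts()
STANDBY_OK = _facts(hrp_ports_segment="secondary")
# Wrong BootROM, reordered security policy, jumbo MTU on the heartbeat, and both sides "primary".
STANDBY_BAD = _facts(bootrom_version="V2-boot", policies={"security": ["r2", "r1"], "nat": ["n1"]},
                     iface_mtu={"GigabitEthernet1/0/7": 9000}, hrp_ports_segment="primary")

if __name__ == "__main__":
    print("ok pair:", check_hrp_pair(ACTIVE, STANDBY_OK, load_balancing=True) or "OK")
    print("bad pair:", check_hrp_pair(ACTIVE, STANDBY_BAD, load_balancing=True))
```

The policy comparison deliberately compares ordered lists rather than sets, because restriction 4 requires the same sequence, not only the same rules; a pair that passes a set comparison can still fail the device's own 24-hour consistency check.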
