Configuring interzone packet filtering on the USG6000 series


Conditions and actions for configuring packet filtering

Other related questions:
Matching priority of firewall packet-filter and policy interzone on the USG9000
policy interzone has a higher priority.

Configure the traffic-filter command to filter packets
On Eth2/0/0, you can configure packet filtering based on an ACL that permits packets with source IP address 192.168.0.2/32 as follows:

    <Huawei> system-view
    [Huawei] acl 3000
    [Huawei-acl-adv-3000] rule 5 permit ip source 192.168.0.2 0
    [Huawei-acl-adv-3000] quit
    [Huawei] interface ethernet 2/0/0
    [Huawei-Ethernet2/0/0] traffic-filter inbound acl 3000

Configuring interzone NAT ALG through the CLI on the USG6000
The USG6000 series supports configuring interzone NAT ALG through the CLI. For example, enable the NAT ALG function for the FTP protocol in the interzone between the Trust zone and the Untrust zone:

    <sysname> system-view
    [sysname] firewall interzone trust untrust
    [sysname-interzone-trust-untrust] detect ftp

For details, see the USG6000 series product documentation.

Configuring MAC filtering on the USG6000
To configure MAC address-based filtering, set the source address/area or destination address/area in the security policy matching condition to the MAC address.

How to configure packet filtering on S series switches
For details about packet filtering configuration examples on S series switches (except the S1700), see "Example for Configuring a Traffic Policy to Limit Access Between Network Segments" in Typical QoS Configuration. Configurations on different models are the same, and configurations on the S series fixed switches, S7700 and S9700 are used as examples. Note: This configuration example does not apply to the S2700SI.
