Background: I would like to configure a USG6625E firewall to filter some unwanted attacks. I have already activated the threat protection license on the device. I am using a layer-2 in-line deployment and VLANs to separate the 2 ISPs. Both pairs of interfaces are in an untrusted zone. There is one security policy with the default intrusion prevention “outside_firewall” profile enabled.
I have the following questions:
Are there any performance issues with this type of setup? Should I enable hardware fast forwarding on this device? (note: daily traffic is around 100 gig)
From my past experience with TippingPoint IDS, we should be able to have different filters set for upstream and downstream traffic. I would like to configure it as shown in the table below.
Untrust | Trust | Act as downstream with one security policy |
Trust | Untrust | Act as upstream with one security policy |
(Note: Just one comment. I cannot get a Huawei NIP 6xxx series device due to import restrictions in our area.)
Please provide any guidelines on the above or best practice configurations.

