Got it
Huawei Enterprise Support Community
Community Forums Security
How Do You Add "Allow Any...

How Do You Add "Allow Any" Rule in PBR

Created: Dec 23, 2021 04:21:15Latest reply: Dec 23, 2021 11:41:53 269 7 0 0 0
  Rewarded HiCoins: 0 (problem resolved)
View the author 1#

So that any rules that are not in the PBR will fall back to the global routing table?

I tried any any but still need to select an outgoing interface. 

0.0.0.0 as next hop also cannot work.

Need your help.


I am using USG6600E firewall.



Like (0) Dislike (0) Favorite(0) Share Report
Previous: Licenses description for USG6330.
Next: Comparison and Differences Between IPS vs IDS vs Firewall vs WAF
Featured Answers

Best answer

(0) (0)
chenhui
Admin Created Dec 23, 2021 11:41:53

Posted by ClarenceEemont at 2021-12-23 08:12 Hi,Can you give a screenshot of how you do the "no pbr" rule?We have a problem of inter vlan routi ...

Hi, 

Please refer to the example:

[FW] policy-based-route
[FW-policy-pbr] rule name A_1
[FW-policy-pbr-rule-A_1] ingress-interface GigabitEthernet 0/0/1
[FW-policy-pbr-rule-A_1] source-address 10.1.0.0 16
[FW-policy-pbr-rule-A_1] destination-address 10.2.0.0 16
[FW-policy-pbr-rule-A_1] action no-pbr


View more
  • x
  • convention:

ClarenceEemont
ClarenceEemont Created Dec 25, 2021 04:32:17 (0) (0)
Hi chenhui,

Noted on the config but can it be done using GUI?
Another thing: let say I do health check on wan interface.
There is PBR policy with this wan interface.
So when this interface go down, the PBR policy gets invalidated.
Then the firewall will go on to the next PBR rule and eventually the global routing table.
Am I right to say that?
Thanks!  
chenhui
chenhui Reply ClarenceEemont  Created Dec 25, 2021 06:01:14 (0) (0)
Hi,
Please refer to (https://support.huawei.com/hedex/hdx.do?docid=EDOC1100149308&id=EN-US_TASK_0189673412&lang=en) for the GUI configuration.
For the second question, yes, you are right. But you are suggested to configure a BFD or NQA to monitor the link and bind the PBR rule with the BFD monitor result to switch the PBR rule dynamic.  

Recommended answer

(0) (0)
chenhui
Admin Created Dec 23, 2021 06:12:19

Posted by ClarenceEemont at 2021-12-23 04:45 I have rules in my PBR.For those rules that dont match the PBR, I want it to go to the global rout ...
Hi,
No, you don't have to configure extra rules to redirect the traffic to the global routing table. By default, the traffic that mismatches the PBR rules will be guided by the global routing table.
If you want to add the extra rules, you just need to configure an extra rule at the bottom of the PBR and set the action the no-pbr.
View more
  • x
  • convention:
All Answers
(0) (0)
2#
chenhui
chenhui Admin Created Dec 23, 2021 04:25:19

Hi,
What do you mean any any? The matching rules?
Can you specify your question more detailed?
View more
  • x
  • convention:
(0) (0)
3#
ClarenceEemont
ClarenceEemont Created Dec 23, 2021 04:45:05

Posted by chenhui at 2021-12-23 04:25 Hi, What do you mean any any? The matching rules? Can you specify your question more detailed?
I have rules in my PBR.
For those rules that dont match the PBR, I want it to go to the global routing table.
I believe need a permit "any any" rule to make this happen because have implicit deny.
How to add this rule?
View more
  • x
  • convention:
(0) (0)
4#
chenhui
chenhui Admin Created Dec 23, 2021 06:12:19

Posted by ClarenceEemont at 2021-12-23 04:45 I have rules in my PBR.For those rules that dont match the PBR, I want it to go to the global rout ...
Hi,
No, you don't have to configure extra rules to redirect the traffic to the global routing table. By default, the traffic that mismatches the PBR rules will be guided by the global routing table.
If you want to add the extra rules, you just need to configure an extra rule at the bottom of the PBR and set the action the no-pbr.
View more
  • x
  • convention:
(0) (0)
5#
ClarenceEemont
ClarenceEemont Created Dec 23, 2021 08:12:38

Posted by chenhui at 2021-12-23 06:12 Hi,No, you don't have to configure extra rules to redirect the traffic to the global routing table ...
Hi,
Can you give a screenshot of how you do the "no pbr" rule?

We have a problem of inter vlan routing not working after PBR is applied. We suspect it is because there we need to add a default rule after the PBR.

Can you advice on this also?
View more
  • x
  • convention:
(0) (0)
6#
chenhui
chenhui Admin Created Dec 23, 2021 11:41:53

Posted by ClarenceEemont at 2021-12-23 08:12 Hi,Can you give a screenshot of how you do the "no pbr" rule?We have a problem of inter vlan routi ...

Hi, 

Please refer to the example:

[FW] policy-based-route
[FW-policy-pbr] rule name A_1
[FW-policy-pbr-rule-A_1] ingress-interface GigabitEthernet 0/0/1
[FW-policy-pbr-rule-A_1] source-address 10.1.0.0 16
[FW-policy-pbr-rule-A_1] destination-address 10.2.0.0 16
[FW-policy-pbr-rule-A_1] action no-pbr


View more
  • x
  • convention:

ClarenceEemont
ClarenceEemont Created Dec 25, 2021 04:32:17 (0) (0)
Hi chenhui,

Noted on the config but can it be done using GUI?
Another thing: let say I do health check on wan interface.
There is PBR policy with this wan interface.
So when this interface go down, the PBR policy gets invalidated.
Then the firewall will go on to the next PBR rule and eventually the global routing table.
Am I right to say that?
Thanks!  
chenhui
chenhui Reply ClarenceEemont  Created Dec 25, 2021 06:01:14 (0) (0)
Hi,
Please refer to (https://support.huawei.com/hedex/hdx.do?docid=EDOC1100149308&id=EN-US_TASK_0189673412&lang=en) for the GUI configuration.
For the second question, yes, you are right. But you are suggested to configure a BFD or NQA to monitor the link and bind the PBR rule with the BFD monitor result to switch the PBR rule dynamic.  
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.