No traffic between security zones

Created: Oct 13, 2019 17:29:05 | Latest reply: Oct 17, 2019 20:23:25
Rewarded Hi-coins: 0 (problem resolved)

Hi,

I have a USG6300 and can't enable traffic between security zones, even after adding a security policy to authorize communications. I've read about interzone communications in the documentation, but I don't know how to set them up. My software version is V100R001C30SPC100.

Regards


Featured Answers
chenhui (Admin) Created Oct 14, 2019 02:05:05

@raycaloo hello,
If you are sure about the validity of the security policy configuration, you are kindly advised to check whether the interfaces were added to the security zones.

All Answers
wissal (MVE) Created Oct 13, 2019 19:41:36

Hello,

Please refer to the link below to find the answer to your issue:

Thanks

raycaloo Created Oct 14, 2019 18:08:57

Hello,
The interfaces are in the right zones, but something strange is that only the default security policy is applied. When I create a security policy to permit any any and switch the default policy to deny, I have no Internet traffic, even though the preview says permit any. When I turn the default to permit, the Internet traffic starts again. It looks strange to me.
Does anybody know where the problem is?

chenhui (Admin) Created Oct 15, 2019 01:00:39

Posted by raycaloo at 2019-10-14 18:08: Hello, The interfaces are in right zones but something strange is that only the default security poli ...
Well, you are kindly advised to check the matching sequence of the two security policies, i.e. whether the customized security policy will be matched before the default policy.
Otherwise, would you please upload the corresponding configuration, so that we can help locate the problem. (NOTICE: please erase private information, such as public IP addresses, before uploading the configuration.)

Peterhof Created Oct 15, 2019 04:17:14

Hello!
If you are able to enter the web interface of the USG after applying the policies you can use Monitor/Diagnose/Packet Tracer to check packets flow and look where they stopped.
raycaloo Created Oct 15, 2019 11:22:09

these are the results of certain show commands

```
[fw]display zone
#
trust
priority is 85
interface of the zone is (5):
GigabitEthernet0/0/0
GigabitEthernet0/0/1
GigabitEthernet0/0/3.1
GigabitEthernet0/0/6
Vlanif900
#
untrust
priority is 5
interface of the zone is (2):
GigabitEthernet0/0/3.2
GigabitEthernet0/0/4
#
[fw]display security-policy all
11:17:42 2019/10/15
Total:2
RULE ID RULE NAME STATE ACTION HITTED
-------------------------------------------------------------------------------
0 default enable permit 300575
17 Internet enable permit 0
-------------------------------------------------------------------------------
[fw]display interface GigabitEthernet0/0/6
11:28:04 2019/10/15
GigabitEthernet0/0/6 current state : UP
Line protocol current state : UP
GigabitEthernet0/0/6 current firewall zone : trust
Description : Huawei, USG6300 series, GigabitEthernet0/0/6 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 172.16.0.114/30
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 88cf-986f-8ced
Media type is twisted pair, loopback not set, promiscuous mode not set
Unknown-speed mode, unknown-duplex mode, link type is auto negotiation
QoS max-bandwidth : 1000000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 0 bytes/sec, 0 packets/sec
Last 300 seconds output rate 0 bytes/sec, 0 packets/sec
Input: 1076157 packets, 235749606 bytes
1076125 unicasts, 2 broadcasts, 30 multicasts, 0 pauses
0 overruns, 0 runts, * jumbos, 0 FCS errors
* length errors, 0 code errors, * align errors
0 fragment errors, 0 giants, 0 jabber errors
* dribble condition detected, 0 other errors
Output: 1311718 packets, 1578797049 bytes
77743 unicasts, 184 broadcasts, 0 multicasts, 0 pauses
0 underruns, 0 runts, * jumbos, 0 FCS errors
* fragment errors, 0 giants, * jabber errors
0 collisions, 0 late collisions
0 ex. collisions, 0 deferred, 0 other errors
[fw]display interface g0/0/4
11:30:40 2019/10/15
GigabitEthernet0/0/4 current state : UP
Line protocol current state : UP
GigabitEthernet0/0/4 current firewall zone : untrust
Description : Huawei, USG6300 series, GigabitEthernet0/0/4 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 192.168.40.1/26
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 88cf-986f-8ceb
Media type is twisted pair, loopback not set, promiscuous mode not set
Unknown-speed mode, unknown-duplex mode, link type is auto negotiation
QoS max-bandwidth : 100000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 0 bytes/sec, 0 packets/sec
Last 300 seconds output rate 0 bytes/sec, 0 packets/sec
Input: 1592309 packets, 1815631647 bytes
1471246 unicasts, 46113 broadcasts, 74950 multicasts, 0 pauses
0 overruns, 0 runts, * jumbos, 0 FCS errors
* length errors, 0 code errors, * align errors
0 fragment errors, 0 giants, 0 jabber errors
* dribble condition detected, 0 other errors
Output: 1035955 packets, 230158893 bytes
1035953 unicasts, 2 broadcasts, 0 multicasts, 0 pauses
0 underruns, 0 runts, * jumbos, 0 FCS errors
* fragment errors, 0 giants, * jabber errors
0 collisions, 0 late collisions
0 ex. collisions, 0 deferred, 0 other errors
```


chenhui (Admin) Created Oct 16, 2019 01:11:30

Posted by raycaloo at 2019-10-15 11:22: these are the results of certain show commands

Hello,
From the information you uploaded, over 300,000 packets hit the default security policy, while no packet hit the security policy Internet. You are kindly advised to check the matching rules of the corresponding security policy.
[attachment: No traffic between security zones-3082860-1]

Also, both the interface speed and duplex mode are unknown; you'd better check whether the interface works fine.
[attachment: No traffic between security zones-3082860-2]

Another point: the action of the default security policy is permit, and all the security policy actions are permit, so theoretically no traffic would be discarded because of the security policy. And since both the interface speed and duplex mode are unknown, you can try pinging the firewall from the directly connected PC to check whether the interface works normally (the ping service should be enabled first).

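The checks chenhui walks through in this thread (are the interfaces actually members of a zone, is the link itself healthy, and do the hit counters show traffic falling through to the default rule instead of the custom one) can be run mechanically against the posted `display` output. The following is an added example, not code from the thread or from Huawei: it parses the `display zone`, `display security-policy all` and `display interface` output excerpted from raycaloo's post and prints findings. The parsers, the wording of the findings and the assumption that the order in which rules are listed is the order in which they are matched are this example's own.

```python
import re

# Sample CLI output, excerpted from the outputs posted in this thread and trimmed to the
# lines the checks need; the parsers and checks are this example's own code, not USG code.
ZONE_OUTPUT = """
#
trust
priority is 85
interface of the zone is (5):
GigabitEthernet0/0/0
GigabitEthernet0/0/1
GigabitEthernet0/0/3.1
GigabitEthernet0/0/6
Vlanif900
#
untrust
priority is 5
interface of the zone is (2):
GigabitEthernet0/0/3.2
GigabitEthernet0/0/4
#
"""
POLICY_OUTPUT = """
RULE ID RULE NAME STATE ACTION HITTED
0 default enable permit 300575
17 Internet enable permit 0
"""
INTERFACE_OUTPUT = """
GigabitEthernet0/0/6 current state : UP
Line protocol current state : UP
GigabitEthernet0/0/6 current firewall zone : trust
Unknown-speed mode, unknown-duplex mode, link type is auto negotiation
"""
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(enable|disable)\s+(permit|deny)\s+(\d+)$")


def parse_zones(text):
    """'display zone' -> {zone: {"priority": int, "interfaces": [...]}}; blocks are separated by '#'."""
    zones = {}
    for block in text.split("#"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        zone, in_list = {"priority": 0, "interfaces": []}, False
        for line in lines[1:]:
            if (m := re.match(r"priority is (\d+)", line)):
                zone["priority"] = int(m.group(1))
            elif line.startswith("interface of the zone is"):
                in_list = True          # every following line of the block is an interface name
            elif in_list:
                zone["interfaces"].append(line)
        zones[lines[0]] = zone
    return zones


def parse_policies(text):
    """'display security-policy all' -> rule dicts, in the order the firewall lists them."""
    keys = ("id", "name", "state", "action", "hits")
    rows = (RULE_RE.match(ln.strip()) for ln in text.splitlines())
    return [dict(zip(keys, (int(m[1]), m[2], m[3], m[4], int(m[5])))) for m in rows if m]


def parse_interfaces(text):
    """'display interface' -> {name: {"zone": str|None, "unknown_link": bool}}."""
    result, cur = {}, None
    for line in text.splitlines():
        if (m := re.match(r"^(\S+) current state : \S+", line)):
            cur = m.group(1)
            result[cur] = {"zone": None, "unknown_link": False}
        elif cur and (m := re.match(r"^\S+ current firewall zone : (\S+)", line)):
            result[cur]["zone"] = m.group(1)
        elif cur and "unknown-speed" in line.lower():
            result[cur]["unknown_link"] = True
    return result


def diagnose(zones, rules, interfaces):
    """Run the checks raised in the thread; returns human-readable findings."""
    findings = []
    zone_of = {i: name for name, z in zones.items() for i in z["interfaces"]}
    for name, info in interfaces.items():
        if name not in zone_of:
            findings.append(f"{name} is not a member of any security zone")
        elif info["zone"] and info["zone"] != zone_of[name]:
            findings.append(f"{name}: zone mismatch ({info['zone']} vs {zone_of[name]})")
        if info["unknown_link"]:
            findings.append(f"{name}: speed/duplex unknown, verify the link (ping from the adjacent host)")
    default = next((r for r in rules if r["name"] == "default"), None)
    for pos, r in enumerate(rules):
        if r["name"] == "default" or r["state"] != "enable":
            continue
        if default and r["hits"] == 0 and default["hits"] > 0:
            findings.append(f"rule '{r['name']}' has 0 hits while default has {default['hits']}: "
                            "its zone/address match conditions never fire")
        # Assumption: the listed order is the match order, so a rule shown after 'default' is shadowed.
        if default and pos > rules.index(default):
            findings.append(f"rule '{r['name']}' is listed after 'default' and would never be evaluated")
    if default and default["action"] == "permit":
        findings.append("default policy is permit: unmatched flows are allowed, so rule effects are masked")
    return findings


def run_checks():
    """Apply every check to the embedded sample output."""
    return diagnose(parse_zones(ZONE_OUTPUT), parse_policies(POLICY_OUTPUT),
                    parse_interfaces(INTERFACE_OUTPUT))


if __name__ == "__main__":
    for finding in run_checks():
        print("-", finding)
```

Run against the thread's own output it reports exactly the symptoms the thread discusses: the Internet rule with zero hits while the default rule has absorbed 300,575 packets, the default action being permit (which is why flipping it to deny is the only change that has any visible effect), and the unknown speed/duplex on GigabitEthernet0/0/6. Feed it the `display interface` output of an interface that appears in no zone and it reports that instead, which is the first check chenhui asked for.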

moahmedZakaria Created Oct 16, 2019 01:38:09

If you are able to enter the web interface of the USG after applying the policies you can use Monitor/Diagnose/Packet Tracer to check packets flow and look where they stopped.

raycaloo Created Oct 17, 2019 20:23:25

Hi all,
The problem is solved. The error came from my network configuration.
Thanks for the help.
