
[Troubleshooting] Traffic policy does not take effect


Fault Symptom

To prevent employees from watching movies or playing games during work hours, an enterprise limits the company's bandwidth on the firewall. However, the traffic policy does not take effect after the rate limit is configured: the terminal rate displayed on the firewall still exceeds the upper limit.


Handling Approach

  1. Check the configuration of the traffic profile and traffic policy.

  2. Check whether the DSCP is configured.

  3. Check whether some or all services do not take effect.

  4. Check whether the firewall has dual egresses.

  5. Check whether intelligent traffic steering is configured.

  6. Check whether the NAT server is configured on the firewall.       

  7. Check whether SSL VPN is configured on the firewall.

  8. Check whether the session matches the traffic policy on the firewall.

  9. Check the firewall version and patch information.

 

Handling Procedure

  1. Check the configuration of the traffic profile and traffic policy. If the bandwidth limit of the terminal policy does not take effect, first check whether the traffic policy is correctly configured. For example, check whether rate limiting is configured on the interface and whether the bandwidth policy correctly references the traffic profile.



  2. Check whether DSCP is configured. This point is checked separately because it causes many errors: a DSCP command is configured in the traffic policy and, as a result, rate limiting does not take effect. DSCP is used to mark traffic. If the traffic of the terminals does not reach the firewall with a tag, the traffic policy configuration does not take effect.




  3. Check whether some or all services do not take effect. This step checks the fault against the bandwidth policy configuration. If only some services do not take effect, check whether the bandwidth policy is correctly configured based on the fault symptom. Alternatively, check whether the bandwidth policy contains the services that do not take effect.


  4. Check whether the firewall is configured with dual egresses. If dual egresses are configured, add the security zones where the two egresses reside to the destination security zone of the bandwidth policy. Otherwise, the traffic policy cannot match the destination security zone of the traffic and, as a result, does not take effect.


  5. Check whether intelligent traffic steering is configured. The purpose of this step is the same as that of the previous step. When dual egresses are configured, users often configure them together with intelligent uplink selection. For example, load balancing is configured so that the interfaces on both sides share the traffic. As a result, the rate limit takes effect only for some users or IP addresses and does not take effect for the rest of the traffic.


  6. Check whether the NAT server is configured on the firewall. If the NAT server is configured, traffic from the Internet to the intranet is sent to the server first. In this case, the address configured for the bandwidth limit must be the address after mapping. If the address before mapping is configured, the rate limit does not take effect. For source NAT, however, configure the address before translation.




  7. Check whether SSL VPN is configured on the firewall. SSL VPN is checked because, when it is configured, the bandwidth policy takes effect only for each IP address/user. A limit on the overall bandwidth does not take effect. This problem is caused by the firewall feature and cannot be avoided by running configuration commands. In addition, when bandwidth management is used together with VPN services, it is recommended that the source and destination IP addresses of the traffic policy be precisely the source and destination IP addresses of packets before VPN tunnel encapsulation. Otherwise, the configured bandwidth management function does not take effect when it is used with VPN services other than L2TP, SSL VPN, and GRE over MPLS.




  8. Check whether the session matches the traffic policy on the firewall. If the bandwidth policy still does not take effect after the preceding basic configurations are checked, run the display firewall session table verbose command to view the session table information of the firewall. Check whether the source and destination IP addresses and security zones in the session table are consistent with those configured in the bandwidth policy.



  9. Check the version and patch information of the firewall. If the problem still cannot be located after all the preceding steps have been performed, check the firewall version and patch information to determine whether the firewall version prevents the bandwidth policy from taking effect. In this step, contact the TAC center for assistance. You can ask the TAC engineers to check the version information.
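
As an added illustration of steps 4, 6 and 8 (not part of the original post and not Huawei tooling), the following Python script compares session fields with a bandwidth policy's match conditions and names the condition that fails. The zone names, addresses and record fields are constructed and hypothetical; the records are filled in by hand, not parsed from the output of display firewall session table verbose.

```python
from ipaddress import ip_address, ip_network

def policy(src_zones, dst_zones, src_net, dst_net):
    """Bandwidth-policy match conditions (hypothetical structure)."""
    return {"src_zones": set(src_zones), "dst_zones": set(dst_zones),
            "src_net": ip_network(src_net), "dst_net": ip_network(dst_net)}

def mismatches(session, pol):
    """Return the match conditions of the policy that this session fails."""
    reasons = []
    if session["src_zone"] not in pol["src_zones"]:
        reasons.append("source zone")
    # Step 4: with dual egresses, both egress zones must be destination zones.
    if session["dst_zone"] not in pol["dst_zones"]:
        reasons.append("destination zone")
    # Step 6, source NAT: the policy uses the address before translation.
    if ip_address(session["src"]) not in pol["src_net"]:
        reasons.append("source address")
    # Step 6, NAT server: the policy uses the address after mapping.
    mapped = session.get("dst_mapped")
    if ip_address(mapped or session["dst"]) not in pol["dst_net"]:
        if mapped and ip_address(session["dst"]) in pol["dst_net"]:
            reasons.append("destination address (policy uses pre-mapping address)")
        else:
            reasons.append("destination address")
    return reasons

# Constructed sample data: every zone, address and field name is hypothetical.
OUTBOUND = policy(["trust"], ["untrust"], "10.1.1.0/24", "0.0.0.0/0")
INBOUND = policy(["untrust"], ["dmz"], "0.0.0.0/0", "198.51.100.10/32")
SESSIONS = {
    "isp1": {"src_zone": "trust", "dst_zone": "untrust",
             "src": "10.1.1.20", "dst": "203.0.113.9"},
    "isp2": {"src_zone": "trust", "dst_zone": "untrust2",
             "src": "10.1.1.21", "dst": "203.0.113.9"},
    "server": {"src_zone": "untrust", "dst_zone": "dmz", "src": "203.0.113.50",
               "dst": "198.51.100.10", "dst_mapped": "192.168.10.5"},
}

def audit():
    """Check each constructed session against the policy meant to limit it."""
    return {"isp1": mismatches(SESSIONS["isp1"], OUTBOUND),
            "isp2": mismatches(SESSIONS["isp2"], OUTBOUND),
            "server": mismatches(SESSIONS["server"], INBOUND)}

if __name__ == "__main__":
    for name, reasons in audit().items():
        print(name, "matches" if not reasons else "fails: " + ", ".join(reasons))
```
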

