Configuring a Traffic Policy

This section describes how to configure a traffic policy. A traffic policy specifies bandwidth management objects and references a traffic profile.

Prerequisites

  • A bandwidth management object is determined on the basis of traffic attributes, such as source security zone or inbound interface, destination security zone or outbound interface, source address or region, destination address or region, user, service, application, URL categories, schedule, and DSCP value.
  • A traffic profile to be referenced by a traffic policy has been configured.

Context

  • For hierarchical policies, the FW matches traffic against policies from top to bottom, in the order displayed on the UI. Matching stops as soon as the traffic matches all the conditions of one policy.
  • Traffic is always matched against a parent policy before its child policies.
  • If the traffic matches no policy, the FW processes the packet based on the default bandwidth policy.

The FW has a default traffic policy with all matching conditions set to any and the action set to None, so traffic that matches no other policy is not rate-limited.

Using a MAC address as a policy matching condition relies on either the across-Layer-3 MAC identification function or the ARP entries learned by the firewall.
  • If the FW works at Layer 2 and directly connects to an intranet or connects to a Layer-2 switch, MAC addresses can serve as matching conditions.
  • If the FW works at Layer 3 and directly connects to an intranet or connects to a Layer-2 switch, MAC addresses can serve as matching conditions through ARP learning.
  • If the FW connects to an intranet through a Layer-3 network device, configure across-Layer-3 MAC identification on the FW and then use MAC addresses as matching conditions. For the description of across-Layer-3 MAC identification, see Across-Layer-3 MAC Identification.

Procedure

  1. Choose Policy > Bandwidth Management > Traffic Policy.
  2. Click Add.
  3. Specify the policy name, policy description, and the parent policy.

    Parameter

    Description

    Name

    Name of a traffic policy.

    Enter a unique name for the traffic policy.

    Description

    Description of a traffic policy.

    Describe the traffic policy in a way that helps administrators understand the function of the traffic policy and enables easy policy query and maintenance.

    Tag

    The tag identifies and categorizes the policy. You can query policies based on tags and delete, move, enable, or disable policies in batches based on the query results. For the tag description and configuration, see Tag.

    Parent Policy

    Name of the parent policy to which a traffic policy belongs.

    The parent policy must be an existing traffic policy.

  4. Configure traffic policy matching conditions.

    A packet is considered to match a traffic policy only if the packet matches all the conditions in the traffic policy. A matching condition may specify multiple traffic attributes. A packet that matches any of the traffic attributes in the matching condition is considered to match the condition.

    Configure traffic policies in descending order of precision, from the most specific to the least specific.

    Parameter

    Description

    Source Type

    Source information type, which can be Source Zone or Inbound interface.

    Source Zone

    Name of a security zone that sends traffic.

    You need to configure this parameter only if you set Source Type to Source Zone.

    Inbound Interface

    Name of an interface that receives traffic.

    You need to configure this parameter only if you set Source Type to Inbound interface.

    Destination Type

    Destination information type, which can be Destination Zone or Outbound interface.

    Destination Zone

    Name of a security zone that receives traffic.

    You need to configure this parameter only if you set Destination Type to Destination Zone.

    Outbound Interface

    Name of an interface that sends traffic.

    You need to configure this parameter only if you set Destination Type to Outbound interface.

    Source Address/Region

    Source IP addresses in traffic.

    • Address and address group: You can specify an IP address, a MAC address, or a continuous IP address range. You can also gather MAC address sets, discontinuous IP addresses, and continuous IP address ranges that cannot be expressed with a network or subnet mask into an address group. For details, see Address and Address Group.

      NOTE:

      To exclude an address or address group (source address or source addresses of traffic) from policy matching, select the address or address group from the available address area, select it in the selected address area, click Invert, and then click OK.

    • Domain group: You can specify a domain group to set the IP addresses of some specific domain names as the policy matching conditions. For details, see Domain Group.
      NOTE:

      When an IP address corresponds to multiple domain names, an IP address can be used to search for a maximum of 16 domain names. If the domain name to be searched is not in the policy rule, the policy cannot be matched. You are advised to configure multiple domain names with the same IP address in the same policy rule.

    • Region and region group: You can specify a region or region group as a match condition of a policy. For details, see Region and Region Group.

    You can manually enter IP/MAC addresses or select an existing address object from the drop-down list.

    Each entry in the drop-down list carries an icon that identifies its type:

    • an address
    • an address group
    • a domain group
    • a country or region, shown with a region icon or a national flag. User-defined regions are displayed above predefined regions. A region is a group of addresses grouped by geographic region.
    • a region group

    When there are multiple available options, you can select Address or Region from the drop-down list, improving the configuration efficiency. When only Address is selected, the drop-down list displays all optional addresses, address groups, and domain groups. When only Region is selected, the drop-down list displays all optional regions and region groups.

    NOTE:

    If the traffic limiting mode is per-IP CAR, the PC whose traffic rate is to be limited has multiple IP addresses, and all traffic from these IP addresses to the destination network passes through the FW, you need to add all of the IP addresses to the traffic policy. Otherwise, traffic limiting may be inaccurate.

    For example, a PC accesses the Internet using IP addresses 10.3.1.1 and 10.3.2.1, and the maximum downstream bandwidth of the PC must be limited to 1 Mbit/s. You need to set both 10.3.1.1 and 10.3.2.1 as the source address matching condition in the traffic policy and reference the traffic profile with the downstream bandwidth limit set to 1 Mbit/s.

    Destination Address/Region

    The destination address, destination address group, destination domain group, destination region, or destination region group of traffic. If the attribute of a packet matches one of the previous values, the packet meets this condition. Destination addresses and regions define the hosts and servers that can be accessed.

    NOTE:

    When an IP address corresponds to multiple domain names, an IP address can be used to search for a maximum of 16 domain names. If the domain name to be searched is not in the policy rule, the policy cannot be matched. You are advised to configure multiple domain names with the same IP address in the same policy rule.

    The destination configuration is similar to source configuration.

    When there are multiple available options, you can select Address or Region from the drop-down list, improving the configuration efficiency. When only Address is selected, the drop-down list displays all optional addresses, address groups, and domain groups. When only Region is selected, the drop-down list displays all optional regions and region groups.

    NOTE:

    To exclude an address or address group (destination address or destination addresses) from policy matching, select the address or address group from the available address area, select it in the selected address area, click Invert, and then click OK.

    User

    Name of a user that sends traffic.

    The value can be a User, User Group, or Security Group.

    You can reference local users, user groups, or security groups or create new ones.

    If the server has a large number of users, user groups, or security groups and only some of them need to be imported to the FW for policy control, select Server Import under the User matching condition, query the server online and import the desired users, user groups, or security groups, and then reference them in policies.
    NOTE:

    Only the AD and AD LDAP servers support online query and import of users, user groups, or security groups.

    Before that, you need to configure a server import policy in the New User Authentication Options and associate an authentication domain with the configured server import policy.

    The server import policy determines the target groups, online query path, and filtering parameter. However, the import type configured in the server import policy does not take effect in this function.

    It is recommended that the user name (cn value) on the server be the same as the login name (sAMAccountName value).

    A policy can reference a maximum of 64 users, user groups, or security groups.

    Select Import from Server from the matching conditions of User. If Type is set to User, the device imports only the names of the users, not the user groups or security groups to which the users belong.

    Service

    The protocol type of the traffic. Services can be predefined or user-defined.

    • Predefined services are well-known services, such as HTTP, FTP, and Telnet.

    • You can also define services as needed. User-defined services are configured by specifying information such as port numbers. User-defined services fall into three types, configured as follows:

      • For TCP/UDP/SCTP packets, you must specify the source and destination ports.
      • For ICMP packets, you must specify the ICMP message type and code.
      • For IP packets, you must specify the protocol number in the IP header.

    You can also create a service group and add predefined and user-defined services to the group.

    For details, see Service and Service Group.

    NOTE:

    To exclude a service or service group (service or service group of traffic) from policy matching, select the service or service group from the available service area, select it in the selected service area, click Invert, and then click OK.

    Application

    Application of the traffic. A service may be used by multiple applications. Therefore, applications are more fine-grained than services. Applications can be predefined or user-defined.

    You can also create an application group and add predefined and user-defined applications to the group.

    In addition, you can reference an application label to control traffic that matches the label or reference software to control traffic that matches this type of software.

    For details on applications, application groups, application labels, and software, see Application and Application Group.

    NOTE:

    The FW supports fuzzy search, which helps you rapidly find the application you need. To search for an application, perform the following steps:

    1. Click Multiple.
    2. Enter an application name or a part of the application name.
    3. Click the search button. The application with the specified name appears in the drop-down list.
    4. Select the needed application name and add the application.

    URL categories

    Select or create a URL category.

    URL categories are either predefined or user-defined. You can use predefined categories or create user-defined categories as described in Configuring User-defined URL Categories.

    Time Range

    Validity period of a traffic policy.

    DSCP Value

    DSCP priority carried in packets.

  5. Specify actions and reference a traffic profile.

    Parameter

    Description

    Action

    Action that is taken to process traffic.

    The value can be Limit or None.

    Traffic Profile

    Name of a traffic profile.

    You need to configure this parameter only if you set Action to Limit.

    The web UI provides a link to [Add Security Policy]. You can click the link to open the Add Security Policy page and rapidly create a security policy that permits traffic based on the configured traffic policy matching conditions. In addition, the Add Security Policy page supports Switch Source and Destination and OK and Copy, for configuring security policies for forward and return traffic.

  6. Click OK.
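The matching rules stated in Context and in step 4 (a packet must satisfy all conditions of a policy, any one listed attribute satisfies a condition, policies are tried top to bottom with the parent before its children, the Invert button excludes the listed addresses, and the default policy applies when nothing matches) can be simulated directly. The following Python is an added illustration, not Huawei's code: the zone names, profile names and policy tree are constructed, the two PC addresses are taken from the per-IP CAR note in step 4, and the simulation assumes that a matching child policy takes precedence over its parent.

```python
import ipaddress
from dataclasses import dataclass, field
net = ipaddress.ip_network

def _hit(value, attr):
    # Address conditions hold IP networks; every other attribute is compared literally.
    if isinstance(value, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return ipaddress.ip_address(attr) in value
    return value == attr

@dataclass
class Condition:
    values: set = field(default_factory=set)  # empty set means "any"
    invert: bool = False                      # Invert button: match everything NOT listed
    def matches(self, attr):
        if not self.values:
            return True
        hit = attr is not None and any(_hit(v, attr) for v in self.values)  # any listed value suffices
        return not hit if self.invert else hit

@dataclass
class Policy:
    name: str
    conditions: dict                          # attribute -> Condition; an absent attribute is "any"
    action: str = "None"                      # "Limit" or "None"
    profile: str = None                       # traffic profile referenced when action is "Limit"
    children: list = field(default_factory=list)
    def matches(self, packet):
        # A packet matches only if it satisfies ALL conditions of the policy.
        return all(c.matches(packet.get(k)) for k, c in self.conditions.items())

DEFAULT = Policy("default", {}, action="None")  # all conditions "any", traffic not limited

def match_policy(policies, packet, default=None):
    # Top to bottom as listed on the UI; a parent must match before its children are
    # tried, and a matching child takes precedence over its parent (assumption).
    for pol in policies:
        if pol.matches(packet):
            return match_policy(pol.children, packet, default=pol)
    return default

# Constructed policy tree (names and profiles are hypothetical). The PC from the per-IP CAR
# note above has two addresses, so both go into one child policy, as the note requires.
POLICIES = [Policy("trust_to_untrust",
    {"src_zone": Condition({"trust"}), "dst_zone": Condition({"untrust"})},
    action="Limit", profile="dept_total_100M", children=[
        Policy("pc_download", {"src_addr": Condition({net("10.3.1.1/32"), net("10.3.2.1/32")})},
               action="Limit", profile="pc_down_1M"),
        Policy("non_servers", {"src_addr": Condition({net("10.3.9.0/24")}, invert=True)},
               action="Limit", profile="client_2M")])]
```

Calling `match_policy(POLICIES, packet, DEFAULT)` with a packet from 10.3.9.5 in zone trust shows the fall-back: neither child matches (the second is inverted), so the parent profile applies, while a packet from 10.3.2.1 in zone dmz never reaches the child and gets the default policy.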

Follow-up Procedure

After configuring a traffic policy, you can choose Policy > Bandwidth Management > Traffic Policy and click the real-time monitoring button of a policy in the traffic policy list to monitor the traffic that matches the policy in real time. On the monitoring page, you can choose to monitor upstream, downstream, or total traffic. The system displays a comparison of the traffic rate before and after rate limiting together with the current traffic rate, which indicates whether the traffic policy takes effect.

All models except USG6680E and USG6712E/6716E support this function.

After hardware fast forwarding is enabled using the hardware fast-forwarding enable command, the real-time monitoring button is not displayed on the web UI unless traffic limiting is configured globally based on the upstream or downstream bandwidth. That is, traffic matching the traffic policy is not monitored in real time.

When a per-IP-address or per-user traffic limit is configured in the traffic profile, the rate shown as the rate before rate limit on the traffic monitoring page depends on whether hardware fast forwarding is enabled. If it is disabled, the rate before rate limit is the rate at which the system receives the traffic. If it is enabled, the rate before rate limit is the rate after per-IP-address or per-user rate limiting. For example, the system receives traffic at a rate of 100 Mbps. If the traffic matches the bandwidth policy, the rate decreases to 90 Mbps after per-user or per-IP-address rate limiting, and the final rate is 50 Mbps after overall rate limiting.

  • If the hardware fast forwarding function is disabled, the rates before and after rate limit are 100 Mbps and 50 Mbps, respectively.
  • If the hardware fast forwarding function is enabled, the rates before and after rate limit are 90 Mbps and 50 Mbps, respectively.

If bandwidth management does not take effect, modify traffic policy parameters or traffic profile parameters. For information about how to modify the traffic profile parameters, see Configuring a Traffic Profile.

Copyright © Huawei Technologies Co., Ltd.