
Configuring a Traffic Policy

This section describes how to configure a traffic policy. A traffic policy specifies bandwidth management objects and references a traffic profile.

Prerequisites

  • The bandwidth management object has been determined on the basis of traffic attributes, such as source security zone or inbound interface, destination security zone or outbound interface, source address or region, destination address or region, user, service, application, URL category, schedule, and DSCP value.
  • A traffic profile to be referenced by a traffic policy has been configured.

Context

  • For hierarchical policies, the FW matches traffic against policies from top to bottom in the order displayed on the UI. Matching stops as soon as the traffic matches all conditions of one policy in a traffic profile.
  • Traffic is always matched against a parent policy before its child policies.
  • If the traffic matches no policy, the FW processes the packet based on the default bandwidth policy.

The FW has a default traffic policy in which all matching conditions are set to "any" and the action is set to no limit.

Using a MAC address as a matching condition relies either on the across-Layer-3 MAC identification function or on the FW having learned the corresponding ARP entries.
  • If the FW works at Layer 2 and directly connects to an intranet or connects to a Layer-2 switch, MAC addresses can serve as matching conditions.
  • If the FW works at Layer 3 and directly connects to an intranet or connects to a Layer-2 switch, MAC addresses can serve as matching conditions through ARP learning.
  • If the FW connects to an intranet through a Layer-3 network device, configure across-Layer-3 MAC identification on the FW and then use MAC addresses as matching conditions. For the description of across-Layer-3 MAC identification, see Across-Layer-3 MAC Identification.

Procedure

  1. Access the traffic policy view from the system view.

    traffic-policy

  2. Optional: Enable the public IP address matching function in the traffic policy view.

    • This function takes effect only on public IP addresses after Source NAT or before NAT Server. Determine whether you need to use a public IP address as the matching condition of the traffic policy.
    • This function changes only the traffic policy matching mechanism. In actual scenarios, you must set a specific public IP address as the source/destination IP address of a traffic policy.

  3. Create a traffic policy rule and access the traffic policy rule view.

    rule name rule-name [ parent parent-rule-name ]

    The parent parameter specifies a parent policy for the policy rule to be configured. The parent policy must already exist.

    After creating a traffic policy rule, run the rule rename old-name new-name command to rename that policy rule.

  4. Optional: Configure the traffic policy rule description.

    description description

    Policy functions must be clearly described so that an administrator can easily query and maintain the policy rules.

  5. Optional: Configure a tag for the policy.

    add tag tag-name

    After policies reference tags, you can query policies based on tags and delete, move, enable, or disable policies in batches based on query results. For the tag description and configuration, see Tag.

  6. Configure matching conditions in the policy rule.

    A packet is considered to match a traffic policy only if the packet matches all the conditions in the traffic policy. A matching condition may specify multiple traffic attributes. A packet that matches any of the traffic attributes in the matching condition is considered to match the condition.

    Policies must be configured from the most specific to the least specific.

    Function / Command

    Specify a source security zone or inbound interface.

    Either a source security zone or an inbound interface can be specified. If both commands are run, the command run later overrides the earlier one.

    source-zone zone-name &<1-6>

    ingress-interface interface-type interface-number

    Specify a destination security zone or outbound interface.

    Either a destination security zone or an outbound interface can be specified. If both commands are run, the command run later overrides the earlier one.

    destination-zone zone-name &<1-6>

    egress-interface interface-type interface-number

    Specify a source IP address or region.

    • source-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | ipv6-address ipv6-prefix-length [ description description ] | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } [ description description ] | geo-location geo-location-name &<1-6> | geo-location-set geo-location-set-name &<1-6> | mac-address &<1-6> | domain-set domain-set-name &<1-6> | any }

    • source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]
    NOTE:
    If the traffic limiting mode is per-IP CAR, the PC whose traffic rate is to be limited has multiple IP addresses, and all traffic from these IP addresses to the destination network passes through the FW, you must add all of the IP addresses to the traffic policy. Otherwise, traffic limiting might be inaccurate.

    For example, a PC accesses the Internet using IP addresses 10.3.1.1 and 10.3.2.1, and the maximum downstream bandwidth of the PC must be limited to 1 Mbit/s. You need to set both 10.3.1.1 and 10.3.2.1 as the source address matching condition in the traffic policy and reference the traffic profile with the downstream bandwidth limit set to 1 Mbit/s.

    Specify a destination IP address or region.

    • destination-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | ipv6-address ipv6-prefix-length [ description description ] | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } [ description description ] | geo-location geo-location-name &<1-6> | geo-location-set geo-location-set-name &<1-6> | mac-address &<1-6> | domain-set domain-set-name &<1-6> | any }

    • destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]

    Specify a user, user group or security-group.

    user { username user-name &<1-6> | user-group user-group-name &<1-6> | security-group security-group-name &<1-6> | any }

    Specify an application.

    application { any | app app-name &<1-6> | app-group app-group-name &<1-6> | category category-name [ sub-category sub-category-name &<1-6> ] | label label-name &<1-6> | software software-name &<1-6> }

    Specify a URL category.

    url { pre-defined { category { name category-name | category-id } | sub-category { name sub-category-name | sub-category-id } } | user-defined sub-category sub-category-name | any }

    Configure a service (by referencing a service or service group).

    Configure a service (by referencing a TCP/UDP/SCTP port or IP-layer protocol).

    • service protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *

    • service protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]

    • service protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]

    • service protocol protocol-number

    • service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *

    • service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]

    • service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]

    • service-exclude protocol protocol-number

    Specify the validity period of a policy.

    time-range time-range-name

    Set a DSCP priority.

    dscp { dscp-value &<1-8> | any }

  7. Specify an action in the traffic policy rule.

    action { qos profile profile-name | no-qos }
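The following is an added configuration example that walks through steps 1 to 7 above; it is not taken from the original page. It builds the dual-homed PC scenario from the NOTE in step 6 as a hierarchical policy: a parent rule with a shared ceiling for the trust zone, a per-IP child rule that lists both of the PC's addresses, and a broader DSCP-based child rule, then orders the rules most-specific first and turns on discard logging from the Follow-up Procedure. The zone names trust and untrust, the traffic profiles intranet_total and pc_1mbps (assumed to be pre-configured, with pc_1mbps carrying the 1 Mbit/s downstream limit), the tag bandwidth, and all rule names are assumptions chosen for this example. Lines beginning with # are annotations, not commands to be typed.

```text
system-view
traffic-policy
# Step 3: parent rule. One shared ceiling for everything leaving the trust zone.
rule name intranet_total
 description shared_ceiling_trust_to_untrust
 add tag bandwidth
 source-zone trust
 destination-zone untrust
 source-address 10.3.0.0 16
 action qos profile intranet_total
 quit
# Child rule for the dual-homed PC. Both of its addresses are listed so that
# per-IP CAR sees all of its traffic; pc_1mbps is the 1 Mbit/s downstream profile.
rule name pc_download parent intranet_total
 description 1mbps_downstream_dual_homed_pc
 source-zone trust
 destination-zone untrust
 source-address 10.3.1.1 32
 source-address 10.3.2.1 32
 action qos profile pc_1mbps
 quit
# Child rule that applies no traffic profile of its own to EF-marked (DSCP 46)
# traffic. It is deliberately broader than pc_download, so it must sit below it.
rule name voice_no_profile parent intranet_total
 description no_profile_for_dscp46_traffic
 source-zone trust
 destination-zone untrust
 dscp 46
 action no-qos
 quit
# Most specific first: the two-address rule is evaluated before the zone-wide
# DSCP rule (rule move is run in the traffic policy view).
rule move pc_download before voice_no_profile
quit
# Log packets that the traffic policy discards (disabled by default).
traffic-policy discard packet log enable
```

Because matching runs top to bottom and stops at the first rule whose conditions all match, swapping the order of the two child rules would change which one shapes DSCP 46 traffic sent from 10.3.1.1 or 10.3.2.1; the rule move command makes the intended order explicit rather than relying on creation order.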

Follow-up Procedure

After completing the configuration, you can run the following commands to modify parameters:

  • Run the rule move rule-name1 { { after | before } rule-name2 | up | down | top | bottom } command in the traffic policy view to arrange policies in a different order.
  • Run the rule copy rule-name new-rule-name command in the traffic policy view to copy a policy rule.
  • Run the enable or disable command in the traffic policy rule view to enable or disable the policy rule.

After completing the configuration, you can run the following commands to enable logs for packets discarded based on the traffic policy:

  1. Run the traffic-policy discard packet log enable command in the system view to enable the sending of logs on packet discarding based on traffic policies.

    This function is disabled by default.

  2. Run the traffic-policy discard packet log interval interval command in the system view to set the interval for sending the logs on packet discarding based on traffic policies.

    The default interval is five minutes.

The logs on packet discarding based on traffic policies are sent to and output by the information center. For description of the information center, see Logs.

Copyright © Huawei Technologies Co., Ltd.