
Configuring the Policy Backup-based Acceleration Function

When the policy backup-based acceleration function is enabled, the previous index can be used for policy matching after a policy is modified. This ensures high processing performance.

Context

The FW generates indexes for multiple policies and uses a certain acceleration algorithm to implement fast matching of security policies. If a policy is created, modified, or deleted, its index is re-created:

  • If the policy backup-based acceleration function is disabled on the FW, the policy acceleration function is used by default to generate indexes. After a policy is modified, the new policy immediately takes effect on all traffic passing through the FW. However, in the acceleration hold-off period (60s by default), rules are matched one by one. As a result, the policy matching speed decreases greatly, and processing performance is affected. After the hold-off period ends, the index is generated, and the FW accelerates policy query (index matching).
  • If the policy backup-based acceleration function is enabled on the FW, after a policy is modified, the FW backs up the current index and uses the backup index for policy matching before the new index is generated, ensuring high processing performance. In this case, the new policy does not take effect immediately. If no modification is made to the policy during the acceleration hold-off period (60s by default), the FW starts to generate a new policy index after the hold-off period, and the new policy takes effect after the new index is generated.

Determine whether to enable the policy backup-based acceleration function based on the actual situation.

  • When a large number of policies exist (such as over 100 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, a newly configured policy takes effect only after the policy backup-based acceleration process completes (around 2 minutes; the exact time depends on the number of policy rules).

  • When a small number of policies exist, disable the policy backup-based acceleration function.

The policy backup-based acceleration function is disabled by default, except for the USG6680E and USG6712E/6716E.
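
The trade-off described above can be put on a timeline. The following is an added example, not Huawei code and not a model of the FW's internals; it computes how long a change waits before it is enforced (function enabled) or how long rules are matched one by one (function disabled). Assumptions: the index build time `build_s`, that each edit made within the hold-off period restarts the timer, and that one-by-one matching lasts until the new index exists.

```python
from dataclasses import dataclass

HOLD_OFF_S = 60.0  # default acceleration hold-off period stated on this page

@dataclass
class Burst:
    first_edit: float     # time of the first policy change in the burst (s)
    last_edit: float      # time of the last change in the burst (s)
    index_ready: float    # time at which the rebuilt index is in use (s)
    enforce_delay: float  # how long the first change waits before it is enforced
    degraded_for: float   # how long rules are matched one by one (no index)

def policy_change_timeline(edit_times, standby, hold_off=HOLD_OFF_S, build_s=60.0):
    """Model FW behaviour after policy edits made at edit_times (seconds).

    standby=True  -> policy backup-based acceleration enabled
    standby=False -> policy backup-based acceleration disabled
    build_s is an ASSUMED index build time; the real value depends on rule count.
    Edits less than hold_off apart are ASSUMED to restart the hold-off timer.
    Edits arriving while an index is being built are simply treated as a new burst.
    """
    bursts = []
    for t in sorted(edit_times):
        if bursts and t - bursts[-1][-1] < hold_off:
            bursts[-1].append(t)   # still inside the hold-off: timer restarts
        else:
            bursts.append([t])     # quiet period elapsed: a new burst begins
    result = []
    for b in bursts:
        ready = b[-1] + hold_off + build_s
        if standby:
            # Backup index keeps matching fast but still reflects the OLD policy.
            result.append(Burst(b[0], b[-1], ready, ready - b[0], 0.0))
        else:
            # New policy applies at once; matching is linear until the index exists.
            result.append(Burst(b[0], b[-1], ready, 0.0, ready - b[0]))
    return result

if __name__ == "__main__":
    edits = [0, 30, 75, 400]  # constructed sample: three quick edits, one later edit
    for mode in (False, True):
        for b in policy_change_timeline(edits, standby=mode):
            print(f"standby={mode} first_edit={b.first_edit:.0f}s "
                  f"index_ready={b.index_ready:.0f}s "
                  f"enforce_delay={b.enforce_delay:.0f}s degraded={b.degraded_for:.0f}s")
```

With the function enabled, a rule added at the start of a run of edits is not enforced until the whole run has gone quiet and the index has been rebuilt, which matters when the change is an urgent block rule.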

Configuration on the Web UI

  1. Choose Policy > Security Policy > Security Policy.
  2. Click Configuration in the security policy list and enable the policy backup-based acceleration function.

    You can check the status of the policy backup-based acceleration function on the UI, including whether this function is enabled and whether the acceleration is in process.

    All models except USG6635E/6655E, USG6680E and USG6712E/6716E support the configuration of policy backup-based acceleration on the web UI. In addition, you can configure this function on the web UI only after this function is enabled or the number of configured policies reaches 100.

  3. Click OK.

Configuration on the CLI

  1. Access the system view.

    system-view

  2. Configure policy backup-based acceleration.

    policy accelerate standby enable

  3. Optional: Set the delay for enabling policy acceleration after policy creation, modification, or deletion.

    policy accelerate delay delay-time

    By default, policy acceleration is enabled 60s after a policy is created, modified, or deleted. Use this command to change the delay.

Copyright © Huawei Technologies Co., Ltd.