
Configuring Control of Protocol Packets Based on Security Policies

This section describes the configuration related to security policy-based control of protocol packets.

Context

By default, security policies control only unicast packets but not broadcast or multicast packets. Broadcast and multicast packets are directly forwarded. However, there are some exceptions:

  • After the Layer-2 multicast packet filtering function is enabled, the FW applies security policies to all Layer-2 multicast packets, including those that traverse the FW and those sent by the FW. Layer-2 ND multicast packets are the exception.

  • For security purposes, unicast packets of some basic network protocols are by default controlled by the security policies and default security policies. To enable the device to quickly access the network, you can disable the security policy control function for unicast packets of basic protocols so that the unicast packets of these protocols are not controlled by security policies and default security policies. For details about the involved basic network protocols, see Security Policy Exceptions.

Configuration on the Web UI

  1. Choose Policy > Security Policy > Security Policy.
  2. Click Configuration in the security policy list, and enable or disable the basic protocol packet filtering function.
  3. Click OK.

Configuration on the CLI

  1. Access the system view.

    system-view

  2. Configure the security policy control for protocol packets.

Copyright © Huawei Technologies Co., Ltd.