firewall hash-gene

Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this command.

There are not many sessions on the FW; source and destination addresses are fixed (such as IPSec tunnels); and the source and destination addresses are planned following certain rules. As a result, service traffic is not evenly distributed among CPUs based on their source addresses or their source and destination addresses. In this case, you need to add a hash gene to balance CPU selection, so that service traffic can be evenly distributed to CPUs.

In dual-device hot backup scenarios, if hash factors are configured to take effect immediately, services are interrupted for a short period of time. After the device is restarted, the hash factors on the active and standby nodes are inconsistent during the two-node cluster switchover. As a result, sessions cannot be correctly backed up, and services are interrupted for a short period of time.

When the hash genechange takes effect, NAT, IPSec, and forwarding services are interrupted for a short period of time. After the sessions of these services are re-established, the services are restored.

The hash gene is a numerical value for the hash algorithm used to select CPU. If the source and destination addresses of packets are random, using the default value is recommended.

The modification of the hash factor takes effect immediately. As a result, different packets of the same connection may be sent to different CPUs for processing, affecting services. Therefore, modify the hash factor during off-peak hours.