
policy accelerate standby enable

Function

The policy accelerate standby enable command enables the standby accelerated policy search function.

The undo policy accelerate standby enable command disables the standby accelerated policy search function.

Format

policy accelerate standby enable

undo policy accelerate standby enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the standby accelerated policy search function is disabled, except for the USG6680E and USG6712E/6716E.

Application Scenario

The FW indexes policies and uses an acceleration algorithm so that policy-matching speed does not degrade as the number of policies grows. However, indexing takes time, and the more policies there are to index, the longer it takes.

If the standby accelerated policy search function is disabled, and policies are frequently created, modified, or deleted, the FW does not have enough time to index the policies and matches packets rule by rule, which compromises the policy matching speed and packet processing performance.

The standby accelerated policy search function temporarily backs up the created, modified, or deleted policies and indexes them separately. During this process, the FW continues to use the original index for policy matching, which preserves processing performance. As a result, the created, modified, or deleted policies do not take effect immediately. In normal cases, new indexes are generated after the policy acceleration delay (set with the policy accelerate delay command; 60 seconds by default). Generating the indexes takes around 2 minutes, depending on the number of policies. After that, matching is based on the new policies.

Configuration Impact

After the standby accelerated policy search function is enabled, the impact on existing sessions and new sessions depends on the type of modification.

| Policy Creation/Modification/Deletion | Impact on Existing Sessions | Impact on New Sessions |
| --- | --- | --- |
| Address condition/security zone/user condition/application condition modification | Takes effect with a delay | Takes effect with a delay |
| Service condition/time range/interface modification | Takes effect with a delay | Takes effect immediately |
| Action/data filtering/policy matching log/session log/user-defined persistent connection/session aging time modification | Takes effect with a delay | Takes effect immediately |
| Rule deletion | Takes effect with a delay | Takes effect immediately |

Example

# Enable the standby accelerated policy search function.

<sysname> system-view
[sysname] policy accelerate standby enable
Info: After this function is enabled, security policy rules do not take effect immediately 
after they are configured. Instead, they take effect after policy acceleration is complete. 
Policy acceleration takes about 2 minutes, depending on the number of policy rules. You can 
run the display policy accelerate status command to view the policy acceleration status.
Copyright © Huawei Technologies Co., Ltd.