
Limitations and Precautions for Security Policy

Read limitations and precautions before configuring security policy.

Hardware Requirements

The security policy function is supported by all models.

License Requirements

The security policy function is not license-controlled.

Address Types Supported by Security Policies

  • Individual IP address
  • Individual MAC address

    All models except USG6680E and USG6712E/6716E support the MAC address.

  • IP address segment
  • Address group

    Matching on a MAC address configured in a policy depends on either the across-Layer-3 MAC identification function or MAC addresses learned in the firewall's ARP entries.

    • If the FW works at Layer 2 and directly connects to an intranet or connects to a Layer-2 switch, MAC addresses can serve as matching conditions.
    • If the FW works at Layer 3 and directly connects to an intranet or connects to a Layer-2 switch, MAC addresses can serve as matching conditions through ARP learning.
    • If the FW connects to an intranet through a Layer-3 network device, configure across-Layer-3 MAC identification on the FW and then use MAC addresses as matching conditions.

Configuration of Security Policies for Off-Line Detection

  • When the FW is deployed in off-line mode for detection, set the detection interface to a Layer 2 interface. Configure the off-line detection function at the detection interface so that the FW detects but does not forward traffic.
  • In the content security check on the traffic:

    When the FW has only one interface to receive mirroring traffic or has multiple interfaces to receive mirroring traffic but applies the same security policy to the traffic, you can add the interface or interfaces to any security zone and set the source and destination security zones to any.

    When the FW has multiple interfaces to receive mirroring traffic and applies different security policies to the interfaces, you must add the interfaces to different security zones and set the source and destination security zones of each security policy to the security zone where the corresponding interface resides.

Precautions of Policy Backup-based Acceleration

  • The policy backup-based acceleration function is disabled by default, except on the USG6680E and USG6712E/6716E.

    Only the USG6000E (not including the USG6680E and USG6712E/6716E) supports configuring policy backup-based acceleration on the web UI. In addition, you can configure this function on the web UI only after it has been enabled or the number of configured policies reaches 100.

    The FW rapidly matches policies by querying indexes. If a policy is created, modified, or deleted, its index is re-created. The FW uses the policy acceleration or policy backup-based acceleration function to generate indexes.

    • If the policy backup-based acceleration function is disabled on the FW, the policy acceleration function is used by default to generate indexes. After a policy is modified, the new policy immediately takes effect on all traffic passing through the FW. However, the FW queries policies in non-acceleration mode during the acceleration hold-off period, resulting in degraded performance. The default hold-off period is 60s. After the hold-off period ends, the index is generated, and the FW accelerates policy query (index matching).
    • If the policy backup-based acceleration function is enabled on the FW, after a policy is modified, the FW backs up the current index and uses the backup index for policy matching before the new index is generated. In this case, the new policy does not take effect immediately. If no modification is made to the policy during the acceleration hold-off period (60s by default), the FW starts to generate a new policy index after the hold-off period, and the new policy takes effect after the new index is generated.
  • Determine whether to enable the policy backup-based acceleration function based on the actual situation.
    • When a large number of policies exist (for example, more than 100), the policy backup-based acceleration function must be enabled to keep policy matching efficient while policies are being modified. If this function is enabled, however, a newly configured policy takes effect only after the policy backup-based acceleration process completes (about 2 minutes; the exact time depends on the number of policy rules).
    • When a small number of policies exist, disable the policy backup-based acceleration function.

Other Limitations and Precautions

  • The FW has multiple types of policies, including the security policy, traffic policy, authentication policy, audit policy, quota control policy, PBR, proxy policy, encrypted traffic inspection policy, NAT policy, PCP policy, DNS transparent proxy policy, SACG interworking policy, and flow probe policy. All of these policy types except traffic policies share, and compete for, the device's policy specifications (the maximum number of policies). In addition, virtual systems also draw on the policy specifications of the entire device (the policy specifications of a virtual system can be as large as those of the entire device).
  • User authentication is not triggered for the traffic initiated by the access device or the device. Therefore, the user-based security policy does not take effect for the traffic initiated by the access device or the device.
  • Domain name matching falls into exact matching and suffix matching. Suffix matching has the following requirements:

    Wildcard characters in domain names can only be asterisks (*). In addition, a domain name can contain only one asterisk and must start with it. A domain name supports two to four periods (.) that cannot be consecutive and cannot end with a period. That is, the format must be *.X.X, *.X.X.X, or *.X.X.X.X.

    DNS request and response packets must pass through the FW. Otherwise, the FW cannot learn the mappings between domain names and IP addresses.

  • Policy matching logs can be viewed and exported on the web UI from hard disks or SD cards; the details vary by device model. For details, see Limitations and Precautions for Logs.

  • Performing content security checks (including intrusion prevention, antivirus, or application identification) on traffic affects the performance of the FW. Therefore, configure security policies to reference only the content security profiles that are actually required.
  • If you use Firefox 13.0 or an earlier version, advanced search of security policies by adding search items is not supported. You are advised to use Firefox of a later version or use another browser.
  • If you run the ip binding vpn-instance command to bind an interface to a VPN instance and configure a security policy for the security zone where the interface resides, do not use the MAC address as a matching condition of the security policy. Otherwise, the policy may not be matched and traffic forwarding may be abnormal.
  • If across-virtual-system packets, packets processed by NAT64, VPN-encapsulated packets, or TCP proxy packets are blocked, the FW does not send feedback packets even if it is configured to do so.
  • When the action of a security policy is deny, the policy references a predefined application as a matching condition, and that predefined application is associated with another application, the policy must also reference the associated application; otherwise the service cannot be completely blocked. Because of the association, the related functions of the associated application will fail as well. For example, if the action of a security policy is deny and the policy references the application MSN_VoIP as a matching condition, the policy must also reference the associated application MSN_IM. In this case, the associated application MSN_IM becomes unavailable.

    The application association configuration is checked only when a single application is referenced in a security policy. If the security policy references an application group, category, or sub-category, the application association configuration will not be checked.

For information about applications and their associated applications, see isecurity.huawei.com. When you download the SA signature database, you can also download the signature database description file (for example, SA-SDB_Classified Application Protocol ID_2.0.xls) to understand the relationship between an application and its associated application.
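As an added illustration that is not part of the Huawei documentation, the following Python checker applies the suffix-matching rules for domain names given above (a single leading asterisk, two to four non-consecutive periods, no trailing period) to candidate names, and then shows the exact-versus-suffix matching decision. The letters-digits-hyphen label check and the rule that the wildcard stands for one or more leading labels are assumptions, not statements from the page.

```python
import re

# Rules from the page for suffix (wildcard) domain names: exactly one
# asterisk, placed first, and 2 to 4 periods that are never consecutive
# and never last, i.e. *.X.X, *.X.X.X or *.X.X.X.X.
MIN_DOTS, MAX_DOTS = 2, 4
# Not stated on the page: each label is checked against the usual
# letters-digits-hyphen hostname rule (assumption).
LABEL_RE = re.compile(r"^[a-z0-9-]+$")


def validate_wildcard_domain(name: str) -> tuple[bool, str]:
    """Return (ok, reason) for a candidate suffix-matching domain name."""
    if "*" not in name:
        return False, "no wildcard: this is an exact-match name"
    if name.count("*") != 1:
        return False, "only one asterisk is allowed"
    if not name.startswith("*."):
        return False, "format must be *.X.X, *.X.X.X or *.X.X.X.X"
    dots = name.count(".")
    if not MIN_DOTS <= dots <= MAX_DOTS:
        return False, f"{dots} period(s); 2 to 4 are required"
    if ".." in name:
        return False, "periods cannot be consecutive"
    if name.endswith("."):
        return False, "the name cannot end with a period"
    for label in name[2:].lower().split("."):
        if not LABEL_RE.match(label):
            return False, f"invalid label {label!r}"
    return True, "ok"


def domain_matches(rule: str, hostname: str) -> bool:
    """Exact match for plain names, suffix match for *.X.X-style names.

    Assumption (not on the page): the wildcard stands for one or more
    leading labels, so *.example.com matches www.example.com and
    a.b.example.com but not example.com itself or evilexample.com.
    """
    rule, hostname = rule.lower(), hostname.lower().rstrip(".")
    if "*" not in rule:
        return hostname == rule
    ok, reason = validate_wildcard_domain(rule)
    if not ok:
        raise ValueError(f"{rule}: {reason}")
    suffix = rule[1:]  # ".example.com"
    return hostname.endswith(suffix) and len(hostname) > len(suffix)
```

Feeding a rule that violates the format (for example `*.com`, which has only one period) into `domain_matches` raises `ValueError` instead of silently matching nothing.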

Copyright © Huawei Technologies Co., Ltd.