Forbid P2P Traffic by Using P2P-Car on the Firewall

Publication Date: 2012-07-24
Issue Description
The pattern file is activated, and its version is 1.2.2.4B. The customer wants to forbid all P2P traffic, such as Thunder and BT traffic. After P2P traffic control is configured on the Web page, the download speed of Thunder and BT can still reach nearly 2 Mbps.
Alarm Information
None.
Handling Process
Configure the following from the command line:
Enable the P2P-Car traffic control function in global mode:
[USG2210]firewall p2p-car default-permit
[USG2210]firewall p2p-detect default-permit
[USG2210]firewall p2p-detect behavior enable
[USG2210]firewall p2p-detect packet-number 5    # Configure P2P behavior detection, and set the number of packets to be detected to more than 5
Add the protocols to be subject to P2P traffic control:
[USG2210]firewall p2p-car include BT
[USG2210]firewall p2p-car include PPLIVE
[USG2210]firewall p2p-car include THUNDER
[USG2210]firewall p2p-car include EDEM
[USG2210]firewall p2p-car include FEIDIAN
[USG2210]firewall p2p-car include QQLIVE
[USG2210]firewall p2p-car include CCIPTV
[USG2210]firewall p2p-car include GNUTELLA
[USG2210]firewall p2p-car include KAZAA
[USG2210]firewall p2p-car include PPSTREAM
[USG2210]firewall p2p-car include COOLSTREAMING
[USG2210]firewall p2p-car include DC
[USG2210]firewall p2p-car include KUGOO
[USG2210]firewall p2p-car include ORINNOAVBT
[USG2210]firewall p2p-car include PPGOU
[USG2210]firewall p2p-car include POCO            
[USG2210]firewall p2p-car include BAIBAO
[USG2210]firewall p2p-car include MAZE
[USG2210]firewall p2p-car include TVANTS
[USG2210]firewall p2p-car include UUSEE
[USG2210]firewall p2p-car include VAGAA
[USG2210]firewall p2p-car include BBSEE
[USG2210]firewall p2p-car include QQDOWNLOAD
[USG2210]firewall p2p-car include MYSEE
[USG2210]firewall p2p-car include FILETOPIA
[USG2210]firewall p2p-car include SOULSEEK
[USG2210]firewall p2p-car include SOPCAST
[USG2210]firewall p2p-car include TVU
[USG2210]firewall p2p-car include BEARSHARE
[USG2210]firewall p2p-car include KOOWO
[USG2210]firewall p2p-car include FENGXING
[USG2210]firewall p2p-car include PPFILM
[USG2210]firewall p2p-car include DOPOOL
[USG2210]firewall p2p-car include FLASHGET
[USG2210]firewall p2p-car include PP365
[USG2210]firewall p2p-car include BAIDUXIABA
[USG2210]firewall p2p-car include QINGYL
[USG2210]firewall p2p-car include FS2YOU
[USG2210]firewall p2p-car include TVKOO           
[USG2210]firewall p2p-car include SPEEDYTUDOU
[USG2210]firewall p2p-car include PP365_DOWNLOAD
[USG2210]firewall p2p-car include QVOD
[USG2210]firewall p2p-car include SINATV
[USG2210]firewall p2p-car include HTTP_STREAMING
[USG2210]firewall p2p-car include HTTP_DOWNLOAD
Set the default traffic control rate of P2P-class 0 to 0.
[USG2210]p2p-class 0
[USG2210-p2p-class-0]cir default 0
Set the aging time for the association table.
[USG2210]firewall p2p-car relation-table aging-time 30
Set the scope of the P2P traffic control.
[USG2210]acl number 3300
[USG2210-acl-adv-3300]description for_p2p-car
[USG2210-acl-adv-3300]rule 5 permit ip source 10.0.3.0 0.0.0.255
Configure the interzone traffic control policy.
[USG2210]firewall interzone trust untrust
[USG2210-interzone-trust-untrust]p2p-car 3300 class 0 inbound            
[USG2210-interzone-trust-untrust]p2p-car 3300 class 0 outbound
[USG2210-interzone-trust-untrust]p2p-detect enable
[USG2210-interzone-trust-untrust]p2p-detect mode default
[USG2210-interzone-trust-untrust]p2p-detect mode behavior
Root Cause
1. The P2P application software is the latest version, which is not within the restriction scope of the pattern file.
2. The configuration on the Web page is incomplete.
Suggestions
Advantages of the preceding configuration:
1. The firewall first performs in-depth detection. If no P2P packet is detected, it continues with behavior detection. Dual detection is more reliable, but consumes more resources.
2. If the interzone P2P detection configuration is invalid because it is incomplete, and global P2P detection is enabled, the firewall still selects class 0 for P2P traffic control.
For the Web configuration of P2P-Car, see the attachment.
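Because one root cause above is an incomplete configuration, the following added example (not part of the original case or of any Huawei tool) checks a pasted command transcript for the steps in the handling process. It assumes the transcript uses the prompt format shown on this page; the function names and the sample transcript are constructed for illustration.

```python
import re
PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\]\s*(?P<cmd>[^#]*)")  # text after '#' is a comment
RULE = re.compile(r"p2p-car (\d+) class (\d+) (inbound|outbound)")

def parse(transcript):
    """Return (view, command) pairs from a pasted CLI transcript."""
    hits = (PROMPT.match(line.strip()) for line in transcript.splitlines())
    return [(m["view"], " ".join(m["cmd"].split())) for m in hits if m and m["cmd"].strip()]

def audit(transcript):
    """Return findings for a 'forbid P2P' setup; an empty list means nothing is missing."""
    cmds = parse(transcript)
    flat = {c for _, c in cmds}
    findings = []
    if "firewall p2p-detect behavior enable" not in flat:
        findings.append("global behavior detection not enabled")
    if not any(c.startswith("firewall p2p-car include ") for c in flat):
        findings.append("no protocol added with 'firewall p2p-car include'")
    acls = {c.split()[2] for c in flat if c.startswith("acl number ")}
    zero_rate = {v.rsplit("-", 1)[1] for v, c in cmds if "-p2p-class-" in v and c == "cir default 0"}
    zones = {}
    for view, c in cmds:
        if "-interzone-" in view:
            zones.setdefault(view, []).append(c)
    if not zones:
        findings.append("no interzone view configured")
    for view, zc in zones.items():
        if "p2p-detect enable" not in zc:
            findings.append(f"{view}: p2p-detect not enabled")
        rules = [m.groups() for c in zc if (m := RULE.fullmatch(c))]
        for acl in sorted({r[0] for r in rules} - acls):
            findings.append(f"{view}: p2p-car references undefined ACL {acl}")
        for cls in sorted({r[1] for r in rules} - zero_rate):
            findings.append(f"{view}: p2p-class {cls} lacks 'cir default 0'")
        for d in sorted({"inbound", "outbound"} - {r[2] for r in rules}):
            findings.append(f"{view}: no p2p-car rule for {d} traffic")
    return findings

# Constructed transcript in the page's prompt format, deliberately incomplete.
SAMPLE = """\
[USG2210]firewall p2p-detect behavior enable
[USG2210]firewall p2p-car include BT
[USG2210]p2p-class 0
[USG2210-p2p-class-0]cir default 0
[USG2210]acl number 3000
[USG2210]firewall interzone trust untrust
[USG2210-interzone-trust-untrust]p2p-car 3300 class 0 inbound
[USG2210-interzone-trust-untrust]p2p-detect enable
"""
```

Calling `audit(SAMPLE)` reports the ACL number mismatch and the missing outbound rule.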