Users Access Web Pages at a Low Speed After SA Is Enabled on the USG5210

Publication Date: 2015-10-13
Issue Description
A customer uses a USG5120HSR as the egress gateway to control the access behavior of intranet users. The requirements are as follows:

All hosts can access HTTP/HTTPS services. Some hosts can access the QQ service.

After SA is enabled, HTTP access becomes very slow, while the QQ access speed still meets the requirement. The key configurations are as follows:

sa
whole-packet-search enable all
relation-detection enable
update rule-base server domain sec.huawei.com
#
app-set hjzx_im
category IM application QQ_IM
category IM application AliTalk_IM
category IM application QQ_Common
category IM application QQ_Transfer
app-set inter_boss
category Web_Browsing application HTTP
category Web_Browsing application HTTPS
#
sa-policy hjzx_qq
policy default action deny
rule 0
rule enable
action permit
rule app-set hjzx_im
sa-policy inter_boss
policy default action deny
rule 0
rule enable
action permit
rule app-set inter_boss
#
policy interzone trust untrust outbound
policy 0
description allowing some IP addresses of the call center to access the QQ service
action permit
policy logging
policy session traffic statistic logging enable
policy service service-set qq
policy source address-set hjzx_qq
policy sa hjzx_qq
policy ips inter
policy av inter
policy 1
action permit
policy logging
policy session traffic statistic logging enable
policy service service-set inter_boss
policy destination address-set inter_boss
policy sa inter_boss
policy ips inter
policy av inter
Handling Process
Step 1 Change the action of the default policy to permit. After this change, the client can access HTTP services normally.

Step 2 Compare the session entries when the default policy action is deny with those when it is permit.

The session table is as follows when the default policy action is deny:

253281  http  [HTTP_Text]  VPN:public --> public
Zone: trust--> untrust  PolicyID: 1  TTL: 00:02:00  Left: 00:01:54
Output-interface: GigabitEthernet0/0/3  NextHop: 210.12.168.60  MAC: b4-b5-2f-63-35-34
<--packets:5 bytes:3128   -->packets:4 bytes:482
10.1.4.80:51994[210.12.168.48:3081]-->210.12.168.60:80(Block)

The session table is as follows when the default policy action is permit:

252421  http  VPN:public --> public
Zone: trust--> untrust  PolicyID: default  TTL: 00:10:00  Left: 00:09:54
Output-interface: GigabitEthernet0/0/3  NextHop: 210.12.168.60  MAC: b4-b5-2f-63-35-34
<--packets:1 bytes:52   -->packets:2 bytes:92
10.1.4.80:51795[210.12.168.48:3079]-->210.12.168.60:80

The comparison shows that when the default policy action is deny, the session is identified as HTTP, further classified by SA into the subcategories http_text (shown above) and http_image (not listed here), and marked Block. When the action is permit, the same traffic matches the default policy and is not classified into a subcategory.
Root Cause
After SA is enabled, the applications are not matched accurately: the app-set inter_boss contains only the HTTP and HTTPS applications, while SA identifies the users' HTTP traffic as the more specific subcategories http_text and http_image. These subcategories are not in the app-set, so they fall through to the default deny action of the SA policy inter_boss and are blocked when users access HTTP services.
Solution
Add the application subcategories http_text and http_image to the app-set inter_boss so that the SA policy permits them.
Suggestions
When configuring SA for a specific category of applications, compare the session tables with the default policy action set to deny and to permit to identify which application subcategories are being blocked, then add those subcategories to the app-set.
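The session-table comparison above can be done offline once the output is captured. The following is an added example (not Huawei's code and not from the original page): it parses entries in the format shown in this case, flags the ones marked Block, and reports the SA subcategories that are missing from a given app-set. The sample dump reuses the two entries from the page plus a constructed HTTP_Image entry in the same format; the regular expressions and field names are assumptions based on that format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample in the page's session-table format (the third entry, HTTP_Image, is hypothetical).
SESSION_DUMP = """\
253281  http  [HTTP_Text]  VPN:public --> public
Zone: trust--> untrust  PolicyID: 1  TTL: 00:02:00  Left: 00:01:54
Output-interface: GigabitEthernet0/0/3  NextHop: 210.12.168.60  MAC: b4-b5-2f-63-35-34
<--packets:5 bytes:3128   -->packets:4 bytes:482
10.1.4.80:51994[210.12.168.48:3081]-->210.12.168.60:80(Block)

252421  http  VPN:public --> public
Zone: trust--> untrust  PolicyID: default  TTL: 00:10:00  Left: 00:09:54
Output-interface: GigabitEthernet0/0/3  NextHop: 210.12.168.60  MAC: b4-b5-2f-63-35-34
<--packets:1 bytes:52   -->packets:2 bytes:92
10.1.4.80:51795[210.12.168.48:3079]-->210.12.168.60:80

253290  http  [HTTP_Image]  VPN:public --> public
Zone: trust--> untrust  PolicyID: 1  TTL: 00:02:00  Left: 00:01:50
Output-interface: GigabitEthernet0/0/3  NextHop: 210.12.168.60  MAC: b4-b5-2f-63-35-34
<--packets:3 bytes:1840   -->packets:2 bytes:310
10.1.4.80:52010[210.12.168.48:3090]-->210.12.168.60:80(Block)
"""
HEADER_RE = re.compile(r"^(\d+)\s+(\S+)(?:\s+\[([^\]]+)\])?\s+VPN:")  # id, protocol, optional [subcategory]
POLICY_RE = re.compile(r"PolicyID:\s*(\S+)")

@dataclass
class Session:
    protocol: str
    subcategory: Optional[str]  # SA application such as HTTP_Text; None if not identified
    policy_id: str
    blocked: bool               # last line of the entry ends with "(Block)"

def parse_sessions(dump: str) -> List[Session]:
    """Split the dump into blank-line-separated entries and extract the SA-relevant fields."""
    sessions = []
    for entry in re.split(r"\n\s*\n", dump.strip()):
        lines = [l.strip() for l in entry.splitlines() if l.strip()]
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # not a session header line
        policy = POLICY_RE.search(entry)
        sessions.append(Session(head.group(2), head.group(3),
                                policy.group(1) if policy else "unknown",
                                lines[-1].endswith("(Block)")))
    return sessions

def missing_applications(sessions: List[Session], app_set: set) -> List[str]:
    """SA subcategories that were blocked but are absent from the app-set (sorted)."""
    return sorted({s.subcategory for s in sessions
                   if s.blocked and s.subcategory and s.subcategory not in app_set})
```

Running `missing_applications(parse_sessions(SESSION_DUMP), {"HTTP", "HTTPS"})` against the app-set inter_boss from this case lists HTTP_Image and HTTP_Text, the two applications to add.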

END