Due to the ACL configured error, causes USG2130 applying P2P current-limiting has no effect

Publication Date:  2012-11-24 Views:  162 Downloads:  0
Issue Description
A site customers use USG2130 firewall equipment according to the internal network PC set the P2P current-limiting function, but has no effect;
Networking is as follows: PC-----USG2130---internet
The PC is in trust region, and internet is in untrust area;
Alarm Information
Handling Process
1, check USG2130 version, it is V100R003C01SPC007, which is the latest version at present and supports P2P current limiting;
2, check the customer's P2P model file, it is the latest version
3, check the basic configuration of P2P current limiting, no problem;
4, check the P2P limiting corresponded ACL, found the customer configured current limiting has only a ACL matching, ACL defined an ACL in the article to the source destination address, configuration is as follows:
rule 0 permit ip source
the P2P current limiting of inter-domain is:
p2p-car 3030 class 0 outbound
p2p-car 3030 class 0 inbound
From the above configurations can find the problem.
The inbound and outbound in P2P limiting flow just mean the upstream and downstream flow, cannot transform the source address to destination address according to flow, so the need to add an ACL for outbound, designated it as the destination address:,
After modified the configuration is as follows::
ACL 3030
rule 0 permit ip source
ACL 3040
rule 0 permit ip destination
the P2P current limiting of inter-domain is:
p2p-car 3030 class 0 outbound
p2p-car 3040 class 0 inbound
Root Cause
Analysis the reasons are as follows:
1. The firewall version is too low, does not support P2P function.
2. P2P model file hasn’t been updated to the latest version.
3. Hasn’t specified the needed current-limiting application protocol when configuring P2P.
4. ACL configuration error.
Need to understand the difference between “inbound,outbound” in p2p current limiting and “inbound,outbound” in inter-domain packet filtering.