USG2210 limit the bandwidth failed

Publication Date: 2012-09-13
Issue Description
A sniffer capture showed that traffic was not being held to the rate-limit value configured on the USG2110.

The PC 61.*.*.* connected to the FTP server, and the server log recorded the client session:

[8:09:23] - [28] user AN [61.*.*.*] connected
[8:09:23] - [28] ANONYMOUS: current directory: E:\ftp\
[8:09:23] - [28] ANONYMOUS: current directory: E:\ftp\
[8:09:33] - [28] ANONYMOUS: current directory: E:\ftp\360\
[8:09:36] - [28] ANONYMOUS: current directory: E:\ftp\360\antivirus\
[8:09:41] - [28] ANONYMOUS: current directory: E:\ftp\360\antivirus\
[8:09:41] - [28] ANONYMOUS: start download E:\ftp\360\antivirus\360sd-upd.exe
[8:10:03] - [28] ANONYMOUS: file download succeeded: E:\ftp\360\antivirus\360sd-upd.exe (518.63 K/S - 11 683 616 bytes)
Alarm Information
none
Handling Process
1、From the packet capture and the screenshot, we judged that the traffic rate had not been brought down to the configured limit value.
2、Check the configuration:
firewall car-class 1 2000000
firewall conn-class 1 10

acl number 3002
rule 5 permit tcp source 10.0.0.0 0.0.0.255
rule 10 permit tcp source 10.0.3.0 0.0.0.255

firewall zone trust
set priority 85
add interface Ethernet0/0/1
ip-car enable
ip-conn tcp inzone 1 acl-number 2000
ip-car inzone 1 acl-number 2000
ip-car outzone 1 acl-number 2000
ip-car inzone filter acl-number 3002
ip-car outzone filter acl-number 3002
ip-conn inzone filter acl-number 3002
ip-conn outzone filter acl-number 3002

3、We found that the limit was applied to TCP only, not to other protocols, because the ACL rule matches TCP. So the rule was changed to match IP instead:
rule 5 permit tcp source 10.0.0.0 0.0.0.255
is changed to:
rule 5 permit ip source 10.0.0.0 0.0.0.255

4、After the configuration was changed, rate limiting worked correctly.
Root Cause
With IP-CAR rate limiting, if the referenced ACL matches a specific protocol, only that protocol is limited. So in practice the ACL should match IP, so that all traffic from the source is limited.
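To make the root cause concrete, the following added example (not Huawei's code, and not part of the original case) models how an ACL such as acl 3002 selects flows for IP-CAR. It parses the "before" ACL from the handling process and the "after" ACL in which rule 5 matches ip, then checks constructed flows against both. Function names (parse_acl, flow_selected, unselected_protocols) and the sample flows are assumptions made for this illustration; the wildcard-mask semantics (a 1 bit means "don't care") are the standard ACL convention.

```python
import ipaddress

# Constructed ACL text modelled on acl 3002 from the case: the "before" version
# matches TCP only, the "after" version changes rule 5 to match all IP traffic.
ACL_BEFORE = """
acl number 3002
rule 5 permit tcp source 10.0.0.0 0.0.0.255
rule 10 permit tcp source 10.0.3.0 0.0.0.255
"""

ACL_AFTER = """
acl number 3002
rule 5 permit ip source 10.0.0.0 0.0.0.255
rule 10 permit tcp source 10.0.3.0 0.0.0.255
"""


def parse_acl(text):
    """Parse lines of the form 'rule <id> permit|deny <proto> source <addr> <wildcard>'."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[0] == "rule" and parts[4] == "source":
            rules.append({
                "id": int(parts[1]),
                "action": parts[2].lower(),
                "proto": parts[3].lower(),
                "addr": int(ipaddress.IPv4Address(parts[5])),
                "wild": int(ipaddress.IPv4Address(parts[6])),
            })
    return sorted(rules, key=lambda r: r["id"])


def rule_matches(rule, proto, src_ip):
    """A rule matches when its protocol is 'ip' or equals the flow's protocol,
    and the source address agrees with rule['addr'] on every bit where the
    wildcard mask has a 0 bit (1 bits in the wildcard are don't-care)."""
    if rule["proto"] not in ("ip", proto.lower()):
        return False
    src = int(ipaddress.IPv4Address(src_ip))
    return (src ^ rule["addr"]) & ~rule["wild"] == 0


def flow_selected(rules, proto, src_ip):
    """True if the first matching rule permits the flow, i.e. IP-CAR will
    apply the car-class limit to it. A flow that matches no rule is not
    selected, so it is not limited at all."""
    for rule in rules:
        if rule_matches(rule, proto, src_ip):
            return rule["action"] == "permit"
    return False


def unselected_protocols(acl_text, src_ip, protocols=("tcp", "udp", "icmp")):
    """Return the protocols from src_ip that escape the limit under this ACL."""
    rules = parse_acl(acl_text)
    return [p for p in protocols if not flow_selected(rules, p, src_ip)]


if __name__ == "__main__":
    # Constructed sample flows: hosts in both ACL subnets plus one outside.
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        for host in ("10.0.0.15", "10.0.3.7", "10.0.5.1"):
            print(label, host, "not limited:", unselected_protocols(acl, host))
```

Running it shows that with the original ACL only TCP from 10.0.0.0/24 and 10.0.3.0/24 is limited, while UDP and ICMP from the same hosts bypass IP-CAR entirely. After rule 5 is changed to ip, every protocol from 10.0.0.0/24 is limited; rule 10 still matches TCP only, so the same change would be needed there if 10.0.3.0/24 traffic is also meant to be limited. Traffic from 10.0.5.1 matches no rule under either ACL and is never limited.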
Suggestions
The firewall's P2P-based rate limiting is effective only when the signature file matches the protocol version in use. So normally we use IP-CAR for rate limiting; it is very effective for limiting the connection number or the bandwidth.

END