No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Solution Overview

Solution Overview

SCG Overview

The Service Control Gateway (SCG) is a wireless comprehensive gateway product developed by Huawei. The SCG provides not only service-based charging and bandwidth control but also WAP/HTTP service awareness and conversion, access control, Ad insertion, and malicious URL filtering. Figure 6-1 shows the position of the SCG on the network. Terminal users access the SCG over the bearer network of a carrier, and the SP/CP provides services for terminal users through the SCG. The FWs are deployed on the uplink and downlink sides of the SCG and provide NAT, interzone isolation, and border protection functions.

Figure 6-1  Application of the firewall in the SCG scenario


The SCG works in explicit or transparent proxy mode based on WAP/HTTP service awareness.

  • Explicit proxy (WAPGW)

    The SCG provides gateway services. In this mode, service access users must set the SCG address as the gateway address on their clients. After receiving a user request, the SCG translates the user address into the SCG address and connects to the Internet.

  • Transparent proxy (Proxy)

    The SCG is similar to a router and does not provide gateway services. In this mode, service access users do not need to set gateway addresses on their clients. User requests are routed to the SCG through network devices. After receiving a user request, the SCG uses the client IP address to connect to the Internet. This implementation prevents denial of services or verification code input due to duplicate or intensive user addresses after NAT in explicit proxy mode.

Traffic Models

The GGSN and uplink FW establish a GRE tunnel. The GGSN sends service traffic through the GRE tunnel to the uplink FW to access the SCG. The SCG performs WAP/HTTP service awareness and translation and sends the traffic to the downlink FW. The downlink FW performs NAT and sends the traffic to the Internet.


The GGSN sends user information to the RADIUS server for authentication. If the authentication succeeds, the RADIUS server sends the user information to the FW at the uplink side.

Updated: 2019-01-26

Document ID: EDOC1100062972

Views: 16760

Downloads: 721

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next