HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
  • Intelligent uplink selection and smart DNS work correctly only if each ISP address set includes all required IP addresses. Therefore, collect as many common addresses as possible for each ISP address set.

  • In a multi-egress scenario, PBR intelligent uplink selection cannot be used together with the IP spoofing attack defense or Unicast Reverse Path Forwarding (URPF) function. If the IP spoofing attack defense or URPF function is enabled, the FW may discard packets.

  • A license is required to use smart DNS. In addition, smart DNS is available only after the required components are loaded through the dynamic loading function.

  • The virtual server IP address used in server load balancing cannot be the same as any of the following ones:

    • Public IP address of the NAT server (global IP address)

    • IP addresses in the NAT address pool

    • Gateway IP address

    • Interface IP addresses of the FW

  • The real server IP address used in server load balancing cannot be the same as any of the following ones:

    • Virtual server IP address

    • Public IP address of the NAT server (global IP address)

    • Internal server IP address of the NAT server (inside IP)

  • After you configure server load balancing, use the IP addresses of the real servers, not the IP address of the virtual server, when you configure security policies and the routing function.

  • After you configure the NAT address pool and NAT server, configure black-hole routes to addresses in the address pool and the public address of the NAT server to prevent routing loops.

  • Only the audit administrator can configure the audit function and view audit logs.

  • You can view and export audit logs on the web UI only on a device that has an available disk installed.

  • On networks with different forward and return packet paths, the audit log contents may be incomplete.
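
The server load balancing address restrictions and the black-hole route precaution above can be checked against an address plan before the configuration is applied. The following is an added example, not Huawei code: the plan dictionary, its key names and the sample addresses are assumptions made for illustration, and it reads no device configuration.

```python
import ipaddress

def expand(items):  # 'a.b.c.d', 'lo-hi' ranges or CIDR strings -> list of networks
    nets = []
    for item in items:
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-"))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(item))
    return nets

def covered(addr, items):
    return any(ipaddress.ip_address(addr) in net for net in expand(items))

def check_plan(plan):
    """Return violations of the SLB address and black-hole route precautions."""
    problems = []
    vip = plan["slb_virtual_ip"]
    vip_forbidden = {
        "NAT server global address": plan["nat_server_global"],
        "NAT address pool": plan["nat_pool"],
        "gateway address": plan["gateways"],
        "FW interface address": plan["fw_interfaces"],
    }
    for label, items in vip_forbidden.items():
        if covered(vip, items):
            problems.append(f"virtual server {vip} overlaps {label}")
    real_forbidden = {
        "virtual server address": [vip],
        "NAT server global address": plan["nat_server_global"],
        "NAT server inside address": plan["nat_server_inside"],
    }
    for rip in plan["slb_real_ips"]:
        for label, items in real_forbidden.items():
            if covered(rip, items):
                problems.append(f"real server {rip} overlaps {label}")
    # NAT pool and NAT server public addresses each need a covering black-hole route.
    blackholes = expand(plan["blackhole_routes"])
    for net in expand(plan["nat_pool"] + plan["nat_server_global"]):
        if not any(net.subnet_of(bh) for bh in blackholes):
            problems.append(f"no black-hole route covers {net}")
    return problems

SAMPLE_PLAN = {  # constructed sample (documentation/private ranges), not from the page
    "slb_virtual_ip": "198.51.100.10", "slb_real_ips": ["10.2.0.11", "10.2.0.20"],
    "nat_server_global": ["198.51.100.20"], "nat_server_inside": ["10.2.0.20"],
    "nat_pool": ["198.51.100.8-198.51.100.11"], "gateways": ["198.51.100.1"],
    "fw_interfaces": ["198.51.100.2", "10.2.0.1"], "blackhole_routes": ["198.51.100.8/30"],
}
```

Calling `check_plan(SAMPLE_PLAN)` reports the three conflicts built into the sample; an empty list means the plan satisfies these precautions.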

Updated: 2019-01-26

Document ID: EDOC1100062972
