Configuration Sequence Matters
After receiving a packet, the firewall matches the packet against the security policies in the order in which they appear in the security policy list. Once a security policy is matched, the firewall stops matching. Therefore, the sequence of security policies is very important. If the same security policies are arranged in different sequences, the matching results may differ and device performance may be affected.
Security policies with accurate matching conditions take precedence. The security policy configured with the most accurate matching conditions, following the principle of least privilege (minimum authorization), must be placed at the top of the list. Security policies with accurate matching conditions must precede security policies with general matching conditions. Security policies with general matching conditions need to be gradually refined or disabled.
Security policies that are frequently matched take precedence. If a security policy is frequently matched, a large share of the traffic hits that policy. Matching the bulk of the traffic sooner can significantly improve device performance. This is especially evident in high-load environments.
After ensuring that high-hit-rate security policies will not shadow low-hit-rate security policies (that is, that no policy placed above another can match every packet the lower policy is meant to match), place the high-hit-rate security policies before the low-hit-rate security policies.
You are advised to configure security policies in the following sequence:
Anti-spoofing security policy. If access traffic from the public network uses a private IP address, the traffic is disguised as traffic initiated by an internal device. Such traffic must be denied. Huawei firewalls provide the IP spoofing attack defense function (which can be configured using the firewall defend ip-spoofing enable command). However, this function applies to limited scenarios only. You can use security policies to prevent IP spoofing attacks.
Security policy that allows authorized user services, for example, a security policy that allows HTTP traffic so that internal network users can access external web services.
Security policy that allows authorized management services, for example, a security policy that allows SNMP traffic so that the firewall can send SNMP traps to the NMS.
Security policy that blocks unauthorized traffic. For unauthorized services, you can configure a blocking security policy to discard the service traffic quickly, improving the matching speed.
Security policy that blocks suspicious traffic. Administrators need to keep observing suspicious traffic. Therefore, logs need to be recorded when the traffic is blocked so that administrators can analyze the traffic and adjust security policy actions in a timely manner.
The default security policy denies all traffic that is not explicitly permitted. However, it takes time for such traffic to reach the default security policy at the end of the security policy list, which will severely affect device performance. Therefore, you must configure explicit security policies to deny known traffic that needs to be blocked.
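The following added example (not part of the original Huawei documentation) models the first-match evaluation described above so that the two ordering principles can be checked before a policy is moved: it finds policies that an earlier, more general policy fully shadows, and it counts how many policies a packet traverses before it hits one, including the implicit default deny at the end of the list. The policies, zone names, addresses and the traffic mix are all constructed for the illustration; the "deny suspicious host" policy is placed above the general "permit web" policy because its matching conditions are more accurate, and the reversed order is shown to shadow it even though it traverses fewer policies on average.

```python
"""First-match security-policy evaluation model (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                        # "permit" or "deny"
    src_zone: Optional[str] = None     # None matches any zone
    dst_zone: Optional[str] = None
    src: Tuple[str, ...] = (ANY,)      # source address prefixes
    dst: Tuple[str, ...] = (ANY,)      # destination address prefixes
    dport: Optional[int] = None        # None matches any destination port
    log: bool = False                  # record a log when this policy is hit

    def matches(self, pkt: Dict) -> bool:
        return (self.src_zone in (None, pkt["src_zone"])
                and self.dst_zone in (None, pkt["dst_zone"])
                and any(ip_address(pkt["src"]) in ip_network(n) for n in self.src)
                and any(ip_address(pkt["dst"]) in ip_network(n) for n in self.dst)
                and self.dport in (None, pkt["dport"]))


def covers(a: Policy, b: Policy) -> bool:
    """True if every packet matched by b is also matched by a (a is at least as general)."""
    def zone_ok(za, zb):
        return za is None or za == zb

    def nets_ok(na, nb):
        return all(any(ip_network(y).subnet_of(ip_network(x)) for x in na) for y in nb)

    return (zone_ok(a.src_zone, b.src_zone) and zone_ok(a.dst_zone, b.dst_zone)
            and nets_ok(a.src, b.src) and nets_ok(a.dst, b.dst)
            and (a.dport is None or a.dport == b.dport))


def evaluate(policies: List[Policy], pkt: Dict) -> Tuple[str, str, int]:
    """First match wins. Returns (policy name, action, number of policies examined)."""
    for i, p in enumerate(policies, start=1):
        if p.matches(pkt):
            return p.name, p.action, i
    # Nothing matched: the implicit default policy at the end of the list denies the packet.
    return "default", "deny", len(policies) + 1


def find_shadowed(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Policies that can never be hit because an earlier policy covers them entirely."""
    shadowed = []
    for j, later in enumerate(policies):
        for earlier in policies[:j]:
            if covers(earlier, later):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


def average_lookups(policies: List[Policy], packets: List[Dict]) -> float:
    """Average number of policies examined per packet for a given traffic mix."""
    return sum(evaluate(policies, p)[2] for p in packets) / len(packets)


# Constructed policies, one per category of the recommended sequence.
ANTI_SPOOF = Policy("anti_spoofing", "deny", src_zone="untrust",
                    src=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
DENY_SUSPICIOUS = Policy("deny_suspicious_web", "deny", src_zone="trust", dst_zone="untrust",
                         src=("192.168.5.77/32",), dport=443, log=True)
PERMIT_WEB = Policy("permit_web", "permit", src_zone="trust", dst_zone="untrust", dport=443)
PERMIT_SNMP = Policy("permit_snmp_trap", "permit", src_zone="local", dst_zone="trust",
                     dst=("192.168.1.10/32",), dport=162)
DENY_TELNET = Policy("deny_telnet", "deny", src_zone="trust", dst_zone="untrust", dport=23)

RECOMMENDED = [ANTI_SPOOF, DENY_SUSPICIOUS, PERMIT_WEB, PERMIT_SNMP, DENY_TELNET]
# High-hit permit_web moved above the more specific deny: faster, but it shadows the deny.
SHADOWING = [ANTI_SPOOF, PERMIT_WEB, PERMIT_SNMP, DENY_TELNET, DENY_SUSPICIOUS]


def pkt(src_zone, dst_zone, src, dst, dport):
    return {"src_zone": src_zone, "dst_zone": dst_zone, "src": src, "dst": dst, "dport": dport}


SUSPICIOUS_PKT = pkt("trust", "untrust", "192.168.5.77", "203.0.113.8", 443)
SPOOFED_PKT = pkt("untrust", "trust", "10.9.9.9", "192.168.1.10", 443)

# Constructed traffic mix (100 packets): mostly web, a little management and some unknown.
SAMPLE_TRAFFIC = (
    [pkt("trust", "untrust", "192.168.5.10", "203.0.113.8", 443)] * 70
    + [SUSPICIOUS_PKT] * 2
    + [pkt("local", "trust", "192.168.1.1", "192.168.1.10", 162)] * 5
    + [pkt("trust", "untrust", "192.168.5.20", "203.0.113.9", 23)] * 3
    + [SPOOFED_PKT] * 5
    + [pkt("trust", "untrust", "192.168.5.30", "203.0.113.9", 8080)] * 15
)

if __name__ == "__main__":
    for label, order in (("recommended", RECOMMENDED), ("shadowing", SHADOWING)):
        print(label, "shadowed:", find_shadowed(order),
              "suspicious host ->", evaluate(order, SUSPICIOUS_PKT),
              "avg lookups:", average_lookups(order, SAMPLE_TRAFFIC))
```

In the sample mix, the 8080 traffic is the only traffic that walks the whole list to the default policy; adding an explicit deny for it would shorten that path in the same way the deny_telnet policy shortens the path for telnet traffic. Running find_shadowed before each move is the check that principle two (high-hit policies first) never overrides principle one (accurate conditions first).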
There are two methods to adjust the sequence of security policies. One is to use the Move menu on the security policy list page; running the rule move rule-name1 { { after | before } rule-name2 | up | down | top | bottom } command achieves the same effect.
The other method is to drag a security policy directly: select the security policy and drag it to the desired position in the list.