The customer has the following topology. He opened a ticket because, although he enabled service-manage https on Vlanif202 on both firewalls, he was able to connect via the WebUI only to Firewall B.
Active device configuration:
ip address 192.168.202.247 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.202.254 active
service-manage https permit
service-manage ping permit
ip address 10.255.1.28 255.255.255.248
vrrp vrid 2 virtual-ip 10.255.1.30 active
service-manage ping permit
We set traffic statistics on Firewall A and saw that Firewall A drops the packets because the service-manage policy is missing.
The service-manage policy requires that, if the inbound interface is not the managed interface, service-manage is also added on the inbound interface of the service packets.
Although we fixed the problem, the customer still wanted an explanation of why Firewall A needs service-manage on Gi 0/0/1 + Vlanif202, while on Firewall B it is enough to put it only on Vlanif202.
1. The customer wants to access FW_A.
a) Packet flow:
- The packet arrives at the router. The router looks at the IP routing table. The next hop is 10.255.1.30.
- Since the next hop is 10.255.1.30, the packet arrives at FW_A (it controls the virtual IP of the group).
- The destination is 192.168.202.247, which is the physical address of Vlanif202 on FW_A.
- The inbound interface of the packets is Gi 0/0/1.
- The destination is 192.168.202.247 => you need to put service-manage on both interfaces (Gi 0/0/1 and Vlanif202).
b) Packet flow:
- The packet arrives at the router. The router looks at the IP routing table. The next hop is 10.255.1.30 (same as in the first case).
- The packets arrive again at FW_A, but this time the destination of the packets is the physical IP address of Vlanif202 on FW_B.
- FW_A looks in its routing table and sees that it is not the destination itself; the destination is a host in the same VLAN 202.
- It forwards the packets into VLAN 202, because it knows that 192.168.202.248 is in the same VLAN.
Conclusion: FW_B receives the packets from Fusion_A
- Inbound interface: Vlan202
- The destination is the Vlanif IP address => you need to put service-manage only on the Vlanif, since it is both the inbound and the destination interface.
The customer needs to add service-manage https permit on the Gi 0/0/1 interfaces of both firewalls. Although it is not currently needed on Firewall B, without it he will be unable to connect to Firewall B if Firewall A goes out of service.
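
The rule and the two packet flows above can be checked with a small model. This is an added example, not Huawei code and not part of the original case. It assumes that Gi 0/0/1 on FW_B mirrors FW_A (its configuration is not shown in the case) and that FW_B takes over the virtual IP when FW_A is out of service; the function names are hypothetical.

```python
# Model of the service-manage rule as this case states it (not Huawei's
# implementation): management traffic to a firewall's own address must be
# permitted on the destination interface and, when it entered through a
# different interface, on that inbound interface as well.

def mgmt_allowed(permits, inbound_if, dest_if, service):
    """permits: {interface: set of services with 'service-manage <svc> permit'}."""
    needed = {dest_if, inbound_if}  # a single interface when inbound == destination
    return all(service in permits.get(i, set()) for i in needed)

def inbound_interface(target, vrrp_active):
    """Interface on which `target` receives a packet sent by the router.

    The router's next hop is the VRRP virtual IP, so the active firewall gets
    the packet on Gi0/0/1; the other firewall only sees it after the active
    one forwards it into VLAN 202.
    """
    return "Gi0/0/1" if target == vrrp_active else "Vlanif202"

def reachable(configs, target, vrrp_active, service="https"):
    """True if the WebUI on the target's Vlanif202 address can be reached."""
    return mgmt_allowed(configs[target], inbound_interface(target, vrrp_active),
                        "Vlanif202", service)

# Original state: https only on Vlanif202. FW_A's entries come from the case;
# FW_B's entries are assumed to mirror FW_A.
ORIGINAL = {
    "FW_A": {"Vlanif202": {"https", "ping"}, "Gi0/0/1": {"ping"}},
    "FW_B": {"Vlanif202": {"https", "ping"}, "Gi0/0/1": {"ping"}},
}
# Recommended state: https also permitted on Gi0/0/1 of both firewalls.
FIXED = {fw: {**ifs, "Gi0/0/1": ifs["Gi0/0/1"] | {"https"}}
         for fw, ifs in ORIGINAL.items()}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for active in ("FW_A", "FW_B"):
            for target in ("FW_A", "FW_B"):
                verdict = "permit" if reachable(cfg, target, active) else "drop"
                print(f"{label:8} active={active} target={target}: {verdict}")
```

With the original configuration, the only reachable WebUI is that of the firewall that does not currently hold the virtual IP, which is why a failover moves the problem from FW_A to FW_B.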