Symptom: as soon as DPI is enabled on the on-site firewall, the service is interrupted; normal operation resumes when DPI is disabled again.
Checking the DPI logs revealed no relevant interception entries, indicating that the traffic did not match any DPI policy.
Packet-path debugging was enabled with: debug ip info, debug ip packet, debug aspf packet, debug security-policy packet ip
The debug output showed that after DPI was enabled, the packets were actually being dropped by the NAT module.
The internal-network interface is configured with NAT hairpin.
The external-network interface is configured with NAT outbound and NAT server.
R&D investigation found that global NAT was also configured on-site.
nat global-policy
 rule name GlobalPolicyRule_1
  description GuideNat
  source-zone Trust
  destination-zone Untrust
  action snat easy-ip
R&D therefore concluded that enabling DPI alters the tags carried by packets delivered to the device, so that the global NAT policy takes effect and NAT hairpin no longer does.
Solution:
Do not configure both global NAT and interface NAT on the firewall. In particular, when NAT hairpin is required, it is recommended to use interface NAT only.
After the global NAT policy was removed on-site, the service has been operating normally.