345
Hardware Feature compatibility
MSR20-1X No
MSR20 Yes
MSR30 Yes
MSR50 Yes
MSR1000 Yes
Two concepts are distinguished in ASPF policy: internal interface and external interface.
If the device is connected to both the internal network and the Internet, and employs ASPF to protect
the internal servers, the interface connected to the internal network is the internal interface and the
one connected to the Internet is the external interface.
If both ASPF and ACL-based packet-filter firewall are applied to the external interface, access to the
internal network from the Internet is denied. The response packet can pass ASPF when internal
network users access the Internet.
To monitor the traffic through an interface, you must apply the configured ASPF policy to that
interface.
Make sure a connection initiation packet and the corresponding return packet are based on the same
interface, because it is based on interfaces that an ASPF stores and maintains the application layer
protocol status.
To apply an ASPF policy on an Interface:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3. Apply an ASPF policy to the
interface.
firewall
aspf
aspf-policy-number
{
inbound
|
outbound
}
Not applied by default.
Enabling the session logging function for ASPF
ASPF provides an enhanced session logging function, which can record the information of each
connection, including the duration, source and destination addresses of the connection, the port
used by the connection and number of bytes transmitted.
To enable the session logging function of ASPF:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter ASPF policy view.
aspf-policy
aspf-policy-number N/A
3. Enable the session logging
function of the ASPF.
log enable
Optional.
Disabled by default.
Configuring port mapping
Two mapping mechanisms exist: general port mapping and basic ACL–based host port mapping.
To Next Page
Loading...
Need help?
General
