F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100

Configuring an ASPF
ASPF can be configured at the CLI and in the Web interface. This section describes only the CLI configuration for ASPF. For ASPF configuration in the Web interface, see the Access Control Configuration Guide.
ASPF configuration task list

Task                                       Remarks
Configuring port mapping                   Optional.
Enabling ASPF for an interzone instance    Required.
Configuring port mapping
Two mapping mechanisms exist: general port mapping and host port mapping based on a basic ACL.
General port mapping maps a user-defined port number to an application layer protocol for all hosts. If port 8080 is mapped to HTTP, for example, every TCP packet whose destination port is 8080 is treated as an HTTP packet and is inspected by the HTTP parser.
Host port mapping maps a user-defined port number to an application layer protocol only for packets sent to specific hosts. For example, you can establish a host port mapping so that TCP packets with destination port 8080 that are sent to the network segment 10.110.0.0 are treated as HTTP packets, while port 8080 traffic to other hosts is not. The address range of the hosts is specified by means of a basic ACL.
To configure port mapping:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Configure the mapping between the port and the application layer protocol.
   Command: port-mapping application-name port port-number [ acl acl-number ]
   Remarks: Not configured by default. At present, the application layer protocols supported by this function are FTP, GTP, H323, HTTP, RTSP, SCCP, SIP, SMTP, and SQLNET.
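The following CLI session is a worked example added here; it is not taken from the guide. It configures one general mapping and one host mapping with the port-mapping command documented above. The device name Firewall, the ACL number 2000, the basic ACL commands (acl number, rule permit source) and the lowercase spelling of the application name are assumptions based on standard Comware syntax; the port numbers and the 10.110.0.0/16 range are constructed values, and the lines starting with # are annotations, not typed input.

```text
# Added example; hostname, ACL number, ACL commands and keyword case are assumptions.
<Firewall> system-view
# General port mapping: every TCP packet whose destination port is 8080 is
# handed to the HTTP inspector, whatever the destination host.
[Firewall] port-mapping http port 8080
# Host port mapping: first describe the target hosts with a basic ACL
# (assumed standard Comware syntax; wildcard 0.0.255.255 selects 10.110.0.0/16).
[Firewall] acl number 2000
[Firewall-acl-basic-2000] rule permit source 10.110.0.0 0.0.255.255
[Firewall-acl-basic-2000] quit
# Only TCP packets to port 8000 on hosts matched by ACL 2000 are treated as
# HTTP; port 8000 traffic to any other host keeps its default classification.
[Firewall] port-mapping http port 8000 acl 2000
[Firewall] quit
```

A port mapping only changes which application layer parser ASPF applies to a flow; it does not by itself permit or deny the traffic. Mapping a port to the wrong protocol makes the inspector parse the traffic against the wrong grammar, which can drop legitimate sessions or leave the real protocol on that port uninspected, so keep the mapping consistent with what the servers behind the firewall actually speak on that port.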
Enabling ASPF for an interzone instance
An interzone instance identifies the service traffic to be inspected by a source zone and a destination zone. The source zone is the zone in which the network device receives the first packet of the service traffic, and the destination zone is the zone out of which the network device sends that first packet. Traffic initiated in the opposite direction belongs to a different interzone instance. You can enable ASPF for an interzone instance to inspect the specified service traffic.
To enable ASPF for an interzone instance:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Enter VD system view.
   Command: switchto vd vd-name
   Remarks: Required for a non-default VD.

Step 3. Enter interzone instance view.
   Command: interzone source source-zone-name destination destination-zone-name
   Remarks: N/A