F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100

Step | Command | Remarks
4. Enable ASPF for the interzone instance.
Command: firewall aspf enable [ icmp-error drop | tcp syn-check ]
Remarks: Disabled by default.
For more information about security zones, see Access Control Configuration Guide.
Displaying ASPF
Task | Command | Remarks
Display the port mapping information.
Command: display port-mapping [ application-name | port port-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
ASPF configuration example
Network requirements
Configure ASPF on the firewall to allow access from internal users to the remote server, deny access from
the external network to the internal users, and drop non-SYN TCP first packets from the internal network
to the external network.
Figure 52 Network diagram
Configuration procedure
# Add interface GigabitEthernet 0/1 and GigabitEthernet 0/2 to zone Trust and Untrust, respectively.
<Firewall> system-view
[Firewall] zone name Trust
[Firewall-zone-Trust] import interface gigabitethernet 0/1
[Firewall-zone-Trust] quit
[Firewall] zone name Untrust
[Firewall-zone-Untrust] import interface gigabitethernet 0/2
[Firewall-zone-Untrust] quit
# Create an interzone instance, with the source zone being Trust and the destination zone being Untrust.
[Firewall] interzone source Trust destination Untrust
# Enable ASPF for the interzone instance.
[Firewall-interzone-trust-untrust] firewall aspf enable tcp syn-check
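To make the three network requirements concrete, here is an added Python simulation of how the Trust-to-Untrust interzone session table behaves with and without tcp syn-check. It is a constructed, simplified model written for this page, not HP firewall code; the addresses and the session-table logic are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_zone: str   # zone the packet arrives from
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    flags: str      # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)

class AspfInterzone:
    """Simplified session table for one interzone instance (source zone -> destination zone)."""

    def __init__(self, source_zone: str, dest_zone: str, syn_check: bool = True):
        self.source_zone = source_zone
        self.dest_zone = dest_zone
        self.syn_check = syn_check                    # models "firewall aspf enable tcp syn-check"
        self.sessions: set[tuple[str, str]] = set()   # (initiator, responder) pairs

    def inspect(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.dst)
        reverse = (pkt.dst, pkt.src)
        if pkt.src_zone == self.dest_zone:
            # Traffic from the destination zone is permitted only as the return half
            # of a session that the source zone initiated; everything else is denied.
            return "permit" if reverse in self.sessions else "deny"
        if pkt.src_zone != self.source_zone:
            return "deny"
        if forward in self.sessions:
            return "permit"                           # belongs to an existing session
        if self.syn_check and pkt.flags != "S":
            return "drop"                             # non-SYN first packet cannot open a session
        self.sessions.add(forward)                    # SYN (or any packet without syn-check) opens one
        return "permit"

def run_scenario(syn_check: bool = True) -> list[str]:
    """Constructed traffic for the Trust -> Untrust instance; returns one verdict per packet."""
    aspf = AspfInterzone("Trust", "Untrust", syn_check=syn_check)
    packets = [
        Packet("Trust", "10.1.1.2:40000", "2.2.2.2:80", "S"),     # internal user opens to remote server
        Packet("Untrust", "2.2.2.2:80", "10.1.1.2:40000", "SA"),  # server's SYN-ACK: return traffic
        Packet("Trust", "10.1.1.3:40001", "2.2.2.2:80", "A"),     # non-SYN first packet from inside
        Packet("Untrust", "3.3.3.3:5555", "10.1.1.2:22", "S"),    # unsolicited external connection
    ]
    return [aspf.inspect(p) for p in packets]

if __name__ == "__main__":
    print(run_scenario())                  # ['permit', 'permit', 'drop', 'deny']
    print(run_scenario(syn_check=False))   # ['permit', 'permit', 'permit', 'deny']
```

Without syn-check the third packet is accepted and opens a session, which is exactly the gap the configuration example closes.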