R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101
ASPF configuration
NOTE:
The firewall supports ASPF configuration only in the web interface.
ASPF policy overview
Application Specific Packet Filter (ASPF) applications are based on zone management and session
management. Zone management is an independent common module. It does not concern service packet
processing; it only maintains information relevant to zones and provides policy interfaces for other
modules. The session management module simplifies the design of function modules such as Network
Address Translation (NAT), ASPF, Application Level Gateway (ALG), attack defense, and connection
number limit modules. It is responsible for processing the various kinds of session information, aging
sessions based on session states, and providing uniform interfaces to the function modules.
ASPF policies are configured between zones. When used for packet processing, they use information
provided by the session management module, such as whether the connection status is correct, whether
a packet is an initial one, and whether a packet is an ICMP error packet. Based on information provided
by the session management module and ASPF policies, ASPF applications determine which packets are
allowed to pass.
ASPF is often used to cooperate with the static packet filter function. In some cases, ASPF cannot
determine whether packets are allowed to pass, and it is the static packet filter function that makes the
decision. For example, whether broadcast packets are allowed to pass is determined by the static packet
filter function based on ACLs or default inter-zone priorities.
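The decision flow described above, as a Python model. This is an added example, not HP's implementation or code from this guide; the policy switch names, the order of checks, the handling of initial packets, and the default priority rule (only higher-priority zone to lower-priority zone is permitted) are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Verdict(Enum):
    PERMIT = "permit"
    DROP = "drop"

@dataclass(frozen=True)
class SessionInfo:
    """Per-packet facts that session management hands to ASPF (per the overview)."""
    state_ok: bool                   # connection status is correct for this packet
    is_initial: bool                 # packet would open a new session
    is_icmp_error: bool              # packet is an ICMP error packet
    tcp_syn: Optional[bool] = None   # assumption: SYN flag for TCP, None for non-TCP
    decidable: bool = True           # False when ASPF cannot judge, e.g. broadcast

@dataclass(frozen=True)
class AspfPolicy:
    """Hypothetical inter-zone policy switches; the names are not the product's."""
    drop_icmp_error: bool = False
    drop_non_syn_initial: bool = False

def static_filter(acl_verdict, src_prio, dst_prio):
    """Static packet filter: an ACL match wins, else default inter-zone priority.
    Assumption: by default only higher-priority -> lower-priority is permitted."""
    if acl_verdict is not None:
        return acl_verdict
    return Verdict.PERMIT if src_prio > dst_prio else Verdict.DROP

def decide(info, policy, acl_verdict=None, src_prio=0, dst_prio=0):
    """Return (verdict, deciding module) for one packet crossing a zone pair."""
    if not info.decidable:
        return static_filter(acl_verdict, src_prio, dst_prio), "static-filter"
    if info.is_icmp_error and policy.drop_icmp_error:
        return Verdict.DROP, "aspf"
    if info.is_initial:
        if policy.drop_non_syn_initial and info.tcp_syn is False:
            return Verdict.DROP, "aspf"
        # Assumption: a new session still needs the static filter's approval.
        return static_filter(acl_verdict, src_prio, dst_prio), "static-filter"
    # Mid-session packet: ASPF decides from the connection status alone.
    return (Verdict.PERMIT if info.state_ok else Verdict.DROP), "aspf"
```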
Configuring ASPF
After logging in to the Web interface, select Firewall > Session Table > Advanced from the navigation
tree, and then click the ASPF tab to enter the ASPF policy list page, as shown in Figure 63. Then, click Add
to enter the page for adding an ASPF policy, as shown in Figure 64.
Figure 63 ASPF policy list