R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

Figure 64 Add an ASPF policy
Table 39 ASPF policy configuration items
Item | Description
Source Zone | Select a zone on the current virtual device as the source zone.
Dest Zone | Select a zone on the current virtual device or a shared zone as the destination zone.
Discard ICMP error packets | Select this check box to discard ICMP error packets, or deselect this check box to allow ICMP error packets to pass.
Discard non-SYN initial TCP packets | Select this check box to discard initial TCP packets that are not SYN packets, or deselect this check box to allow those packets to pass.
ASPF configuration example
Network requirements
Interfaces GE 0/1, GE 0/2, and GE 0/3 of the firewall belong to Zone 1, and interfaces GE 1/1, GE 1/2, and GE 1/3 belong to Zone 2. Configure an ASPF policy between Zone 1 and Zone 2 to deny ICMP error packets and permit initial TCP packets that are not SYN packets.
Figure 65 Network diagram for ASPF configuration
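The following added example, which is not part of the HP guide or the firewall's own code, is a simplified model of how the two check boxes in Table 39 affect traffic, comparing the settings required above with a policy that selects both options. The class and function names, the session-tracking logic, and the sample addresses and packets are assumptions constructed for illustration.

```python
# ICMP error message types (RFC 792): destination unreachable, source quench,
# redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
SYN, ACK = 0x02, 0x10  # TCP flag bits

class AspfPolicy:
    """Simplified model of the two check boxes in Table 39 (an assumption,
    not the firewall's implementation)."""
    def __init__(self, discard_icmp_error, discard_non_syn_initial_tcp):
        self.discard_icmp_error = discard_icmp_error
        self.discard_non_syn_initial_tcp = discard_non_syn_initial_tcp
        self.sessions = set()  # TCP flows already permitted

    def check(self, pkt):
        """Return 'permit' or 'discard' for one inter-zone packet."""
        if pkt["proto"] == "icmp":
            is_error = pkt["icmp_type"] in ICMP_ERROR_TYPES
            return "discard" if is_error and self.discard_icmp_error else "permit"
        if pkt["proto"] == "tcp":
            flow = (pkt["src"], pkt["dst"])  # pair of (ip, port) endpoints
            if flow in self.sessions or flow[::-1] in self.sessions:
                return "permit"  # belongs to a known flow, so not an initial packet
            is_syn = bool(pkt["flags"] & SYN) and not pkt["flags"] & ACK
            if not is_syn and self.discard_non_syn_initial_tcp:
                return "discard"  # first packet of a flow, but not a SYN
            self.sessions.add(flow)
            return "permit"
        return "permit"  # other protocols are outside these two options

def tcp(flags, sport=40000):
    # Constructed sample packet from a Zone 1 host to a Zone 2 server.
    return {"proto": "tcp", "src": ("10.1.1.10", sport),
            "dst": ("10.2.2.20", 80), "flags": flags}

def icmp(icmp_type):
    return {"proto": "icmp", "icmp_type": icmp_type}

def run(policy, packets):
    return [policy.check(p) for p in packets]

# Constructed traffic: unreachable (3), echo request (8), bare ACK, SYN, ACK.
SAMPLE = [icmp(3), icmp(8), tcp(ACK), tcp(SYN, 40001), tcp(ACK, 40001)]

if __name__ == "__main__":
    example = AspfPolicy(discard_icmp_error=True, discard_non_syn_initial_tcp=False)
    strict = AspfPolicy(discard_icmp_error=True, discard_non_syn_initial_tcp=True)
    print("example policy:", run(example, SAMPLE))
    print("both options:  ", run(strict, SAMPLE))
```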
Configuration procedure
1. Configure Zone 1 and Zone 2. For more information, see the chapter “Zone configuration.”
2. Configure an ASPF policy.