R2511-HP MSR Router Series Security Command Reference(V5)

Examples
# Create an ASPF policy and enter the corresponding ASPF policy view.
<Sysname> system-view
[Sysname] aspf-policy 1
[Sysname-aspf-policy-1]
detect
Use detect to configure ASPF detection for the application layer protocol or transport layer protocol.
Use undo detect to restore the default.
Syntax
detect protocol [ java-blocking acl-number ] [ aging-time seconds ]
undo detect protocol
Default
The timeout period for an application layer protocol is 3600 seconds, the ESP-based timeout period is 30 seconds, the TCP-based timeout period is 3600 seconds, and the UDP-based timeout period is 30 seconds.
Views
ASPF policy view
Default command level
2: System level
Parameters
protocol: Name of a protocol supported by the ASPF. Application layer protocols include BOOTP, FTP, H323, HTTP, HTTPS, IKE, RTSP, SMTP, SSH, and VAM; transport layer protocols include ESP, TCP, and UDP.
java-blocking acl-number: Blocks the Java applets in packets to the network segment selected by the ACL. This option applies to HTTP only. The acl-number argument is a basic IPv4 ACL number in the range of 2000 to 2999.
aging-time seconds: Configures the idle timeout period for the protocol, in seconds. The value range is 5 to 43200.
Usage guidelines
Java blocking can be configured only when the protocol type is HTTP.
If application layer protocol detection and general TCP/UDP detection are both enabled, application layer protocol detection takes priority over general TCP/UDP detection.
ASPF uses timeouts to manage the session status information of a protocol: a timeout determines when ASPF stops maintaining the status information of a session, and when it deletes a session that cannot be established. A timeout is a global setting that applies to all sessions of the protocol, which protects system resources from being exhausted by a flood of half-open or idle sessions.
A protocol idle timeout specified with the detect command has priority over a timeout specified with the aging-time command.
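The following configuration is an added example and is not part of the command reference. It uses both optional parameters of detect and enables general TCP detection in the same policy, so that the two priority rules above (application layer detection over general TCP/UDP detection, and the detect idle timeout over the aging-time command) apply to one set of sessions. The ACL number, the 192.0.2.0/24 segment, the timeout values, the interface name and the interface-view firewall aspf command used to apply the policy are assumptions for illustration and are not taken from this page.

```text
# Basic ACL selecting the network segment whose Java applets are to be
# blocked (192.0.2.0/24 is a constructed documentation range).
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 192.0.2.0 0.0.0.255
[Sysname-acl-basic-2001] quit
# ASPF policy: HTTP detection with Java blocking against ACL 2001 and a
# 600-second idle timeout. Because it is given on the detect command, this
# timeout overrides any aging-time command in the policy for HTTP sessions.
[Sysname] aspf-policy 1
[Sysname-aspf-policy-1] detect http java-blocking 2001 aging-time 600
# General TCP detection with its own idle timeout. HTTP sessions are still
# handled by the HTTP detection above, since application layer protocol
# detection has priority over general TCP detection.
[Sysname-aspf-policy-1] detect tcp aging-time 1800
[Sysname-aspf-policy-1] quit
# Applying the policy to an interface (assumed command and interface name;
# not shown on this page).
[Sysname] interface GigabitEthernet0/0
[Sysname-GigabitEthernet0/0] firewall aspf 1 outbound
```

When checking such a policy, confirm that java-blocking appears only on the HTTP detect line, that the ACL number lies within 2000 to 2999, and that every aging-time value lies within 5 to 43200; the CLI rejects values outside those ranges.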