R2511-HP MSR Router Series Security Configuration Guide(V5)
Step 4. Configure ASPF inspection for application layer and transport layer protocols.
  Command: detect protocol [ java-blocking acl-number ] [ aging-time seconds ]
  Remarks: Optional. The default timeouts are as follows:
  • 3600 seconds for application layer protocols.
  • 3600 seconds for TCP, and 30 seconds for UDP.
Applying an ASPF policy to an interface
The following matrix shows the feature and router compatibility:
Feature: ASPF policy application to an interface
  MSR900: Yes
  MSR93X: Yes
  MSR20-1X: No
  MSR20: Yes
  MSR30: Yes
  MSR50: Yes
  MSR1000: Yes
Two concepts are distinguished in an ASPF policy: the internal interface and the external interface. If the device is connected to both the internal network and the Internet, and employs ASPF to protect the internal servers, the interface connected to the internal network is the internal interface and the one connected to the Internet is the external interface.
If both ASPF and an ACL-based packet-filter firewall are applied to the external interface, access to the internal network from the Internet is denied, while the response packets of connections that internal network users initiate to the Internet can pass ASPF.
To monitor the traffic through an interface, you must apply the configured ASPF policy to that interface. Make sure that a connection's initiation packet and the corresponding return packets traverse the same interface, because ASPF stores and maintains application layer protocol status on a per-interface basis.
To apply an ASPF policy to an interface:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Apply an ASPF policy to the interface.
  Command: firewall aspf aspf-policy-number { inbound | outbound }
  Remarks: Not applied by default.
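The following configuration is an added worked example, not taken from the HP guide, that puts the detect step of the policy table and the three application steps above together on an external interface. The interface name GigabitEthernet0/1, the policy number 1, the ACL number 3001, and the aspf-policy, acl, rule, firewall enable and firewall packet-filter commands are assumptions drawn from general Comware V5 usage; only detect, system-view, interface and firewall aspf appear on this page.

```text
# Added example; names and numbers below are assumed, not from the guide.
system-view
# Assumed: firewall enable turns on the ACL-based packet filter in Comware V5.
firewall enable
# Assumed ACL 3001: deny every new IP packet arriving from the Internet.
acl number 3001
 rule 0 deny ip
 quit
# Assumed aspf-policy command creates policy 1; detect lines use the syntax
# shown in the policy table (HTTP gets a 1800 s aging time, TCP/UDP keep
# the defaults of 3600 s and 30 s).
aspf-policy 1
 detect http aging-time 1800
 detect tcp
 detect udp
 quit
# External interface (assumed GigabitEthernet0/1): ASPF watches outbound
# initiation packets so the matching return packets are let back in,
# while the inbound packet filter blocks Internet-initiated access.
interface GigabitEthernet0/1
 firewall packet-filter 3001 inbound
 firewall aspf 1 outbound
 quit
```

The direction matters: the policy is applied outbound on the external interface so that ASPF sees the internal users' connection initiations and builds state on that same interface, which is where the response packets from the Internet arrive. Applying it inbound instead would inspect Internet-initiated traffic and would not open the return path that the packet filter otherwise denies.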
Enabling the session logging function for ASPF
ASPF provides an enhanced session logging function, which can record the information of each connection, including the duration, the source and destination addresses of the connection, the port used by the connection, and the number of bytes transmitted.
To enable the session logging function of ASPF: