HP MSR2000/3000/4000 Router Series Security Configuration Guide
You can combine ASPF with packet filtering. For example, you can apply a packet filtering policy to the
inbound direction of the external interface and apply an ASPF policy to the outbound direction of the
same external interface. This combination denies unsolicited access from the external network to the
internal network while allowing response packets for connections initiated from the internal network to
return from the external network to the internal network.
Make sure that a connection initiation packet and the corresponding response packet pass through the
same interface, because an ASPF stores and maintains application layer protocol status on a
per-interface basis.
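The following model is an added illustration, not code from the HP guide: it shows how the outbound ASPF policy and the inbound deny-all packet filter on one external interface work together for the FTP scenario described later on this page, including the per-interface state that makes the same-interface requirement necessary. Interface names, addresses and ports are constructed sample values, and the PORT-command handling is a simplified stand-in for the ASPF's FTP inspection.

```python
"""Added model (not the HP guide's code) of the ASPF + packet-filter setup above:
ASPF outbound on the external interface records connections; the inbound filter
on that same interface denies all but replies to them. Values are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class ExternalInterface:
    """ASPF applied outbound, deny-all packet filter applied inbound."""
    def __init__(self, name):
        self.name = name
        # State is per interface: a reply must return through the interface that
        # saw the connection initiation, as the guide requires.
        self.sessions = set()   # recorded FTP control connections
        self.pinholes = set()   # expected active-mode FTP data connections

    def outbound(self, pkt):
        """ASPF inspects outbound traffic and records FTP control sessions."""
        if pkt.dport == 21:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def ftp_port_command(self, client, data_port, server):
        """ASPF parsed a PORT command: expect server:20 -> client:data_port."""
        self.pinholes.add((server, 20, client, data_port))

    def inbound(self, pkt):
        """Permit replies to recorded sessions or expected data connections only."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.sessions or fwd in self.pinholes:
            return True
        return False  # inbound packet filter: unsolicited traffic is denied

def demo():
    ext = ExternalInterface("ext-1")
    other = ExternalInterface("ext-2")  # second uplink, holds no session state
    ext.outbound(Packet("10.1.1.2", 40000, "203.0.113.5", 21))  # user opens FTP
    ext.ftp_port_command("10.1.1.2", 40001, "203.0.113.5")
    return {
        "reply_same_if": ext.inbound(Packet("203.0.113.5", 21, "10.1.1.2", 40000)),
        "reply_other_if": other.inbound(Packet("203.0.113.5", 21, "10.1.1.2", 40000)),
        "data_conn": ext.inbound(Packet("203.0.113.5", 20, "10.1.1.2", 40001)),
        "unsolicited": ext.inbound(Packet("203.0.113.9", 5555, "10.1.1.2", 22)),
    }
```

The `reply_other_if` case is the failure the guide warns about: the same FTP reply is dropped when it arrives on an interface other than the one that recorded the session.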
To apply an ASPF policy on an interface:

Step                                        Command                                                  Remarks
1. Enter system view.                       system-view                                              N/A
2. Enter interface view.                    interface interface-type interface-number                N/A
3. Apply an ASPF policy to the interface.   aspf policy aspf-policy-number { inbound | outbound }    By default, no ASPF policy is applied to the interface.
Displaying and maintaining ASPF
Execute display commands in any view and reset commands in user view.

Task                                                                            Command
Display the configuration of all ASPF policies and their applications to interfaces.   display aspf all
Display ASPF policy applications to interfaces.                                 display aspf interface
Display the configuration of a specific ASPF policy.                            display aspf policy aspf-policy-number
Display ASPF sessions.                                                          display aspf session [ ipv4 | ipv6 ] [ verbose ]
Clear ASPF session statistics.                                                  reset aspf session [ ipv4 | ipv6 ]
ASPF configuration examples
ASPF FTP application inspection configuration example
Network requirements
To allow users on the internal network to access the FTP server on the external network while protecting
the internal network against attacks from the external network, configure an ASPF policy on Router A to
inspect the FTP traffic flows passing through Router A. Only return packets for FTP connections initiated
by users on the internal network are permitted to pass through Router A into the internal network. All
other packets from the external network to the internal network are blocked.