R0106-HP MSR Router Series Security Configuration Guide(V7)
364
ASPF inspections
This section introduces the basic idea of ASPF inspection for application layer and transport layer protocols.
Application layer protocol inspection
As shown in Figure 107, ACLs on the edge device deny incoming packets to the internal network. The
ASPF application layer protocol inspection allows return packets from the external network to the internal
network.
Figure 107 Application layer protocol inspection
ASPF inspects all application layer sessions as follows:
• For a single-channel protocol, the inspection process is simple. ASPF creates a session entry immediately after it detects the session's first packet sent to the external network, and removes the entry when the connection is terminated. The session entry records outgoing packets and their return packets, maintains the session status, and determines whether state transitions of the session are correct. All packets that match a session entry can pass through the packet-filter firewall.
• For a multi-channel protocol, ASPF creates session entries and one or more associated entries that associate the sessions initiated by the same application layer protocol. Associated entries are created during the protocol negotiation and removed after the negotiation. ASPF uses the associated entries to match the first packets of the sessions. All packets of sessions matching the associated entries can pass through the packet-filter firewall.
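The following is an added, constructed model of the two inspection paths described above (single-channel session entries and multi-channel associated entries); it is not HP's implementation and does not reflect Comware internals. It assumes a simplified view: an internal address prefix whose outbound first packets are trusted, an edge ACL that drops every inbound packet unless ASPF has a matching entry, and FTP active mode (the client's PORT command, RFC 959) as the multi-channel negotiation. The packet trace, addresses and ports in `run_ftp_scenario` are constructed sample data.

```python
"""Toy model of ASPF session and associated entries (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# FTP active mode: client sends "PORT h1,h2,h3,h4,p1,p2"; the server then
# opens the data connection inbound to h1.h2.h3.h4 : p1*256+p2.
PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    fin: bool = False   # models connection teardown (TCP FIN/RST)


class Aspf:
    """Stateful filter sitting behind a deny-all-inbound edge ACL."""

    def __init__(self, internal_prefix: str):
        self.internal_prefix = internal_prefix
        # Session entries: 5-tuples keyed in the direction of the first packet.
        self.sessions: set[tuple] = set()
        # Associated entries learned from control-channel negotiation, keyed
        # by (proto, dst_ip, dst_port) of the expected data session's first packet.
        self.associated: set[tuple] = set()

    def _internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def _inspect_control(self, pkt: Packet) -> None:
        """Parse FTP control traffic and pre-register the negotiated data channel."""
        if pkt.proto != "tcp" or pkt.dport != 21:
            return
        m = PORT_CMD.search(pkt.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        host = f"{h1}.{h2}.{h3}.{h4}"
        # Only accept a data channel back to the client itself; an address
        # belonging to a third party must not open a hole for it.
        if host == pkt.src:
            self.associated.add(("tcp", host, p1 * 256 + p2))

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet may pass the packet-filter firewall."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # 1. Packet matches an existing session entry: permit; remove on teardown.
        if key in self.sessions or rev in self.sessions:
            if pkt.fin:
                self.sessions.discard(key)
                self.sessions.discard(rev)
            else:
                self._inspect_control(pkt)
            return True

        # 2. First packet of an outbound session: create the session entry.
        if self._internal(pkt.src) and not self._internal(pkt.dst):
            self.sessions.add(key)
            self._inspect_control(pkt)
            return True

        # 3. Inbound first packet matching an associated entry (the server's
        #    active-mode data connection): create a session entry and drop the
        #    associated entry, because the negotiation is complete.
        assoc = (pkt.proto, pkt.dst, pkt.dport)
        if assoc in self.associated:
            self.associated.discard(assoc)
            self.sessions.add(key)
            return True

        # 4. Any other inbound packet is denied by the edge ACL.
        return False


def run_ftp_scenario() -> list[bool]:
    """Constructed trace: FTP active mode crossing the edge device."""
    aspf = Aspf("10.0.0.")
    client, server = "10.0.0.5", "203.0.113.9"
    trace = [
        Packet("tcp", client, 40000, server, 21),                     # control SYN out
        Packet("tcp", server, 21, client, 40000, b"220 ready\r\n"),   # return packet
        Packet("tcp", server, 4444, client, 445),                     # unsolicited inbound
        Packet("tcp", client, 40000, server, 21, b"PORT 10,0,0,5,156,65\r\n"),
        Packet("tcp", server, 20, client, 40001),                     # data SYN in (156*256+65)
        Packet("tcp", server, 20, client, 40001, b"file bytes"),      # data channel continues
        Packet("tcp", server, 20, client, 40002),                     # port not negotiated
        Packet("tcp", client, 40001, server, 20, fin=True),           # data teardown
        Packet("tcp", server, 20, client, 40001),                     # after teardown
    ]
    return [aspf.process(p) for p in trace]


if __name__ == "__main__":
    print(run_ftp_scenario())
```

Running the scenario yields `[True, True, False, True, True, True, False, True, False]`: the control session and its return packets pass, the unsolicited inbound connection is denied, the PORT command creates an associated entry that admits exactly one inbound data connection on the negotiated port, and once that data session is torn down nothing on that port passes again. The check that the advertised host equals the client's own address is the model's stand-in for the validation a real ASPF implementation must perform before trusting addresses carried in the control channel.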
The following uses FTP to explain the process of multi-channel application layer protocol inspection.