R0106-HP MSR Router Series Security Configuration Guide(V7)
You can combine ASPF with a packet filter to implement packet filtering. For example, you can apply a
packet filtering policy to the inbound direction of the external interface and apply an ASPF policy to the
outbound direction of the external interface. This combination denies unsolicited access from the external
network to the internal network and allows return packets from the external network to the internal network.
Make sure that a connection initiation packet and the corresponding return packet pass through the same
interface, because ASPF stores and maintains the application layer protocol status on a per-interface
basis.
To apply an ASPF policy on an interface:
Step                                         Command                                                       Remarks
1. Enter system view.                        system-view                                                   N/A
2. Enter interface view.                     interface interface-type interface-number                     N/A
3. Apply an ASPF policy to the interface.    aspf apply policy aspf-policy-number { inbound | outbound }   By default, no ASPF policy is applied to the interface.
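The following audit script is an added example, not part of the original guide. It checks a saved configuration for interfaces that use only one half of the combination described above (ASPF outbound plus a packet filter inbound on the same interface). The configuration text, interface names, and ACL number 3111 are constructed, and the layout (one-space indented lines under each interface, `packet-filter` in interface view) is an assumption about how the configuration is saved.

```python
import re

# Constructed sample; layout and the packet-filter lines are assumptions, not guide text.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 packet-filter 3111 inbound
 aspf apply policy 1 outbound
#
interface GigabitEthernet1/0/2
 aspf apply policy 1 outbound
#
interface GigabitEthernet1/0/3
 packet-filter 3111 inbound
#
"""

ASPF_RE = re.compile(r"^aspf apply policy \d+ (?P<dir>inbound|outbound)\b")
PF_RE = re.compile(r"^packet-filter (?:ipv6 )?(?:name )?\S+ (?P<dir>inbound|outbound)\b")


def parse_interfaces(config):
    """Map each interface name to the directions where ASPF and a packet filter apply."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(None, 1)[1].strip(), {"aspf": set(), "pf": set()})
        elif not raw.startswith(" "):
            current = None  # '#' separator or another view ends the interface block
        elif current is not None:
            for key, rx in (("aspf", ASPF_RE), ("pf", PF_RE)):
                m = rx.match(raw.strip())
                if m:
                    current[key].add(m.group("dir"))
    return interfaces


def audit(config):
    """Return (interface, finding) pairs where only half of the combination is present."""
    findings = []
    for name, state in parse_interfaces(config).items():
        if "outbound" in state["aspf"] and "inbound" not in state["pf"]:
            findings.append((name, "ASPF outbound without inbound packet filter"))
        if "inbound" in state["pf"] and "outbound" not in state["aspf"]:
            findings.append((name, "inbound packet filter without ASPF outbound"))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The second finding is informational: a packet filter alone is a valid configuration, but return packets are then not permitted dynamically by ASPF on that interface.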
Displaying and maintaining ASPF
Execute display commands in any view and reset commands in user view.
Task                                                                                    Command
Display the configuration of all ASPF policies and their applications to interfaces.   display aspf all
Display ASPF policy applications to interfaces.                                         display aspf interface
Display the configuration of a specific ASPF policy.                                    display aspf policy aspf-policy-number
Display ASPF sessions.                                                                  display aspf session [ ipv4 | ipv6 ] [ verbose ]
Clear ASPF session statistics.                                                          reset aspf session [ ipv4 | ipv6 ]
ASPF configuration examples
ASPF FTP application inspection configuration example
NOTE:
Support for this configuration example depends on the device model.
Network requirements
Configure an ASPF policy on Router A to inspect the FTP traffic flows passing through Router A. Only
return packets for FTP connections initiated by users on the internal network are permitted to pass through
Router A and get into the internal network. All other types of packets from the external network to the
internal network are blocked.