3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
Configuring ASPF 107
Cautions about ASPF Configuration
If you use the detect, aging-time, or port-mapping command to modify the
ASPF policy applied on the interface, or use the firewall aspf aspf-policy-number
{ inbound | outbound } command to change the policy applied on the interface,
the modifications take effect on sessions established afterwards, but not on
any existing session. To remove the inconsistency between the existing sessions
and the ASPF policy, you can clear the sessions manually (reset firewall session
table). Be cautious, because this operation interrupts the existing sessions.
ASPF Configuration Example
Network requirements
Configure an ASPF detection policy on the firewall to detect the FTP and HTTP
traffic passing through the firewall. Requirement: if a packet is a return packet
of an FTP or HTTP connection initiated by an internal network user, permit it to
pass the firewall and enter the internal network; deny all other packets. In
addition, the detection policy must block Java applets in HTTP packets coming
from the server 202.0.0.1. This example applies to the case where a local user
needs to access a remote network service.
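The configuration below is an added illustration of the requirement above, not the guide's own configuration procedure. The command syntax is assumed from the Comware-family CLI used by this firewall module (the aspf-policy, detect http java-blocking, firewall packet-filter and acl commands are assumptions not shown on this page), the prompts are constructed, and the interface name is a placeholder.

```text
# Constructed example: ASPF policy for the requirement above.
# Syntax assumed from the Comware-family CLI; <external-interface> is a placeholder.
#
# Basic ACL consulted by Java blocking: applets from 202.0.0.1 are denied,
# applets from any other server are permitted.
[Firewall] acl number 2001
[Firewall-acl-basic-2001] rule deny source 202.0.0.1 0
[Firewall-acl-basic-2001] rule permit
[Firewall-acl-basic-2001] quit
#
# ASPF policy 1: inspect FTP and HTTP, block Java applets according to ACL 2001.
[Firewall] aspf-policy 1
[Firewall-aspf-policy-1] detect ftp
[Firewall-aspf-policy-1] detect http java-blocking 2001
[Firewall-aspf-policy-1] quit
#
# Advanced ACL that denies all inbound traffic by default; ASPF dynamically
# opens only the return path of sessions initiated from the internal network.
[Firewall] acl number 3001
[Firewall-acl-adv-3001] rule deny ip
[Firewall-acl-adv-3001] quit
#
# On the interface facing the external network: deny-all packet filter on the
# inbound direction, ASPF applied to outbound (internally initiated) traffic.
[Firewall] interface <external-interface>
[Firewall-<external-interface>] firewall packet-filter 3001 inbound
[Firewall-<external-interface>] firewall aspf 1 outbound
[Firewall-<external-interface>] quit
#
# Verification with the display commands listed in Table 99.
[Firewall] display aspf policy 1
[Firewall] display aspf session verbose
```

Because the caution above applies, sessions that were already open when the policy was applied keep their previous treatment until they age out or the session table is reset.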
Table 99 Display and debug ASPF (each operation is followed by its command)

Display all ASPF configurations and current traced and detected sessions:
    display aspf all

Display application detection policy and interface configuration of access list:
    display aspf interface

Display the configuration of a specific detection policy:
    display aspf policy aspf-policy-number

Display sessions currently traced and detected by ASPF:
    display aspf session [ verbose ]

Display the session table on the firewall:
    display firewall session table

Display the session timeout values of various protocols:
    display firewall session aging-time

Display port mapping information:
    display port-mapping [ application-name | port port-number ]

Enable ASPF debugging function:
    debugging aspf { all | verbose | events | ftp | h323 | rtsp | session | smtp | tcp | timers | udp }

Disable ASPF debugging function:
    undo debugging aspf { all | verbose | events | ftp | h323 | rtsp | session | smtp | tcp | timers | udp }

Enable HTTP debugging function:
    debugging aspf http { java-blocking | activex-blocking } { all | error | event | filter | packet }

Disable HTTP debugging function:
    undo debugging aspf http { java-blocking | activex-blocking } { all | error | event | filter | packet }

Reset firewall session table:
    reset firewall session table