HP VPN Firewall Appliances Attack Protection Configuration Guide

inspection requires a full match between the packets returned to the external interface of ASPF and
the packets previously sent out from that interface, that is, an exact match of the source
and destination addresses and port numbers. Otherwise, the return packets are blocked. Therefore, for
multi-channel application layer protocols such as FTP and H.323, deploying TCP detection without
application layer detection causes data connection establishment to fail.
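
The matching behavior described above, as an added Python illustration (not HP code and not part of the original guide): a toy filter that permits inbound packets only on an exact reverse match of addresses and ports, run against constructed active-mode FTP traffic with and without application layer detection. ToyInspector, ftp_active_mode, the addresses and the port numbers are assumptions made for the example; H.323 is not modeled.

```python
# Added illustration: a toy stateful filter, not ASPF itself.
import re

class ToyInspector:
    def __init__(self, app_layer_detection=False):
        self.app_layer_detection = app_layer_detection
        self.sessions = set()  # exact (src, sport, dst, dport) tuples sent out
        self.expected = set()  # (src, dst, dport) data channels learned from PORT

    def outbound(self, src, sport, dst, dport, payload=b""):
        """Record a packet leaving through the external interface."""
        self.sessions.add((src, sport, dst, dport))
        if self.app_layer_detection and dport == 21:
            # Application layer detection: read the FTP PORT command to
            # learn which data channel the server will open.
            m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload)
            if m:
                n = [int(x) for x in m.groups()]
                client_ip = ".".join(str(x) for x in n[:4])
                self.expected.add((dst, client_ip, n[4] * 256 + n[5]))

    def inbound(self, src, sport, dst, dport):
        """Permit exact reverse matches, or a data channel learned from FTP."""
        if (dst, dport, src, sport) in self.sessions:
            return "permit"
        if (src, dst, dport) in self.expected:
            self.expected.discard((src, dst, dport))
            self.sessions.add((dst, dport, src, sport))
            return "permit"
        return "block"

def ftp_active_mode(app_layer_detection):
    """Constructed sample traffic: active-mode FTP from an inside client."""
    client, server = "192.0.2.10", "198.51.100.5"
    fw = ToyInspector(app_layer_detection)
    fw.outbound(client, 40000, server, 21, b"USER demo\r\n")
    control_reply = fw.inbound(server, 21, client, 40000)
    # The client announces 192.0.2.10, port 195*256+80 = 50000, for data.
    fw.outbound(client, 40000, server, 21, b"PORT 192,0,2,10,195,80\r\n")
    data_syn = fw.inbound(server, 20, client, 50000)
    return control_reply, data_syn

if __name__ == "__main__":
    print("TCP detection only:         ", ftp_active_mode(False))
    print("with app layer detection:   ", ftp_active_mode(True))
```
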
Configuring an IPv6 packet-filter firewall
An IPv6 packet-filter firewall can be configured only at the CLI.
IPv6 packet-filter firewall configuration task list
Task                                                            Remarks
Enabling the IPv6 firewall function                             Required.
Configuring the default filtering action of the IPv6 firewall   Optional.
Configuring packet filtering on an interface                    Required.
Enabling the IPv6 firewall function
Step                                    Command                Remarks
1. Enter system view.                   system-view            N/A
2. Enable the IPv6 firewall function.   firewall ipv6 enable   Disabled by default.
Configuring the default filtering action of the IPv6 firewall
The default filtering action determines whether the firewall permits or denies a data packet when
there is no appropriate criterion for judging it.
To configure the default filtering action of the IPv6 firewall:
Step                                                       Command                                   Remarks
1. Enter system view.                                      system-view                               N/A
2. Specify the default filtering action of the firewall.   firewall ipv6 default { deny | permit }   Optional. permit (permit packets to pass the firewall) by default.
Configuring packet filtering on an interface
When an ACL is applied to an interface, time range-based filtering takes effect at the same time.
In addition, you can specify separate access rules for inbound and outbound packets.
The effective range for basic ACL numbers is 2000 to 2999. A basic ACL defines rules that analyze and
process data packets based only on Layer 3 source IP addresses.