HP VPN Firewall Appliances Attack Protection Configuration Guide
The effective range for advanced ACL numbers is 3000 to 3999. An advanced ACL defines rules
according to the source and destination IP addresses of packets, the type of protocol over IP, TCP/UDP
source and destination ports, and so on.
An advanced ACL supports the following match modes:
• Normal match—Matches Layer 3 information. Non-Layer 3 information is ignored. The default
mode is normal match mode.
• Exact match—Matches all advanced ACL rules. For this reason, you must enable fragment
inspection for the firewall to record the status of the first fragment of each packet and obtain the
match information of the subsequent fragments. The exact match mode is not supported on the
device.
You can neither enable packet filtering on an interface in an aggregation group, nor add an interface
with packet filtering enabled to an aggregation group.
Configuring IPv6 packet filtering on an interface
IPv6 packet filtering is a basic firewall function of an IPv6-based ACL. You can configure IPv6 packet
filtering in the inbound or outbound direction of an interface so that the interface filters packets that
match the IPv6 ACL rules.
To configure IPv6 packet filtering on an interface:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 3. Configure IPv6 packet filtering on an interface.
  Command: firewall packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
  Remarks: IPv6 packets are not filtered by default. You can apply only one IPv6 ACL in one direction of an interface for packet filtering.

Step 4. Display the packet filtering statistics of the IPv6 firewall.
  Command: display firewall ipv6 statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Step 5. Clear the packet filtering statistics of the IPv6 firewall.
  Command: reset firewall ipv6 statistics { all | interface interface-type interface-number }
  Remarks: Available in user view.
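Because IPv6 packets are not filtered by default and only one IPv6 ACL can be applied per direction, a planned configuration can be checked for both conditions before it is pushed. The script below is an added example, not part of the HP guide; the configuration layout (interface blocks with indented commands, separated by "#"), the interface names, the ACL numbers and the ACL name are assumptions made for illustration.

```python
import re

# Constructed sample config; interface names and ACL ids are illustrative.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/1
 firewall packet-filter ipv6 3000 inbound
#
interface GigabitEthernet0/2
 ipv6 address 2001:db8:2::1/64
#
interface GigabitEthernet0/3
 firewall packet-filter ipv6 name EDGE6 outbound
#
interface GigabitEthernet0/4
 firewall packet-filter ipv6 3000 inbound
 firewall packet-filter ipv6 3001 inbound
#
"""

FILTER_RE = re.compile(
    r"firewall packet-filter ipv6 (?:name (\S+)|(\d+)) (inbound|outbound)$")

def parse_ipv6_filters(config):
    """Return {interface: {"inbound": [acl, ...], "outbound": [acl, ...]}}."""
    filters, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            filters[current] = {"inbound": [], "outbound": []}
        elif raw[:1] not in (" ", "\t"):
            current = None  # "#" separator or any other top-level line
        elif current:
            if m := FILTER_RE.match(raw.strip()):
                filters[current][m.group(3)].append(m.group(1) or m.group(2))
    return filters

def audit(config, required=("inbound",)):
    """List (interface, direction, problem) for each required direction."""
    findings = []
    for ifname, dirs in parse_ipv6_filters(config).items():
        for direction in required:
            n = len(dirs[direction])
            if n != 1:  # exactly one ACL per direction is the valid state
                findings.append((ifname, direction, "unfiltered" if n == 0 else "multiple"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```

Pass `required=("inbound", "outbound")` to require a filter in both directions.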
Configuring an ASPF
ASPF can be configured at the CLI and in the Web interface. This section describes only the CLI
configuration for ASPF. For ASPF configuration in the Web interface, see Access Control Configuration
Guide.