HP VPN Firewall Appliances Attack Protection Configuration Guide

ASPF configuration task list

Task                                        Remarks
Configuring port mapping                    Optional.
Enabling ASPF for an interzone instance     Required.
Configuring port mapping
Two mapping mechanisms exist: general port mapping and host port mapping based on a basic ACL.

General port mapping—Maps a user-defined port number to an application layer protocol for all traffic. If port 8080 is mapped to HTTP, for example, every TCP packet with destination port 8080 is treated as an HTTP packet and inspected as HTTP.

Host port mapping—Maps a user-defined port number to an application layer protocol only for packets sent to specific hosts. For example, you can create a host port mapping so that TCP packets with destination port 8080 are treated as HTTP packets only when they are sent to the network segment 10.110.0.0; port 8080 traffic to any other destination is not affected. The host address range is specified with a basic ACL.
To configure port mapping:

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A

Step 2. Enter VD view.
        Command: switchto vd vd-name
        Remarks: Required for a non-default VD. For information about VDs, see System Management and Maintenance Configuration Guide.

Step 3. Configure the mapping between the port and the application protocol.
        Command: port-mapping application-name port port-number [ acl acl-number ]
        Remarks: Not configured by default. The application layer protocols supported by this function are FTP, GTP, H323, HTTP, RTSP, SCCP, SIP, SMTP, and SQLNET. Omit acl to create a general port mapping; specify a basic ACL to create a host port mapping that applies only to destinations the ACL permits.
Enabling ASPF for an interzone instance

An interzone instance identifies the service traffic to be inspected by a source zone and a destination zone. The source zone is the zone in which the device receives the first packet of the service traffic, and the destination zone is the zone out of which the device forwards that first packet. Return traffic of the same session is matched to the instance by state, not by a second instance in the reverse direction. You enable ASPF on an interzone instance to inspect the traffic it identifies.
To enable ASPF for an interzone instance:

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A

Step 2. Enter VD system view.
        Command: switchto vd vd-name
        Remarks: Required for a non-default VD.

Step 3. Enter interzone instance view.
        Command: interzone source source-zone-name destination destination-zone-name
        Remarks: N/A
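The following CLI session puts the port mapping task and the interzone instance task above together. It is an added example, not configuration taken from the HP guide. The device prompt, the default VD (so no switchto vd step), basic ACL number 2001, the zone names Trust and Untrust, the /16 wildcard mask for the 10.110.0.0 segment, and the Comware-style acl number / rule syntax used to build the basic ACL are all assumptions; the page does not show them. The session ends at interzone instance view, where the procedure on this page ends.

```text
# Added example (assumed prompt names, zone names, ACL number and ACL syntax).
# Basic ACL 2001 selects the hosts for the host port mapping: 10.110.0.0/16 is assumed.
<Firewall> system-view
[Firewall] acl number 2001
[Firewall-acl-basic-2001] rule permit source 10.110.0.0 0.0.255.255
[Firewall-acl-basic-2001] quit

# Host port mapping: TCP port 8080 is inspected as HTTP only for destinations
# permitted by ACL 2001. Port 8080 traffic to any other host is left alone.
[Firewall] port-mapping http port 8080 acl 2001

# General port mapping: TCP port 2121 is inspected as FTP for every destination.
[Firewall] port-mapping ftp port 2121

# Interzone instance for service traffic whose first packet arrives in zone Trust
# and leaves through zone Untrust. The ASPF enabling step that follows in the
# guide is not on this page and is not shown here.
[Firewall] interzone source Trust destination Untrust
[Firewall-interzone-Trust-Untrust]
```

Two practitioner caveats. First, a port mapping only changes which application layer inspection ASPF applies to a packet; it does not by itself permit or deny the traffic, so a mapping with no matching interzone instance and no ASPF enabled on it inspects nothing. Second, prefer the ACL-scoped host mapping when a non-standard port carries the protocol for only some servers: a general mapping of 8080 to HTTP subjects every 8080 flow on the device to HTTP inspection, which can break unrelated services that happen to use that port and widens the traffic the HTTP parser must handle.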