HP VPN Firewall Appliances Attack Protection Configuration Guide
Step 4: Enable ASPF for the interzone instance.
Command: firewall aspf enable [ icmp-error drop | tcp syn-check ]
Remarks: Disabled by default.
For more information about security zones, see Access Control Configuration Guide.
Displaying ASPF
Task: Display the port mapping information.
Command: display port-mapping [ application-name | port port-number ] [ vd vd-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
ASPF configuration example
Network requirements
Configure ASPF on the firewall to allow access from internal users to the remote server, deny access from
the external network to the internal users, and drop non-SYN TCP first packets from the internal network
to the external network.
Figure 52 Network diagram
Configuration procedure
# Add interface GigabitEthernet 0/1 and GigabitEthernet 0/2 to zone Trust and Untrust, respectively.
<Firewall> system-view
[Firewall] zone name Trust
[Firewall-zone-Trust] import interface gigabitethernet 0/1
[Firewall-zone-Trust] quit
[Firewall] zone name Untrust
[Firewall-zone-Untrust] import interface gigabitethernet 0/2
[Firewall-zone-Untrust] quit
# Create an interzone instance, with the source zone being Trust and the destination zone being Untrust.
[Firewall] interzone source Trust destination Untrust
# Enable ASPF for the interzone instance.
[Firewall-interzone-trust-untrust] firewall aspf enable tcp syn-check
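The following is an added toy model of what the `firewall aspf enable tcp syn-check` command configured above (and described in step 4) does for the Trust-to-Untrust interzone; it is illustration code, not HP code or the appliance's actual implementation. The `Aspf` class, the PERMIT/DROP verdicts, the addresses and the packet sequence in `demo` are all constructed for this example.

```python
"""Toy model of ASPF stateful inspection for a Trust -> Untrust interzone.

Added illustration only (not HP code). A packet is described by its arrival
zone, 5-tuple fields and a set of TCP flag names. Tracked sessions are stored
as (src, sport, dst, dport) tuples seen in the Trust -> Untrust direction.
"""
from dataclasses import dataclass, field


@dataclass
class Aspf:
    source_zone: str = "Trust"
    dest_zone: str = "Untrust"
    syn_check: bool = False            # models the 'tcp syn-check' option
    sessions: set = field(default_factory=set)

    def inspect(self, zone, src, sport, dst, dport, flags):
        """Return 'PERMIT' or 'DROP' for one TCP segment arriving from `zone`."""
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if zone == self.source_zone:
            if fwd in self.sessions:
                if flags & {"FIN", "RST"}:
                    self.sessions.discard(fwd)    # session teardown
                return "PERMIT"                   # packet of a tracked session
            if self.syn_check and "SYN" not in flags:
                return "DROP"                     # non-SYN first packet is dropped
            self.sessions.add(fwd)                # first packet opens a session
            return "PERMIT"
        if zone == self.dest_zone:
            # Only return traffic for a session initiated from Trust gets through;
            # anything else arriving from Untrust is denied.
            return "PERMIT" if rev in self.sessions else "DROP"
        return "DROP"


def demo(syn_check):
    """Run a constructed packet sequence through the model and return the verdicts."""
    aspf = Aspf(syn_check=syn_check)
    pkts = [  # (zone, src, sport, dst, dport, flags) -- constructed sample traffic
        ("Trust", "10.1.1.2", 40000, "203.0.113.10", 80, {"SYN"}),          # internal opens
        ("Untrust", "203.0.113.10", 80, "10.1.1.2", 40000, {"SYN", "ACK"}),  # server replies
        ("Untrust", "203.0.113.10", 80, "10.1.1.2", 40000, {"ACK"}),         # server data
        ("Untrust", "203.0.113.99", 12345, "10.1.1.2", 22, {"SYN"}),         # unsolicited inbound
        ("Trust", "10.1.1.3", 40001, "203.0.113.10", 80, {"ACK"}),           # non-SYN first packet
    ]
    return [aspf.inspect(*p) for p in pkts]


if __name__ == "__main__":
    print("syn-check on :", demo(True))    # last verdict DROP
    print("syn-check off:", demo(False))   # last verdict PERMIT
```

Running `demo` with and without `syn_check` shows the one difference the option makes: an internal host whose first packet carries no SYN is dropped instead of opening a session.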