Configuring an ASPF policy

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create an ASPF policy and enter its view.
Command: aspf-policy aspf-policy-number
Remarks: By default, no ASPF policies exist.

Step 3. (Optional.) Configure ASPF inspection for application layer protocols.
Command: detect { { dns [ action { drop | logging } * ] | ftp | h323 | http | sccp | sip | smtp } [ action drop ] | gtp | ils | mgcp | nbt | pptp | rsh | rtsp | sqlnet | tftp | xdmcp }
Remarks: By default, ASPF inspection for application layer protocols is not configured. ASPF inspection for transport layer protocols is always enabled and cannot be configured.
ASPF supports protocol status validity check for the application layer protocols DNS, FTP, H323, HTTP, SCCP, SIP, and SMTP. How ASPF handles a packet with an invalid protocol status depends on the action you specify: for DNS the action can be drop, logging, or both; for the other protocols in this group the only action is drop. To enable protocol status validity check for an application layer protocol, specify the action keyword; without it, ASPF only tracks the protocol and does not act on invalid protocol status.
This command is required for multichannel application layer protocols, whose data connections can be established only if ASPF inspects the control connection and opens the negotiated data channels. Apart from HTTP, SMTP, and TFTP, all application layer protocols supported by this command are multichannel protocols.

Step 4. (Optional.) Enable ICMP error message check.
Command: icmp-error drop
Remarks: By default, ICMP error message check is disabled, and ASPF does not drop faked ICMP error messages (error messages whose embedded original packet header does not match an existing session). Enable the check so that such messages are dropped instead of being forwarded to the host they claim to be about.

Step 5. (Optional.) Enable TCP SYN check.
Command: tcp syn-check
Remarks: By default, TCP SYN check is disabled: when the first packet of a TCP connection seen by ASPF is not a SYN, ASPF does not drop it. With the check enabled, a connection must start with a SYN. Note that after session state is lost (for example, a device reboot or failover), packets of connections established before the loss are then dropped until the endpoints reconnect.
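Taking the five steps together, the following is an added example, not a configuration from the original table or from the vendor's documentation, that creates one policy, enables inspection for several protocols with and without protocol status validity check, and turns on both optional checks. The device name Sysname, the policy number 1, the protocol choices, and the display command at the end are assumptions; the commands themselves are the ones listed in the steps above.

```text
# Added example; "Sysname" is the assumed default device name and 1 an arbitrary policy number.
<Sysname> system-view
[Sysname] aspf-policy 1

# Multichannel protocols (no action keyword): ASPF tracks the control connection
# and opens the negotiated data channels so the data connections can be established.
[Sysname-aspf-policy-1] detect ftp
[Sysname-aspf-policy-1] detect rtsp
[Sysname-aspf-policy-1] detect sqlnet

# Protocol status validity check: the action keyword makes ASPF drop packets
# whose protocol status is invalid (drop is the only action for these protocols).
[Sysname-aspf-policy-1] detect http action drop
[Sysname-aspf-policy-1] detect sip action drop

# DNS accepts drop, logging, or both; here invalid DNS packets are logged and dropped.
[Sysname-aspf-policy-1] detect dns action drop logging

# Drop ICMP error messages that do not match an existing session.
[Sysname-aspf-policy-1] icmp-error drop

# Require the first packet of every TCP connection to be a SYN.
[Sysname-aspf-policy-1] tcp syn-check
[Sysname-aspf-policy-1] quit

# Verification (display command is an assumption, not part of the table above).
[Sysname] display aspf policy 1
```

Two notes on the example. The policy does nothing until it is applied to traffic (to an interface or a zone pair), which is outside the scope of this table. And because `tcp syn-check` drops the non-SYN first packet of any connection ASPF has no session for, enable it on a device that will hold session state continuously, or expect long-lived connections to break after a reboot or failover until the endpoints reconnect.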