Applying an ASPF policy to a zone pair
You can apply an ASPF policy to a zone pair to inspect traffic from the source zone to the destination zone. ASPF compares all packets with session entries. If a packet that is permitted by packet filtering does not match any existing session entries, ASPF creates a new session entry.
ASPF for a zone pair takes effect only when it functions with a packet filter:
The packet filter allows only solicited access from the source zone to the network that the destination zone connects.
The ASPF policy compares the packets against session entries and allows matching packets from the source zone to the destination zone. The policy also allows return packets from the destination zone to the source zone.
To apply an ASPF policy to a zone pair:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter zone pair view. | zone-pair security source source-zone-name destination destination-zone-name | For information about configuring a zone pair, see Fundamentals Command Reference. |
3. Apply an ASPF policy to the zone pair. | aspf apply policy aspf-policy-number | By default, the predefined ASPF policy is applied to the zone pair. With the predefined policy, ASPF inspects FTP packets and packets of all transport layer protocols, but it does not perform ICMP error message check or TCP SYN packet check. |