Configuring ASPF, Overview – H3C Technologies H3C SecPath F1000-E User Manual
Configuring ASPF
The ASPF configuration is available only in the Web interface.
Overview
Application Specific Packet Filter (ASPF) applications are based on zone management and session
management. Zone management is an independent common module. It is not involved in service packet
processing; it only maintains information relevant to zones and provides policy interfaces for other
modules. The session management module simplifies the design of function modules such as Network
Address Translation (NAT), ASPF, Application Level Gateway (ALG), attack defense, and connection
number limit modules. It processes the various kinds of session information, ages sessions based
on their states, and provides uniform interfaces to the function modules.
ASPF policies are configured between zones. When used for packet processing, they use information
provided by the session management module, such as whether the connection status is correct, whether
a packet is an initial one, and whether a packet is an ICMP error packet. Based on information provided
by the session management module and ASPF policies, ASPF applications determine which packets are
allowed to pass.
ASPF is often used together with the static packet filter function. In some cases, ASPF cannot
determine whether packets are allowed to pass, and the static packet filter function makes the
decision instead. For example, whether broadcast packets are allowed to pass is determined by the
static packet filter function based on ACLs or default inter-zone priorities.
Configuring ASPF
1. Select Firewall > Session Table > Advanced from the navigation tree.
2. Click the ASPF tab.
Figure 102 ASPF policy list
3. Click Add.
The page for adding an ASPF policy appears, as shown in .