Applying an ASPF policy to an interface
The following matrix shows the feature and hardware compatibility:
Hardware | Feature compatibility |
---|---|
MSR900 | Yes |
MSR93X | Yes |
MSR20-1X | No |
MSR20 | Yes |
MSR30 | Yes |
MSR50 | Yes |
MSR1000 | Yes |
An ASPF policy distinguishes two concepts: internal interface and external interface.
If the device is connected to both the internal network and the Internet, and employs ASPF to protect the internal servers, the interface connected to the internal network is the internal interface and the one connected to the Internet is the external interface.
If both ASPF and an ACL-based packet-filter firewall are applied to the external interface, access to the internal network from the Internet is denied, while response packets can still pass ASPF when internal network users access the Internet.
To monitor the traffic through an interface, you must apply the configured ASPF policy to that interface.
Make sure a connection initiation packet and the corresponding return packet are based on the same interface, because ASPF stores and maintains the application layer protocol status on a per-interface basis.
To apply an ASPF policy to an interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Apply an ASPF policy to the interface. | firewall aspf aspf-policy-number { inbound \| outbound } | Not applied by default. |
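
The following Python check is an added example, not part of the original guide: it reads a saved configuration and reports, per interface, which ASPF policy is applied in which direction, and flags interfaces that have no policy, that reference an undefined policy, or that lack the packet-filter half of the ASPF plus packet-filter combination described above. The sample configuration is constructed; the `aspf-policy`, `detect` and `firewall packet-filter` lines, the interface names and ACL number 3111 are assumptions not shown on this page.

```python
import re

# Constructed sample; everything except "firewall aspf" is an assumption (see lead-in).
SAMPLE_CONFIG = """\
aspf-policy 1
 detect ftp
#
interface Serial2/0
 firewall packet-filter 3111 inbound
 firewall aspf 1 outbound
#
interface GigabitEthernet0/1
 firewall aspf 2 inbound
#
interface GigabitEthernet0/2
#
"""

ASPF_RE = re.compile(r"^firewall aspf (\d+) (inbound|outbound)$")

def audit_aspf(config):
    """Return (bindings, findings) describing ASPF application per interface."""
    defined, bindings, filtered, iface = set(), {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level line leaves any interface view
            iface = None
            m = re.match(r"^aspf-policy (\d+)$", line)
            if m:
                defined.add(int(m.group(1)))
            elif line.startswith("interface "):
                iface = line.split(None, 1)[1]
                bindings[iface] = []
            continue
        m = ASPF_RE.match(line)
        if iface and m:                  # policy number and direction on this interface
            bindings[iface].append((int(m.group(1)), m.group(2)))
        elif iface and line.startswith("firewall packet-filter "):
            filtered.add(iface)
    findings = []
    for name, applied in bindings.items():
        if not applied:                  # "Not applied by default"
            findings.append((name, "no ASPF policy applied"))
            continue
        findings += [(name, f"aspf-policy {n} is not defined")
                     for n, _ in applied if n not in defined]
        if name not in filtered:         # only half of the ASPF + packet-filter pair
            findings.append((name, "ASPF applied without a packet-filter"))
    return bindings, findings
```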