11-Security Command Reference

14-ASPF commands

ASPF commands

aspf apply policy (interface view)

Use aspf apply policy to apply an ASPF policy to an interface.

Use undo aspf apply policy to remove an ASPF policy application from an interface.

Syntax

aspf apply policy aspf-policy-number { inbound | outbound }

undo aspf apply policy aspf-policy-number { inbound | outbound }

Default

No ASPF policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

aspf-policy-number: Specifies an ASPF policy number. The value range for this argument is 1 to 256.

inbound: Applies the ASPF policy to incoming packets.

outbound: Applies the ASPF policy to outgoing packets.

Usage guidelines

To inspect the traffic through an interface, you must apply a configured ASPF policy to that interface.

Make sure a connection initiation packet and the response packet pass through the same interface, because an ASPF stores and maintains the application layer protocol status based on interfaces.

You can apply an ASPF policy to both the inbound and outbound directions of an interface.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply ASPF policy 1 to the outbound direction of GigabitEthernet 1/0.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0

[Sysname-GigabitEthernet1/0] aspf apply policy 1 outbound

Related commands

aspf policy

display aspf all

display aspf interface

aspf apply policy (zone pair view)

Use aspf apply policy to apply an ASPF policy to a zone pair.

Use undo aspf apply policy to remove an ASPF policy application from a zone pair.

Syntax

aspf apply policy aspf-policy-number

undo aspf apply policy aspf-policy-number

Default

The system applies the predefined ASPF policy to a zone pair when the zone pair is created.

Views

Zone pair view

Predefined user roles

network-admin

Parameters

aspf-policy-number: Specifies an ASPF policy number. The value range for this argument is 1 to 256.

Usage guidelines

With the predefined policy, ASPF inspects FTP packets and packets of all transport layer protocols, but it does not perform ICMP error message check or the TCP SYN packet check.

The predefined ASPF policy cannot be modified. To change the ASPF policy application, define an ASPF policy and apply it to the zone pair.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply an ASPF policy to a zone pair.

<Sysname> system-view

[Sysname] security-zone name trust

[Sysname-security-zone-Trust] import interface gigabitethernet 1/0

[Sysname-security-zone-Trust] quit

[Sysname] security-zone name untrust

[Sysname-security-zone-Untrust] import interface gigabitethernet 2/0

[Sysname-security-zone-Untrust] quit

[Sysname] zone-pair security source trust destination untrust

[Sysname-zone-pair-security-Trust-Untrust] aspf apply policy 1

Related commands

aspf policy

display aspf all

zone-pair security

aspf icmp-error reply

Use aspf icmp-error reply to enable the device to send ICMP error messages upon packet dropping by interzone policies applied to zone pairs.

Use undo aspf icmp-error reply to restore the default.

Syntax

aspf icmp-error reply

undo aspf icmp-error reply

Default

The device does not send ICMP error messages when the device drops packets that do not match interzone policies applied to zone pairs.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Typically, leave this command unconfigured: it avoids sending unnecessary packets over the network and saves bandwidth.

However, traceroute depends on receiving ICMP error messages, so you must use this command when you use traceroute.

Examples

# Enable ICMP error message sending upon packet dropping by interzone policies applied to zone pairs.

<Sysname> system-view

[Sysname] aspf icmp-error reply

aspf log sending-realtime enable

Use aspf log sending-realtime enable to enable real-time log sending mode.

Use undo aspf log sending-realtime enable to disable real-time log sending mode.

Syntax

aspf log sending-realtime enable

undo aspf log sending-realtime enable

Default

Real-time log sending mode is disabled. Logs are cached before they are sent.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Real-time log sending mode takes effect only on logs sent by the object policy and packet filtering features.

The device supports the following log sending modes:

·     Cache log sending mode—When the first packet of a flow matches a policy, the device generates a log and caches it and starts a five-minute timer at the same time. If the log matches traffic within five minutes, the device sends the log when the timer expires. If the log does not match any traffic within five minutes, the device deletes the log. The device stops generating logs if the number of cached logs reaches the upper limit.

·     Real-time log sending mode—When the first packet of a flow matches a policy, the device sends a log immediately. For a policy that permits specific packets, the device sends only one log for a flow that matches the policy. For a policy that denies specific packets, the device sends a log for each packet of a flow that matches the policy. The number of logs is not limited.

For more information about logging configuration of the object policy and packet filtering features, see Security Configuration Guide, and ACL and QoS Configuration Guide.
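The two log sending modes above differ mainly in how many logs a flow produces and when they leave the device, which matters for syslog volume and for how quickly a SOC sees a denied flow. The following simulation is an added example, not H3C code: it replays a constructed stream of policy matches through a model of each mode and counts the emitted logs. The five-minute timer comes from the text; CACHE_UPPER_LIMIT is a constructed stand-in because the manual does not state the device's real cache limit.

```python
"""Simulation of the two ASPF log sending modes (added example, not H3C code)."""
from dataclasses import dataclass

CACHE_TIMER_SECONDS = 300   # "five-minute timer" in cache log sending mode
CACHE_UPPER_LIMIT = 2       # constructed value, not the device's real cap


@dataclass(frozen=True)
class Match:
    """One packet that matched a policy rule (constructed input)."""
    time: float   # seconds since an arbitrary epoch
    flow: tuple   # (src_ip, dst_ip, proto, sport, dport)
    action: str   # "permit" or "deny"


class RealtimeLogger:
    """Real-time mode: one log per permitted flow, one log per denied packet."""

    def __init__(self):
        self.sent = []
        self._logged_permit_flows = set()

    def on_match(self, m):
        if m.action == "deny":
            self.sent.append((m.time, m.flow, "deny"))
        elif m.flow not in self._logged_permit_flows:
            self._logged_permit_flows.add(m.flow)
            self.sent.append((m.time, m.flow, "permit"))


class CacheLogger:
    """Cache mode: the first packet of a flow creates a cached log and starts a
    timer; the log is sent at expiry only if more traffic matched meanwhile,
    otherwise it is deleted. When the cache is full no new logs are created."""

    def __init__(self, upper_limit=CACHE_UPPER_LIMIT):
        self.upper_limit = upper_limit
        self.sent = []
        self.suppressed_at_limit = 0
        self._cache = {}   # flow -> [created_at, matched_again]

    def _expire(self, now):
        for flow, (created, matched_again) in list(self._cache.items()):
            if now >= created + CACHE_TIMER_SECONDS:
                if matched_again:
                    self.sent.append((created + CACHE_TIMER_SECONDS, flow))
                del self._cache[flow]

    def on_match(self, m):
        self._expire(m.time)
        if m.flow in self._cache:
            self._cache[m.flow][1] = True          # log "matched traffic" again
        elif len(self._cache) >= self.upper_limit:
            self.suppressed_at_limit += 1          # cache full: no new log
        else:
            self._cache[m.flow] = [m.time, False]

    def flush(self, now):
        """Expire timers up to 'now' (call at the end of a replay)."""
        self._expire(now)


# Constructed traffic: A is a repeatedly denied flow, B a permitted session,
# C a denied flow that arrives while the cache is already full.
FLOW_A = ("203.0.113.9", "192.0.2.10", "tcp", 40001, 23)
FLOW_B = ("192.0.2.20", "198.51.100.5", "tcp", 51000, 443)
FLOW_C = ("203.0.113.9", "192.0.2.10", "tcp", 40002, 3389)

TRACE = [
    Match(0, FLOW_A, "deny"),
    Match(10, FLOW_A, "deny"),
    Match(20, FLOW_B, "permit"),
    Match(30, FLOW_B, "permit"),
    Match(40, FLOW_C, "deny"),      # cache already holds A and B
    Match(400, FLOW_A, "deny"),     # A and B timers have expired by now
]


def simulate(trace=TRACE, end_time=1000):
    """Replay the trace through both modes; return the log counts."""
    rt, cache = RealtimeLogger(), CacheLogger()
    for m in trace:
        rt.on_match(m)
        cache.on_match(m)
    cache.flush(end_time)
    return {
        "realtime_logs": len(rt.sent),
        "cache_logs": len(cache.sent),
        "cache_suppressed_at_limit": cache.suppressed_at_limit,
    }


if __name__ == "__main__":
    print(simulate())
```

With this trace, real-time mode emits five logs (every denied packet plus one for the permitted flow), while cache mode emits two (A and B, each at timer expiry), suppresses C because the constructed cache limit is reached, and silently discards the second A log because nothing else matched it within the timer.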

Examples

# Enable real-time log sending mode.

<Sysname> system-view

[Sysname] aspf log sending-realtime enable

Related commands

rule rule-id logging (object policy view)

rule rule-id logging (ACL and QoS Command Reference)

aspf policy

Use aspf policy to create an ASPF policy and enter its view, or enter the view of an existing ASPF policy.

Use undo aspf policy to remove an ASPF policy.

Syntax

aspf policy aspf-policy-number

undo aspf policy aspf-policy-number

Default

No ASPF policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

aspf-policy-number: Assigns a number to the ASPF policy. The value range for this argument is 1 to 256.

Examples

# Create ASPF policy 1 and enter its view.

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1]

Related commands

display aspf all

display aspf policy

detect

Use detect to configure ASPF inspection for an application layer protocol.

Use undo detect to restore the default.

Syntax

detect { { ftp | h323 | sccp | sip } | gtp | ils | mgcp | nbt | pptp | rsh | rtsp | sqlnet | tftp | xdmcp }

undo detect { ftp | gtp | h323 | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }

Default

ASPF inspects only transport layer protocols and application protocol FTP.

Views

ASPF policy view

Predefined user roles

network-admin

Parameters

ftp: Specifies FTP, an application layer protocol.

gtp: Specifies GPRS Tunneling Protocol (GTP), an application layer protocol.

h323: Specifies the H.323 protocol stack, a set of application layer protocols.

ils: Specifies Internet Locator Service (ILS), an application layer protocol.

mgcp: Specifies Media Gateway Control Protocol (MGCP), an application layer protocol.

nbt: Specifies NetBIOS over TCP/IP (NBT), an application layer protocol.

pptp: Specifies Point-to-Point Tunneling Protocol (PPTP), an application layer protocol.

rsh: Specifies Remote Shell (RSH), an application layer protocol.

rtsp: Specifies Real Time Streaming Protocol (RTSP), an application layer protocol.

sccp: Specifies Skinny Client Control Protocol (SCCP), an application layer protocol.

sip: Specifies Session Initiation Protocol (SIP), an application layer protocol.

sqlnet: Specifies SQLNET, an application layer protocol.

tftp: Specifies TFTP, an application layer protocol.

xdmcp: Specifies X Display Manager Control Protocol (XDMCP), an application layer protocol.

Usage guidelines

This command is required to ensure successful data connections for multichannel protocols when either of the following conditions exists:

·     The ALG feature is disabled in other service modules (such as NAT).

·     Other service modules with the ALG feature (such as DPI) are not configured.

This command is optional for multichannel protocols if ALG is enabled in other service modules (such as NAT) or if other service modules with the ALG feature are configured.

Application protocols supported by this command (except TFTP) are multichannel protocols.

Repeat the detect command to configure ASPF inspection for multiple application protocols.

ASPF inspection for transport layer protocols is always enabled and is not configurable. The supported transport layer protocols include TCP, UDP, UDP-Lite, SCTP, Raw IP, ICMP, ICMPv6, and DCCP.

This command configures ASPF inspection for application protocols.
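For a multichannel protocol such as FTP, the data connection uses a port negotiated on the control channel, so a purely transport layer firewall cannot know in advance which connection to permit. The following is an added example (not H3C code) of what an inspector like detect ftp has to do: read PORT commands and 227 (passive mode) replies on the control channel and open a matching pinhole for the data connection. The control-channel endpoints and command lines are constructed test data, and the rule that the announced address must equal the control-channel peer is a common ALG hardening added here; the manual does not describe it.

```python
"""FTP control-channel inspection with pinholes (added example, not H3C code)."""
import re

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 reply
_ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_ftp_address(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if malformed."""
    m = _ADDR_RE.search(text)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def ftp_pinhole(line, client_ip, server_ip, from_client):
    """Derive the data-channel pinhole (initiator_ip, target_ip, target_port)
    announced by one control-channel line, or None if the line opens nothing.

    Active mode: the client sends PORT and the server connects back to it.
    Passive mode: the server answers 227 and the client connects to it."""
    if from_client:
        if not line.upper().startswith("PORT "):
            return None
        addr = parse_ftp_address(line)
        if addr is None or addr[0] != client_ip:   # only the client itself may be announced
            return None
        return (server_ip, client_ip, addr[1])
    if not line.startswith("227"):
        return None
    addr = parse_ftp_address(line)
    if addr is None or addr[0] != server_ip:       # only the server itself may be announced
        return None
    return (client_ip, server_ip, addr[1])


def inspect_control_channel(lines, client_ip, server_ip):
    """Walk a sequence of (from_client, line) pairs; return the set of pinholes."""
    pinholes = set()
    for from_client, line in lines:
        hole = ftp_pinhole(line, client_ip, server_ip, from_client)
        if hole is not None:
            pinholes.add(hole)
    return pinholes


def data_connection_allowed(pinholes, src_ip, dst_ip, dst_port):
    """Decision for the first packet of a would-be data connection."""
    return (src_ip, dst_ip, dst_port) in pinholes


# Constructed control channel: client 192.0.2.10 talking to server 198.51.100.20:21
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
CONTROL_LINES = [
    (True,  "USER anonymous"),
    (False, "230 Login successful."),
    (True,  "PORT 192,0,2,10,200,5"),                              # active: 200*256+5 = 51205
    (False, "200 PORT command successful."),
    (True,  "PASV"),
    (False, "227 Entering Passive Mode (198,51,100,20,195,80)."),  # passive: 195*256+80 = 50000
    (True,  "PORT 203,0,113,7,0,25"),                              # not the client's address: ignored
]


def demo():
    """Inspect the constructed channel and report what it opened."""
    holes = inspect_control_channel(CONTROL_LINES, CLIENT, SERVER)
    return {
        "pinholes": holes,
        "server_to_client_51205": data_connection_allowed(holes, SERVER, CLIENT, 51205),
        "client_to_server_50000": data_connection_allowed(holes, CLIENT, SERVER, 50000),
        "server_to_third_party_25": data_connection_allowed(holes, SERVER, "203.0.113.7", 25),
    }


if __name__ == "__main__":
    print(demo())
```

Only the two data connections negotiated by the real endpoints are opened; the line announcing a third-party address opens nothing, and a data packet to that address is still refused by the transport layer check.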

Examples

# Configure ASPF inspection for FTP packets.

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1] detect ftp

Related commands

display aspf policy

display aspf all

Use display aspf all to display the configuration of all ASPF policies and their applications.

Syntax

display aspf all

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the configuration of all ASPF policies and their applications.

<Sysname> display aspf all

ASPF policy configuration:

  Policy default:

    ICMP error message check: Disabled

    Inspected protocol

      FTP

  Policy number: 1

    ICMP error message check: Disabled

    TCP SYN packet check: Disabled

    Inspected protocol

      FTP

 

Interface configuration:

  GigabitEthernet1/0

    Inbound policy : 1

    Outbound policy: none

 

Zone-pair security application:

  Source Trust destination Untrust

    Apply ASPF policy: default

Table 1 Command output

| Field | Description |
| --- | --- |
| Policy default | Predefined ASPF policy. |
| ICMP error message check | Whether ICMP error message check is enabled. |
| TCP SYN packet check | Whether TCP SYN check is enabled. |
| Inspected protocol | Protocols to be inspected by ASPF. |
| Interface configuration | Interfaces where an ASPF policy is applied. |
| Inbound policy | Inbound ASPF policy number. |
| Outbound policy | Outbound ASPF policy number. |
| Zone-pair security application | Information about zone-pair security application. |
| Source XXX destination XXX | Source zone and destination zone. |
| Apply ASPF policy | Number of the ASPF policy applied to the zone pair. |

Related commands

aspf apply policy

aspf policy

display aspf policy

display aspf interface

Use display aspf interface to display ASPF policy application on interfaces.

Syntax

display aspf interface

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display ASPF policy application on interfaces.

<Sysname> display aspf interface

Interface configuration:

  GigabitEthernet1/0

    Inbound policy : 1

    Outbound policy: none

Table 2 Command output

| Field | Description |
| --- | --- |
| Interface configuration | Interfaces where an ASPF policy is applied. |
| Inbound policy | Inbound ASPF policy number. |
| Outbound policy | Outbound ASPF policy number. |

Related commands

aspf apply policy

aspf policy

display aspf policy

Use display aspf policy to display the configuration of an ASPF policy.

Syntax

display aspf policy { aspf-policy-number | default }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

aspf-policy-number: Specifies the number of an ASPF policy. The value range for this argument is 1 to 256.

default: Specifies the predefined ASPF policy.

Examples

# Display the configuration of ASPF policy 1.

<Sysname> display aspf policy 1

ASPF policy configuration:

  Policy number: 1

    ICMP error message check: Disabled

    TCP SYN packet check: Enabled

Table 3 Command output

| Field | Description |
| --- | --- |
| ICMP error message check | Whether ICMP error message check is enabled. |
| TCP SYN packet check | Whether TCP SYN check is enabled. |
| Inspected protocol | Protocols to be inspected by ASPF. |

Related commands

aspf policy

display aspf session

Use display aspf session to display ASPF sessions.

Syntax

In standalone mode:

display aspf session [ ipv4 | ipv6 ] [ verbose ]

In IRF mode:

display aspf session [ ipv4 | ipv6 ] [ slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Displays IPv4 ASPF sessions.

ipv6: Displays IPv6 ASPF sessions.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ASPF sessions for all member devices. (In IRF mode.)

verbose: Displays detailed information about ASPF sessions. If you do not specify this keyword, the command displays the brief information about ASPF sessions.

Usage guidelines

If you do not specify the ipv4 keyword or the ipv6 keyword, this command displays all ASPF sessions on the device.

Examples

# (In standalone mode.) Display brief information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4

Slot 0:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0

  Source security zone: SrcZone

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0

  Source security zone: SrcZone

 

Total sessions found: 2

# (In IRF mode.) Display brief information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0

  Source security zone: SrcZone

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0

  Source security zone: SrcZone

 

Total sessions found: 2

# (In standalone mode.) Display detailed information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4 verbose

Slot 0:

Initiator:

  Source       IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0

  Source security zone: SrcZone

Responder:

  Source       IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet2/0

  Source security zone: DestZone

State: TCP_SYN_SENT

Application: SSH

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0

  Source security zone: SrcZone

Responder:

  Source      IP/port: 192.168.1.55/1792

  Destination IP/port: 192.168.1.18/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet2/0

  Source security zone: DestZone

State: ICMP_REQUEST

Application: OTHER

Start time: 2011-07-29 19:12:33  TTL: 55s

Initiator->Responder:          1 packets         60 bytes

Responder->Initiator:          0 packets          0 bytes

 

Total sessions found: 2

# (In IRF mode.) Display detailed information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0

  Source security zone: SrcZone

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet2/0

  Source security zone: DestZone

State: TCP_SYN_SENT

Application: SSH

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0

  Source security zone: SrcZone

Responder:

  Source      IP/port: 192.168.1.55/1792

  Destination IP/port: 192.168.1.18/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet2/0

  Source security zone: DestZone

State: ICMP_REQUEST

Application: OTHER

Start time: 2011-07-29 19:12:33  TTL: 55s

Initiator->Responder:         1 packets         6048 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 2

Table 4 Command output

| Field | Description |
| --- | --- |
| Initiator | Session information from initiator to responder. |
| Responder | Session information from responder to initiator. |
| Source IP/port | Source IP address and port number. |
| Destination IP/port | Destination IP address and port number. |
| DS-Lite tunnel peer | IP address of the DS-Lite tunnel peer. If the session is not tunneled by DS-Lite, this field displays a hyphen (-). |
| VPN-instance/VLAN ID/Inline ID | VPN-instance: MPLS L3VPN instance where the session is initiated. VLAN ID: VLAN to which the session belongs during Layer 2 forwarding. Inline ID: Inline to which the session belongs during Layer 2 forwarding. If no MPLS L3VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for each field. |
| Protocol | Transport layer protocol, including DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, and UDP-Lite. The number in parentheses is the protocol number. |
| Source security zone | Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-). |
| State | Protocol state of the session. |
| Application | Application layer protocol, including FTP. If the protocol is unknown because it cannot be identified by a known port, this field displays OTHER. |
| Start time | Establishment time of the session. |
| TTL | Remaining lifetime of the session, in seconds. |
| Initiator->Responder | Number of packets and bytes from initiator to responder. |
| Responder->Initiator | Number of packets and bytes from responder to initiator. |

Related commands

reset aspf session

icmp-error drop

Use icmp-error drop to enable ICMP error message check and drop faked messages.

Use undo icmp-error drop to disable ICMP error message check.

Syntax

icmp-error drop

undo icmp-error drop

Default

ICMP error message check is disabled.

Views

ASPF policy view

Predefined user roles

network-admin

Usage guidelines

An ICMP error message carries information about the corresponding connection. ICMP error message check verifies the information. If the information does not match the connection, ASPF drops the message.
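The information an ICMP error message carries is the IP header and the first 8 bytes of the datagram that triggered it, so "matching the connection" means extracting that embedded 5-tuple and looking it up in the session table. The following is an added example (not H3C code) of such a check: it parses constructed ICMPv4 error messages, recovers the quoted connection, and accepts the message only when that connection exists in either direction. The session table reuses the SSH session addresses from the display aspf session output above; everything else is constructed test data.

```python
"""ICMP error message check (added example, not H3C code)."""
import struct
from socket import inet_aton, inet_ntoa

# ICMPv4 types that quote the original datagram: destination unreachable,
# source quench, redirect, time exceeded, parameter problem
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
TCP, UDP = 6, 17


def embedded_connection(icmp_msg):
    """Return (src_ip, dst_ip, proto, sport, dport) of the datagram quoted in
    an ICMP error message, or None if the message is malformed."""
    if len(icmp_msg) < 8 + 20:
        return None
    inner = icmp_msg[8:]                      # original IPv4 header follows the 8-byte ICMP header
    if inner[0] >> 4 != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 4:      # need at least the port pair after the IP header
        return None
    proto = inner[9]
    src, dst = inet_ntoa(inner[12:16]), inet_ntoa(inner[16:20])
    if proto in (TCP, UDP):
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    else:
        sport = dport = 0
    return (src, dst, proto, sport, dport)


def icmp_error_check(icmp_msg, sessions):
    """Verdict for one ICMP message.

    'not-error': not an error type, leave it to normal session handling
    'permit'   : the quoted connection exists (in either direction)
    'drop'     : malformed, or refers to a connection this device never saw
    """
    if not icmp_msg or icmp_msg[0] not in ICMP_ERROR_TYPES:
        return "not-error"
    conn = embedded_connection(icmp_msg)
    if conn is None:
        return "drop"
    src, dst, proto, sport, dport = conn
    reverse = (dst, src, proto, dport, sport)
    return "permit" if conn in sessions or reverse in sessions else "drop"


def build_icmp_error(icmp_type, code, src, dst, proto, sport, dport):
    """Construct a test ICMP error message quoting the given connection."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                           inet_aton(src), inet_aton(dst))
    inner_l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4   # first 8 bytes of the payload
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + inner_l4


# Constructed session table; the tuple mirrors the SSH session in the display output
SESSIONS = {("192.168.1.18", "192.168.1.55", TCP, 1877, 22)}


def demo():
    """Run matching, non-matching and non-error messages through the check."""
    genuine = build_icmp_error(3, 3, "192.168.1.18", "192.168.1.55", TCP, 1877, 22)
    genuine_reverse = build_icmp_error(11, 0, "192.168.1.55", "192.168.1.18", TCP, 22, 1877)
    unrelated = build_icmp_error(3, 3, "192.168.1.18", "192.168.1.55", TCP, 1877, 8080)
    echo_reply = struct.pack("!BBHHH", 0, 0, 0, 1, 1)
    return {
        "genuine": icmp_error_check(genuine, SESSIONS),
        "genuine_reverse": icmp_error_check(genuine_reverse, SESSIONS),
        "unrelated": icmp_error_check(unrelated, SESSIONS),
        "echo_reply": icmp_error_check(echo_reply, SESSIONS),
        "truncated": icmp_error_check(genuine[:20], SESSIONS),
    }


if __name__ == "__main__":
    print(demo())
```

An error that quotes a connection in the table passes in either direction; one that quotes an unrelated connection, or is too short to contain the quoted header, is dropped; echo replies are not error messages and are left to ordinary session handling.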

Examples

# Enable ICMP error message check for ASPF policy 1.

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1] icmp-error drop

Related commands

aspf policy

display aspf policy

reset aspf session

Use reset aspf session to clear ASPF session statistics.

Syntax

In standalone mode:

reset aspf session [ ipv4 | ipv6 ]

In IRF mode:

reset aspf session [ ipv4 | ipv6 ] [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

ipv4: Clears IPv4 ASPF session statistics.

ipv6: Clears IPv6 ASPF session statistics.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears ASPF session statistics for all member devices. (In IRF mode.)

Usage guidelines

If you do not specify the ipv4 keyword or the ipv6 keyword, this command clears all ASPF session statistics.

Examples

# Clear all ASPF session statistics.

<Sysname> reset aspf session

Related commands

display aspf session

tcp syn-check

Use tcp syn-check to enable TCP SYN check.

Use undo tcp syn-check to disable TCP SYN check.

Syntax

tcp syn-check

undo tcp syn-check

Default

TCP SYN check is disabled.

Views

ASPF policy view

Predefined user roles

network-admin

Usage guidelines

TCP SYN check verifies whether the first packet of a TCP connection is a SYN packet. If the first packet is not a SYN packet, ASPF drops it.

When a router attached to the network starts up, the first packet it receives for an existing TCP connection can be a non-SYN packet. If you do not want to interrupt such existing TCP connections, disable TCP SYN check so that the router lets a non-SYN first packet pass and establish the session. After the network topology becomes stable, enable TCP SYN check again.
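The trade-off in the usage guidelines is easiest to see in code. The following is an added example (not H3C code) of a small stateful TCP inspector: a packet that belongs to a known session passes; the first packet of an unknown flow passes only if it is a bare SYN, unless the check is disabled, in which case the router adopts the mid-stream connection. The packet trace is constructed to look like traffic arriving right after a restart and reuses the addresses from the display aspf session output.

```python
"""TCP SYN check behaviour with the check on and off (added example, not H3C code)."""
SYN, ACK = 0x02, 0x10


class TcpSessionTable:
    """Session table keyed on the 4-tuple as seen from the initiator."""

    def __init__(self, syn_check=True):
        self.syn_check = syn_check
        self._sessions = set()
        self.dropped = []

    def _known(self, src, sport, dst, dport):
        return ((src, sport, dst, dport) in self._sessions
                or (dst, dport, src, sport) in self._sessions)

    def inspect(self, src, sport, dst, dport, flags):
        """Return 'permit' or 'drop' for one TCP segment."""
        if self._known(src, sport, dst, dport):
            return "permit"                                  # belongs to an existing session
        if flags & SYN and not flags & ACK:
            self._sessions.add((src, sport, dst, dport))     # proper handshake start
            return "permit"
        if self.syn_check:
            self.dropped.append((src, sport, dst, dport, flags))
            return "drop"                                    # first packet is not a SYN
        # check disabled: adopt the mid-stream connection instead of breaking it
        self._sessions.add((src, sport, dst, dport))
        return "permit"


# Constructed trace seen right after the router restarts: an ACK of a
# connection set up before the restart, then a fresh connection.
TRACE = [
    ("192.168.1.18", 1877, "192.168.1.55", 22, ACK),         # mid-stream, no session yet
    ("192.168.1.55", 22, "192.168.1.18", 1877, ACK),         # reply in the same old connection
    ("192.168.1.18", 1890, "192.168.1.55", 443, SYN),        # new connection starts correctly
    ("192.168.1.55", 443, "192.168.1.18", 1890, SYN | ACK),  # handshake reply, session known
    ("192.168.1.18", 1890, "192.168.1.55", 443, ACK),
]


def run_trace(syn_check):
    """Replay TRACE with the check on or off; return the list of verdicts."""
    table = TcpSessionTable(syn_check=syn_check)
    return [table.inspect(*pkt) for pkt in TRACE]


if __name__ == "__main__":
    print("syn-check enabled :", run_trace(True))
    print("syn-check disabled:", run_trace(False))
```

With the check enabled, both packets of the pre-existing connection are dropped and only the new connection gets through; with the check disabled, the first ACK creates a session and the old connection survives, which is exactly why the guidelines suggest disabling the check temporarily after a restart and re-enabling it once the topology is stable.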

Examples

# Enable TCP SYN check for ASPF policy 1.

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1] tcp syn-check

Related commands

aspf policy
