HP ProCurve 7102dl Reference Manual page 396

SROS Command Line Interface Reference Guide
ip firewall
Use the ip firewall command to enable the SROS security features: access control policies and lists,
Network Address Translation (NAT), and the stateful inspection firewall. Use the no form of this
command to disable all of them.
Note
Disabling the SROS security features (using the no ip firewall command) does not affect
security configuration. All configuration parameters will remain intact, but no security
data processing will be attempted.
Regarding the use of IKE negotiation for VPN with ip firewall enabled, there can be up to
six channel groups with 2-8 interfaces per group. Dynamic protocols are not yet supported
(only static). A physical interface can be a member of only one channel-group.
Syntax Description
No subcommands.
Default Values
By default, all SROS security features are disabled.
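Because the firewall is off until ip firewall is entered, the command is normally the first line of a security configuration, followed by the access lists and policy classes that the firewall will act on. The fragment below is an added illustration, not text from this manual page: the command names (ip access-list extended, ip policy-class, nat source list ... overload, nat destination list, access-policy) and the interface names eth 0/1 and eth 0/2, as well as the addresses, are assumptions and should be checked against the corresponding entries of this guide before use.

```text
! Assumed example configuration (not from this manual page): turn the firewall
! engine on and give each interface a policy class so that processing applies to it.
ip firewall
!
! Access lists are only selectors; they do nothing until a policy class refers to them.
ip access-list extended PRIVATE-OUT
  permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended WEB-SERVER
  permit tcp any host 192.168.1.10 eq www
!
! LAN side: sessions matching PRIVATE-OUT may be initiated and are PAT'ed to the WAN address.
ip policy-class PRIVATE
  nat source list PRIVATE-OUT interface eth 0/2 overload
!
! WAN side: only TCP/80 to the published web server is allowed in, and it is translated.
! Anything not matched by a policy-class entry is discarded (implicit deny).
ip policy-class PUBLIC
  nat destination list WEB-SERVER address 192.168.1.10
!
interface eth 0/1
  ip address 192.168.1.1 255.255.255.0
  access-policy PRIVATE
  no shutdown
interface eth 0/2
  ip address 203.0.113.2 255.255.255.0
  access-policy PUBLIC
  no shutdown
```

Two checks worth doing after entering such a configuration: confirm that every interface that carries traffic has an access-policy assigned (an interface without one is not firewalled at all), and confirm the running configuration with show running-config. Entering no ip firewall afterwards stops all of this processing but, as the note above states, leaves the access lists and policy classes in the configuration, so a later ip firewall re-enables exactly the same policy.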
Functional Notes
This command enables firewall processing for all interfaces with a configured policy class. Firewall
processing consists of the following functions:
Attack Protection: Detects and discards traffic that matches profiles of known networking exploits or
attacks.
Session Initiation Control: Allows only sessions that match traffic patterns permitted by access-control
policies to be initiated through the router.
Ongoing Session Monitoring and Processing: Each session that has been allowed through the router is
monitored for irregularities that match patterns of known attacks or exploits; such traffic is dropped.
If NAT is configured, the firewall also rewrites all traffic belonging to the session according to the
translation rules defined in the NAT access policies. Finally, a session that remains inactive for a
user-specified amount of time is closed by the firewall.
Application Specific Processing: Certain applications need special handling to work correctly in the
presence of a firewall. SROS uses ALGs (application-level gateways) for these applications.
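The four functions above describe a session table keyed on the 5-tuple of the initiating packet: a session may only be created when the first packet is permitted by policy, replies are matched against the reverse tuple, packets matching attack signatures are discarded before any lookup, and idle sessions are aged out. The Python below is an added model of that behaviour written for this page; it is not SROS code and does not show NAT rewriting or ALGs. The rule format, the two attack signatures (land attack and SYN+FIN), the 300-second idle timeout and the packet sequence in run_demo are all constructed for the example.

```python
"""Stateful-inspection session table, modelled after the four firewall functions
described on this page. Added example: not SROS code, rules and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float                          # arrival time in seconds (constructed clock)
    proto: str = "tcp"
    flags: frozenset = frozenset()     # TCP flags present, e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class AllowRule:
    """Session-initiation rule: who may open a session to whom (assumed format)."""
    src_net: str
    dst_net: str
    dport: Optional[int] = None        # None matches any destination port


def rule_matches(rule: AllowRule, p: Packet) -> bool:
    return (ip_address(p.src) in ip_network(rule.src_net)
            and ip_address(p.dst) in ip_network(rule.dst_net)
            and (rule.dport is None or rule.dport == p.dport))


class StatefulFirewall:
    def __init__(self, allow_rules, idle_timeout=300.0):
        self.allow_rules = list(allow_rules)
        self.idle_timeout = idle_timeout
        self.sessions = {}             # 5-tuple of initiating direction -> last activity time

    @staticmethod
    def _fwd(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire_idle(self, now):
        """Inactivity timeout: close sessions with no traffic for idle_timeout seconds."""
        for key, last_seen in list(self.sessions.items()):
            if now - last_seen > self.idle_timeout:
                del self.sessions[key]

    @staticmethod
    def _attack_signature(p):
        """Attack protection: two constructed signatures, checked before any session lookup."""
        if p.src == p.dst and p.sport == p.dport:
            return "land-attack"
        if p.proto == "tcp" and {"SYN", "FIN"} <= p.flags:
            return "invalid-tcp-flags"
        return None

    def process(self, p):
        """Return (verdict, reason) for one packet and update the session table."""
        self._expire_idle(p.ts)
        sig = self._attack_signature(p)
        if sig:
            return ("DROP", sig)
        fwd, rev = self._fwd(p), self._rev(p)
        if fwd in self.sessions:                   # ongoing session, same direction
            self.sessions[fwd] = p.ts
            return ("FORWARD", "established")
        if rev in self.sessions:                   # reply to a session we opened
            self.sessions[rev] = p.ts
            return ("FORWARD", "reply")
        # Session initiation control: a TCP session must start with a bare SYN,
        # and the initiator must be permitted by policy.
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return ("DROP", "no-session")
        if not any(rule_matches(r, p) for r in self.allow_rules):
            return ("DROP", "policy")
        self.sessions[fwd] = p.ts
        return ("FORWARD", "new-session")


def run_demo():
    """Constructed traffic: LAN 192.168.1.0/24 may open TCP/80 sessions anywhere."""
    fw = StatefulFirewall([AllowRule("192.168.1.0/24", "0.0.0.0/0", 80)], idle_timeout=300.0)
    SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    packets = [
        Packet("192.168.1.10", 40000, "203.0.113.5", 80, 0.0, flags=SYN),        # LAN opens session
        Packet("203.0.113.5", 80, "192.168.1.10", 40000, 0.1, flags=SYNACK),     # server replies
        Packet("203.0.113.9", 5555, "192.168.1.10", 22, 1.0, flags=SYN),         # unsolicited inbound
        Packet("198.51.100.7", 1234, "192.168.1.10", 445, 2.0, flags=ACK),       # ACK without session
        Packet("192.168.1.10", 40000, "192.168.1.10", 40000, 3.0, flags=SYN),    # land attack
        Packet("192.168.1.10", 40000, "203.0.113.5", 80, 400.0, flags=ACK),      # after idle timeout
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The last packet is the case practitioners most often trip over: the session was legitimate, but 400 seconds of silence exceeded the idle timeout, so the ACK arrives with no session entry and is treated like any other out-of-state packet. On a real router the fix is a keepalive or a longer timeout for that application, not a wider allow rule.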
The SROS includes several security features to provide controlled access to your network. The following
features are available when security is enabled (using the ip firewall command):
1. Stateful Inspection Firewall
The SROS (and your unit) acts as an application-level gateway and employs a stateful inspection firewall that
protects an organization's network from common attacks including TCP SYN flooding, IP spoofing, ICMP
redirect, land attacks, ping-of-death, and IP reassembly problems. In addition, further security is added with
the Network Address Translation (NAT) and Port Address Translation (PAT) capability.
5991-2114
© Copyright 2007 Hewlett-Packard Development Company, L.P.
Global Configuration Mode Command Set
394

This manual is also suitable for: ProCurve Secure Router 7203dl (J8753A)