ASPF Inspections - HP MSR Series Configuration Manual

HPE FlexNetwork MSR Router Series

Destination zone—The security zone to which the first packet of a traffic flow is destined.
For information about security zones, see the Fundamentals Configuration Guide.

ASPF inspections

This section introduces the basic idea of ASPF inspection on application layer and transport layer
protocols.
Application layer protocol inspection
As shown in Figure 135, ACLs on the edge device deny incoming packets to the internal network.
ASPF application layer protocol inspection allows the return packets of sessions initiated from
the internal network to pass from the external network to the internal network.
Figure 135 Application layer protocol inspection
 
ASPF inspects all application layer sessions as follows:
• For a single-channel protocol, the inspection process is simple. ASPF creates a session entry
immediately after it detects the first packet of the session sent to the external network, and
removes the entry when the connection is terminated. The session entry records the outgoing
packets and their return packets, maintains the session state, and checks that the state
transitions of the session are valid. All packets that match a session entry can pass through
the packet-filter firewall.
• For a multichannel protocol, ASPF creates session entries and one or more associated entries
that tie together the sessions initiated by the same application layer protocol. Associated
entries are created during the protocol negotiation and are removed after the negotiation.
ASPF uses the associated entries to match the first packets of the negotiated sessions. All
packets of the sessions that match the associated entries can pass through the packet-filter
firewall.
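The session-entry and associated-entry behaviour described for single-channel and multichannel protocols, as an added Python illustration. This is not HPE code and not the MSR implementation: the topology (10.0.0.0/24 internal, no NAT), the packet sequence, and the `Aspf`, `Packet` and `parse_port_command` names are assumptions made for the example. It models the FTP active-mode case, where the client announces a port in a `PORT` command and the server connects back inbound, which is exactly the traffic the edge ACLs would otherwise deny. The associated entry is treated as consumed by the first matching packet; that is an assumption consistent with the text above, not a statement about the product's timers.

```python
import re
from dataclasses import dataclass

# Constructed topology for the illustration: 10.0.0.0/24 is the internal network
# behind the edge device; everything else is external. No NAT is modelled.
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    payload: bytes = b""

    def outbound(self) -> bool:
        return self.src.startswith(INTERNAL_PREFIX) and not self.dst.startswith(INTERNAL_PREFIX)

    def key(self) -> tuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> tuple:
        return (self.proto, self.dst, self.dport, self.src, self.sport)


# FTP PORT command: "PORT h1,h2,h3,h4,p1,p2" (RFC 959); data port = p1*256 + p2.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n", re.M)


def parse_port_command(payload: bytes):
    """Return (ip, port) announced by a PORT command, or None if the payload has none."""
    m = PORT_RE.search(payload)
    if not m:
        return None
    fields = [int(m.group(i)) for i in range(1, 7)]
    if any(f > 255 for f in fields):
        return None  # malformed announcement: do not open a pinhole for it
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


class Aspf:
    """Session entries permit both directions of a flow; associated entries are
    one-shot pinholes that admit the first packet of a negotiated data channel."""

    def __init__(self):
        self.sessions: set = set()  # 5-tuples, created on the first outbound packet
        self.assoc: set = set()     # (proto, internal_ip, port), created during negotiation

    def inspect(self, pkt: Packet) -> str:
        if pkt.key() in self.sessions or pkt.reverse_key() in self.sessions:
            self._track_negotiation(pkt)
            return "permit"  # packet belongs to an existing session
        if pkt.outbound():
            self.sessions.add(pkt.key())  # first packet seen outbound: create the session entry
            self._track_negotiation(pkt)
            return "permit"
        pinhole = (pkt.proto, pkt.dst, pkt.dport)
        if pinhole in self.assoc:
            self.assoc.discard(pinhole)  # assumption: consumed once the first packet matches
            self.sessions.add(pkt.key())  # the data channel now has its own session entry
            return "permit"
        return "deny"  # inbound packet with no matching state: the ACL denies it

    def close(self, pkt: Packet) -> None:
        """Connection terminated: remove the session entry for this flow."""
        self.sessions.discard(pkt.key())
        self.sessions.discard(pkt.reverse_key())

    def _track_negotiation(self, pkt: Packet) -> None:
        # Multichannel support: a PORT command on the FTP control channel (dport 21)
        # announces where the server will connect back, so create an associated entry.
        if pkt.dport == 21 and (announced := parse_port_command(pkt.payload)):
            ip, port = announced
            self.assoc.add((pkt.proto, ip, port))


def run_scenario() -> list:
    """Constructed packet sequence; returns the verdict for each packet in order."""
    aspf = Aspf()
    client, web, ftp, attacker = "10.0.0.5", "203.0.113.10", "203.0.113.20", "198.51.100.7"
    http_out = Packet(client, 40000, web, 80)
    http_back = Packet(web, 80, client, 40000)
    ftp_ctl = Packet(client, 40001, ftp, 21, payload=b"PORT 10,0,0,5,4,1\r\n")  # port 1025
    ftp_data = Packet(ftp, 20, client, 1025)
    replay = Packet(ftp, 2000, client, 1025)  # same target port, different source port
    unsolicited = Packet(attacker, 12345, client, 22)

    verdicts = [
        aspf.inspect(http_out),     # permit: single-channel flow, session entry created
        aspf.inspect(http_back),    # permit: return packet matches the session entry
        aspf.inspect(unsolicited),  # deny: no session entry and no associated entry
        aspf.inspect(ftp_ctl),      # permit: control session created, PORT parsed
        aspf.inspect(ftp_data),     # permit: first data-channel packet hits the pinhole
        aspf.inspect(ftp_data),     # permit: data channel now has its own session entry
        aspf.inspect(replay),       # deny: pinhole already consumed, no state for this tuple
    ]
    aspf.close(http_out)
    verdicts.append(aspf.inspect(http_back))  # deny: session entry removed on termination
    return verdicts


if __name__ == "__main__":
    print(run_scenario())
```

The point a practitioner should take from the last two verdicts: the associated entry admits only the first packet of the negotiated channel, and a session entry lives only as long as its connection, so an inbound packet that arrives after the pinhole is consumed or after the session closes is back under the deny ACL.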
The following uses FTP as an example to explain the process of multichannel application layer
protocol inspection.
