To protect the internal network, you can apply an ASPF in the outbound direction of the external
interfaces or in the inbound direction of the internal interfaces of the device.
ASPF inspections
This section introduces the basic idea of ASPF inspection on application layer and transport layer
protocols.
Application layer protocol inspection
As shown in Figure 82, ACLs on the edge device deny incoming packets to the internal network. The ASPF application layer protocol inspection allows return packets from the external network to the internal network.
Figure 82 Application layer protocol inspection
ASPF inspects all application layer sessions as follows:
• For a single-channel protocol, the inspection process is simple. ASPF creates a session entry immediately after it detects the session's first packet sent to the external network, and ASPF removes the entry when the connection is terminated. The session entry helps record outgoing packets and their return packets. It can maintain the session status and determine whether state transitions of the session are correct. All packets that match a session entry can pass through the packet-filter firewall.
• For a multi-channel protocol, ASPF creates session entries, and one or more associated entries to associate the sessions initiated by the same application layer protocol. Associated entries are created during the protocol negotiation and are removed after the negotiation. ASPF uses the associated entries to match the first packets of the sessions. All packets of the sessions matching the associated entries can pass through the packet-filter firewall.
The following uses FTP to explain the process of multi-channel application layer protocol inspection.
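The session-entry and associated-entry logic described above, modelled as a small Python filter. This is an added example written for this page, not H3C code and not the device's actual implementation: it assumes an internal network of 10.0.0.0/8, uses constructed addresses and payloads, handles only the FTP active-mode PORT negotiation, and omits timers and the per-protocol state-transition checks a real ASPF performs. It shows why the inbound deny ACL alone would block the server-initiated FTP data channel, and how an associated entry created during the control-channel negotiation lets exactly that first packet through.

```python
"""Toy ASPF-style stateful filter: session entries plus associated entries
for FTP active mode. Added example, not vendor code; all data is constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal network

# FTP active-mode command the client sends on the control channel:
#   PORT h1,h2,h3,h4,p1,p2   (data port = p1*256 + p2)
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    fin: bool = False  # connection teardown marker


@dataclass
class Aspf:
    # session entries: 5-tuple of the packet that initiated the session
    sessions: set = field(default_factory=set)
    # associated entries: (proto, remote_ip, local_ip, local_port); the remote
    # source port of the coming data connection is unknown, so it is a wildcard
    associated: set = field(default_factory=set)

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _known(self, p):
        # a packet belongs to a session in either direction
        return self._key(p) in self.sessions or self._reverse_key(p) in self.sessions

    def _close(self, p):
        self.sessions.discard(self._key(p))
        self.sessions.discard(self._reverse_key(p))

    def _learn_port_command(self, p):
        # negotiation on the FTP control channel creates an associated entry
        m = PORT_RE.match(p.payload)
        if m:
            h = [g.decode() for g in m.groups()]
            client_ip = ".".join(h[:4])
            client_port = int(h[4]) * 256 + int(h[5])
            self.associated.add((p.proto, p.dst, client_ip, client_port))

    def inspect(self, p):
        """Return True if the packet may pass, False if the ACL denies it."""
        outbound = ipaddress.ip_address(p.src) in INTERNAL_NET
        if outbound:
            if p.fin:
                self._close(p)  # entry removed when the connection ends
                return True
            if not self._known(p):
                self.sessions.add(self._key(p))  # first packet creates the entry
            if p.dport == 21:
                self._learn_port_command(p)
            return True
        # inbound: return traffic of a known session passes ...
        if self._known(p):
            if p.fin:
                self._close(p)
            return True
        # ... and so does the first packet of a negotiated data channel
        assoc = (p.proto, p.src, p.dst, p.dport)
        if assoc in self.associated:
            self.associated.discard(assoc)      # removed once negotiation is done
            self.sessions.add(self._key(p))     # data session gets its own entry
            return True
        return False                            # everything else: ACL deny


def ftp_active_mode_demo():
    """Walk a constructed FTP active-mode exchange through the filter."""
    aspf = Aspf()
    client, server = "10.1.1.5", "203.0.113.7"  # constructed addresses
    v = {}
    # unsolicited inbound connection: no session, no associated entry
    v["unsolicited"] = aspf.inspect(Packet("tcp", server, 4444, client, 8080))
    # client opens the control channel; server reply is return traffic
    v["ctrl_out"] = aspf.inspect(Packet("tcp", client, 40001, server, 21))
    v["ctrl_back"] = aspf.inspect(Packet("tcp", server, 21, client, 40001, b"220 ready"))
    # client announces data port 40002 (156*256 + 66) -> associated entry
    v["port_cmd"] = aspf.inspect(Packet("tcp", client, 40001, server, 21, b"PORT 10,1,1,5,156,66"))
    # server opens the data channel inbound: first packet matches the entry
    v["data_in"] = aspf.inspect(Packet("tcp", server, 20, client, 40002))
    v["data_more"] = aspf.inspect(Packet("tcp", server, 20, client, 40002, b"file bytes"))
    # a second inbound connection to that port is not covered: entry consumed
    v["data_replay"] = aspf.inspect(Packet("tcp", server, 2020, client, 40002))
    # teardown removes the control session; later "return" traffic is denied
    aspf.inspect(Packet("tcp", client, 40001, server, 21, fin=True))
    v["after_close"] = aspf.inspect(Packet("tcp", server, 21, client, 40001))
    return v
```

The data-channel packet in step "data_in" is the case the figure illustrates: it arrives inbound, does not match any existing session, and would be dropped by the inbound ACL, yet it passes because the PORT command on the control channel created an associated entry for it. Consuming the associated entry on first use and dropping session entries on teardown keeps the window for inbound traffic as narrow as the negotiation itself.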