H3C MSR Series Command Reference Manual page 835

Comware 7 security

rsh: Specifies Remote Shell (RSH), an application layer protocol.
rtsp: Specifies Real Time Streaming Protocol (RTSP), an application layer protocol.
sccp: Specifies Skinny Client Control Protocol (SCCP), an application layer protocol.
sip: Specifies Session Initiation Protocol (SIP), an application layer protocol.
smtp: Specifies SMTP, an application layer protocol.
sqlnet: Specifies SQLNET, an application layer protocol.
tftp: Specifies TFTP, an application layer protocol.
xdmcp: Specifies X Display Manager Control Protocol (XDMCP), an application layer protocol.
action: Specifies an action on the packets that do not pass the protocol status validity check. If you
do not specify an action, ASPF does not perform the protocol status validity check, and it only
maintains connection status information.
drop: Drops the packets that do not pass the protocol status validity check.
logging: Generates log messages for packets that do not pass the protocol status validity check.
Usage guidelines
This command is required to ensure successful data connections for multichannel protocols when
either of the following conditions exists:
• The ALG feature is disabled in other service modules (such as NAT).
• Other service modules with the ALG feature (such as DPI) are not configured.
This command is optional for multichannel protocols if ALG is enabled in other service modules or
other service modules with the ALG feature are configured.
Application protocols supported by this command (except HTTP, SMTP, and TFTP) are multichannel
protocols.
Repeat the detect command to configure ASPF inspection for multiple application protocols.
ASPF inspection for transport layer protocols is always enabled and is not configurable. The
supported transport layer protocols include TCP, UDP, UDP-Lite, SCTP, Raw IP, ICMP, ICMPv6, and
DCCP.
This command configures ASPF inspection for application protocols. ASPF inspection supports
protocol status validity check for the following application protocols: DNS, FTP, H323, HTTP, SCCP,
SIP, and SMTP. The device handles packets with invalid protocol status according to the actions you
have specified. To configure protocol status validity check for an application protocol, you must
specify the action keyword.
Examples
# Configure ASPF inspection for FTP packets.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] detect ftp
# Configure ASPF inspection for DNS packets, drop packets that fail protocol status validity check,
and generate log messages for these packets.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] detect dns action drop logging
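An added example (not part of the H3C manual): a Python audit of a saved configuration that reports, for each detect line, whether the protocol status validity check described in the usage guidelines is actually in effect. The sample configuration is constructed, and its layout and the lowercase h323 and http keywords are assumptions.

```python
import re

# Protocols the page lists as supporting the protocol status validity check.
# Lowercase keyword spellings for H323 and HTTP are assumed (named only in prose).
STATUS_CHECK_PROTOCOLS = {"dns", "ftp", "h323", "http", "sccp", "sip", "smtp"}

POLICY_RE = re.compile(r"^aspf policy (\S+)\s*$")
DETECT_RE = re.compile(r"^\s+detect (\S+)(?: action (.+))?\s*$")

# Constructed sample in the indented, "#"-separated layout of a saved configuration.
SAMPLE_CONFIG = """\
#
aspf policy 1
 detect ftp
 detect dns action drop logging
 detect sip action logging
 detect tftp
#
aspf policy 2
 detect smtp action drop
#
"""

def classify(protocol, actions):
    """Map one detect line to what happens to packets with invalid protocol status."""
    if protocol not in STATUS_CHECK_PROTOCOLS:
        return "not-applicable"        # page lists no validity check for it
    if not actions:
        return "state-tracking-only"   # no action keyword: check is not performed
    if "drop" not in actions:
        return "log-only"              # logged, but drop is not configured
    return "drop+log" if "logging" in actions else "drop-no-log"

def audit_aspf(config_text):
    """Return (policy, protocol, finding) for each detect line in an ASPF policy view."""
    findings, policy = [], None
    for line in config_text.splitlines():
        header = POLICY_RE.match(line)
        if header:
            policy = header.group(1)
        elif not line.startswith(" "):
            policy = None              # "#" or another view ends the policy
        elif policy is not None:
            detect = DETECT_RE.match(line)
            if detect:
                actions = set((detect.group(2) or "").split())
                findings.append((policy, detect.group(1), classify(detect.group(1), actions)))
    return findings

if __name__ == "__main__":
    for policy, protocol, finding in audit_aspf(SAMPLE_CONFIG):
        print(f"aspf policy {policy}: detect {protocol:<6} -> {finding}")
```

Lines reported as state-tracking-only or log-only are the ones to review when invalid-status packets are expected to be dropped.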
Related commands
display aspf policy