09-Security Command Reference
09-ASPF commands
ASPF commands
aspf apply policy
Use aspf apply policy to apply an ASPF policy to a zone pair.
Use undo aspf apply policy to remove an ASPF policy application from a zone pair.
Syntax
aspf apply policy aspf-policy-number
undo aspf apply policy aspf-policy-number
Default
The system applies the predefined ASPF policy to a zone pair when the zone pair is created.
Views
Zone pair view
Predefined user roles
network-admin
context-admin
Parameters
aspf-policy-number: Specifies an ASPF policy number. The value range for this argument is 1 to 256.
Usage guidelines
With the predefined policy, ASPF inspects FTP packets and packets of all transport layer protocols, but it performs neither the ICMP error message check nor the TCP SYN packet check.
The predefined ASPF policy cannot be modified. To change the ASPF policy application, define an ASPF policy and apply it to the zone pair.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply an ASPF policy to a zone pair.
<Sysname> system-view
[Sysname] security-zone name trust
[Sysname-security-zone-Trust] import interface gigabitethernet 1/0/1
[Sysname-security-zone-Trust] quit
[Sysname] security-zone name untrust
[Sysname-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Sysname-security-zone-Untrust] quit
[Sysname] zone-pair security source trust destination untrust
[Sysname-zone-pair-security-Trust-Untrust] aspf apply policy 1
Related commands
aspf policy
display aspf all
zone-pair security
aspf icmp-error reply
Use aspf icmp-error reply to enable the device to send ICMP error messages when interzone policies applied to zone pairs drop packets.
Use undo aspf icmp-error reply to restore the default.
Syntax
aspf icmp-error reply
undo aspf icmp-error reply
Default
The device does not send ICMP error messages when the device drops packets that do not match interzone policies applied to zone pairs.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Typically, do not use this command: the ICMP error messages it generates add traffic to the network and tell a sender which of its packets the device dropped.
However, you must use this command when you rely on traceroute through the device, because traceroute depends on those ICMP error messages.
Examples
# Enable ICMP error message sending upon packet dropping by interzone policies applied to zone pairs.
<Sysname> system-view
[Sysname] aspf icmp-error reply
aspf policy
Use aspf policy to create an ASPF policy and enter its view, or enter the view of an existing ASPF policy.
Use undo aspf policy to remove an ASPF policy.
Syntax
aspf policy aspf-policy-number
undo aspf policy aspf-policy-number
Default
No ASPF policies exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
aspf-policy-number: Assigns a number to the ASPF policy. The value range for this argument is 1 to 256.
Examples
# Create ASPF policy 1 and enter its view.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1]
Related commands
display aspf all
display aspf policy
detect
Use detect to configure ASPF inspection for an application layer protocol.
Use undo detect to restore the default.
Syntax
detect { dns [ action { drop | logging } * ] | { ftp | h323 | http | sccp | sip | smtp } [ action drop ] | gtp | ils | mgcp | nbt | pptp | rsh | rtsp | sqlnet | tftp | xdmcp }
undo detect { dns | ftp | gtp | h323 | http | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | smtp | sqlnet | tftp | xdmcp }
Default
ASPF inspects only transport layer protocols and the application layer protocol FTP.
Views
ASPF policy view
Predefined user roles
network-admin
context-admin
Parameters
dns: Specifies DNS, an application layer protocol.
ftp: Specifies FTP, an application layer protocol.
gtp: Specifies GPRS Tunneling Protocol (GTP), an application layer protocol.
h323: Specifies the H.323 protocol suite, a set of application layer protocols.
http: Specifies HTTP, an application layer protocol.
ils: Specifies Internet Locator Service (ILS), an application layer protocol.
mgcp: Specifies Media Gateway Control Protocol (MGCP), an application layer protocol.
nbt: Specifies NetBIOS over TCP/IP (NBT), an application layer protocol.
pptp: Specifies Point-to-Point Tunneling Protocol (PPTP), an application layer protocol.
rsh: Specifies Remote Shell (RSH), an application layer protocol.
rtsp: Specifies Real Time Streaming Protocol (RTSP), an application layer protocol.
sccp: Specifies Skinny Client Control Protocol (SCCP), an application layer protocol.
sip: Specifies Session Initiation Protocol (SIP), an application layer protocol.
smtp: Specifies SMTP, an application layer protocol.
sqlnet: Specifies SQLNET, an application layer protocol.
tftp: Specifies TFTP, an application layer protocol.
xdmcp: Specifies X Display Manager Control Protocol (XDMCP), an application layer protocol.
action: Specifies an action on the packets that do not pass the protocol status validity check. If you do not specify an action, ASPF does not perform the protocol status validity check, and it only maintains connection status information.
drop: Drops the packets that do not pass the protocol status validity check.
logging: Generates log messages for packets that do not pass the protocol status validity check.
Usage guidelines
This command is required for multichannel protocols (so that ASPF can open their dynamically negotiated data connections) when either of the following conditions exists:
· The ALG feature is disabled in other service modules (such as NAT).
· No other service module with the ALG feature (such as DPI) is configured.
This command is optional for multichannel protocols if ALG is enabled in other service modules (such as NAT) or if other service modules with the ALG feature are configured.
Of the application protocols supported by this command, all except HTTP, SMTP, and TFTP are multichannel protocols.
Repeat the detect command to configure ASPF inspection for multiple application protocols.
ASPF inspection for transport layer protocols is always enabled and is not configurable. The supported transport layer protocols are TCP, UDP, UDP-Lite, SCTP, Raw IP, ICMP, ICMPv6, and DCCP.
ASPF inspection supports the protocol status validity check only for DNS, FTP, H.323, HTTP, SCCP, SIP, and SMTP. To enable the check for one of these protocols, you must specify the action keyword; packets that fail the check are then handled according to the action you specify. Without the action keyword, ASPF tracks connection status for the protocol but does not validate it.
Examples
# Configure ASPF inspection for FTP packets.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] detect ftp
# Configure ASPF inspection for DNS packets, and drop and log packets that fail the protocol status validity check.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] detect dns action drop logging
Related commands
display aspf policy
display aspf all
Use display aspf all to display the configuration of all ASPF policies and their applications.
Syntax
display aspf all
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display the configuration of all ASPF policies and their applications.
<Sysname> display aspf all
ASPF policy configuration:
  Policy default:
    ICMP error message check: Disabled
    Inspected protocol    Action
    FTP                   None
  Policy number: 1
    ICMP error message check: Disabled
    TCP SYN packet check: Disabled
    Inspected protocol    Action
    FTP                   None
Zone-pair security application:
  Source Trust destination Untrust
    Apply ASPF policy: default
Table 1 Command output
Field | Description |
---|---|
Policy default | Predefined ASPF policy. |
ICMP error message check | Whether ICMP error message check is enabled. |
TCP SYN packet check | Whether TCP SYN check is enabled. |
Inspected protocol | Protocols to be inspected by ASPF. |
Action | Action on packets that fail the protocol status validity check: Drop (drops the packets), Log (generates log messages for the packets), or None (allows the packets to pass). If the protocol does not support the action configuration, this field displays a hyphen (-). |
Zone-pair security application | Information about ASPF policy application to zone pairs. |
Source XXX destination XXX | Source zone and destination zone of the zone pair. |
Apply ASPF policy | Number of the ASPF policy applied to the zone pair, or default for the predefined policy. |
Related commands
aspf apply policy
aspf policy
display aspf policy
display aspf policy
Use display aspf policy to display the configuration of an ASPF policy.
Syntax
display aspf policy { aspf-policy-number | default }
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
aspf-policy-number: Specifies the number of an ASPF policy. The value range for this argument is 1 to 256.
default: Specifies the predefined ASPF policy.
Examples
# Display the configuration of ASPF policy 1.
<Sysname> display aspf policy 1
ASPF policy configuration:
  Policy number: 1
    ICMP error message check: Disabled
    TCP SYN packet check: Enabled
    Inspected protocol    Action
    FTP                   Drop
    HTTP                  None
    RSH                   -
Table 2 Command output
Field | Description |
---|---|
ICMP error message check | Whether ICMP error message check is enabled. |
TCP SYN packet check | Whether TCP SYN check is enabled. |
Inspected protocol | Protocols to be inspected by ASPF. |
Action | Action on packets that fail the protocol status validity check: Drop (drops the packets), Log (generates log messages for the packets), or None (allows the packets to pass). If the protocol does not support the action configuration, this field displays a hyphen (-). |
Related commands
aspf policy
display aspf session
Use display aspf session to display ASPF sessions.
Syntax
display aspf session [ ipv4 | ipv6 ] [ slot slot-number ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
ipv4: Displays IPv4 ASPF sessions.
ipv6: Displays IPv6 ASPF sessions.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ASPF sessions for all member devices.
verbose: Displays detailed information about ASPF sessions. If you do not specify this keyword, the command displays the brief information about ASPF sessions.
Usage guidelines
If you do not specify the ipv4 keyword or the ipv6 keyword, this command displays all ASPF sessions on the device.
Examples
# Display brief information about IPv4 ASPF sessions.
<Sysname> display aspf session ipv4
Slot 1:
Initiator:
  Source IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: SrcZone
Initiator:
  Source IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: SrcZone
Total sessions found: 2
# Display detailed information about IPv4 ASPF sessions.
<Sysname> display aspf session ipv4 verbose
Slot 1:
Initiator:
  Source IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: SrcZone
Responder:
  Source IP/port: 192.168.1.55/22
  Destination IP/port: 192.168.1.18/1877
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/2
  Source security zone: DestZone
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36  TTL: 28s
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Initiator:
  Source IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: SrcZone
Responder:
  Source IP/port: 192.168.1.55/1792
  Destination IP/port: 192.168.1.18/0
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet1/0/2
  Source security zone: DestZone
State: ICMP_REQUEST
Application: OTHER
Start time: 2011-07-29 19:12:33  TTL: 55s
Initiator->Responder: 1 packets 6048 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 2
Table 3 Command output
Field | Description |
---|---|
Initiator | Session information from initiator to responder. |
Responder | Session information from responder to initiator. |
Source IP/port | Source IP address and port number. |
Destination IP/port | Destination IP address and port number. |
DS-Lite tunnel peer | IP address of the DS-Lite tunnel peer. If the session is not tunneled by DS-Lite, this field displays a hyphen (-). |
VPN instance/VLAN ID/Inline ID | VPN instance: MPLS L3VPN instance in which the session was initiated. VLAN ID: VLAN to which the session belongs during Layer 2 forwarding. Inline ID: inline to which the session belongs during Layer 2 forwarding. If no MPLS L3VPN instance, VLAN ID, or Inline ID applies, a hyphen (-) is displayed for that field. |
Protocol | Transport layer protocol: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in parentheses is the IP protocol number. |
Source security zone | Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-). |
State | Protocol state of the session. |
Application | Application layer protocol, for example FTP or DNS. If the protocol cannot be identified from the port, this field displays OTHER. |
Start time | Time at which the session was established. |
TTL | Remaining lifetime of the session, in seconds. |
Initiator->Responder | Number of packets and bytes from initiator to responder. |
Responder->Initiator | Number of packets and bytes from responder to initiator. |
Related commands
reset aspf session
icmp-error drop
Use icmp-error drop to enable ICMP error message dropping.
Use undo icmp-error drop to disable ICMP error message dropping.
Syntax
icmp-error drop
undo icmp-error drop
Default
ICMP error message dropping is disabled.
Views
ASPF policy view
Predefined user roles
network-admin
context-admin
Usage guidelines
An ICMP error message carries the header of the packet that triggered it, which identifies the connection the error refers to. With ICMP error message dropping enabled, ASPF checks that information against its session table and drops any ICMP error message that does not match an existing connection. This blocks forged ICMP error messages (for example, spoofed destination-unreachable messages) that could otherwise disrupt sessions the sender is not a party to.
Examples
# Enable ICMP error message dropping for ASPF policy 1.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] icmp-error drop
Related commands
aspf policy
display aspf policy
reset aspf session
Use reset aspf session to clear ASPF session statistics.
Syntax
reset aspf session [ ipv4 | ipv6 ] [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
context-admin
Parameters
ipv4: Clears IPv4 ASPF session statistics.
ipv6: Clears IPv6 ASPF session statistics.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears ASPF session statistics for all member devices.
Usage guidelines
If you do not specify the ipv4 keyword or the ipv6 keyword, this command clears all ASPF session statistics.
Examples
# Clear all ASPF session statistics.
<Sysname> reset aspf session
Related commands
display aspf session
tcp syn-check
Use tcp syn-check to enable TCP SYN check.
Use undo tcp syn-check to disable TCP SYN check.
Syntax
tcp syn-check
undo tcp syn-check
Default
TCP SYN check is disabled.
Views
ASPF policy view
Predefined user roles
network-admin
context-admin
Usage guidelines
TCP SYN check verifies that the first packet of a new TCP connection is a SYN packet. If the first packet is not a SYN packet, ASPF drops it.
When a router attached to the network starts up, the first packet it sees for an existing TCP connection can be a non-SYN packet. If you do not want to interrupt such existing connections, disable TCP SYN check so that the router accepts a non-SYN packet as the first packet of a connection. After the network topology stabilizes, enable TCP SYN check again. Leave the check disabled only as long as necessary: while it is disabled, ASPF creates a session for any TCP packet, including packets for connections that the device never saw established.
Examples
# Enable TCP SYN check for ASPF policy 1.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] tcp syn-check
Related commands
aspf policy
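The following worked configuration is an editor's example added to this chapter; it is not taken from the reference itself. It ties together the commands above: it creates an ASPF policy that inspects FTP with the drop action (so the FTP data connection is opened without relying on an ALG in another module, as described under detect), inspects DNS with drop and logging, enables ICMP error message dropping (icmp-error drop) and TCP SYN check (tcp syn-check), applies the policy to a Trust-to-Untrust zone pair, and verifies the result with the display commands. The zone names, interface numbers and policy number 1 are assumptions; the prompts follow the conventions of the examples in this chapter.

```text
# Define the security zones and import the inside and outside interfaces.
# (Zone names and interface numbers are assumed for this example.)
<Sysname> system-view
[Sysname] security-zone name trust
[Sysname-security-zone-Trust] import interface gigabitethernet 1/0/1
[Sysname-security-zone-Trust] quit
[Sysname] security-zone name untrust
[Sysname-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Sysname-security-zone-Untrust] quit
# Create ASPF policy 1. The predefined policy cannot be modified, so a
# user-defined policy is needed for any check beyond plain FTP tracking.
[Sysname] aspf policy 1
# FTP is multichannel: inspecting it lets ASPF open the data connection.
# The drop action also discards FTP packets that fail the status check.
[Sysname-aspf-policy-1] detect ftp action drop
# DNS: drop messages that fail the status check and log them for review.
[Sysname-aspf-policy-1] detect dns action drop logging
# Drop ICMP error messages that do not match an existing session.
[Sysname-aspf-policy-1] icmp-error drop
# Require a SYN as the first packet of every new TCP session.
[Sysname-aspf-policy-1] tcp syn-check
[Sysname-aspf-policy-1] quit
# Apply the policy to the zone pair, replacing the predefined policy that
# was applied automatically when the zone pair was created.
[Sysname] zone-pair security source trust destination untrust
[Sysname-zone-pair-security-Trust-Untrust] aspf apply policy 1
[Sysname-zone-pair-security-Trust-Untrust] quit
# Verify: policy 1 should show both checks Enabled and FTP and DNS with
# Drop, and the Trust-to-Untrust zone pair should reference policy 1.
[Sysname] display aspf policy 1
[Sysname] display aspf all
# Watch live sessions. A TCP session that stays in TCP_SYN_SENT with
# 0 packets from the responder never received an answer.
[Sysname] display aspf session ipv4 verbose
```

Run the two display commands before and after the aspf apply policy step to see the zone pair switch from the predefined policy to policy 1; the display aspf session output is the quickest way to confirm that an FTP data connection was opened by ASPF rather than blocked.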