Configuring interzone ASPF for detecting user-defined protocols through the CLI on the USG6000

The ASPF function of the USG6000 series supports detecting both well-known and user-defined protocols.
When configuring the ASPF function for a user-defined protocol, first define a basic or advanced ACL rule to match the traffic. The rule action must be permit for the device to perform application-layer inspection on the matched traffic. If the rule action is deny, the device does not generate a triplet server-map entry for the traffic, and multi-channel protocol traffic without a triplet server-map entry cannot be forwarded properly.
For example, configure the user-defined ASPF function in the inbound direction of the Trust-Untrust interzone to detect TFTP. Because the control channel port of the TFTP server is UDP port 69, the rule in ACL 3000 matches destination port 69.
[sysname] acl 3000
[sysname-acl-adv-3000] rule permit udp destination-port eq 69
[sysname-acl-adv-3000] quit
[sysname] firewall interzone trust untrust
[sysname-interzone-trust-untrust] detect user-defined 3000 inbound
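The following is an added illustrative model, not Huawei's implementation and not code from this page, of why the ACL action matters: a permit rule on the TFTP control channel lets ASPF record a triplet server-map entry (address, port, protocol) for the client side of the exchange, and that entry is what admits the server's data reply, which arrives from a source port that was never in the ACL. A deny rule creates no entry, so the reply is dropped. The packet fields, addresses and the exact server-map semantics are simplified assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet header (constructed for the example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "udp" or "tcp"


@dataclass(frozen=True)
class AclRule:
    """One advanced ACL rule, e.g. 'rule permit udp destination-port eq 69'."""
    action: str    # "permit" or "deny"
    proto: str
    dst_port: int


def acl_matches(rule: AclRule, pkt: Packet) -> bool:
    """Assumed match semantics: protocol and destination port only."""
    return pkt.proto == rule.proto and pkt.dst_port == rule.dst_port


class UserDefinedAspf:
    """Simplified model of 'detect user-defined <acl> inbound'.

    Only traffic matched by a permit rule is inspected and gets a triplet
    server-map entry; a deny match (or no match) produces no entry.
    """

    def __init__(self, acl_rules):
        self.acl_rules = list(acl_rules)
        # Triplet entries: (dst_ip, dst_port, proto) that return traffic may hit.
        self.server_map = set()

    def inspect_control(self, pkt: Packet) -> bool:
        """Inspect a control-channel packet; return True if an entry was created."""
        for rule in self.acl_rules:
            if not acl_matches(rule, pkt):
                continue
            if rule.action == "permit":
                # TFTP: the server answers from an ephemeral port to the
                # client's (ip, port). Remember that triplet so the reply is
                # accepted whatever source port the server chooses.
                self.server_map.add((pkt.src_ip, pkt.src_port, pkt.proto))
                return True
            return False  # deny: inspection skipped, no server-map entry
        return False

    def allows_data(self, pkt: Packet) -> bool:
        """Data-channel packet is admitted only if a triplet entry covers it."""
        return (pkt.dst_ip, pkt.dst_port, pkt.proto) in self.server_map


def tftp_session(action: str) -> bool:
    """Run one TFTP read request through ASPF configured with the given action.

    Returns whether the server's data reply (random source port) is forwarded.
    """
    aspf = UserDefinedAspf([AclRule(action, "udp", 69)])
    # Constructed sample flow: client 203.0.113.10 (Untrust) -> server 192.0.2.5 (Trust)
    rrq = Packet("203.0.113.10", 40000, "192.0.2.5", 69, "udp")
    aspf.inspect_control(rrq)
    # Server replies from an ephemeral port, not from 69.
    data = Packet("192.0.2.5", 51234, "203.0.113.10", 40000, "udp")
    return aspf.allows_data(data)


if __name__ == "__main__":
    print("permit rule -> data channel forwarded:", tftp_session("permit"))
    print("deny rule   -> data channel forwarded:", tftp_session("deny"))
```

Running the script shows the reply forwarded only for the permit configuration; with deny, the control packet matches but no server-map entry is produced, so the data channel is silently dropped even though the control channel looked fine.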