Configure the ASPF firewall on an AR router

The application specific packet filter (ASPF) firewall detects and filters FTP, HTTP, SIP, and RTSP packets at the application layer.
The ASPF firewall is stateful: it tracks application layer session information for traffic that attempts to cross the firewall and drops packets that do not match the session state or the configured rules.
After ActiveX Blocking is configured, the ASPF blocks ActiveX controls transmitted over HTTP, preventing users from installing insecure or malicious controls. After Java Blocking is configured, the ASPF blocks requests that fetch programs containing Java applets from web pages.
In the system view:
1. Run the firewall interzone zone-name1 zone-name2 command to access the interzone view.
2. In V200R006 and earlier versions, run the detect aspf { all | ftp | http [ activex-blocking | java-blocking ] | rtsp | sip } command to configure the ASPF firewall.
In V200R007, run the detect aspf { ftp | rtsp | sip } command to configure the ASPF firewall.
Most application layer protocols involve bidirectional interaction. ASPF configuration is therefore direction-independent: the router automatically tracks the state of both inbound and outbound packets.
By default, the ASPF firewall is not configured for an interzone.
3. Check the configuration result.
Run the display firewall interzone [ zone-name1 zone-name2 ] command to query ASPF information about the interzone.
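The following CLI session, added here as an example and not taken from the Huawei documentation, walks through the procedure above for an interzone between two zones using the V200R006-and-earlier syntax. The zone names, priorities, interface names, and the `zone` (interface view) and `firewall enable` (interzone view) commands are assumptions not stated on this page; `detect aspf` and `display firewall interzone` are the commands the page describes.

```text
# Added example, not from the original page. Zone names, priorities,
# interface names and the "zone"/"firewall enable" commands are assumptions.
<Huawei> system-view
# Create a higher-priority inside zone and a lower-priority outside zone
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 15
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
# Assign one interface to each zone
[Huawei] interface GigabitEthernet0/0/1
[Huawei-GigabitEthernet0/0/1] zone trust
[Huawei-GigabitEthernet0/0/1] quit
[Huawei] interface GigabitEthernet0/0/2
[Huawei-GigabitEthernet0/0/2] zone untrust
[Huawei-GigabitEthernet0/0/2] quit
# Step 1: enter the interzone view for the two zones
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
# Step 2 (V200R006 and earlier): stateful inspection of FTP, plus HTTP with
# Java Blocking so applet downloads from web pages are dropped
[Huawei-interzone-trust-untrust] detect aspf ftp
[Huawei-interzone-trust-untrust] detect aspf http java-blocking
[Huawei-interzone-trust-untrust] quit
# Step 3: verify the ASPF settings for this interzone
[Huawei] display firewall interzone trust untrust
```

On V200R007, replace the two `detect aspf` lines with `detect aspf ftp` only, because the HTTP, ActiveX Blocking and Java Blocking options are not available in that version according to the procedure above.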

Other related questions:
Which protocols does the ASPF firewall of an AR router support?
The ASPF firewall of an AR router supports the following protocols:
- File Transfer Protocol (FTP)
- Hyper Text Transport Protocol (HTTP)
- Internet Control Message Protocol (ICMP)
- Session Initiation Protocol (SIP)
- Real Time Streaming Protocol (RTSP)
- Transmission Control Protocol (TCP)
- Trivial File Transfer Protocol (TFTP)
- User Datagram Protocol (UDP)

Configure security features of a virtual firewall on an AR router
The procedure for configuring security features on a virtual firewall is the same as for a common firewall. Each virtual firewall is deployed separately to meet its own firewall service requirements. Security features that can be configured include: packet filtering firewall, ASPF, port mapping, session table aging time, and attack defense. Before configuring the following features, specify a VPN instance: manually adding a blacklist/whitelist and configuring ICMP/SYN/UDP flooding defense. The configured features take effect only for the virtual firewall that corresponds to the specified VPN instance. For details about the commands for configuring security features of a virtual firewall, see the URL: The AR router configures the security features of the virtual firewall.

Configure VPN instances on an AR router to configure virtual firewalls
A virtual firewall is implemented by configuring a VPN instance; each VPN instance corresponds to one virtual firewall. Before configuring a virtual firewall, create a VPN instance and then bind an interface to it. Interfaces bound to the same VPN instance belong to the same virtual firewall, and security policies can be deployed separately for each virtual firewall.
Operation procedure:
1. Run the system-view command to access the system view.
2. Run the ip vpn-instance vpn-instance-name command to create a VPN instance and access the VPN instance view.
3. (Optional) Run the description description-information command to record descriptive information for the VPN instance.
4. Run the route-distinguisher route-distinguisher command to configure a route distinguisher for the VPN instance. After a VPN instance is created, a route distinguisher must be specified; otherwise, subsequent configuration cannot be performed.
5. Run the interface interface-type interface-number command to access the interface view.
6. Run the ip binding vpn-instance vpn-instance-name command to bind the interface to the VPN instance. Bind the interface to the VPN instance before configuring an IP address on it; otherwise, the configured IP address is deleted when the binding is applied and must be reconfigured.
7. Run the ip address ip-address { mask | mask-length } command to configure an IP address for the interface.
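The following session, added as an example and not taken from the Huawei documentation, carries out the VPN instance procedure above in the order that avoids the IP address being deleted (binding first, address second). The instance name, description, route distinguisher, interface name and IP address are constructed values.

```text
# Added example, not from the original page. All names and values are constructed.
<Huawei> system-view
# Steps 2-4: create the VPN instance that backs the virtual firewall and give it
# a route distinguisher (required before any further configuration)
[Huawei] ip vpn-instance fw_vpn1
[Huawei-vpn-instance-fw_vpn1] description virtual-firewall-1
[Huawei-vpn-instance-fw_vpn1] route-distinguisher 100:1
[Huawei-vpn-instance-fw_vpn1] quit
# Steps 5-7: bind the interface to the instance BEFORE assigning its address;
# binding afterwards would remove an existing address
[Huawei] interface GigabitEthernet0/0/1
[Huawei-GigabitEthernet0/0/1] ip binding vpn-instance fw_vpn1
[Huawei-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[Huawei-GigabitEthernet0/0/1] quit
```

A second virtual firewall is built the same way with a different instance name and route distinguisher; interfaces bound to different instances are isolated from each other and get their own security policies.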

Configure the basic firewall functions on an AR router
The basic firewall functions of an AR router include: creating a security zone and adding interfaces to the security zone, creating an interzone and enabling the firewall functions in the interzone, configuring the session table aging time, and checking the configuration result. For details about the configuration, see the following content:
- [Creating a security zone and adding interfaces into the security zone on an AR router] Create a security zone and add interfaces into the security zone on an AR router.
- [Enabling the firewall functions on an AR router] Enable the firewall functions on an AR router.
- [Configuring session table aging time of the firewall on an AR router] Configure the session table aging time of the firewall on an AR router.
For details about configuring basic firewall functions on AR series routers, see the URL: AR router configuration firewall basic functions.

Configure VRRP on an AR router and connect the router to a firewall for external network access
The roadmap for configuring VRRP on an AR router and connecting the router to a firewall for external network access is as follows:
1. Configure VRRP on the AR routers to implement two-node backup, and configure a virtual IP address.
2. Add the Layer 2 interface of the firewall on the intranet side to the same VLAN, and configure a VLANIF address.
3. Add the physical interface and VLANIF interface of the firewall to a security zone, and configure an inter-zone policy.
4. Configure the next hop of the route from the firewall to the intranet as the VRRP virtual IP address, so that traffic switches over to the standby link if the active link is interrupted.
For details about the configuration, see the URL: Example for Connecting the AR to the Firewall Through VRRP.
