Configuring global ASPF through the CLI on the USG6000


To simplify configuration, the USG6000 series supports a global ASPF function. Enabling global ASPF is equivalent to enabling both the interzone and the intrazone ASPF functions. The global ASPF function and the interzone/intrazone ASPF functions are logically ORed: traffic is inspected if either is enabled for the protocol. Select one of them as required.
For example, configure the global ASPF function to detect FTP traffic.
system-view
[sysname] firewall detect ftp

Other related questions:
Configuring intrazone ASPF through the CLI on the USG6000
The USG6000 series supports configuring the intrazone ASPF function through the CLI. For example, enable the ASPF function for the FTP protocol in the Trust zone.
system-view
[sysname] firewall zone trust
[sysname-zone-trust] detect ftp
The protocol types that can be detected in the intrazone view include DNS, FTP, H.323, ILS, MGCP, MMS, MSN, NetBIOS, PPTP, QQ, RTSP, SIP, and SQL.NET.

Configuring global NAT ALG through the CLI on the USG6000
To simplify configuration, the USG6000 series supports a global NAT ALG function. Enabling global NAT ALG is equivalent to enabling both the interzone and the intrazone NAT ALG functions. The global NAT ALG function and the interzone/intrazone NAT ALG functions are logically ORed. Select one of them as required. For example, configure the global NAT ALG function to detect FTP traffic.
system-view
[sysname] firewall detect ftp

Configuring interzone ASPF for detecting well-known protocols through the CLI on the USG6000
The USG6000 series supports configuring interzone ASPF through the CLI. When packets of a multi-channel protocol must be forwarded between zones, configure ASPF in the corresponding interzone. The same detect command enables both the ASPF function and the NAT ALG function, so if ASPF is already configured in an interzone, no extra configuration is required for NAT ALG. For example, enable the ASPF function for the FTP protocol in the interzone between the Trust zone and the Untrust zone.
system-view
[sysname] firewall interzone trust untrust
[sysname-interzone-trust-untrust] detect ftp
For details, see the USG6000 series product documentation.

Configuring interzone ASPF for detecting user-defined protocols through the CLI on the USG6000
The ASPF function of the USG6000 series supports detecting both well-known and user-defined protocols. When configuring ASPF for a user-defined protocol, first define a basic or advanced ACL rule to match the traffic. The action in the rule must be permit for the device to perform application-layer inspection on the traffic. If the rule action is deny, the device does not generate the triplet server-map entry for the traffic, and multi-channel protocol traffic without a triplet server-map entry cannot be forwarded properly. For example, configure the user-defined ASPF function in the inbound direction of the Trust-Untrust interzone to detect the TFTP protocol. Because the control channel port of the TFTP server is 69, the port matched in ACL 3000 is 69.
system-view
[sysname] acl 3000
[sysname-acl-adv-3000] rule permit udp destination-port eq 69
[sysname-acl-adv-3000] quit
[sysname] firewall interzone trust untrust
[sysname-interzone-trust-untrust] detect user-defined 3000 inbound
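As an added example (not from Huawei's documentation or the USG6000 itself), the following Python script audits a saved configuration for the caveat above: every ACL referenced by a detect user-defined command must exist and contain at least one permit rule, because a deny action means no triplet server-map entry is generated and the multi-channel traffic is silently not inspected. The configuration text is constructed to resemble the CLI layout shown on this page; the regular expressions and the assumption that an "acl" or "firewall interzone" view ends at a "#" line are assumptions of this script, not documented device behaviour.

```python
import re

# Constructed sample configuration in the USG6000 CLI layout shown above.
# It is NOT real device output: ACL 3000 is correct, ACL 3001 only denies,
# and ACL 3002 is referenced but never defined.
SAMPLE_CONFIG = """\
#
acl 3000
 rule 5 permit udp destination-port eq 69
#
acl 3001
 rule 5 deny udp destination-port eq 69
#
firewall detect ftp
#
firewall interzone trust untrust
 detect ftp
 detect user-defined 3000 inbound
 detect user-defined 3001 outbound
 detect user-defined 3002 inbound
#
"""

# Assumed line layouts: "acl 3000" or "acl number 3000" opens an ACL view,
# "rule [n] permit|deny ..." is a rule, "firewall interzone/zone ..." opens
# the view in which "detect user-defined <acl> [inbound|outbound]" appears.
ACL_HEADER = re.compile(r"^acl (?:number )?(\d+)\b")
ACL_RULE = re.compile(r"^\s+rule (?:\d+ )?(permit|deny)\b")
CONTEXT = re.compile(r"^firewall (?:interzone|zone) .+")
DETECT_UD = re.compile(r"^\s+detect user-defined (\d+)(?: (inbound|outbound))?")


def parse_acls(config):
    """Map each ACL number to the list of rule actions it contains, in order."""
    acls = {}
    current = None
    for line in config.splitlines():
        if line.startswith("#"):          # a '#' line ends the current view
            current = None
            continue
        m = ACL_HEADER.match(line)
        if m:
            current = int(m.group(1))
            acls.setdefault(current, [])
            continue
        m = ACL_RULE.match(line)
        if m and current is not None:
            acls[current].append(m.group(1))
    return acls


def find_user_defined_detects(config):
    """Return (view, acl_number, direction) for each 'detect user-defined' line."""
    found = []
    view = None
    for line in config.splitlines():
        if line.startswith("#"):
            view = None
        elif CONTEXT.match(line):
            view = line.strip()
        else:
            m = DETECT_UD.match(line)
            if m and view is not None:
                found.append((view, int(m.group(1)), m.group(2)))
    return found


def audit(config):
    """List user-defined ASPF bindings whose ACL cannot yield a server-map entry."""
    acls = parse_acls(config)
    findings = []
    for view, acl_num, direction in find_user_defined_detects(config):
        where = f"{view} / detect user-defined {acl_num} {direction or ''}".rstrip()
        actions = acls.get(acl_num)
        if actions is None:
            findings.append(f"{where}: ACL {acl_num} is undefined")
        elif "permit" not in actions:
            findings.append(f"{where}: ACL {acl_num} has no permit rule, so no triplet "
                            "server-map entry is generated and the traffic is not inspected")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no problems found"]:
        print(finding)
```

Running the script prints one finding for ACL 3001 (deny only) and one for ACL 3002 (undefined); ACL 3000, which mirrors the TFTP example above, passes. Feed it the output of the device's saved configuration to check every interzone in one pass.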

Configuring intrazone NAT ALG through the CLI on the USG6000
The USG6000 series supports configuring intrazone NAT ALG through the CLI. For example, enable the NAT ALG function for the FTP protocol in the Trust zone.
system-view
[sysname] firewall zone trust
[sysname-zone-trust] detect ftp
For details, see the USG6000 series product documentation.
