03-Firewall Configuration


Firewall Configuration Security Volume

Operation Manual Table of Contents

Table of Contents

1 Firewall Configuration                                            1-1
  Firewall Overview                                                 1-2
    Packet Filtering Firewall                                       1-2
    ASPF                                                            1-3
  Configuring a Packet Filter Firewall                              1-7
    Packet Filtering Firewall Configuration Task List               1-7
    Enabling the Firewall Function                                  1-7
    Configuring the Default Filtering Action of the Firewall        1-8
    Enabling Fragment Inspection                                    1-9
    Configuring the High and Low Watermarks for Fragment Inspection 1-10
    Configuring Packet Filtering on an Interface                    1-11
    Configuring Ethernet Frame Filtering                            1-12
    Displaying and Maintaining a Packet Filtering Firewall          1-13
    Packet Filtering Firewall Configuration Example                 1-13
  Configuring an ASPF                                               1-15
    ASPF Configuration Task List                                    1-15
    Enabling the Firewall Function                                  1-15
    Configuring an ASPF Policy                                      1-16
    Applying an ASPF Policy to an Interface                         1-17
    Enabling the Session Logging Function for ASPF                  1-17
    Configuring Port Mapping                                        1-18
    Displaying and Maintaining an ASPF                              1-18
    ASPF Configuration Example I                                    1-19
    ASPF Configuration Example II                                   1-21

Huawei Proprietary and Confidential i


Copyright © Huawei Technologies Co., Ltd

Support for some features varies by router model, as shown below.


Support of the AR series routers for features:

Feature                                                             AR 19-1X/19-0X   AR 19   AR 29   AR 49
Configuring a packet filter firewall
  Enabling fragment inspection                                      Yes              Yes     Yes     Yes
  Configuring the high and low watermarks for fragment inspection   Yes              Yes     Yes     Yes
  Configuring IPv6 packet filtering on an interface                 Yes              Yes     Yes     Yes
  Configuring Ethernet frame filtering                              Yes              Yes     Yes     Yes
Configuring an ASPF
  Enabling the session logging function for ASPF                    Yes              Yes     Yes     Yes
  Configuring port mapping                                          Yes              Yes     Yes     Yes

• For command support information, refer to the command manual of this module.
• All the models of the AR series routers are centralized devices.
• Refer to the AR Series Routers Interface Card and Interface Module Manual for interface support
of the AR series routers.

1 Firewall Configuration

The term "router" in this document refers to a router in a generic sense or a Layer 3 switch running a
routing protocol.

When configuring a firewall, go to these sections for information you are interested in:


• Firewall Overview
• Configuring a Packet Filter Firewall
• Configuring an ASPF

Firewall Overview

A firewall can block unauthorized access from the Internet to a protected network while allowing
internal network users to access the Internet through WWW or to send/receive e-mails. A firewall can
also be used to control access to the Internet, for example, to permit only specific hosts within the
organization to access the Internet. Many of today's firewalls offer other features as well, such as identity
authentication and security processing (encryption) of information.
Another application of a firewall is to protect mainframes and important resources (such as data) on the
internal network. Any access to protected data must first be filtered by the firewall, even if such an
access is initiated by a user within the internal network.
Presently, the device mainly implements three categories of firewalls:
• Access control list (ACL) based packet filtering,
• Application Specific Packet Filter (ASPF),
• Address translation.

For details about address translation, refer to NAT Configuration in the Security Volume. This chapter
will focus on ACL-based packet filtering firewall and ASPF.

Packet Filtering Firewall

Introduction to Packet Filtering Firewall

A packet filtering firewall implements IP packet specific filtering. For each IP packet to be forwarded, the
firewall first obtains the header information of the packet, including the number of the upper layer
protocol carried by the IP layer, the source address, destination address, source port number, and
destination port number of the packet. Then, it compares the obtained header information against the
preset ACL rules and processes the packet according to the comparison result.

Support for fragment filtering

Support for this feature depends on the device model.

The current packet filtering firewall supports fragment inspection and filtering. It checks:

• Packet type, which can be non-fragmented packet, first fragment, or non-first fragment.
• Layer 3 information of the packet, for matching against basic ACL rules and advanced ACL rules
without information of Layer 3 and above.
• Upper layer information, for matching against advanced ACL rules containing information of Layer
3 and above.
For advanced ACL rules that provide for exact match, the packet filtering firewall needs to record the
information of Layer 3 and above carried in each first fragment. When subsequent fragments arrive, the
firewall uses the saved information to implement exact match with each match condition of an ACL rule.
If exact match is enabled, the efficiency of packet filtering declines slightly. The more match items there
are, the lower the packet filtering efficiency. So, you can specify a high watermark value to limit the
maximum number of match entries to be processed by the firewall.

For details about ACL, refer to ACL Configuration in the Security Volume.

ASPF

A packet filtering firewall is a static firewall. Presently, a packet filtering firewall cannot solve the
following issues:
• For multi-channel application layer protocols, such as File Transfer Protocol (FTP) and H.323, the
values of some security policy parameters are unpredictable.
• Some attacks from the transport layer and application layer, such as TCP SYN flooding and
malicious Java applets, cannot be detected.
• ICMP attacks cannot be prevented because some faked ICMP error messages from the network
cannot be recognized.
• For a TCP connection, the first packet must be a SYN packet; any non-SYN packet that is the first
packet over the TCP connection is dropped. In this scenario, if a packet filtering firewall is deployed in
a network, the non-SYN packets of existing TCP connections passing the firewall for the first time will
be dropped, breaking the existing TCP connections.
ASPF was proposed to address these issues. An ASPF implements application layer and transport
layer specific, namely state-based, packet filtering. An ASPF can detect application layer protocols
including FTP, Hyper Text Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Real Time
Streaming Protocol (RTSP), and H.323 (Q.931, H.245, and RTP/RTCP), and transport layer protocols
TCP and UDP.

ASPF functions

An ASPF provides the following main functions:


• An ASPF can check the application layer information of packets, such as the protocol type and port
number, and monitor the connection-oriented application layer protocol status. It maintains the
status information of each connection, and based on such information, determines whether to
permit a packet to go through the firewall into the internal network, thus defending the internal
network against attacks.
• An ASPF supports transport layer protocol information detection, namely general TCP and UDP
detection. It can determine whether to permit a TCP/UDP packet to pass through the firewall and
get into the internal network based on the packet's source and destination addresses and port
numbers.
Other functions of an ASPF:
• In addition to filtering packets based on connection status, an ASPF can also inspect the contents
of application layer packets, and perform Java blocking for untrusted sites, protecting the network
against malicious Java applets.
• An ASPF supports enhanced session logging. It can record the information of each connection,
including the duration, source and destination addresses and port numbers of the connection, and
number of bytes transmitted.
• An ASPF supports Port to Application Mapping (PAM), allowing you to specify port numbers other
than the standard ones for application layer protocols.
• An ASPF supports ICMP error message inspection. A normal ICMP error message carries
information about the corresponding connection. If the information does not match the connection,
the ASPF will, for example, discard the packet as configured.
• An ASPF supports first packet inspection for TCP connections. If the first packet over a TCP
connection is not a SYN packet, the ASPF will, for example, discard the packet as configured.
At the border of a network, an ASPF can work in coordination with a packet filtering firewall to provide
the network with a security policy that is more comprehensive and better satisfies the actual needs.

Support for Java blocking depends on the device model.

Basic concepts of ASPF

1) Java blocking
Java blocking is a feature for blocking malicious Java applets, which are transported by HTTP. With the
Java blocking feature enabled, when a user attempts to get a program containing Java applets from a
Web page, the ASPF will process the response, so as to block the Java applets.
2) PAM
While application layer protocols use the standard port numbers for communication, PAM allows you to
define a set of new port numbers for different applications, and provides some mechanisms for you to
maintain and use the configuration information of the user-defined ports.
PAM supports two types of port mapping mechanisms: general port mapping and host port mapping.


• General port mapping: A mapping of a user-defined port number to an application layer protocol. If
port 8080 is mapped to HTTP, for example, all TCP packets to port 8080 are regarded as HTTP
packets.
• Host port mapping: A mapping of a user-defined port number to an application layer protocol for
packets to/from specific hosts. For example, you can establish a host port mapping so that all TCP
packets using 8080 as the destination port and 10.110.0.0/16 as the destination network segment
are regarded as HTTP packets. The hosts can be specified by means of a basic ACL.
3) Single-channel protocol and multi-channel protocol
• Single-channel protocol: A single-channel protocol establishes only one channel to exchange both
control messages and data for a user. SMTP and HTTP are examples of single-channel protocols.
• Multi-channel protocol: A multi-channel protocol establishes more than one channel for a user and
transfers control messages and user data through different channels. FTP and RTSP are
examples of multi-channel protocols.
4) Internal interface and external interface
On an edge device configured with ASPF to protect servers on the internal network, interfaces
connected with the internal network are internal interfaces while the interface connected with the
Internet is the external interface.
When an ASPF is applied on the outbound direction of the external interface of a device, a temporary
channel can be opened on the firewall for return packets to internal network users accessing the
Internet.

Basic idea of application layer protocol detection

Figure 1-1 Basic idea of application layer protocol detection

As shown above, to protect the internal network, an ACL is usually required on the router to permit
internal hosts to access external networks while prohibiting hosts on external networks from accessing
the internal network. However, the ACL will also filter out the return packets to internal users, thus failing
the connection setup attempts.
For a device with a single-core CPU:
After application layer protocol detection is enabled on the device, the ASPF can detect each
application layer session and create a status entry and a temporary access control list (TACL) for the
session. For a multi-channel protocol, a TACL will also be created for data channels.


• The status entry is created when ASPF detects the session's first packet sent to the Internet, and is
used to maintain the status of the session at different points of time and to determine whether state
transitions of the session are correct.
• The TACL is created at the same time the status entry is created, and is deleted at the end of the
session. It is equivalent to a permit statement in an extended ACL. The TACL is mainly used to
match all the return packets of the session, and can set up a temporary return channel on the
external interface of the firewall for packets returned by the application.
An example of FTP detection is used in the following paragraphs to explain the process of multi-channel
application layer protocol detection.
Figure 1-2 Network diagram for FTP detection

As shown in Figure 1-2, FTP connections are established in the following process:
1) The FTP client initiates an FTP control connection from port 1333 to port 21 of the FTP server.
2) As a result of negotiation, the server initiates a data connection from port 20 to port 1600 of the
client.
3) When data transmission gets timed out or ends, the data connection is removed.
Here is how ASPF implements FTP detection during the FTP connection lifetime:
1) The ASPF checks IP packets on the outbound interface to identify TCP-based FTP packets.
2) Based on the port number, the ASPF determines whether a connection is a control connection and,
if yes, creates a TACL for returned packets and a status entry.
3) The ASPF checks each FTP control connection packet, analyzes the FTP instruction, and updates
the status entry based on the instruction. If the packet contains a data channel setup instruction,
the ASPF creates a TACL for the data connection. For a data connection, the ASPF does not
perform status detection.
4) For returned control connection packets, the ASPF first matches these packets against the control
connection TACL, and then checks their application status based on the application type, and
determines whether to permit the packets to pass according to the results of the match checks. For
returned data connection packets, the ASPF only performs the data connection TACL match.
5) When the FTP connection is removed, the ASPF removes the status entry and TACL accordingly.
The detection process for a single-channel protocol (such as SMTP and HTTP) is relatively simple: a
TACL is created at the connection initiation and is deleted when the connection is removed.
For a device with a multi-core CPU:
ASPF implements the application layer protocol detection function in cooperation with the session
management and Application Level Gateway (ALG) features. After detecting the first packet of a
session, ASPF matches the packet with the configured policy and sends the result to the session
management feature, which is responsible for session information database establishment and session
status maintenance. Then, the ASPF processes subsequent packets of the session based on session
status information returned by the session management feature.
For details about session management and ALG, refer to Session Management Configuration and ALG
Configuration in the Security Volume.

Basic idea of transport layer protocol detection

The transport layer protocol detection here refers to general TCP/UDP detection. Different from
application layer protocol detection, general TCP/UDP detection is specific to the transport layer
information in the packets, such as source and destination addresses and port number. General
TCP/UDP detection requires a full match between the packets returned to the external interface of the
ASPF and the packets previously sent out from the external interface of ASPF, namely a perfect match
of the source and destination address and port number; otherwise, the return packets will be blocked.
Therefore, for multi-channel application layer protocols like FTP and H.323, the deployment of TCP
detection without application layer detection will lead to failure of establishing a data connection.
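To make the FTP detection steps above and the transport layer detection limitation concrete, here is a constructed Python model (an added example, not Huawei's implementation): outbound TCP connections get a status entry and a TACL for the exact reverse 4-tuple, FTP application inspection parses the PORT command to open a data-channel TACL, and switching application inspection off reproduces the case where general TCP detection alone blocks the server's data connection. The addresses 10.0.0.5 and 192.0.2.10 and the names Packet, Session and FtpAspf are this example's own; the ports follow Figure 1-2.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of ASPF FTP detection (not Huawei's implementation).
# Convention: "out" packets leave the external interface towards the Internet,
# "in" packets are return traffic that the static ACL would otherwise deny.

@dataclass
class Packet:
    direction: str          # "out" or "in"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # simplified TCP flags: "SYN", "FIN" or ""
    payload: str = ""       # FTP command text (control channel only)

# A TACL is the exact 4-tuple (src, sport, dst, dport) of a permitted return packet.
Tacl = Tuple[str, int, str, int]

@dataclass
class Session:
    state: str                                  # "SYN_SENT" -> "ESTABLISHED"
    tacls: List[Tacl] = field(default_factory=list)
    data_tacl: Optional[Tacl] = None            # opened by FTP PORT negotiation

class FtpAspf:
    FTP_CONTROL_PORT = 21

    def __init__(self, app_inspection: bool = True) -> None:
        # app_inspection=False models general TCP detection without FTP inspection
        self.app_inspection = app_inspection
        self.sessions: Dict[Tuple[str, int, str, int], Session] = {}

    def process(self, p: Packet) -> str:
        return self._outbound(p) if p.direction == "out" else self._inbound(p)

    def _outbound(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        sess = self.sessions.get(key)
        if sess is None:
            # first packet inspection: a TCP connection must start with a SYN
            # (the page says the action is configurable; modelled here as discard)
            if "SYN" not in p.flags:
                return "deny"
            # status entry plus control TACL permitting the exact reverse 4-tuple
            self.sessions[key] = Session("SYN_SENT", [(p.dst, p.dport, p.src, p.sport)])
            return "permit"
        if sess.state == "SYN_SENT":
            sess.state = "ESTABLISHED"
        # FTP application inspection: "PORT h1,h2,h3,h4,p1,p2" announces the client
        # address and port (p1*256+p2) that the server will connect to from port 20
        if (self.app_inspection and p.dport == self.FTP_CONTROL_PORT
                and p.payload.startswith("PORT ")):
            parts = p.payload[5:].split(",")
            host = ".".join(parts[:4])
            port = int(parts[4]) * 256 + int(parts[5])
            sess.data_tacl = (p.dst, 20, host, port)   # no status detection for data
        if "FIN" in p.flags:
            # control connection closed: status entry and TACLs are removed
            del self.sessions[key]
        return "permit"          # outbound traffic is allowed by the static ACL

    def _inbound(self, p: Packet) -> str:
        # return packets must hit a TACL; everything else falls to the static deny
        four = (p.src, p.sport, p.dst, p.dport)
        for sess in self.sessions.values():
            if four in sess.tacls or four == sess.data_tacl:
                return "permit"
        return "deny"

def run_ftp_scenario(app_inspection: bool = True) -> List[str]:
    """Constructed active-mode FTP session: client 10.0.0.5:1333 -> server 192.0.2.10:21,
    then server 192.0.2.10:20 -> client 10.0.0.5:1600 for data (ports as in Figure 1-2)."""
    aspf = FtpAspf(app_inspection)
    c, s = "10.0.0.5", "192.0.2.10"
    pkts = [
        Packet("in", s, 21, c, 1333, "SYN"),                      # unsolicited: denied
        Packet("out", c, 1333, s, 21, "SYN"),                     # control SYN: entry + TACL
        Packet("in", s, 21, c, 1333, "SYN"),                      # SYN-ACK matches the TACL
        Packet("in", s, 20, c, 1600, "SYN"),                      # data before PORT: denied
        Packet("out", c, 1333, s, 21, "", "PORT 10,0,0,5,6,64"),  # 6*256+64 = 1600
        Packet("in", s, 20, c, 1600, "SYN"),                      # data channel: needs app inspection
        Packet("in", s, 20, c, 1601, "SYN"),                      # wrong port: denied
        Packet("out", c, 1333, s, 21, "FIN"),                     # control closes: entry removed
        Packet("in", s, 21, c, 1333, ""),                         # late packet: denied
    ]
    return [aspf.process(p) for p in pkts]
```

With application inspection the sixth packet (the server's data connection) is permitted; with general TCP detection only it is denied, which is the failure the text describes for multi-channel protocols.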

Configuring a Packet Filter Firewall


Packet Filtering Firewall Configuration Task List

Complete the following tasks to configure a packet filter firewall:

Task                                                              Remarks
Enabling the Firewall Function                                    Required
Configuring the Default Filtering Action of the Firewall          Optional
Enabling Fragment Inspection                                      Optional
Configuring the High and Low Watermarks for Fragment Inspection   Optional
Configuring Packet Filtering on an Interface                      Required
Configuring Ethernet Frame Filtering                              Optional

Support for high and low watermarks for fragment inspection and Ethernet frame filtering depends on
the device model.

Enabling the Firewall Function

Enabling the IPv4 firewall function

Follow these steps to enable the IPv4 firewall function:

To do…                                                      Use the command…                               Remarks
Enter system view                                           system-view                                    —
Enable the IPv4 firewall function on a centralized device   firewall enable                                Required. Disabled by default.
Enable the IPv4 firewall function on a distributed device   firewall enable { all | slot slot-number }     Required. Disabled by default.

Enabling the IPv6 firewall function

Support for this feature depends on the device model.

Follow these steps to enable the IPv6 firewall function:

To do…                              Use the command…        Remarks
Enter system view                   system-view             —
Enable the IPv6 firewall function   firewall ipv6 enable    Required. Disabled by default.

Configuring the Default Filtering Action of the Firewall

The default filtering action configuration is used for the firewall to determine whether to permit a data
packet to pass or deny the packet when there is no appropriate criterion for judgment.

IPv4 application

Follow these steps to configure the default filtering action of the IPv4 firewall:

To do…                                                        Use the command…                                             Remarks
Enter system view                                             system-view                                                  —
Set the default filtering action of the firewall to           firewall default { deny | permit }                           Optional. permit (permit packets to pass
"permit" or "deny" on a centralized device                                                                                 the firewall) by default.
Set the default filtering action of the firewall to           firewall default { deny | permit } { all | slot slot-number } Optional. permit (permit packets to pass
"permit" or "deny" on a distributed device                                                                                 the firewall) by default.


IPv6 application

Support for this feature depends on the device model.

Follow these steps to configure the default filtering action of the IPv6 firewall:

To do…                                              Use the command…                           Remarks
Enter system view                                   system-view                                —
Specify the default filtering action of the firewall firewall ipv6 default { deny | permit }   Optional. permit (permit packets to pass
                                                                                               the firewall) by default.

Enabling Fragment Inspection

Support for this feature depends on the device model.

Exact match can be implemented only after fragment inspection is enabled. With fragment inspection
enabled, the packet filtering firewall records the status of each fragment and performs exact match on
information of Layer 3 and above based on advanced ACL rules.
The packet filtering firewall records the status of fragments at the price of system resource consumption.
If exact match is not required, you can disable fragment inspection to improve system performance
and reduce system overhead.
1) Enable the IPv4 fragment inspection function:

To do...                                                  Use the command...                                        Remarks
Enter system view                                         system-view                                               —
Enable IPv4 fragment inspection on a centralized device   firewall fragments-inspect                                Required. Disabled by default.
Enable IPv4 fragment inspection on a distributed device   firewall fragments-inspect { all | slot slot-number }     Required. Disabled by default.

2) Enable the IPv6 fragment inspection function

After this function is enabled, IPv6 fragments on all interfaces are matched against the IPv6 ACL as
follows: if the first fragment is discarded, all the non-first fragments of the same packet are discarded
too; otherwise, the protocol information carried in the first fragment is added to the non-first fragments
before the matching procedure starts.
Follow these steps to enable the IPv6 fragment inspection function of the firewall:

To do...                          Use the command...                 Remarks
Enter system view                 system-view                        —
Enable IPv6 fragment inspection   firewall ipv6 fragments-inspect    Required. Disabled by default.

Configuring the High and Low Watermarks for Fragment Inspection

Support for this feature depends on the device model.

If fragment inspection is enabled and exact match is applied, the efficiency of packet filtering may
decrease, especially when matching items are numerous. Therefore, it is necessary to set the high and
low watermark values for fragment inspection, so that when the number of fragment status records
reaches the upper limit, earlier records are deleted (starting from the earliest) until the number drops to
the lower limit.
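The following constructed Python model (an added example, not Huawei's implementation) illustrates the fragment inspection and watermark behaviour described above and under Enabling Fragment Inspection: the first fragment's transport information is recorded, non-first fragments are matched exactly through that record, a denied first fragment takes its non-first fragments with it, and once the record count reaches the high watermark the earliest records are evicted down to the low watermark. Fragment and FragmentInspector are names of this example only, the watermarks 3/1 in the scenario are deliberately small, and the traffic is constructed.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of fragment inspection with exact match (not Huawei's
# implementation). The first fragment carries the transport header, so its
# destination port is recorded under the datagram key (src, dst, identification);
# non-first fragments are matched exactly by borrowing that record. Records are
# kept in arrival order; when their count reaches the high watermark, the earliest
# ones are deleted until the count is back at the low watermark.

@dataclass
class Fragment:
    src: str
    dst: str
    ident: int                    # IP identification, shared by all fragments
    offset: int                   # 0 marks the first fragment
    more: bool                    # MF flag; False on the last fragment
    dport: Optional[int] = None   # transport header is only in the first fragment

class FragmentInspector:
    def __init__(self, high: int = 2000, low: int = 1500, exact: bool = True) -> None:
        assert 0 < low < high            # page defaults: high 2,000, low 1,500
        self.high, self.low, self.exact = high, low, exact
        self.records = OrderedDict()     # (src, dst, ident) -> recorded dport
        self.evictions = 0

    def _record(self, key: Tuple[str, str, int], dport: int) -> None:
        self.records[key] = dport
        self.records.move_to_end(key)
        if len(self.records) >= self.high:
            # high watermark reached: drop the earliest records down to the low watermark
            while len(self.records) > self.low:
                self.records.popitem(last=False)
                self.evictions += 1

    def filter(self, f: Fragment, permitted_dport: int) -> str:
        """Apply one advanced ACL rule, 'permit tcp destination-port eq permitted_dport'
        followed by 'deny', to a fragment. Layer 3 conditions are assumed to match."""
        key = (f.src, f.dst, f.ident)
        if f.offset == 0:
            # first fragment (or unfragmented packet): Layer 4 data is on the wire
            if self.exact and f.more:
                self._record(key, f.dport)
            return "permit" if f.dport == permitted_dport else "deny"
        if not self.exact:
            # normal match: information above Layer 3 is ignored for non-first fragments
            return "permit"
        dport = self.records.get(key)
        if dport is None:
            # no usable record (first fragment never seen, or evicted): no exact match
            return "deny"
        if not f.more:
            del self.records[key]    # last fragment: the record is no longer needed
        # same decision as the first fragment, so a denied first fragment drags
        # its non-first fragments down with it
        return "permit" if dport == permitted_dport else "deny"

def run_fragment_scenario() -> Dict[str, object]:
    """Constructed traffic: four datagrams from 10.0.0.1 to 192.0.2.1, watermarks 3/1."""
    insp = FragmentInspector(high=3, low=1)
    src, dst = "10.0.0.1", "192.0.2.1"
    out: Dict[str, object] = {}
    # datagram 100 to port 80: permitted, record kept while fragments are pending
    out["a_first"] = insp.filter(Fragment(src, dst, 100, 0, True, 80), 80)
    out["a_mid"] = insp.filter(Fragment(src, dst, 100, 1480, True), 80)
    # datagram 101 to port 23: first fragment denied, and so is its last fragment
    out["b_first"] = insp.filter(Fragment(src, dst, 101, 0, True, 23), 80)
    out["b_last"] = insp.filter(Fragment(src, dst, 101, 1480, False), 80)
    # two more first fragments push the table to the high watermark of 3
    insp.filter(Fragment(src, dst, 102, 0, True, 80), 80)
    insp.filter(Fragment(src, dst, 103, 0, True, 80), 80)
    out["evictions"] = insp.evictions
    # datagram 100's record was the earliest and got evicted: exact match is impossible
    out["a_last"] = insp.filter(Fragment(src, dst, 100, 2960, False), 80)
    # normal match mode ignores Layer 4 for the same non-first fragment
    out["a_last_normal"] = FragmentInspector(exact=False).filter(
        Fragment(src, dst, 100, 2960, False), 80)
    return out
```

The eviction outcome shows the trade-off the text describes: a low high watermark saves resources, but a datagram whose record is evicted mid-transfer loses its remaining fragments under exact match.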
Follow these steps to configure the high and low watermarks for fragment inspection:

To do...                                                      Use the command...                                                Remarks
Enter system view                                             system-view                                                       —
Configure the high and low watermarks for fragment            firewall fragments-inspect [ high | low ] { number | default }   Optional. By default, the high watermark value of
inspection on a centralized device                                                                                              the number of fragment status records is 2,000, and
                                                                                                                                the low watermark value is 1,500.
Configure the high and low watermarks for fragment            firewall fragments-inspect [ high | low ] { number | default }   Optional. By default, the high watermark value of
inspection on a distributed device                            { all | slot slot-number }                                        the number of fragment status records is 2,000, and
                                                                                                                                the low watermark value is 1,500.


Configuring Packet Filtering on an Interface

When an ACL is applied to an interface, the time range–based filtering will also work at the same time.
In addition, you can specify separate access rules for inbound and outbound packets.
The effective range for basic ACL numbers is 2000 to 2999. A basic ACL defines rules based on the
Layer 3 source IP addresses only to analyze and process data packets.
The effective range for advanced ACL numbers is 3000 to 3999. An advanced ACL defines rules
according to the source and destination IP addresses of packets, the type of protocol over IP, TCP/UDP
source and destination ports, and so on.
An advanced ACL supports two match modes: normal match and exact match. Normal match refers to
matching of Layer 3 information only; information above Layer 3 is ignored. In exact match, all
conditions of the advanced ACL rules are matched. For this reason, the firewall must record the status
of the first fragment of each packet in order to obtain the match information for the subsequent
fragments. The default mode is normal match.

Enabling packet filtering on an interface is mutually exclusive with adding the interface to an
aggregation group and adding the interface to a service loopback group.

1) Configure IPv4 packet filtering on an interface:


To do...                                           Use the command...                                        Remarks
Enter system view                                  system-view                                               —
Enter interface view                               interface interface-type interface-number                 —
Configure IPv4 packet filtering on an interface    firewall packet-filter { acl-number | name acl-name }     Required. IPv4 packets are not filtered by
                                                   { inbound | outbound }                                    default. Support for the match-fragments
                                                   [ match-fragments { exactly | normally } ]                keyword depends on the device model.

2) Configure IPv6 packet filtering on an interface

Support for this feature depends on the device model.


IPv6 packet filtering is a basic firewall function of an IPv6-based ACL. You can configure IPv6 packet
filtering on either the inbound or outbound direction of an interface. However, only one IPv6 ACL is
allowed on each direction.
Follow these steps to configure IPv6 packet filtering on an interface:

To do...                                           Use the command...                                             Remarks
Enter system view                                  system-view                                                    —
Enter interface view                               interface interface-type interface-number                      —
Configure IPv6 packet filtering on an interface    firewall packet-filter ipv6 { acl6-number | name acl6-name }   Required. IPv6 packets are not filtered
                                                   { inbound | outbound }                                         by default.

Configuring Ethernet Frame Filtering

Support for this feature depends on the device model.

Follow these steps to configure Ethernet frame filtering:

To do...                                                    Use the command...                                              Remarks
Enter system view                                           system-view                                                     —
Enter interface view                                        interface interface-type interface-number                       —
Configure Ethernet frame filtering for the inbound/         firewall ethernet-frame-filter { acl-number | name acl-name }   Required. No filtering is performed
outbound direction of the interface and set the number      { inbound | outbound }                                          by default.
of the ACL to be used

The Ethernet frame filtering configuration on an interface is effective only after you add the interface into
a bridge group.


Displaying and Maintaining a Packet Filtering Firewall

To do...                                                   Use the command...                                                          Remarks
View the Ethernet frame filtering statistics               display firewall ethernet-frame-filter { all | dlsw | interface             Available in any view
                                                           interface-type interface-number }
View the packet filtering statistics of the IPv4 firewall  display firewall-statistics { all | fragments-inspect | interface           Available in any view
                                                           interface-type interface-number }
View the packet filtering statistics of the IPv6 firewall  display firewall ipv6 statistics { all | interface interface-type           Available in any view
                                                           interface-number }
Clear the ACL-based firewall statistics                    reset firewall ethernet-frame-filter { all | dlsw | interface               Available in user view
                                                           interface-type interface-number }
Clear the packet filtering statistics of the IPv4 firewall reset firewall-statistics { all | interface interface-type                  Available in user view
                                                           interface-number }
Clear the packet filtering statistics of the IPv6 firewall reset firewall ipv6 statistics { all | interface interface-type             Available in user view
                                                           interface-number }

• Support for the display firewall ethernet-frame-filter, display firewall ipv6 statistics, reset
firewall ethernet-frame-filter, and reset firewall ipv6 statistics commands depends on the
device model.
• Support for the fragments-inspect keyword in the display firewall-statistics command depends
on the device model.

Packet Filtering Firewall Configuration Example

Support for this configuration example depends on the device model.


Network requirements

• A company accesses the Internet through Serial 2/0 of Router A, which connects to the internal
network through an Ethernet port, Ethernet 1/1.
• The company provides WWW, FTP and Telnet services to the outside. The internal subnet of the
company is 129.1.1.0, on which the internal FTP server address is 129.1.1.1, the Telnet server
address is 129.1.1.2, the internal WWW server address is 129.1.1.3, and the public address of the
company is 20.1.1.1. NAT is enabled on Router A so that hosts on the internal network can gain
access to the Internet and external hosts can access the internal servers.
• By using a firewall, the company intends to achieve the following aim: only specific users on
external networks are given access to the internal servers, and only specific hosts on the internal
network are permitted to access external networks.
• Assume that the IP address of a specific external user is 202.3.3.3.
Figure 1-3 Network diagram for packet filtering firewall configuration

[Figure 1-3: Router A connects the internal network on Eth1/1 (129.1.1.5/24) and the WAN on S2/0
(20.1.1.1/16). Internal network: FTP server 129.1.1.1/32, Telnet server 129.1.1.2/32, WWW server
129.1.1.3/32, specific internal host 129.1.1.4/32. WAN side: specific external host 20.3.3.3/32.]

Configuration procedure

# Enable the firewall function on Router A.


<Router> system-view
[Router] firewall enable

# Create advanced ACL 3001.


[Router] acl number 3001

# Configure rules to permit specific hosts to access external networks and permit internal servers to
access external networks.
[Router-acl-adv-3001] rule permit ip source 129.1.1.1 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.2 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.3 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.4 0

# Configure a rule to prohibit all IP packets from passing the firewall.


[Router-acl-adv-3001] rule deny ip

# Create advanced ACL 3002.


[Router-acl-adv-3001] quit
[Router] acl number 3002

# Configure a rule to allow a specific external user to access internal servers.


[Router-acl-adv-3002] rule permit tcp source 20.3.3.3 0 destination 129.1.1.0 0.0.0.255

# Configure a rule to permit only TCP packets whose destination port number is greater than 1024 to
get access to the internal network.
[Router-acl-adv-3002] rule permit tcp destination 20.1.1.1 0 destination-port gt 1024
[Router-acl-adv-3002] rule deny ip

# Apply ACL 3001 to packets that come in through Ethernet 1/1.


[Router-acl-adv-3002] quit
[Router] interface ethernet 1/1
[Router-Ethernet1/1] firewall packet-filter 3001 inbound

# Apply ACL 3002 to packets that come in through Serial 2/0.


[Router-Ethernet1/1] quit
[Router] interface serial 2/0
[Router-Serial2/0] firewall packet-filter 3002 inbound
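Rules in ACL 3001 and ACL 3002 are tried in order, the first match decides, and a 0 bit in a wildcard mask means that address bit must match exactly. The following Python model is an added illustration, not part of the manual or of the device software; Rule, evaluate and the packet dictionaries are assumptions. It reproduces the evaluation of both ACLs so a practitioner can check what each rule actually admits, for example that the port-greater-than-1024 rule admits any external source address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the advanced ACLs in the example above (ACL 3001 inbound on Ethernet 1/1,
# ACL 3002 inbound on Serial 2/0). Added illustration only: Rule, evaluate and the packet
# dictionaries are assumptions, not device code.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Comware wildcard mask: a 0 bit in the wildcard means that bit must match exactly.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    proto: str = "ip"                   # "ip" matches every protocol
    src: Optional[tuple] = None         # (address, wildcard); None means any source
    dst: Optional[tuple] = None
    dport_gt: Optional[int] = None      # "destination-port gt N"

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.src and not wildcard_match(pkt["src"], *self.src):
            return False
        if self.dst and not wildcard_match(pkt["dst"], *self.dst):
            return False
        return self.dport_gt is None or pkt.get("dport", 0) > self.dport_gt

def evaluate(acl: list, pkt: dict) -> str:
    # Rules are tried in order and the first match decides; both example ACLs end with "rule deny ip".
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "default"   # no rule matched: the firewall's configured default filtering action applies

EXACT = "0.0.0.0"   # the CLI writes this exact-match wildcard as "0"
ACL_3001 = [Rule("permit", src=(h, EXACT)) for h in
            ("129.1.1.1", "129.1.1.2", "129.1.1.3", "129.1.1.4")] + [Rule("deny")]
ACL_3002 = [
    Rule("permit", "tcp", src=("20.3.3.3", EXACT), dst=("129.1.1.0", "0.0.0.255")),
    Rule("permit", "tcp", dst=("20.1.1.1", EXACT), dport_gt=1024),
    Rule("deny"),
]
```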

Configuring an ASPF

ASPF Configuration Task List

Complete the following tasks to configure an ASPF:

Task                                             | Remarks
Enabling the Firewall Function                   | Required
Configuring an ASPF Policy                       | Required
Applying an ASPF Policy to an Interface          | Required
Enabling the Session Logging Function for ASPF   | Optional
Configuring Port Mapping                         | Optional

Support for the ASPF session logging function and port mapping function depends on the device model.

Enabling the Firewall Function

Follow these steps to enable the firewall function:

To do...                                                   | Use the command...                          | Remarks
Enter system view                                          | system-view                                 | —
Enable the IPv4 firewall function on a centralized device  | firewall enable                             | Required; disabled by default
Enable the IPv4 firewall function on a distributed device  | firewall enable { all | slot slot-number }  | Required; disabled by default

Configuring an ASPF Policy

Follow these steps to configure an ASPF policy:

To do...                                                  | Use the command...                                                    | Remarks
Enter system view                                         | system-view                                                           | —
Create an ASPF policy and enter its view                  | aspf-policy aspf-policy-number                                        | Required
Configure the timeout for SYN, FIN, TCP, and UDP sessions | aging-time { fin | syn | tcp | udp } seconds                          | Optional. The defaults are 30 seconds for SYN, 5 seconds for FIN, 3,600 seconds for TCP, and 30 seconds for UDP.
Configure ASPF detection for application layer and        | detect protocol [ java-blocking acl-number ] [ aging-time seconds ]   | Optional. The default timeouts are 3,600 seconds for application layer protocols, 3,600 seconds for TCP, and 30 seconds for UDP.
transport layer protocols                                 |                                                                       |
Specify to drop ICMP error messages                       | icmp-error drop                                                       | Optional. By default, ICMP error messages are not dropped.
Specify to drop a non-SYN packet that is the first packet | tcp syn-check                                                         | Optional. By default, a non-SYN packet that is the first packet over a TCP connection is not dropped.
over a TCP connection                                     |                                                                       |


• Support for the aging-time, detect, icmp-error drop and tcp syn-check commands depends on
the device model.
• If you enable TCP or UDP detection without configuring application layer protocol detection, some
packets may fail to get a response. Therefore, it is recommended that you enable application layer
protocol detection together with TCP/UDP detection.
• In the case of a Telnet application, you only need to configure TCP detection.
• The timeout value specified in the detect command takes precedence over that specified in the
aging-time command.

Applying an ASPF Policy to an Interface

An ASPF policy distinguishes two kinds of interface: the internal interface and the external interface. If
the device is connected to both the internal network and the Internet, and employs ASPF to protect the
internal network server, the interface connected to the internal network is the internal interface and the
one connected to the Internet is the external interface. When both ASPF and a packet filtering firewall
are applied to the external interface, access to the internal network from the Internet is denied, yet the
response packets can pass ASPF when internal network users access the Internet.
To monitor the traffic through an interface, you must apply the configured ASPF policy to that interface.
Because ASPF stores and maintains application layer protocol state per interface, make sure that a
connection initiation packet and the corresponding return packet traverse the same interface.
Follow these steps to apply an ASPF policy to an interface:

To do...                                | Use the command...                                          | Remarks
Enter system view                       | system-view                                                 | —
Enter interface view                    | interface interface-type interface-number                   | —
Apply an ASPF policy to the interface   | firewall aspf aspf-policy-number { inbound | outbound }     | Required; not applied by default

Enabling the Session Logging Function for ASPF

Support for this feature depends on the device model.


ASPF provides an enhanced session logging function, which can record the information of each
connection, including the duration, the source and destination addresses of the connection, the port
used by the connection and the number of bytes transmitted.
Follow these steps to enable the session logging function of ASPF:

To do...                                          | Use the command...               | Remarks
Enter system view                                 | system-view                      | —
Enter ASPF policy view                            | aspf-policy aspf-policy-number   | Required
Enable the session logging function of the ASPF   | log enable                       | Optional; disabled by default

Configuring Port Mapping

Support for this feature depends on the device model.

Two mapping mechanisms exist: general port mapping and basic ACL–based host port mapping.
• A general port mapping refers to a mapping of a user-defined port number to an application layer
protocol. If port 8080 is mapped to HTTP, for example, all TCP packets the destination port of
which is port 8080 are regarded as HTTP packets.
• A host port mapping refers to a mapping of a user-defined port number to an application layer
protocol for packets to some specific hosts. For example, you can establish a host port mapping so
that all TCP packets using port 8080 sent to the network segment 10.110.0.0 are regarded as
HTTP packets. The address range of hosts can be specified by means of a basic ACL.
Follow these steps to configure port mapping:

To do...                                                       | Use the command...                                               | Remarks
Enter system view                                              | system-view                                                      | —
Configure mapping between the port and the application protocol | port-mapping application-name port port-number [ acl acl-number ] | Required; not configured by default

Displaying and Maintaining an ASPF

To do...                                                        | Use the command...                                            | Remarks
View all ASPF policy and session information                    | display aspf all                                              | Available in any view
View the ASPF policy configuration applied to the interface     | display aspf interface                                        | Available in any view
View the configuration information of a specific ASPF policy    | display aspf policy aspf-policy-number                        | Available in any view
View ASPF session information                                   | display aspf session [ verbose ]                              | Available in any view
View the port mapping information                               | display port-mapping [ application-name | port port-number ]  | Available in any view
Clear ASPF session                                              | reset aspf session                                            | Available in user view

• Support for the display aspf session, display port-mapping and reset aspf session commands
depends on the device model.
• Whether the display aspf all command supports session information displaying depends on the
device model.

ASPF Configuration Example I

Support for this configuration example depends on the device model.

Network requirements

• Configure an ASPF policy on Router A to detect the FTP and HTTP traffic flows passing through
Router A.
• Requirement: Only return packets for FTP and HTTP connections initiated by users on the internal
network are permitted to pass through Router A and get into the internal network, while all other
types of packets are blocked. In addition, this ASPF policy should be able to block Java applets
carried in HTTP packets from the server 2.2.2.2.
• This example is suitable for a scenario where local users need to gain access to remote servers.


Figure 1-4 Network diagram for ASPF configuration

[Figure: Host 192.168.1.2/32 on the internal network connects to Router A through Eth1/1
(192.168.1.1/24); Router A connects through S2/0 (10.1.1.1/24) to Router B and the external network,
where the server host is 2.2.2.11/32]

Configuration procedure

# Enable the firewall function on Router A.


<RouterA> system-view
[RouterA] firewall enable

# Configure ACL 3111 to prohibit all IP packets from entering the internal network. The ASPF will
create a TACL for packets permitted to pass the firewall.
[RouterA] acl number 3111
[RouterA-acl-adv-3111] rule deny ip
[RouterA-acl-adv-3111] quit

# Create ACL 2001 to block Java applets from site 2.2.2.2.


[RouterA] acl number 2001
[RouterA-acl-basic-2001] rule deny source 2.2.2.11 0
[RouterA-acl-basic-2001] rule permit
[RouterA-acl-basic-2001] quit

# Create an ASPF policy that checks application layer protocols FTP and HTTP, and set the idle timeout
value for the two protocols to 3,000 seconds.
[RouterA] aspf-policy 1
[RouterA-aspf-policy-1] detect ftp aging-time 3000
[RouterA-aspf-policy-1] detect http java-blocking 2001 aging-time 3000
[RouterA-aspf-policy-1] quit

# Apply ACL 3111 and the ASPF policy to the interface Serial 2/0.
[RouterA] interface serial 2/0
[RouterA-Serial2/0] firewall aspf 1 outbound
[RouterA-Serial2/0] firewall packet-filter 3111 inbound


ASPF Configuration Example II

Support for this configuration example depends on the device model.

Network requirements

Configure an ASPF policy on Router A to drop ICMP error messages and non-SYN packets that are the
first packets over TCP connections.
This example applies to scenarios where local users need to access remote network services.
Figure 1-5 Network diagram for ASPF configuration

[Figure: Host 192.168.1.2/32 on the internal network connects to Router A through Eth1/1
(192.168.1.1/24); Router A connects through S2/0 (10.1.1.1/24) to Router B and the external network,
where the server is located]

Configuration procedure

# Enable the firewall function on Router A.


<RouterA> system-view
[RouterA] firewall enable

# Configure ACL 3111 to prohibit all IP packets from entering the internal network. The ASPF will create
a TACL for packets permitted to pass the firewall.
[RouterA] acl number 3111
[RouterA-acl-adv-3111] rule deny ip
[RouterA-acl-adv-3111] quit

# Create an ASPF policy.


[RouterA] aspf-policy 1
[RouterA-aspf-policy-1] icmp-error drop
[RouterA-aspf-policy-1] tcp syn-check
[RouterA-aspf-policy-1] quit

# Apply ACL 3111 and the ASPF policy to interface Serial 2/0.
[RouterA] interface serial 2/0
[RouterA-Serial2/0] firewall aspf 1 outbound
[RouterA-Serial2/0] firewall packet-filter 3111 inbound
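In both ASPF examples, ACL 3111 denies every inbound IP packet on Serial 2/0, and only packets belonging to a session that an outbound packet created (the TACL) get through; Example II adds tcp syn-check and icmp-error drop. The following Python model is an added illustration, not part of the manual or of the device software; the Aspf class, its session table, the timestamps and the packets are assumptions, as is the treatment of an ICMP error as belonging to the session whose header it quotes. It replays one constructed exchange so the effect of the two options and of the TCP aging time can be seen.

```python
from dataclasses import dataclass, field
# Constructed model of an ASPF policy applied outbound on Serial 2/0 with ACL 3111 ("rule deny ip")
# inbound. Added illustration only: names, timestamps and packets are assumptions, not device code.

def _key(pkt: dict, reverse: bool = False) -> tuple:
    src, dst = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (dst + src if reverse else src + dst)

@dataclass
class Aspf:
    tcp_aging: float = 3600.0       # aging-time tcp default given on the page
    syn_check: bool = False         # tcp syn-check
    icmp_error_drop: bool = False   # icmp-error drop
    sessions: dict = field(default_factory=dict)  # the "TACL": 5-tuple -> expiry time

    def outbound(self, pkt: dict, now: float) -> str:
        # Packet leaving on the external interface: open or refresh a session entry.
        key = _key(pkt)
        if self.syn_check and pkt["proto"] == "tcp" and not pkt.get("syn") and key not in self.sessions:
            return "drop"           # non-SYN packet that would be the first packet of a connection
        self.sessions[key] = now + self.tcp_aging
        return "permit"

    def inbound(self, pkt: dict, now: float) -> str:
        # Packet arriving on the external interface: session table first, then ACL 3111.
        if pkt["proto"] == "icmp-error":
            if self.icmp_error_drop:
                return "drop"
            key = _key(pkt["inner"])             # error quotes the original outbound header (assumption)
        else:
            key = _key(pkt, reverse=True)        # a reply carries the session's addresses swapped
        expiry = self.sessions.get(key)
        if expiry is not None and now <= expiry:
            self.sessions[key] = now + self.tcp_aging   # activity refreshes the aging timer
            return "permit"
        self.sessions.pop(key, None)             # unknown or aged out: ACL 3111 denies it
        return "deny"

def scenario(syn_check: bool, icmp_error_drop: bool) -> list:
    # Replay a constructed exchange between internal host 192.168.1.2 and a server on TCP port 80.
    aspf = Aspf(syn_check=syn_check, icmp_error_drop=icmp_error_drop)
    out = dict(proto="tcp", src="192.168.1.2", sport=40000, dst="2.2.2.11", dport=80)
    back = dict(proto="tcp", src="2.2.2.11", sport=80, dst="192.168.1.2", dport=40000)
    err = dict(proto="icmp-error", inner=out)
    return [
        aspf.inbound(back, 0),                    # unsolicited packet: no session, denied
        aspf.outbound({**out, "syn": False}, 1),  # ACK with no prior SYN
        aspf.outbound({**out, "syn": True}, 2),   # SYN opens the session
        aspf.inbound(back, 3),                    # reply matches the session
        aspf.inbound(err, 4),                     # ICMP error related to the session
        aspf.inbound(back, 9999),                 # long after the aging time: denied
    ]
```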
