FAQ-How Can I Configure Interzone Packet Filtering?

Publication Date:  2012-10-24 Views:  408 Downloads:  0
Issue Description
Q: How Can I Configure Interzone Packet Filtering?
Alarm Information
NA
Handling Process
USG5300 V100R002 and earlier versions apply ACL-based packet filtering, and USG5300 V100R003 and later versions apply policy-based packet filtering.

As shown in Figure 1, the host at 192.168.0.2 (on the 192.168.0.0/24 segment) can access the Internet, but the host at 192.168.0.3 cannot. The following examples describe how to configure ACL-based and policy-based packet filtering for specific IP addresses. For details on packet filtering, refer to the related product documentation.

Figure 1 Networking diagram for IP-specific interzone packet filtering


1. Configure ACL-based packet filtering (USG5300 V100R002 and earlier).

Rules are matched in the order shown, and the first match decides. Traffic from hosts that match neither rule (for example 192.168.0.4) is handled by the interzone default action configured on the device, so verify that default before relying on the deny rule.

<sysname> system-view
[sysname] acl 3001
[sysname-acl-adv-3001] rule permit ip source 192.168.0.2 0  //You can set the source IP address, destination IP address, protocol, and time range in a rule.
[sysname-acl-adv-3001] rule deny ip source 192.168.0.3 0
[sysname-acl-adv-3001] quit
[sysname] firewall interzone trust untrust
[sysname-interzone-trust-untrust] packet-filter 3001 outbound

2. Configure policy-based packet filtering (USG5300 V100R003 and later).

Policies are matched in priority order (policy 1 before policy 2 here); as with the ACL variant, traffic that matches no policy falls to the interzone default action.

<sysname> system-view
[sysname] policy interzone trust untrust outbound
[sysname-policy-interzone-trust-untrust-outbound] policy 1
[sysname-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.2 0  //You can set the source IP address, destination IP address, protocol, and time range in the policy ID view.
[sysname-policy-interzone-trust-untrust-outbound-1] action permit
[sysname-policy-interzone-trust-untrust-outbound-1] quit
[sysname-policy-interzone-trust-untrust-outbound] policy 2   //You can configure multiple policy IDs. Run the display this command in the policy interzone view to display policy IDs. The policy IDs are displayed in descending order of matching priority.
[sysname-policy-interzone-trust-untrust-outbound-2] policy source 192.168.0.3 0
[sysname-policy-interzone-trust-untrust-outbound-2] action deny
Root Cause
NA
Suggestions
The following two commands behave similarly to packet filtering but do not configure it.

The detect user-defined acl-number { inbound | outbound } command configures user-defined ASPF and generates triplet server map entries. For details on ASPF, refer to the related product documentation.
The aspf packet-filter acl-number { inbound | outbound } command determines whether packets that match server map entries are forwarded.
Packet filtering decides whether to forward a packet and establish a session based on the full quintuple; aspf packet-filter decides only for packets that already match a server map entry.

Server map entries generated by ASPF are matched on a triplet rather than the full quintuple, so they place fewer restrictions on the session than a normal packet-filter session does. Ports opened this way become reachable during packet forwarding, which is a security risk. When you configure ASPF, make sure the ACL rules are precise. Packets that match server map entries are not subject to interzone packet filtering; use the aspf packet-filter command to block those that should still be dropped.

END