Configuring the Function of Skipping ASPF/ALG for FTP Traffic

Context

When ASPF/ALG of FTP is enabled, all FTP traffic is processed by ASPF/ALG by default. In some scenarios you can exclude part of the FTP traffic from ASPF/ALG by referencing an advanced ACL: FTP traffic that matches a permit rule in that ACL skips ASPF/ALG, while all other FTP traffic is still processed. Because excluded traffic is not inspected, the firewall does not learn the data-channel port from the FTP control connection for those sessions and therefore does not open the data connection dynamically; the data channel for excluded traffic must be permitted explicitly by security policy, and the protocol-compliance checks of ASPF no longer apply to it. Keep the exclude ACL as narrow as the scenario requires.

Similar to the ASPF/ALG configuration itself, the configuration for skipping ASPF/ALG falls into global, interzone, and intrazone configurations. The interzone and intrazone configurations take precedence over the global configuration.

Procedure

  • In the system view, configure the skipping of ASPF/ALG for FTP traffic globally.
    1. Run the system-view command to enter the system view.
    2. Run the acl [ number ] acl-number [ vpn-instance vpn-instance-name ] command to create an advanced ACL and enter the advanced ACL view. The acl-number of an advanced ACL ranges from 3000 to 3999.
    3. Run the rule [ rule-id ] permit tcp [ source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any } | source-port operator port [ port2 ] | destination-port operator port [ port2 ] | icmp-type { icmp-type-name | icmp-type-number icmp-code } | precedence precedence | tos tos | time-range time-name | logging | dscp dscp-value | tcp-flag { tcp-flag [ mask mask-value ] | established | { ack | fin | psh | rst | syn | urg } * } ] * [ description description ] command to configure an advanced ACL rule. Only FTP traffic matching a permit rule is excluded from ASPF/ALG.
    4. Run the quit command to return to the system view.
    5. Run the firewall detect ftp exclude acl acl-number command to enable ASPF/ALG of FTP globally and exclude the FTP traffic matching the specified ACL from ASPF/ALG.
  • Configure the skipping of ASPF/ALG for interzone or intrazone FTP traffic.
    1. Run the system-view command to enter the system view.
    2. Run the acl [ number ] acl-number [ vpn-instance vpn-instance-name ] command to create an advanced ACL and enter the advanced ACL view. The acl-number of an advanced ACL ranges from 3000 to 3999.
    3. Run the rule [ rule-id ] permit tcp [ source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any } | source-port operator port [ port2 ] | destination-port operator port [ port2 ] | icmp-type { icmp-type-name | icmp-type-number icmp-code } | precedence precedence | tos tos | time-range time-name | logging | dscp dscp-value | tcp-flag { tcp-flag [ mask mask-value ] | established | { ack | fin | psh | rst | syn | urg } * } ] * [ description description ] command to configure an advanced ACL rule. Only FTP traffic matching a permit rule is excluded from ASPF/ALG.
    4. Run the quit command to return to the system view.
    5. Run the firewall interzone zone-name1 zone-name2 or firewall zone [ name ] zone-name command to enter the interzone or intrazone view.
    6. Run the detect ftp exclude acl acl-number command to enable ASPF/ALG of FTP for this interzone or intrazone and exclude the FTP traffic matching the specified ACL from ASPF/ALG.
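The following command sequence is an added, worked illustration of both procedures above; it is not taken from this page. The device name FW, the ACL number 3000, the addresses 10.1.1.0/24 and 10.2.2.10, the zone names trust and untrust, and the prompt strings shown are assumptions chosen for the example. The ACL permits only the FTP control connections (destination port 21) from one client subnet to one server, so only those sessions bypass ASPF/ALG; every other FTP session between the two zones is still inspected.

```text
# Added example, not part of the original page. All names and addresses are assumed.
<FW> system-view
# Advanced ACL (3000-3999) describing the FTP traffic that should skip ASPF/ALG.
[FW] acl number 3000
# Match only the control channel: client subnet 10.1.1.0/24 -> server 10.2.2.10, TCP port 21.
[FW-acl-adv-3000] rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination 10.2.2.10 0 destination-port eq 21 description ftp-bypass-aspf
[FW-acl-adv-3000] quit

# Variant 1: global configuration (system view). Enables FTP ASPF/ALG globally and
# excludes traffic matching ACL 3000.
[FW] firewall detect ftp exclude acl 3000

# Variant 2: interzone configuration (trust <-> untrust). Takes precedence over the
# global setting for traffic between these two zones.
[FW] firewall interzone trust untrust
[FW-interzone-trust-untrust] detect ftp exclude acl 3000
# Check what was written into the running configuration for this interzone.
[FW-interzone-trust-untrust] display this
[FW-interzone-trust-untrust] quit
```

The order matters: the ACL must exist with its permit rule before it is referenced by the exclude command, and the rule is entered in the ACL view, so the quit before firewall detect or firewall interzone is required. Since the excluded sessions no longer get a dynamically opened data channel, a security policy that explicitly permits the FTP data connection between 10.1.1.0/24 and 10.2.2.10 has to exist for those transfers to work.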
Copyright © Huawei Technologies Co., Ltd.