Detecting and Blocking Java Applets and ActiveX

Context

Java Applets and ActiveX are generally carried in packet payloads and cannot be identified through packet header inspection. Because they are easily used to make Trojan horses and viruses, they must be identified through application-layer detection to protect intranet hosts. The FW can use the ASPF function to detect and block Java Applets and ActiveX, protecting networks from malicious Java Applets and ActiveX.

You can enable the function of detecting and blocking Java Applets and ActiveX in the system view, interzone view, or intrazone view. If this function is enabled in the system view, the interzone and intrazone functions are also enabled.

Procedure

  • Enable the function of detecting or blocking Java Applets and ActiveX in the system view.
    1. Run the system-view command to enter the system view.
    2. Run the firewall detect { activex-blocking | java-blocking } command to enable the function of detecting or blocking Java Applets and ActiveX.
  • Enable the function of detecting or blocking Java Applets and ActiveX in the interzone view.
    1. Run the system-view command to enter the system view.
    2. Run the firewall interzone zone-name1 zone-name2 command to access the interzone view.
    3. Run the detect { activex-blocking | java-blocking } [ acl-number { inbound | outbound } ] command to enable the function of detecting or blocking Java Applets and ActiveX.

      By referencing a basic ACL, you can narrow down the scope of application-layer detection. inbound indicates the direction from a low-priority security zone to a high-priority security zone, and outbound indicates the direction from a high-priority security zone to a low-priority security zone.

  • Enable the function of detecting or blocking Java Applets and ActiveX in the intrazone view.
    1. Run the system-view command to enter the system view.
    2. Run the firewall zone [ name ] zone-name command to access the intrazone view.
    3. Run the detect { activex-blocking | java-blocking } [ acl-number ] command to enable the function of detecting or blocking Java Applets and ActiveX.

      By referencing a basic ACL, you can narrow down the scope of application-layer detection.

Copyright © Huawei Technologies Co., Ltd.