
Understanding the Server Map

This section describes only the server map created by the ASPF/ALG function. For server maps of other types, see Server Map.

Functions of the Server Map in the ASPF/ALG Function

The server map is one of the bases for implementing the ASPF/ALG function.

The server map permits packets that a security policy cannot explicitly permit in advance, because their addresses and ports are only known after application-layer negotiation. It is a refined "security policy" that the ASPF/ALG function generates automatically, and it acts as an invisible channel on the FW.

The ASPF/ALG function inspects the application layer of certain packets and records the key data found there (typically an address and a port) in the server map. Subsequent packets that match the server map are permitted directly, or have NAT performed, and sessions are established for them, without being checked against security policies.

Take ASPF for multi-channel protocols (such as FTP, H.323, and SIP) as an example. Applications using these protocols usually require that a control channel and a data channel be established. After the control channel is established, the address and port of the data channel are negotiated over the control channel, and the data channel is then established according to the negotiation result. The FW automatically generates a server map from the address and port information carried in the application layer of the negotiation packet. Subsequent data packets match the server map and are permitted, so the data channel is established successfully.

Take FTP active mode (in which the server initiates the data connection to the client) as an example. The FW inspects the application layer of the PORT command packet and records the IP address and port carried in it in the server map.
Figure 1 ASPF in FTP active mode
Check the server map generated on the FW.
<sysname> display firewall server-map
Type: ASPF, 2.2.2.2 -> 1.1.1.1:yyyy, Zone: ---
   Protocol: tcp(Appro: ftp-data), Left-Time: 00:00:57
   VPN: public -> public

Port yyyy is the data port that the client announced to the server over the control channel. The data packet with which the server (2.2.2.2) proactively connects to port yyyy of the client (1.1.1.1) matches the server map and is permitted. Note that the entry records only the initiator address, the destination address, the destination port, and the protocol; the server's source port is not restricted.

A server map of the ASPF/ALG type is generated only when the corresponding traffic passes through the device.

Position of the Server Map in the Forwarding

The server map created by the ASPF/ALG function has a higher priority than the security policy. Once a packet matches a server map of the ASPF/ALG type, it is permitted directly and a session table entry is generated, without being matched against security policies. Subsequent packets that match the session table are permitted directly, without being matched against the server map again.

Figure 2 shows the position of the server map in the simplified forwarding process.

Figure 2 Position of the server map in the forwarding

Server Map Aging

Besides manual deletion of a server map, the FW also ages out server maps automatically.

A server map occupies device resources, so it is aged in the same way as a session table entry: if no traffic matches a server map within its aging time, the server map is deleted.

Unlike the session table aging time, the aging time of an ASPF/ALG server map is fixed and cannot be configured. For example, the aging time of the FTP server map is 15 seconds.
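The following is an added example, not Huawei code, that models the FTP active mode behaviour described above together with the forwarding order (session table, then server map, then security policy) and the fixed 15-second aging. It parses the PORT command from the control channel, creates the server map entry, and then shows which stage permits each later packet. The class and function names, the packet tuples, and the check that the PORT command may only name the client's own address are assumptions for illustration.

```python
"""Model of an ASPF server map for FTP active mode (added example, not Huawei code)."""
import re
from dataclasses import dataclass

FTP_SERVER_MAP_AGING = 15  # seconds; the page states this value is fixed for FTP

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 -> address h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) announced by an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


@dataclass
class ServerMapEntry:
    """One ASPF server map: permit src_ip to open proto connections to dst_ip:dst_port."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    expires_at: float


class Firewall:
    """Simplified forwarding path: session table, then server map, then security policy."""

    def __init__(self, policy_allows):
        self.policy_allows = policy_allows   # callable(pkt) -> bool, stands in for the security policy
        self.sessions = set()                # bidirectional session keys already permitted
        self.server_map = []

    def inspect_ftp_control(self, client_ip, server_ip, line, now):
        """ASPF on the control channel: a PORT command yields a server map entry."""
        parsed = parse_port_command(line)
        if parsed is None:
            return None
        data_ip, data_port = parsed
        # Assumed hardening (not described on the page): only accept a PORT that
        # names the client itself, so the entry never permits traffic to a third party.
        if data_ip != client_ip:
            return None
        entry = ServerMapEntry(server_ip, data_ip, data_port, "tcp",
                               now + FTP_SERVER_MAP_AGING)
        self.server_map.append(entry)
        return entry

    @staticmethod
    def _session_key(pkt):
        proto, sip, sport, dip, dport = pkt
        return (proto,) + tuple(sorted([(sip, sport), (dip, dport)]))

    def forward(self, pkt, now):
        """Return the stage that permitted pkt: 'session', 'server-map', 'policy' or 'denied'."""
        proto, sip, sport, dip, dport = pkt
        # Aging: drop entries that no traffic has matched within their lifetime.
        self.server_map = [e for e in self.server_map if e.expires_at > now]
        if self._session_key(pkt) in self.sessions:
            return "session"
        for e in self.server_map:
            if (e.proto, e.src_ip, e.dst_ip, e.dst_port) == (proto, sip, dip, dport):
                self.sessions.add(self._session_key(pkt))   # session created, policy skipped
                e.expires_at = now + FTP_SERVER_MAP_AGING    # assumed: refreshed like a session entry
                return "server-map"
        if self.policy_allows(pkt):
            self.sessions.add(self._session_key(pkt))
            return "policy"
        return "denied"


if __name__ == "__main__":
    # Constructed scenario: client 1.1.1.1, server 2.2.2.2, policy permits only client -> server:21.
    fw = Firewall(lambda p: p[3] == "2.2.2.2" and p[4] == 21)
    print(fw.forward(("tcp", "1.1.1.1", 40000, "2.2.2.2", 21), now=0))      # policy
    print(fw.inspect_ftp_control("1.1.1.1", "2.2.2.2", "PORT 1,1,1,1,4,210", now=0))
    print(fw.forward(("tcp", "2.2.2.2", 20, "1.1.1.1", 1234), now=10))      # server-map
    print(fw.forward(("tcp", "2.2.2.2", 20, "1.1.1.1", 1234), now=11))      # session
```

The server-initiated data connection is never evaluated by the policy callable; only the PORT command that preceded it, and its fixed 15-second window, make it permissible. Running the same data packet 15 seconds or more after the PORT command, with no traffic in between, falls through to the policy and is denied.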

Copyright © Huawei Technologies Co., Ltd.