The detect command configures the interzone ASPF/ALG function.
The undo detect command cancels the ASPF/ALG configuration.
detect protocol
detect { activex-blocking | java-blocking } [ acl-number1 { inbound | outbound } ]
detect user-defined acl-number2 { inbound | outbound }
detect ipv6 ipv6-protocol
undo detect protocol
undo detect { activex-blocking | java-blocking } [ inbound | outbound ]
undo detect user-defined { inbound | outbound }
undo detect ipv6 ipv6-protocol
| Parameter | Description | Value |
|---|---|---|
| protocol | Specifies one of the protocols supported by IPv4 ASPF/ALG. | The value can be dns, ftp, h323, icq, ils, mgcp, mms, msn, netbios, pptp, qq, rsh, rtsp, sccp, sip, or sqlnet. |
| activex-blocking | Blocks ActiveX applets. | - |
| java-blocking | Blocks Java applets. | - |
| ipv6-protocol | Specifies one of the protocols supported by IPv6 ASPF/ALG. | The value can be ftp, sip or rtsp. |
| acl-number1 | Specifies the number of an ACL. | The value is an integer ranging from 2000 to 2999. |
| user-defined | Indicates customization. | - |
| acl-number2 | Specifies the number of an ACL. | You can specify either of the following ACLs (the configuration example below uses advanced ACL 3000). |
| inbound | Enables inbound packet filtering in the interzone. | - |
| outbound | Enables outbound packet filtering in the interzone. | - |
The interzone ASPF/ALG function is disabled by default. Enable ASPF/ALG only for the protocols an interzone actually carries, and disable it for protocols that do not require it: each enabled protocol makes the FW parse application-layer payloads and open dynamic pinholes for that protocol.
The SIP ASPF/ALG function configured using the detect sip command takes effect only for UDP-based SIP traffic and for TLS-encrypted SIP traffic; for TLS-encrypted SIP, the FW performs SSL decryption before ASPF/ALG processing. It does not cover SIP carried over plain TCP.
For ASPF/ALG on TCP-based SIP traffic, run the detect [ ipv6 ] sip tcp command.
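The syntax and parameter table above fix what a valid detect statement may contain (which protocols exist for IPv4 and IPv6, that activex-blocking and java-blocking take a basic ACL in the 2000 to 2999 range together with a direction, that user-defined always needs an ACL and a direction, and that only sip accepts the tcp suffix). The following linter, added here as an example and not Huawei code, encodes those rules so that detect statements in an exported configuration can be checked offline. The sample configuration is constructed; the ACL range accepted for user-defined (2000 to 3999) is an assumption, since the page does not reproduce the list of ACL types, and it is consistent with the example that uses advanced ACL 3000.

```python
"""Lint interzone 'detect' statements from an exported firewall configuration.

Added example, not vendor code. Accepted forms follow the detect syntax and
parameter table; 'detect [ipv6] sip tcp' follows the SIP note.
"""

IPV4_PROTOCOLS = {"dns", "ftp", "h323", "icq", "ils", "mgcp", "mms", "msn",
                  "netbios", "pptp", "qq", "rsh", "rtsp", "sccp", "sip", "sqlnet"}
IPV6_PROTOCOLS = {"ftp", "sip", "rtsp"}
BLOCKING = {"activex-blocking", "java-blocking"}
DIRECTIONS = {"inbound", "outbound"}
USER_DEFINED_ACL_RANGE = (2000, 3999)  # assumption: basic or advanced ACL


def _acl_in_range(token, lo, hi):
    return token.isdigit() and lo <= int(token) <= hi


def check_detect(line):
    """Return (ok, reason) for one 'detect ...' statement."""
    tokens = line.split()
    if tokens[:1] != ["detect"]:
        return False, "not a detect statement"
    args = tokens[1:]
    if not args:
        return False, "missing protocol"
    head, rest = args[0], args[1:]

    if head == "ipv6":
        if not rest:
            return False, "ipv6 requires a protocol"
        proto, extra = rest[0], rest[1:]
        if proto not in IPV6_PROTOCOLS:
            return False, f"{proto} is not an IPv6 ASPF/ALG protocol"
        if extra and not (extra == ["tcp"] and proto == "sip"):
            return False, f"unexpected arguments {extra}"
        return True, "ipv6 " + " ".join(rest)

    if head in BLOCKING:
        if not rest:
            return True, f"{head} for all traffic"
        if len(rest) != 2:
            return False, f"{head} takes acl-number and direction together"
        acl, direction = rest
        if not _acl_in_range(acl, 2000, 2999):
            return False, f"{head} ACL must be 2000-2999, got {acl}"
        if direction not in DIRECTIONS:
            return False, f"direction must be inbound or outbound, got {direction}"
        return True, f"{head} acl {acl} {direction}"

    if head == "user-defined":
        if len(rest) != 2:
            return False, "user-defined requires acl-number and direction"
        acl, direction = rest
        if not _acl_in_range(acl, *USER_DEFINED_ACL_RANGE):
            return False, f"user-defined ACL out of assumed range, got {acl}"
        if direction not in DIRECTIONS:
            return False, f"direction must be inbound or outbound, got {direction}"
        return True, f"user-defined acl {acl} {direction}"

    if head in IPV4_PROTOCOLS:
        if rest and not (rest == ["tcp"] and head == "sip"):
            return False, f"{head} takes no further arguments"
        return True, " ".join(args)

    return False, f"{head} is not an IPv4 ASPF/ALG protocol"


def lint_config(config_text):
    """Walk a config, tracking the interzone view, and check every detect line."""
    findings = []
    interzone = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("firewall interzone "):
            interzone = line[len("firewall interzone "):]
        elif line == "quit" or line == "#":  # '#' separates config sections
            interzone = None
        elif line.startswith("detect "):
            ok, why = check_detect(line)
            findings.append((interzone, line, ok, why))
    return findings


# Constructed sample configuration: three valid and two invalid statements.
SAMPLE_CONFIG = """\
#
acl number 3000
 rule 5 permit udp destination-port eq 69
#
firewall interzone trust untrust
 detect ftp
 detect user-defined 3000 inbound
 detect sip tcp
 detect ipv6 dns
 detect java-blocking 3001 outbound
#
"""

if __name__ == "__main__":
    for zone, line, ok, why in lint_config(SAMPLE_CONFIG):
        print(f"[{'ok ' if ok else 'BAD'}] interzone {zone}: {line} -> {why}")
```

Run it against a config export to list every detect statement per interzone; the printed list also makes it easy to spot protocols enabled in an interzone that does not carry them.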
# Enable the ASPF/ALG function for the FTP protocol between the Trust and Untrust zones.

```
<sysname> system-view
[sysname] firewall interzone trust untrust
[sysname-interzone-trust-untrust] detect ftp
```
# Configure the user-defined ASPF in the inbound direction of the Trust-Untrust interzone to identify TFTP packets. The TFTP server receives the initial request on UDP port 69, so set the destination port in advanced ACL 3000 to 69; the server then answers from a different, dynamically chosen port, which is why the reply needs the dynamic pinhole that ASPF opens rather than a static policy.

```
<sysname> system-view
[sysname] acl 3000
[sysname-acl-adv-3000] rule permit udp destination-port eq 69
[sysname-acl-adv-3000] quit
[sysname] firewall interzone trust untrust
[sysname-interzone-trust-untrust] detect user-defined 3000 inbound
```
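The TFTP example above works because the user-defined ASPF turns the matched request into a pinhole for the server's reply, which arrives from a port other than 69 (RFC 1350: the server picks a fresh transfer identifier as its source port). The following toy session-table model, added here as an example and not firewall code, replays the exchange through a stateful interzone with and without that pinhole. The addresses, ports, and the exact pinhole shape (server IP to client IP and port, any server source port) are assumptions chosen to illustrate the mechanism; a real ASPF also ages pinholes out and checks the payload, which the model omits.

```python
"""Toy model of why TFTP needs a user-defined ASPF pinhole.

Added example, not vendor code. Trust->Untrust is permitted by policy;
Untrust->Trust is only allowed by an existing session or an ASPF pinhole.
Addresses and ports below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def key(self):
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self):
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class ToyInterzoneFirewall:
    def __init__(self, user_defined_udp_ports=()):
        self.sessions = set()       # exact 5-tuples, both directions
        self.pinholes = []          # (proto, src_ip, dst_ip, dst_port), src_port wildcard
        self.aspf_ports = set(user_defined_udp_ports)  # stands in for ACL 3000

    def forward_outbound(self, pkt):
        """Trust -> Untrust: permitted; create the session and, if the
        user-defined ACL matches, a pinhole for the server's reply."""
        self.sessions.add(pkt.key())
        self.sessions.add(pkt.reverse_key())
        if pkt.proto == "udp" and pkt.dst_port in self.aspf_ports:
            # Scoped pinhole: only the contacted server, only back to the
            # client's request port, any server source port.
            self.pinholes.append((pkt.proto, pkt.dst_ip, pkt.src_ip, pkt.src_port))
        return "permit"

    def forward_inbound(self, pkt):
        """Untrust -> Trust: no policy permits it; session or pinhole only."""
        if pkt.key() in self.sessions:
            return "session"
        for hole in self.pinholes:
            if (pkt.proto, pkt.src_ip, pkt.dst_ip, pkt.dst_port) == hole:
                # Promote the pinhole hit to a session so later packets match exactly.
                self.sessions.add(pkt.key())
                self.sessions.add(pkt.reverse_key())
                return "pinhole"
        return "drop"


def tftp_read(fw, client="10.1.1.10", server="203.0.113.5"):
    """Replay an RRQ and the first two DATA/ACK rounds; return the verdicts."""
    verdicts = {}
    verdicts["RRQ"] = fw.forward_outbound(Packet("udp", client, 40001, server, 69))
    # Server replies from a new transfer identifier (50021), not from port 69.
    verdicts["DATA#1"] = fw.forward_inbound(Packet("udp", server, 50021, client, 40001))
    if verdicts["DATA#1"] == "drop":
        return verdicts  # the client never sees block 1; the transfer stalls
    verdicts["ACK#1"] = fw.forward_outbound(Packet("udp", client, 40001, server, 50021))
    verdicts["DATA#2"] = fw.forward_inbound(Packet("udp", server, 50021, client, 40001))
    # Pinhole scope: the same server aiming at another client port must still drop.
    verdicts["probe"] = fw.forward_inbound(Packet("udp", server, 50022, client, 161))
    return verdicts


if __name__ == "__main__":
    print("without ASPF:", tftp_read(ToyInterzoneFirewall()))
    print("with ASPF   :", tftp_read(ToyInterzoneFirewall(user_defined_udp_ports=[69])))
```

Without the pinhole the server's first DATA packet is dropped because its source port is not the one recorded in the session; with it, the packet is admitted once and then tracked as an ordinary session, while a packet from the same server to any other client port is still dropped.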