The detect ftp exclude command enables ASPF/ALG for FTP in a zone or between zones and configures the device not to implement ASPF/ALG processing for FTP traffic matching a specific ACL.
The undo detect ftp exclude command configures the device to implement ASPF/ALG processing for FTP traffic again.
| Parameter | Description | Value |
|---|---|---|
| exclude | Frees specific traffic from being processed by ASPF/ALG. | - |
| acl acl-number | Specifies an IPv4 advanced ACL. | The value is an integer ranging from 3000 to 3999. |
By default, when ASPF/ALG for FTP is enabled, ASPF/ALG processing is implemented for all FTP traffic.
In specific scenarios, to free the FTP traffic matching specific rules from being processed by ASPF/ALG, create an advanced ACL and then run the detect ftp exclude acl acl-number command to reference the ACL.
If the traffic needs to be processed by ASPF/ALG again, run the undo detect ftp exclude acl command to cancel the ACL reference.
Before running the detect ftp exclude acl acl-number command again, run the undo detect ftp exclude acl command to cancel the previous reference.
A referenced ACL can be modified but cannot be deleted. A modification to the ACL takes effect only for traffic of newly created sessions, not for traffic of existing sessions.
Both the detect ftp exclude acl acl-number and firewall detect ftp exclude acl acl-number commands can be used to free FTP traffic matching a specific ACL from being processed by ASPF/ALG. The former command configuration takes effect within a zone or between zones, whereas the latter command configuration takes effect globally. If both commands are run, the detect ftp exclude acl acl-number command configuration takes effect.
# Enable ASPF/ALG for FTP between the Trust and Untrust zones and configure the device not to implement ASPF/ALG processing for traffic with source address 10.1.1.1 and destination address 10.2.1.1.
```
<sysname> system-view
[sysname] acl 3001
[sysname-acl-adv-3001] rule permit tcp source 10.1.1.1 0.0.0.255 destination 10.2.1.1 0.0.0.255
[sysname-acl-adv-3001] quit
[sysname] firewall interzone trust untrust
[sysname-interzone-trust-untrust] detect ftp exclude acl 3001
```
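The following Python model is an added illustration, not VRP code and not part of this reference page. It reproduces the decision rules stated above for a given FTP flow: an interzone detect ftp exclude acl reference takes precedence over the global firewall detect ftp exclude acl reference, a flow is freed from ASPF/ALG only when the referenced advanced ACL (3000 to 3999) permits it, and a session keeps the decision made when it was created even if the ACL is modified afterwards. The model also makes the wildcard-mask semantics of the page's own example visible: with a wildcard of 0.0.0.255, the rule matches the whole 10.1.1.0/24 and 10.2.1.0/24 ranges, not only the two hosts 10.1.1.1 and 10.2.1.1. The class and function names, the assumption that a zone pair is direction-independent, and the assumption that an ACL with no matching rule does not exclude the flow are modelling choices made here.

```python
"""Model of how 'detect ftp exclude acl' decides whether FTP ASPF/ALG applies.
Constructed illustration with hypothetical names; not the device's own code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def is_advanced_acl_number(number: int) -> bool:
    """detect ftp exclude accepts only IPv4 advanced ACLs, numbered 3000-3999."""
    return 3000 <= number <= 3999


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Wildcard compare: bits that are 1 in the mask are 'don't care',
    so base 10.1.1.1 with wildcard 0.0.0.255 matches all of 10.1.1.0/24."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    """One advanced-ACL rule: 'rule permit tcp source A W destination B W'."""
    action: str          # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str = "tcp"


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not is_advanced_acl_number(self.number):
            raise ValueError(f"ACL {self.number}: must be an advanced ACL (3000-3999)")

    def permits(self, flow: Flow) -> bool:
        """First matching rule decides; no match means the flow is not excluded
        (modelling assumption)."""
        for r in self.rules:
            if (r.proto == flow.proto
                    and wildcard_match(flow.src, r.src, r.src_wild)
                    and wildcard_match(flow.dst, r.dst, r.dst_wild)):
                return r.action == "permit"
        return False


@dataclass
class Device:
    acls: Dict[int, Acl]
    global_exclude: Optional[int] = None          # firewall detect ftp exclude acl N
    interzone_exclude: Dict[tuple, int] = field(default_factory=dict)  # detect ftp exclude acl N
    sessions: Dict[tuple, bool] = field(default_factory=dict)          # decision cached per session

    @staticmethod
    def _pair(zone_a: str, zone_b: str) -> tuple:
        # Assumption: an interzone covers traffic in both directions.
        return tuple(sorted((zone_a, zone_b)))

    def set_interzone_exclude(self, zone_a: str, zone_b: str, acl_number: int) -> None:
        pair = self._pair(zone_a, zone_b)
        if pair in self.interzone_exclude:
            raise RuntimeError("run 'undo detect ftp exclude acl' before referencing another ACL")
        if acl_number not in self.acls:
            raise KeyError(f"ACL {acl_number} does not exist")
        self.interzone_exclude[pair] = acl_number

    def ftp_alg_applies(self, zone_a: str, zone_b: str, flow: Flow) -> bool:
        """True when ASPF/ALG processes the flow, False when the ACL frees it."""
        key = (self._pair(zone_a, zone_b), flow)
        if key in self.sessions:
            return self.sessions[key]  # existing session keeps its original decision
        # The interzone reference wins over the global one when both exist.
        acl_number = self.interzone_exclude.get(key[0], self.global_exclude)
        applies = acl_number is None or not self.acls[acl_number].permits(flow)
        self.sessions[key] = applies
        return applies


def build_example_device() -> Device:
    """The page's example: ACL 3001 referenced between the Trust and Untrust zones."""
    acl = Acl(3001, [Rule("permit", "10.1.1.1", "0.0.0.255", "10.2.1.1", "0.0.0.255")])
    dev = Device(acls={3001: acl})
    dev.set_interzone_exclude("trust", "untrust", 3001)
    return dev


if __name__ == "__main__":
    dev = build_example_device()
    for f in (Flow("10.1.1.1", "10.2.1.1"), Flow("10.1.1.77", "10.2.1.9"), Flow("10.3.1.1", "10.2.1.1")):
        print(f"{f.src} -> {f.dst}: ASPF/ALG applied = {dev.ftp_alg_applies('trust', 'untrust', f)}")
```

Running the block shows the second flow, 10.1.1.77 to 10.2.1.9, is also freed from ASPF/ALG even though the example's description names only 10.1.1.1 and 10.2.1.1; use a wildcard of 0.0.0.0 when the intent is to exclude exactly one host pair.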