Configuring an ASPF

Configuring an ASPF Policy

Follow these steps to configure an ASPF policy:

1. Enter system view.
   Command: system-view

2. Create an ASPF policy and enter its view.
   Command: aspf-policy aspf-policy-number
   Required.

3. Configure the timeout for SYN, FIN, TCP, and UDP sessions.
   Command: aging-time { syn | fin | tcp | udp } seconds
   Optional. The defaults are as follows: 30 seconds for SYN; 5 seconds for FIN; 3,600 seconds for TCP; and 30 seconds for UDP.

4. Configure ASPF detection for application layer and transport layer protocols.
   Command: detect protocol [ java-blocking acl-number ] [ aging-time seconds ]
   Optional. The default timeouts are as follows: 3,600 seconds for application layer protocols; 3,600 seconds for TCP; and 30 seconds for UDP.

■ If you enable TCP or UDP detection without configuring application layer protocol detection, some packets may fail to get a response. Therefore, it is recommended that you enable application layer protocol detection together with TCP/UDP detection.
■ In the case of a Telnet application, you only need to configure TCP detection.
■ The timeout value specified in the detect command takes precedence over that specified in the aging-time command.

Applying an ASPF Policy to an Interface

Two concepts are distinguished in an ASPF policy: the internal interface and the external interface. If the device is connected to both the internal network and the Internet, and employs ASPF to protect the internal network server, the interface connected to the internal network is the internal interface and the one connected to the Internet is the external interface. When both ASPF and a packet filter firewall are applied to the external interface, accesses to the internal network from the Internet will be denied. Yet, the response packets can pass ASPF when internal network users access the Internet.

To monitor the traffic through an interface, you must apply the configured ASPF policy to that interface.

Because ASPF stores and maintains the application layer protocol status per interface, make sure that a connection initiation packet and the corresponding return packet are based on the same interface.

Follow these steps to apply an ASPF policy on an interface:

1. Enable the firewall function.
   Command: firewall enable
   Required. Disabled by default.
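As an added example (not taken from the manual), the policy configuration steps above typed on the device CLI. The device name, prompts and policy number 1 are constructed, and it is assumed that ftp and http are among the application layer protocols the detect command accepts on this platform.

```text
# Constructed session; prompts and policy number are not from the manual.
<Device> system-view
[Device] firewall enable
[Device] aspf-policy 1
# Shorten the half-open (SYN) timeout from its 30 second default; FIN, TCP
# and UDP keep their defaults (5 s, 3,600 s, 30 s) unless set here.
[Device-aspf-policy-1] aging-time syn 20
# Application layer detection (ftp, http assumed supported) together with
# TCP/UDP detection, as recommended; Telnet would need only detect tcp.
# The aging-time given on detect overrides the aging-time command above,
# so FTP sessions age out after 600 s and other TCP sessions after 1,800 s.
[Device-aspf-policy-1] detect ftp aging-time 600
[Device-aspf-policy-1] detect http
[Device-aspf-policy-1] detect tcp aging-time 1800
[Device-aspf-policy-1] detect udp
[Device-aspf-policy-1] quit
```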