AppRF is an application visibility and control feature and was introduced in ArubaOS 6.4.2. AppRF performs deep packet inspection (DPI) of local traffic and detects over 1500 applications on the network. AppRF allows you to configure both application and application category policies within a given user role.
|
|
The AppRF dashboard application visibility feature is supported only in 7000 Series and 7200 Series controllers, and requires the PEF-NG license. |
Since many applications are moving to the web and because the content in the web is so dynamic, ArubaOS introduces web content control through the Web Content Classification (WebCC) feature. WebCC uses a cloud-based service to dynamically determine the types of websites being visited, and their safety.
In the WebUI, the AppRF dashboard contains the following two pages as shown in Figure 1:
| | —The All Traffic page displays the summary of all traffic in the controller. This is the default page. For more details, see All Traffic . |
| | —The Web Content page link include the percentage of all traffic in parenthesis. The Web Content page displays the summary of only the web traffic in the controller. For more details, see Web Content Classification. |
Figure 1 All Traffic and Web Content Page Options
The page on the > page displays the PEF summary of all the sessions in the controller aggregated by users, devices, destinations, applications, WLANs, and roles.The applications, application categories, and other containers are represented in box charts instead of pie charts.
Enable DPI to enhance the benefit of the existing visualization or dashboard, To enable DPI, see the Enabling Deep Packet Inspection (DPI) section.
To view the AppRF dashboard in the WebUI:
| 1. | Navigate to the page. |
| 2. | Click on the link to enable firewall visibility. To disable, click the link at the bottom the page. |
You will see a screen similar to the following figure.
Figure 2 AppRF- All Traffic Page
The Action bar displays the total traffic depending on the filters applied, allows the user to configure per Application, per Role, and Global Policy, and includes Action buttons namely, Block/Unblock, Throttle, and QoS.
Figure 3 Action Bar
You can click on any rectangle tile in a container and that filter is applied across all the containers.
For example: If you click on the rectangle in the container, Application Categories == Web filter is applied to all other containers (Roles, WLANs, Application, Destination and Devices). See the following figure.
Figure 4 Single Filter Applied
You can apply multiple filters from different containers by clicking on muliple rectangle tiles in various containers.
For example: If you click on the rectangle in the container and the rectangle under , the remaining containers (Roles, WLANs, Destination and Devices) will be filtered on Application categories == web and Application == https. See the following figure.
Figure 5 Multiple Filters Applied
The action bar reflects the total traffic based on the filter applied. For example, see Figure 6 and Figure 7.
Figure 6 Total traffic with Web Filter
Figure 7 Total traffic with Web and https Filter
|
|
The action buttons are disabled if the applied filter contains anything apart from Role and Application or Role and Application category. |
To remove filters, click on in the container that filter is removed across all the containers.
Clicking on navigates you to the corresponding details page with data filtered by all selected rectangle when a filter is applied, The link changes to in that container. See Figure 8 and Figure 9
|
|
In the rectangle tile, indicates the traffic initiated by wired users and traffic from uplink ports. |
Figure 9 User filtered by <filter>
Clicking on or shows the user table, See Figure 10 and Figure 11.
Figure 11 User filtered by <filter>- Details View
The pop-up window that is displayed for block/unblock, throttle, or QoS depends on the filters applied..
Upon clicking , the corresponding CLI commands are executed and the pop-up window closes retaining the filters in the AppRF main page. When filters are not applied, all the pop-up windows allow the user to configure global or per –role configuration.
The following table shows the pop-up window with respect to the Action button and the filter applied:
Table 1: Pop-up Window with Respect to the Action Button and the Filter Applied
| Action Button | Filter | Config Level |
|---|---|---|
|
Block/Throttle/QoS |
Non-application/role ex: WLANS |
No pop-up |
|
Block |
No Filters |
Global and per role |
| Block | Application | Global |
| Block | Application Category | Global |
| Block | Application and Role | Global and per role |
| Block | Application category and Role | Global and per role |
| Throttle | No | Global and per role |
| Throttle | Application | Global |
| Throttle | Application Category | Global |
| Throttle | Application and Role | Global and per role |
| Throttle | Application category and Role | Global and per role |
| QoS | Application | Global |
| QoS | Application Category | Global |
This button allows you to permit/deny an application or an application category for a given role. You can create global and per-role rules.
For example, you can block the YouTube application,which belongs to the Streaming application category for the guest role within the enterprise.
| 1. | Click on on the Action bar. |
|
|
The button changes to the button if a filter is applied. The pop-up window appears based on the filters applied is shown in Table 1. Click on . allows only permit action and priority setting. |
| 2. | To create a new Global rule: |
| a. | Click on the tab, the following pop-up window appears: |
Figure 12 Global Policy Tab
| b. | Click on The following pop-up window appears: |
Figure 13 New Rule Pop-up Window
| c. | Select an , , , and . |
| 3. | To create a new per-role rule: |
| a. | Click on the tab, the following pop-up window appears: |
Figure 14 Per-role Policies Tab
| b. | Select a role from the list, or click on below the role pane to create a new role and select the newly created role. |
| c. | Select a policy from the list, or click on below they policy pane to create a new policy and select the newly created policy. |
| d. | Select an , , , and |
| 4. | Click on |
This button allows you to limit the bandwidth usage of an application or an application category on a given role. So, you can set the upstream limit and downstream limit for an application or an application category on a given role.
For example, you can rate limit applications video streaming applications like YouTube, Netflix.
You can also view the bandwidth contract table and create a new bandwidth contract.See the following figure.
Figure 15 Throttle Application and New Bandwidth Contract
This button allows you to set the priority for a given application or an application category on a given role. For example, you can set the video/voice sessions originating from wireless users with a different priority to that of other web applications so that traffic would be prioritized accordingly in the your network.
Figure 16 QoS for Application Category Streaming
Many applications are moving to the web and web being so dynamic in nature, ArubaOS 6.4.2.0 introduces web content control through the Web Content Classification (WebCC) feature. WebCC uses a cloud-based service to dynamically determine the types of websites being visited, and their safety.
|
|
This feature is available for all customers with a PEF license to use during an early preview period. Eventually, Aruba intends to license this feature as an annual subscription. License enforcement timeline and pricing information will be made available once the SKUs and prices are finalized. |
The implementation of WebCC feature can be viewed on this new web page.
When the WebCC feature is enabled, all web traffic (http and https) is classified. The classification is done in data path as the traffic flows through the controller and updates dynamically.
Aruba has partnered with Webroot®, and uses the Webroot's URL database and the cloud look-up service to classify the web traffic. Aruba uses Webroot classified categories and score for web categories and reputation for WebCC.
The current policy enforcement model in Aruba relies on L3/L4 information of the packet or L7 information with Deep Packet Inspection (DPI) support to apply rules. WebCC complements this as the user is allowed to apply firewall policies based on web content category and reputation.
Benefits of WebCC:
| 1. | Prevention of malicious malware, spyware, or adware by blocking known dangerous websites |
| 2. | Visibility into web content category-level |
| 3. | Visibility into web sites accessed by the user |
To view the web content page from the WebUI, navigate to > . Click on tab. The following figure shows the Web Content page.
Figure 17 Web Contents Page
The web content page includes the following containers:
| | This chart shows traffic for web categories in tree chart presentation. All boxes in this chart is click-able. Clicking on a box filters rest of page data with the clicked web category as filter, and this chart is locked until the filter is removed by clicking on . For example, see the following figure. |
Figure 18 Filter by Web Category
| | This chart shows the for Roles using the web traffic in tree chart presentation. All role boxes are In this chart is click-able. Clicking on box filters rest of page data with the clicked Role as filter, and this chart is locked until the filter is removed by clicking on . For example, see the following figure. |
Figure 19 Filter by Role
| | The reputation traffic light chart shows the percentage of traffic based on reputation or score of web traffic in the controller. The reputation levels are Trustworthy, Low-Risk, Moderate-Risk, Suspicious, and High-Risk. If there is no traffic on a specific reputation, then the corresponding reputation does not appear in the chart. The circles in this chart are click-able. Clicking on circle filters rest of page data with the selected reputation as filter and this chart is locked until the filter is removed by clicking on . For example, see the following figure. |
Figure 20 Filter by Reputation
| | : A drop-down at the extreme right of reputation traffic lights allows selecting the category view. The view options are Top 9 and Top 6. Top 9 is the default view and displays predefined set of categories that need to be listed in categories by reputation chart. This also list the top 6 or top 9 categories based on traffic usage. The list updates automatically when filters are applied. The following figure shows an for Top 9 category view with reputation chart. |
Figure 21 Category View- Top 9
| | Click on the web category link above the Category view chart to display the details table as shown in the following figure. |
Figure 22 Category Views and Details
The details table of the selected web category includes the following four columns:
| | : Lists the website |
| | : Reputation score of the website with image presentation |
| | : Traffic of the website in total traffic of the selected category |
| | : The number of users using that website |
| | Click on the number in the column in the details table as shown in the following figure: |
Figure 23 User Table
The user table includes the following columns:
| | : Lists the users of the website |
| | : Traffic of the user on the website |
Web content tree chart filter behaves in the same way described in Filters. Filters can be applied to Web Categories, Roles, and Reputation containers.
Following are the properties of container filters:
| | Clicking on any box in the tree chart or reputation traffic light chart will update whole page with the selected box as filter. |
| | On clicking, the tree chart will freeze that chart and update rest of the page. |
| | Filter will be applied only to non-freeze chart. |
| | Reputation chart color won’t change upon selection. |
The following figure shows an example with multiple filters:
Figure 24 Multiple Filters
Configurations of policies from web content dashboard can be done with the help of the following Block/Unblock, Throttle, and QoS Action Buttons. These buttons behave the same way as described in Block/Unblock, Throttle, and QoS Action Buttons.
To permit or deny a rule for global policy or per-role policies for a web category, role, or reputation. To apply a policy, click on a on a web category, role, reputation, or a combination of these three container and click block. Click . For example, the following two figures show applying a policy on web category filter and on Role + Category + Reputation filter:
Figure 25 Policy on Web Category Filter
Figure 26 Policy on Web Category + Reputation + Role Filter
To apply bandwidth contract for a web category, role, or reputation. For example, the following figure shows the throttle applied to a category filter:
Figure 27 Throttle on Category Filter
When multiple bandwidth contracts exist, the precedence is as follows:
| | WebCC Global bandwidth contract |
| | Application bandwidth exception List |
| | Application Category bandwidth exception List |
| | App bandwidth contract |
| | Application Category bandwidth contract |
| | Web category bandwidth contract |
| | Web reputation bandwidth contract |
| | User bandwidth contract |
To set the priority of the web category and reputation. For example, the following figure shows QoS on category and reputation filter:
Figure 28 QoS on Web Category + Reputation Filter
Additionally rules can be added in any of the following combination:
| | Rules for Web category only |
| | Rules for Reputation only |
| | Rules for Web Category and Web Reputation combination |
Use the following command to enable WebCC using the CLI:
(host) (config) #firewall web-cc
Use the following command to configure WebCC per-role using the CLI:
(host) (config-role) #web-cc
The new CLI extends the existing policy configuration to take web category or reputation or both. Use the following command to configure a new policy to create ACL rule with web category and reputation:
(host) (config-sess-acl) #source destination proto-port/service/app/app-group <name> webcc-category <ctgry> webcc-reputation <score> action [log | mirror | time-range]
The following actions are supported when web category/reputation is selected:
| | Deny |
| | Permit |
| | Blacklist |
| | Classify-media |
| | Disable-scanning |
| | Dot1q-priority |
| | Log |
| | Mirror |
| | Queue |
| | Time-range |
| | TOS |
Example for WebCC policy configuration is as follows:
ip access-list session url-filter
any any web-cc-category educational-institutions permit
any any web-cc-reputation suspicious deny
any any any deny
Assuming that webcc categorization was done only for http traffic running on TCP 80, the above ACL is converted as follows in datapath for pre-classification ACL scan:
ip access-list session url-filter
any any tcp {80} permit
any any tcp {80} deny
any any any deny
Post-classification, ACL look-up will have the ACL as follows:
ip access-list session url-filter
any any tcp {80} WebCCCtgID 40 WebCCRep 1-100 permit
any any tcp {80} WebCCRep 1-100 deny
any any any deny
In case there exists an ACL rule to deny/permit a specific web category but is required to make an exception to allow/deny a specific URL or website, then this can be accomplished by configuring in the following manner:
| 1. | First define a netdestination with one or more URLs to whitelist or blacklist |
(config) #netdestination search
(config-dest) #name www.google.com
(config-dest) #name www.bing.com
(config-dest) #exit
| 2. | Apply this netdestination to an ACL |
(config) #ip access-list session whitelist
(config-sess-whitelist)#any alias search tcp 80 permit
(config-sess-whitelist)#any alias search tcp 443 permit
| 3. | Apply this ACL to an user-role. The position of this ACL should be at the top. However, with global or role-specific default ACLs this wouldn’t be possible. |
(config) #user-role guest2
(config-role) #access-list session whitelist
|
|
If there a web-cc/app rule that is applicable globally across user-roles, then there is no way to override such behavior. This is a limitation. |
With this feature, ArubaOS supports configuring WebCC category and reputation based bandwidth contract configuration/enforcement. This can be enforced globally for all user-roles, or can be enforced per user-role.
Use the following command to apply global WebCC based bandwidth contracts using the CLI:
(host) (config) #web-cc global-bandwidth-contract webcc-category/webcc-reputation <name> upstream/downstream mbits/kbits <value>
Use the following command to apply AAA bandwidth contracts using the CLI:
(host) (config) #aaa bandwidth-contract webcc mbits <value>
Use the following command to apply role-specific web-cc based bandwidth contracts using the CLI:
(host) (config) #user-role webcc
(host) (config-role) #bw-contract webcc-category/webcc-reputation <name> <contract> upstream/downstream
The following commands are introduced as part of this feature:
| | : Displays all WebCC categories |
| | Displays WebCC reputation |
| | Displays the statistics of WebCC module in CP |
| | Display the status of Web-CC module in CP |
| | Displays configured WebCC bandwidth contract |
| | Displays md5, web category, reputation, and age for each URL |
| | Displays the number of URLs in cache, Classified and Unclassified sessions. |
| | Displays Internal Flags, Pre Classification ACE Index, and Post Classification ACE Index |
| | : Lists md5, Category, and Reputation for each URL. GSM entries are populated as and when URL cache entry is learned, and it is used for reporting the actual URLs being associated with user session entries. |
The following command are introduced as part of this feature:
| | : Clears the WebCC cache entry from both data plane and GSM. |
| | : Clears all WebCC statistics. |
| | : Clears configuration values and statistics in the WebCC datapath module. |
PhoneHome-Lite is an HTTPS-based tracking tool used to monitor WebCC feature usage on each controller. Aruba controllers communicate with Activate servers over a secure HTTPS SSL layer through the PhoneHome infrastructure to send information about which users have enabled WebCC. This usage data can then be analyzed to determine the scope of future WebCC feature licensing.
You can enable this feature using the controller's WebUI or CLI.
To enable PhoneHome-Lite in the WebUI:
| 1. | Navigate to . |
| 2. | In the tab, check the check box. |
On enabling web-cc, the web-cc feature usage information will be sent to Aruba at every 7 days interval.
| 3. | Click . |
To enable PhoneHome-Lite using the CLI:
(host) (config) #firewall web-cc
You can also view the WebCC configuration using the following command:
(host) (config) #show firewall
Global firewall policies
------------------------
Policy Action Rate Port
------ ------ ---- ----
Enforce TCP handshake before allowing data Disabled
Prohibit RST replay attack Disabled
.....
....