AppRF

AppRF is an application visibility and control feature and was introduced in ArubaOS 6.4.2. AppRF performs deep packet inspection (DPI) of local traffic and detects over 1500 applications on the network. AppRF allows you to configure both application and application category policies within a given user role.

 

The AppRF dashboard application visibility feature is supported only in 7000 Series and 7200 Series controllers, and requires the PEF-NG license.

Since many applications are moving to the web and because the content in the web is so dynamic, ArubaOS introduces web content control through the Web Content Classification (WebCC) feature. WebCC uses a cloud-based service to dynamically determine the types of websites being visited, and their safety.

In the WebUI, the AppRF dashboard contains the following two pages as shown in Figure 1:

All Traffic—The All Traffic page displays the summary of all traffic in the controller. This is the default page. For more details, see All Traffic.
Web Content—The Web Content page link includes the percentage of all traffic in parentheses. The Web Content page displays the summary of only the web traffic in the controller. For more details, see Web Content Classification.

Figure 1  All Traffic and Web Content Page Options

All Traffic

The All Traffic page on the Dashboard > AppRF page displays the PEF summary of all the sessions in the controller, aggregated by users, devices, destinations, applications, WLANs, and roles. The applications, application categories, and other containers are represented in box charts instead of pie charts.

Enable DPI to get the full benefit of the existing visualization in the dashboard. To enable DPI, see the Enabling Deep Packet Inspection (DPI) section.

To view the AppRF dashboard in the WebUI:

1. Navigate to the Dashboard > AppRF page.
2. Click the To enable this feature, click here link to enable firewall visibility. To disable it, click the Disable Firewall Visibility link at the bottom of the page.

You will see a screen similar to the following figure.

Figure 2  AppRF- All Traffic Page

Action Bar

The Action bar displays the total traffic for the filters applied, allows the user to configure per-Application, per-Role, and Global policies, and includes the Action buttons, namely Block/Unblock, Throttle, and QoS.

Figure 3  Action Bar

Filters

You can click on any rectangle tile in a container and that filter is applied across all the containers.

For example: If you click on the Web rectangle in the Application Categories container, Application Categories == Web filter is applied to all other containers (Roles, WLANs, Application, Destination and Devices). See the following figure.

Figure 4  Single Filter Applied

You can apply multiple filters from different containers by clicking on multiple rectangle tiles in various containers.

For example: If you click on the Web rectangle in the Application Categories container and the https rectangle under Application, the remaining containers (Roles, WLANs, Destination and Devices) will be filtered on Application categories == web and Application == https. See the following figure.

Figure 5  Multiple Filters Applied

The action bar reflects the total traffic based on the filter applied. For example, see Figure 6 and Figure 7.

Figure 6  Total traffic with Web Filter

Figure 7  Total traffic with Web and https Filter

 

The action buttons are disabled if the applied filter contains anything apart from Role and Application or Role and Application category.

To remove a filter, click on Remove filter in the container; the filter is then removed across all the containers.

Details

Clicking on Details navigates you to the corresponding details page, with the data filtered by all selected rectangles. When a filter is applied, the Details link in that container changes to User filtered by <filter>. See Figure 8 and Figure 9.

 

In the WLANs rectangle tile, wired indicates the traffic initiated by wired users and traffic from uplink ports.

Figure 8  Details

Figure 9  User filtered by <filter>

Clicking on Details or User filtered by <filter> shows the user table. See Figure 10 and Figure 11.

 

Figure 10  Details View

Figure 11  User filtered by <filter>- Details View

Block/Unblock, Throttle, and QoS Action Buttons

The pop-up window that is displayed for Block/Unblock, Throttle, or QoS depends on the filters applied.

Upon clicking OK, the corresponding CLI commands are executed and the pop-up window closes, retaining the filters in the AppRF main page. When no filters are applied, all the pop-up windows allow the user to configure global or per-role configuration.

The following table shows the pop-up window with respect to the Action button and the filter applied:

Table 1: Pop-up Window with Respect to the Action Button and the Filter Applied

Action Button        Filter                            Config Level
-------------        ------                            ------------
Block/Throttle/QoS   Non-application/role (ex: WLANs)  No pop-up
Block                No Filters                        Global and per role
Block                Application                       Global
Block                Application Category              Global
Block                Application and Role              Global and per role
Block                Application Category and Role     Global and per role
Throttle             No Filters                        Global and per role
Throttle             Application                       Global
Throttle             Application Category              Global
Throttle             Application and Role              Global and per role
Throttle             Application Category and Role     Global and per role
QoS                  Application                       Global
QoS                  Application Category              Global

Block/Unblock

This button allows you to permit/deny an application or an application category for a given role. You can create global and per-role rules.

For example, you can block the YouTube application, which belongs to the Streaming application category, for the guest role within the enterprise.

Applying a New Rule Using AppRF

1. Click on Block/Unblock on the Action bar.

 

The Block/Unblock button changes to the Block button if a filter is applied. The pop-up window that appears depends on the filters applied, as shown in Table 1. Click on Show policy tables. Block allows only the permit action and priority setting.

2. To create a new Global rule:
a. Click on the Global Policy tab. The following pop-up window appears:

Figure 12  Global Policy Tab

b. Click on New. The following pop-up window appears:

Figure 13  New Rule Pop-up Window

c. Select an Application category, Application, Action, and Priority.
3. To create a new per-role rule:
a. Click on the Per-role policies tab. The following pop-up window appears:

Figure 14  Per-role Policies Tab

b. Select a role from the list, or click on New below the role pane to create a new role and then select the newly created role.
c. Select a policy from the list, or click on New below the policy pane to create a new policy and then select the newly created policy.
d. Select an Application category, Application, Action, and Priority from the New Rule pop-up window, as shown in Figure 13.
4. Click on OK.

Throttle

This button allows you to limit the bandwidth usage of an application or an application category for a given role. You can set the upstream limit and the downstream limit for an application or an application category for a given role.

For example, you can rate-limit video streaming applications such as YouTube and Netflix.

You can also view the bandwidth contract table and create a new bandwidth contract. See the following figure.

Figure 15  Throttle Application and New Bandwidth Contract

QoS

This button allows you to set the priority for a given application or application category for a given role. For example, you can give the video and voice sessions originating from wireless users a different priority from that of other web applications, so that the traffic is prioritized accordingly in your network.

Figure 16  QoS for Application Category Streaming

Web Content Classification

Since many applications are moving to the web, and web content is so dynamic in nature, ArubaOS 6.4.2.0 introduces web content control through the Web Content Classification (WebCC) feature. WebCC uses a cloud-based service to dynamically determine the types of websites being visited, and their safety.

 

This feature is available for all customers with a PEF license to use during an early preview period. Eventually, Aruba intends to license this feature as an annual subscription. License enforcement timeline and pricing information will be made available once the SKUs and prices are finalized.

The WebCC feature is presented on the new Web Content page.

When the WebCC feature is enabled, all web traffic (http and https) is classified. The classification is done in the datapath as the traffic flows through the controller, and it updates dynamically.

Aruba has partnered with Webroot®, and uses Webroot's URL database and cloud look-up service to classify web traffic. WebCC uses the categories and scores assigned by Webroot as its web categories and reputation.

The current policy enforcement model in Aruba relies on L3/L4 information of the packet or L7 information with Deep Packet Inspection (DPI) support to apply rules. WebCC complements this as the user is allowed to apply firewall policies based on web content category and reputation.

Benefits of WebCC:

1. Prevention of malware, spyware, or adware by blocking known dangerous websites
2. Visibility into web content category-level
3. Visibility into web sites accessed by the user

To view the Web Content page from the WebUI, navigate to Dashboard > AppRF and click on the Web Content tab. The following figure shows the Web Content page.

Figure 17  Web Contents Page

The web content page includes the following containers:

Web Categories: This chart shows the traffic for web categories in a tree chart presentation. All boxes in this chart are clickable. Clicking on a box filters the rest of the page data with the clicked web category as the filter, and this chart is locked until the filter is removed by clicking on Remove filter on <web category>. For example, see the following figure.

Figure 18  Filter by Web Category

Roles: This chart shows the roles using the web traffic in a tree chart presentation. All role boxes in this chart are clickable. Clicking on a box filters the rest of the page data with the clicked role as the filter, and this chart is locked until the filter is removed by clicking on Remove filter on <role name>. For example, see the following figure.

Figure 19  Filter by Role

All traffic by Reputation: The reputation traffic light chart shows the percentage of traffic based on the reputation or score of the web traffic in the controller. The reputation levels are Trustworthy, Low-Risk, Moderate-Risk, Suspicious, and High-Risk. If there is no traffic for a specific reputation, that reputation does not appear in the chart. The circles in this chart are clickable. Clicking on a circle filters the rest of the page data with the selected reputation as the filter, and this chart is locked until the filter is removed by clicking on Remove filter on <reputation>. For example, see the following figure.

Figure 20  Filter by Reputation

Category Views: A drop-down at the extreme right of the reputation traffic lights allows you to select the category view. The view options are Top 9 and Top 6. Top 9 is the default view and displays the predefined set of categories that are listed in the categories-by-reputation chart. This also lists the top 6 or top 9 categories based on traffic usage. The list updates automatically when filters are applied. The following figure shows an example of the Top 9 category view with the reputation chart.

 

Figure 21   Category View- Top 9

Details Table: Click on the web category link above the Category view chart to display the details table as shown in the following figure.

Figure 22  Category Views and Details

The details table of the selected web category includes the following four columns:

Website: Lists the website
Risk: Reputation score of the website with image presentation
Traffic: Traffic of the website in total traffic of the selected category
User: The number of users using that website

User Table: Click on the number in the User column in the details table, as shown in the following figure:

Figure 23  User Table

The user table includes the following columns:

User: Lists the users of the website
Traffic: Traffic of the user on the website

Web Content Filters

The web content tree chart filters behave in the same way as described in Filters. Filters can be applied to the Web Categories, Roles, and Reputation containers.

Following are the properties of container filters:

Clicking on any box in the tree chart or reputation traffic light chart updates the whole page with the selected box as the filter.
Clicking on a box freezes that chart and updates the rest of the page.
Filters are applied only to charts that are not frozen.
The reputation chart colors do not change upon selection.

The following figure shows an example with multiple filters:

Figure 24  Multiple Filters

WebCC Configuration in the WebUI

Policies can be configured from the Web Content dashboard using the Block/Unblock, Throttle, and QoS Action buttons. These buttons behave the same way as described in Block/Unblock, Throttle, and QoS Action Buttons.

Block / Unblock

Permits or denies a rule in the global policy or per-role policies for a web category, role, or reputation. To apply a policy, click on a web category, role, reputation, or a combination of these three containers, click Block, and then click OK. For example, the following two figures show a policy applied on a Web Category filter and on a Role + Category + Reputation filter:

Figure 25  Policy on Web Category Filter

Figure 26  Policy on Web Category + Reputation + Role Filter

Throttle

Applies a bandwidth contract for a web category, role, or reputation. For example, the following figure shows a throttle applied to a category filter:

Figure 27  Throttle on Category Filter

When multiple bandwidth contracts exist, the precedence is as follows:

WebCC Global bandwidth contract
Application bandwidth exception List
Application Category bandwidth exception List
App bandwidth contract
Application Category bandwidth contract
Web category bandwidth contract
Web reputation bandwidth contract
User bandwidth contract

QoS

Sets the priority for a web category and reputation. For example, the following figure shows QoS on a category and reputation filter:

Figure 28  QoS on Web Category + Reputation Filter

Additionally, rules can be added in any of the following combinations:

Rules for Web category only
Rules for Reputation only
Rules for Web Category and Web Reputation combination

WebCC Configuration in the CLI

Enabling WebCC

Use the following command to enable WebCC using the CLI:

(host) (config) #firewall web-cc

Use the following command to configure WebCC per-role using the CLI:

(host) (config-role) #web-cc

New policy configuration

The new CLI extends the existing policy configuration to take a web category, a reputation, or both. Use the following command to create an ACL rule with a web category and reputation:

(host) (config-sess-acl) #source destination proto-port/service/app/app-group <name> webcc-category <ctgry> webcc-reputation <score> action [log | mirror | time-range]

The following actions are supported when web category/reputation is selected:

Deny
Permit
Blacklist
Classify-media
Disable-scanning
Dot1q-priority
Log
Mirror
Queue
Time-range
TOS

An example WebCC policy configuration is as follows:

ip access-list session url-filter
any any web-cc-category educational-institutions permit
any any web-cc-reputation suspicious deny
any any any deny

Assuming that WebCC categorization is done only for HTTP traffic on TCP 80, the above ACL is converted as follows in the datapath for the pre-classification ACL scan:

ip access-list session url-filter
any any tcp {80} permit
any any tcp {80} deny
any any any deny

Post-classification, the ACL look-up uses the ACL in the following form:

ip access-list session url-filter
any any tcp {80} WebCCCtgID 40 WebCCRep 1-100 permit
any any tcp {80} WebCCRep 1-100 deny
any any any deny

If an ACL rule denies or permits a specific web category, but an exception is required to allow or deny a specific URL or website, configure the exception as follows:

1. First, define a netdestination with one or more URLs to whitelist or blacklist:

(config) #netdestination search
(config-dest) #name www.google.com
(config-dest) #name www.bing.com
(config-dest) #exit

2. Apply this netdestination to an ACL:

(config) #ip access-list session whitelist
(config-sess-whitelist)#any alias search tcp 80 permit
(config-sess-whitelist)#any alias search tcp 443 permit

3. Apply this ACL to a user role. This ACL must be positioned at the top of the role's ACL list. However, with global or role-specific default ACLs this would not be possible.

(config) #user-role guest2
(config-role) #access-list session whitelist

 

If there is a web-cc/app rule that applies globally across user roles, there is no way to override that behavior. This is a limitation.

WebCC Bandwidth Contract Configuration

With this feature, ArubaOS supports configuring and enforcing bandwidth contracts based on WebCC category and reputation. Contracts can be enforced globally for all user roles, or per user role.

Use the following command to apply global WebCC based bandwidth contracts using the CLI:

(host) (config) #web-cc global-bandwidth-contract webcc-category/webcc-reputation <name> upstream/downstream mbits/kbits <value>

Use the following command to apply AAA bandwidth contracts using the CLI:

(host) (config) #aaa bandwidth-contract webcc mbits <value>

Use the following command to apply role-specific web-cc based bandwidth contracts using the CLI:

(host) (config) #user-role webcc

(host) (config-role) #bw-contract webcc-category/webcc-reputation <name> <contract> upstream/downstream

Debugging: The following show commands are introduced as part of this feature:

show web-cc category all: Displays all WebCC categories
show web-cc reputation: Displays WebCC reputation
show web-cc stats: Displays the statistics of the WebCC module in the CP
show web-cc status: Displays the status of the WebCC module in the CP
show web-cc global-bandwidth-contract: Displays the configured WebCC bandwidth contracts
show datapath web-cc: Displays the md5, web category, reputation, and age for each URL
show datapath web-cc counters: Displays the number of URLs in the cache, and the classified and unclassified sessions
show datapath session web-cc: Displays the Internal Flags, Pre Classification ACE Index, and Post Classification ACE Index
show gsm debug channel web_cc_info: Lists the md5, Category, and Reputation for each URL. GSM entries are populated as URL cache entries are learned, and they are used to report the actual URLs associated with user session entries.

The following clear commands are introduced as part of this feature:

clear web-cc cache <md5_1> <md5_2>: Clears the WebCC cache entry from both the data plane and GSM.
clear web-cc stats: Clears all WebCC statistics.
clear datapath web-cc counters: Clears configuration values and statistics in the WebCC datapath module.

PhoneHome-Lite

PhoneHome-Lite is an HTTPS-based tracking tool used to monitor WebCC feature usage on each controller. Aruba controllers communicate with Activate servers over a secure HTTPS SSL layer through the PhoneHome infrastructure to send information about which users have enabled WebCC. This usage data can then be analyzed to determine the scope of future WebCC feature licensing.

You can enable this feature using the controller's WebUI or CLI.

In the WebUI

To enable PhoneHome-Lite in the WebUI:

1. Navigate to Configuration > ADVANCED SERVICES > Stateful Firewall > Global Setting.
2. In the Global Setting tab, check the Enable Web Content Classification check box.

When web-cc is enabled, WebCC feature usage information is sent to Aruba every 7 days.

3. Click Apply.

In the CLI

To enable PhoneHome-Lite using the CLI:

(host) (config) #firewall web-cc

You can also view the WebCC configuration using the following command:

(host) (config) #show firewall

Global firewall policies
------------------------
Policy Action Rate Port
------ ------ ---- ----
Enforce TCP handshake before allowing data Disabled
Prohibit RST replay attack Disabled
.....
Web Content Classification Enabled
....