
firewall

firewall

allow-tri-session

amsdu

app-perf-monitoring

attack-rate

arp <1-16384> {blacklist|drop}

cp <1-16384>

grat-arp <1-16384> {blacklist|drop}

ping <1-16384>

session <1-16384>

tcp-syn <1-16384>

bwcontracts-subnet-broadcast

cp-bandwidth-contract

deny-inter-user-bridging

deny-inter-user-traffic

deny-source-routing

disable-ftp-server

dpi

drop-ip-fragments

enable-bridging

enable-per-packet-logging

enable-stateful-icmp

enforce-tcp-handshake

enforce-tcp-sequence

gre-call-id-processing

imm-fb

ip-classification

ipsec-mark-mgmt-frames

jumbo

local-valid-users

log-icmp-error

macast-red maxp-inv <maxp-inv> min-th <minimum-threshold> max-th <maximum threshold>

optimize-dad-frames

prevent-dhcp-exhaustion

prohibit-arp-spoofing

prohibit-ip-spoofing

prohibit-rst-replay

public-access

session-idle-timeout <seconds>

session-tunnel-fib

shape-mcast

stall-crash

voip-qos-trusted

voip-wmm-content-enforcement

web-cc

web-cc-cache-miss-drop

wireless-bridge-aging

Description

This command configures firewall options on the managed device.

Syntax

allow-tri-session

Allows a three-way session when performing destination NAT. Enable this option when the managed device is not the default gateway for wireless clients and the default gateway is behind the managed device. This option is typically used for captive portal configuration.

Default: disabled

amsdu

Drops Aggregated MAC Service Data Unit (A-MSDU) packets when enabled.

Default: disabled

app-perf-monitoring

Enables application performance monitoring.

attack-rate

arp <1-16384> {blacklist|drop}

cp <1-16384>

grat-arp <1-16384> {blacklist|drop}

ping <1-16384>

session <1-16384>

tcp-syn <1-16384>

Sets rates which, if exceeded, can indicate a denial of service attack.

arp: Monitor/police ARP attack (non-gratuitous ARP).

cp: Monitor/police control processor attack.

grat-arp: Monitor/police gratuitous ARP attack.

ping: Monitor ping attack.

session: Monitor IP session attack.

tcp-syn: Monitor TCP SYN attack.

For arp and grat-arp, the {blacklist|drop} keyword selects the action taken when the rate is exceeded; the other types take no action keyword.

NOTE: <1-16384> is the number of arp, cp, grat-arp, ping, session, or tcp-syn requests per 30 seconds.

Range: 1-16384
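The following Python is an added illustration of the attack-rate semantics described above; it is not ArubaOS code and is not part of the original page. It counts requests of each type within a 30-second window, compares the count against the configured threshold, applies the blacklist or drop action that the syntax allows for arp and grat-arp, and only raises an alert for the other types. The per-source keying, the fixed (rather than sliding) window, the event format and the "alert" outcome for monitor-only types are assumptions; the page specifies only the thresholds and the 30-second interval.

```python
"""Model of the `firewall attack-rate` thresholds described above.

Added example; not ArubaOS code. Assumptions (not stated on the page):
counts are kept per source MAC, the window is a fixed 30-second window,
and blacklist/drop are only meaningful for arp and grat-arp.
"""
from collections import defaultdict

WINDOW_SECONDS = 30
VALID_TYPES = {"arp", "cp", "grat-arp", "ping", "session", "tcp-syn"}
ACTION_TYPES = {"arp", "grat-arp"}          # types that accept {blacklist|drop}


class AttackRatePolicer:
    def __init__(self):
        self.thresholds = {}                 # type -> (limit, action)
        self.blacklist = set()               # sources blacklisted so far
        # (type, src) -> [window_start, count]
        self._counts = defaultdict(lambda: [None, 0])

    def configure(self, kind, limit, action=None):
        """Mirror `firewall attack-rate <kind> <1-16384> [blacklist|drop]`."""
        if kind not in VALID_TYPES:
            raise ValueError(f"unknown attack-rate type {kind!r}")
        if not 1 <= limit <= 16384:
            raise ValueError("rate must be within 1-16384")
        if action is not None and kind not in ACTION_TYPES:
            raise ValueError(f"{kind} takes no blacklist/drop action")
        if action not in (None, "blacklist", "drop"):
            raise ValueError("action must be blacklist or drop")
        self.thresholds[kind] = (limit, action)

    def observe(self, ts, kind, src):
        """Return 'pass', 'alert', 'drop' or 'blacklist' for one request."""
        if src in self.blacklist:
            return "blacklist"
        if kind not in self.thresholds:
            return "pass"
        limit, action = self.thresholds[kind]
        slot = self._counts[(kind, src)]
        if slot[0] is None or ts - slot[0] >= WINDOW_SECONDS:
            slot[0], slot[1] = ts, 0         # start a fresh 30-second window
        slot[1] += 1
        if slot[1] <= limit:
            return "pass"
        if action == "blacklist":
            self.blacklist.add(src)
            return "blacklist"
        if action == "drop":
            return "drop"
        return "alert"                       # monitor-only types: log, do not drop


def run_demo():
    """Constructed traffic: one chatty ARP scanner and one normal client."""
    p = AttackRatePolicer()
    p.configure("arp", 5, "blacklist")       # firewall attack-rate arp 5 blacklist
    p.configure("tcp-syn", 3)                # firewall attack-rate tcp-syn 3
    scanner, client = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    results = []
    for i in range(7):                       # 7 ARP requests in 7 seconds
        results.append(p.observe(float(i), "arp", scanner))
    results.append(p.observe(40.0, "arp", scanner))   # new window, still blacklisted
    results.append(p.observe(41.0, "arp", client))    # unrelated client is unaffected
    syns = [p.observe(50.0 + i, "tcp-syn", client) for i in range(4)]
    return results, syns


if __name__ == "__main__":
    print(run_demo())
```

The scanner's sixth ARP in the window trips the threshold and every later frame from that source is reported as blacklisted, including one in a new window; the client's fourth SYN only produces an alert because tcp-syn takes no action keyword.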

bwcontracts-subnet-broadcast

Applies bandwidth contracts to local subnet broadcast traffic.

cp-bandwidth-contract

See firewall cp-bandwidth-contract.

deny-inter-user-bridging

Prevents the forwarding of Layer 2 traffic between wired or wireless users. User role policies can prevent Layer 3 traffic between users or networks, but they do not block Layer 2 traffic. Use this option to stop non-IP traffic, such as AppleTalk or IPX, from being forwarded. When enabled, all non-IP traffic to an untrusted port or tunnel is also blocked.

Default: disabled

deny-inter-user-traffic

Denies downstream traffic between users in a wireless network (untrusted users) by disallowing both Layer 2 and Layer 3 traffic. This parameter does not depend on whether deny-inter-user-bridging is enabled.

Default: disabled

deny-source-routing

Disallows forwarding of IP frames that have source routing options set.

Default: disabled

disable-ftp-server

Disables the FTP server on the managed device, which prevents FTP transfers. Enabling this option could prevent APs from booting; do not enable it unless instructed to do so by an Aruba representative.

Default: disabled

dpi

Enables deep packet inspection (DPI).

Default: disabled

drop-ip-fragments

Drops all IP fragments when enabled. Do not enable this option unless instructed to do so by an Aruba representative.

Default: disabled

enable-bridging

Enables bridging when the managed device is in factory default.

Default: disabled

enable-per-packet-logging

Logs every packet of a session, instead of the normal one event per session, for session rules that have logging enabled. Do not enable this option unless instructed to do so by an Aruba representative, as it can create unnecessary overhead on the managed device.

Default: disabled

enable-stateful-icmp

Enables stateful ICMP processing: sessions are created for ICMP errors and unidirectional replies are denied.

enforce-tcp-handshake

Prevents data from passing between two clients until the three-way TCP handshake has completed. Disable this option when there are mobile clients on the network, as enabling it causes mobility to fail; enable it only if there are no mobile clients on the network.

Default: disabled

enforce-tcp-sequence

Enforces TCP sequence numbers for all packets.

Default: disabled
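The following Python is an added illustration of what enforce-tcp-handshake does and why it breaks mobility; it is not ArubaOS code and is not part of the original page. A small stateful tracker passes data on a flow only after it has seen SYN, SYN-ACK and ACK; a client that roams in with an already established connection, so that this device never saw the handshake, is cut off while enforcement is on and picked up mid-stream when it is off. The segment records, the flow key and the state names are assumptions chosen for the illustration.

```python
"""Stateful TCP tracker modelled on `enforce-tcp-handshake`.

Added example; not ArubaOS code. The segment records, the flow key and
the state names are assumptions chosen to show the failure mode noted
above: a client that roams in mid-connection, so this device never saw
the handshake, is cut off while enforcement is on.
"""

SYN, ACK, RST = 0x02, 0x10, 0x04


def seg(src, sport, dst, dport, flags, payload=b""):
    """Constructed TCP segment (only the fields the tracker needs)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "payload": payload}


class TcpTracker:
    def __init__(self, enforce_handshake):
        self.enforce_handshake = enforce_handshake
        self.flows = {}   # flow key -> 'syn_sent' | 'syn_received' | 'established'

    @staticmethod
    def _key(s):
        """Direction-independent flow identifier."""
        a, b = (s["src"], s["sport"]), (s["dst"], s["dport"])
        return (a, b) if a <= b else (b, a)

    def process(self, s):
        """Return 'pass' or 'drop' for one segment and update flow state."""
        key, flags = self._key(s), s["flags"]
        state = self.flows.get(key)
        if flags & RST:                      # either side tore the flow down
            self.flows.pop(key, None)
            return "pass"
        if flags & SYN and not flags & ACK:  # step 1 of the handshake
            self.flows[key] = "syn_sent"
            return "pass"
        if flags & SYN and flags & ACK:      # step 2, only valid after a SYN
            if state == "syn_sent":
                self.flows[key] = "syn_received"
                return "pass"
            return "drop" if self.enforce_handshake else "pass"
        if state == "syn_received":          # step 3 completes the handshake
            self.flows[key] = "established"
            return "pass"
        if state == "established":
            return "pass"
        # Data on a flow whose handshake this device never saw.
        if self.enforce_handshake:
            return "drop"
        self.flows[key] = "established"      # pick the flow up mid-stream
        return "pass"


def run_demo():
    """Constructed flows: a full handshake, and a client that roamed in."""
    client, server = "10.1.1.10", "10.2.2.20"
    handshake = [
        seg(client, 40000, server, 443, SYN),
        seg(server, 443, client, 40000, SYN | ACK),
        seg(client, 40000, server, 443, ACK),
        seg(client, 40000, server, 443, ACK, b"GET / HTTP/1.1"),
    ]
    # Roamed client: the handshake happened on another device; only data arrives here.
    roamed = [seg("10.1.1.11", 40001, server, 443, ACK, b"GET / HTTP/1.1")]
    strict, lenient = TcpTracker(True), TcpTracker(False)
    return {
        "strict_handshake": [strict.process(s) for s in handshake],
        "strict_roamed": [strict.process(s) for s in roamed],
        "lenient_roamed": [lenient.process(s) for s in roamed],
    }


if __name__ == "__main__":
    print(run_demo())
```

With enforcement on, the roamed client's first data segment is dropped; with it off, the tracker accepts the flow as established from that segment on, which is the behaviour the mobility caveat above relies on.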

gre-call-id-processing

Creates a unique state for each PPTP tunnel. Do not enable this option unless instructed to do so by a technical support representative.

Default: disabled

imm-fb

Immediately frees buffers on the managed device. Do not enable this option unless instructed to do so by a technical support representative.

Default: disabled

ip-classification

Enables IP reputation and geolocation classification.

ipsec-mark-mgmt-frames

Marks management frames.

jumbo

Enables jumbo frame processing.

Default: disabled

local-valid-users

Adds only IP addresses that belong to a local subnet to the user table.

Default: disabled

log-icmp-error

Logs received ICMP errors. Do not enable this option unless instructed to do so by a customer support representative.

Default: disabled

macast-red

Configures multicast random drop parameters.

maxp-inv <maxp-inv>: Inverse mark probability. Range: 1-255

min-th <minimum threshold>: Minimum threshold. Range: 1-99

max-th <maximum threshold>: Maximum threshold. Range: 1-99

optimize-dad-frames

Reduces flooding of IPv4 gratuitous ARP and IPv6 Duplicate Address Detection frames onto wireless clients.

Default: enabled

prevent-dhcp-exhaustion

Checks the DHCPv4 client hardware address (chaddr) against the frame's source MAC address and drops the packet if they do not match. This prevents a client from submitting multiple DHCP requests with different hardware addresses, and so from depleting the DHCP pool.

Default: disabled
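The following Python is an added illustration of the prevent-dhcp-exhaustion check; it is not ArubaOS code and is not part of the original page. It builds DHCPDISCOVER frames with the chaddr field at its fixed BOOTP offset and compares that field with the Ethernet source MAC, so a pool-starvation client that keeps its real radio MAC but rotates the chaddr in each request is dropped. The frames are constructed inline with zero checksums (the check never reads them); the function names and the returned tuple shape are assumptions.

```python
"""`prevent-dhcp-exhaustion` check: DHCPv4 chaddr must match the frame's
source MAC.

Added example; not ArubaOS code. Frames below are constructed inline;
the checksum fields are left at zero because the check never reads them.
"""
import struct

ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8
# BOOTP: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr = 28 bytes
BOOTP_CHADDR_OFFSET = 28
DHCP_SERVER_PORT = 67


def build_dhcp_discover(src_mac: bytes, chaddr: bytes, xid: int) -> bytes:
    """Constructed Ethernet/IPv4/UDP/BOOTP frame carrying a DHCPDISCOVER."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    bootp += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"      # magic cookie, msg type, end
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, UDP_LEN + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


def dhcp_chaddr_matches(frame: bytes):
    """Return (is_dhcp, allowed). Frames that are not DHCPv4 are allowed untouched."""
    if len(frame) < ETH_LEN + IP_LEN + UDP_LEN or frame[12:14] != b"\x08\x00":
        return False, True
    src_mac = frame[6:12]
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != 17:                     # not UDP
        return False, True
    udp = frame[ETH_LEN + ihl:]
    dport = struct.unpack("!H", udp[2:4])[0]
    if dport != DHCP_SERVER_PORT:                    # not client-to-server DHCP
        return False, True
    bootp = udp[UDP_LEN:]
    hlen = bootp[2]                                  # hardware address length
    chaddr = bootp[BOOTP_CHADDR_OFFSET:BOOTP_CHADDR_OFFSET + hlen]
    return True, chaddr == src_mac


def run_demo():
    """Constructed input: one honest request, then a starvation attempt."""
    real_mac = bytes.fromhex("001122334455")
    honest = build_dhcp_discover(real_mac, real_mac, 0x1001)
    # Starvation attempt: same radio MAC, a fresh fake chaddr in every request.
    forged = [build_dhcp_discover(real_mac, bytes.fromhex(f"de ad be ef 00 {i:02x}"), 0x2000 + i)
              for i in range(3)]
    return dhcp_chaddr_matches(honest), [dhcp_chaddr_matches(f) for f in forged]


if __name__ == "__main__":
    print(run_demo())
```

Only the source-to-server direction is inspected, which is all the option needs: the attacker has to put a fresh chaddr into each request to obtain a fresh lease, and that is exactly the field the check pins to the frame's real sender.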

prohibit-arp-spoofing

Detects and prohibits ARP spoofing. When enabled, possible ARP spoofing attacks are logged and an SNMP trap is sent.

Default: disabled

prohibit-ip-spoofing

Detects IP spoofing, where an intruder sends messages using the IP address of a trusted client. When enabled, source and destination IP and MAC addresses are checked; possible IP spoofing attacks are logged and an SNMP trap is sent.

Default: enabled for IPv4, disabled for IPv6
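The following Python is an added illustration serving both prohibit-arp-spoofing and prohibit-ip-spoofing above; it is not ArubaOS code and is not part of the original page. It parses constructed ARP and IPv4 frames, classifies an ARP as gratuitous when its sender and target IP coincide (the distinction attack-rate draws between arp and grat-arp), and checks the sender (IP, MAC) pair of an ARP, or the source (IP, MAC) pair of an IPv4 frame, against a user table, logging and raising a trap record on a mismatch. The user table, the frames, the log and trap representation, and the rule that only addresses already present in the user table are checked are assumptions.

```python
"""Spoofing checks modelled on `prohibit-arp-spoofing` and
`prohibit-ip-spoofing`: the sender (IP, MAC) pair of an ARP, or the
source (IP, MAC) pair of an IPv4 frame, must agree with the user table.

Added example; not ArubaOS code. Frames and the user table are
constructed inline; the log/trap records and the rule that only IPs
already in the user table are checked are assumptions.
"""
import struct
from ipaddress import IPv4Address

ETH_ARP, ETH_IP = b"\x08\x06", b"\x08\x00"


def build_arp(src_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet+ARP frame (op 1 = request, 2 = reply)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      sender_mac, IPv4Address(sender_ip).packed,
                      target_mac, IPv4Address(target_ip).packed)
    return b"\xff" * 6 + src_mac + ETH_ARP + arp


def build_ipv4(src_mac, src_ip, dst_ip):
    """Constructed Ethernet+IPv4 header (no payload; checksum left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return b"\x00\x00\x5e\x00\x01\x01" + src_mac + ETH_IP + ip


class SpoofGuard:
    def __init__(self, user_table):
        self.user_table = user_table       # ip -> MAC of the authenticated user
        self.log, self.traps = [], []      # stand-ins for syslog and SNMP traps

    def _alarm(self, kind, ip, mac):
        expected = self.user_table[ip]
        self.log.append(f"{kind} spoofing: {ip} claimed by {mac.hex(':')}, "
                        f"user table has {expected.hex(':')}")
        self.traps.append((kind, ip))

    def _verify(self, kind, ip, mac):
        """Pass unknown addresses; drop a known IP carried by the wrong MAC."""
        expected = self.user_table.get(ip)
        if expected is None or expected == mac:
            return "pass"
        self._alarm(kind, ip, mac)
        return "drop"

    def inspect(self, frame):
        """Return (classification, verdict) for one frame."""
        src_mac, ethertype = frame[6:12], frame[12:14]
        if ethertype == ETH_ARP:
            _op, s_mac, s_ip, _t_mac, t_ip = struct.unpack("!H6s4s6s4s", frame[20:42])
            s_ip, t_ip = str(IPv4Address(s_ip)), str(IPv4Address(t_ip))
            kind = "grat-arp" if s_ip == t_ip else "arp"
            # ARP poisoning lives in the ARP body, so the sender pair is what is checked.
            return kind, self._verify("ARP", s_ip, s_mac)
        if ethertype == ETH_IP:
            src_ip = str(IPv4Address(frame[26:30]))
            return "ip", self._verify("IP", src_ip, src_mac)
        return "other", "pass"


def run_demo():
    """Constructed traffic from two users, one of whom impersonates the other."""
    alice, mallory = bytes.fromhex("aaaaaa000005"), bytes.fromhex("aaaaaa000006")
    gw = bytes.fromhex("00005e000101")
    guard = SpoofGuard({"10.0.0.5": alice, "10.0.0.6": mallory})
    frames = [
        build_arp(alice, 1, alice, "10.0.0.5", b"\0" * 6, "10.0.0.1"),   # normal request
        build_arp(alice, 1, alice, "10.0.0.5", b"\0" * 6, "10.0.0.5"),   # gratuitous announce
        build_arp(mallory, 2, mallory, "10.0.0.5", gw, "10.0.0.1"),      # poisoned reply
        build_ipv4(alice, "10.0.0.5", "93.184.216.34"),                  # normal IP
        build_ipv4(mallory, "10.0.0.5", "93.184.216.34"),                # IP source spoof
    ]
    return [guard.inspect(f) for f in frames], guard.traps


if __name__ == "__main__":
    print(run_demo())
```

The poisoned reply and the spoofed IP frame are the two cases the options above log and trap; the gratuitous announcement from the legitimate owner passes, and is only of interest to the grat-arp rate threshold if it is repeated at high volume.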

prohibit-rst-replay

Closes a TCP connection in both directions if a TCP RST is received from either direction. Do not enable this option unless instructed to do so by an Aruba representative.

Default: disabled

session-idle-timeout <seconds>

Time, in seconds, that a non-TCP session can be idle before it is removed from the session table. Do not modify this option unless instructed to do so by an Aruba representative.

Range: 16-300

Default: 16

session-tunnel-fib

Enables session tunnel-based forwarding.

NOTE: Best practice is to enable this parameter only during a maintenance window or off-peak production hours. On the M3, this parameter enables only tunnel-based forwarding, as session-based forwarding does not apply to that platform.

Default: disabled

shape-mcast

Enables multicast optimization, which maintains streaming quality regardless of the number of VLANs or IP IGMP groups in use.

Default: disabled

stall-crash

Triggers a datapath crash on stall detection. Applies to 7200 Series managed devices only.

Default: enabled

voip-qos-trusted

Prioritizes RTP traffic based on the DSCP value set by the end-user device.

NOTE: When this option is enabled, all UCC-based ALGs are disabled.

Default: disabled

voip-wmm-content-enforcement

If traffic to or from the user is inconsistent with the QoS policy associated with voice, the traffic is reclassified as best effort and the datapath counters are incremented.

This parameter requires the PEFNG (Policy Enforcement Firewall) license.

Default: disabled

web-cc

Enables web content classification for all HTTP traffic. Once enabled, ArubaOS enforces ACLs and bandwidth policies associated with web content categories or reputation levels.

NOTE: When web-cc is enabled, web-cc feature usage information is sent to Aruba every 7 days.

Default: disabled

web-cc-cache-miss-drop

Drops any packets that do not match a web content category or reputation level in the managed device's internal web content cache.

Default: disabled

wireless-bridge-aging

Prevents aging out of wireless clients associated with an AP.

Default: enabled

Usage Guidelines

This command configures global firewall options on the managed device.

Example

The following command disallows forwarding of non-IP frames between users:

(host)[/md] (config) #firewall deny-inter-user-bridging

Related Commands


firewall cp

Creates whitelist session ACLs.

firewall cp-bandwidth-contract

Configures bandwidth contract traffic rate limits, in packets per second, to prevent denial of service attacks.

show firewall

Displays a list of global firewall policies.

Command History

Version

Description

ArubaOS 8.4.0.0

The voip-qos-trusted parameter was added.

ArubaOS 8.2.0.0

The wireless-bridge-aging parameter was added.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platform: All platforms

License: Base operating system, except the voip-wmm-content-enforcement parameter, which requires the PEFNG (Policy Enforcement Firewall) license.

Command Mode: Config mode on Mobility Master.
