
show firewall

show firewall [debug-route][dns-names]

Description

Display a list of global firewall policies and policy details.

Syntax

debug-route
    Show global route debug settings, including the route protocol (IPv4/IPv6) and IP address.

dns-names
    Display a list of DNS names and IP addresses used in firewall commands.

Examples

Include the optional dns-names parameter to list the DNS names used in firewall policies currently configured on the controller.

(host) [mynode] #show firewall dns-names

FW DNS names
------------
Name                      Id  InUse  List
----                      --  -----  ----
*.google.                 13  1      216.58.213.174 216.58.213.163 74.125.24.94 216.58.210.131
youtube.googleapis.com    9   1
m.youtube.com             7   1
accounts.google.com       1   1
www.youtube.com           6   1      64.233.167.91 64.233.167.93 64.233.167.190 216.58.198.110
graph.facebook.com        3   1
www.bing.com              12  1      204.79.197.200
www.youtube-nocookie.com  10  1
ssl.gstatic.com           2   1      216.58.213.163 216.58.198.99
youtubei.googleapis.com   8   1
www.googleapis.com        11  1      216.58.213.138 64.233.184.95
facebook.com              5   1
fbstatic-a.akamaihd.net   4   1

The example below shows all firewall policies currently configured on the controller.

(host) [mynode] (config) #show firewall

Global firewall policies
------------------------
Policy                                       Action    Rate                                    Port
------                                       ------    ----                                    ----
Enforce TCP handshake before allowing data   Disabled
Prohibit RST replay attack                   Disabled
Deny all IP fragments                        Disabled
Prohibit IP Spoofing                         Enabled
Monitor ping attack                          Disabled
Monitor TCP SYN attack                       Disabled
Monitor IP sessions attack                   Disabled
Deny inter user bridging                     Disabled
Log all received ICMP errors                 Disabled
Per-packet logging                           Disabled
Blacklist Grat ARP attack client             Disabled
Allow tri-session with DNAT                  Disabled
Disable FTP server                           No
Blacklist ARP attack client                  Disabled
Monitor ARP attack                           Disabled
Monitor Gratuitous ARP attack                Enabled   50/sec
GRE call id processing                       Disabled
Session Idle Timeout                         Disabled
WMM content enforcement                      Disabled
Session VOIP Timeout                         Disabled
Only allow local subnets in user table       Disabled
Monitor/police CP attacks                    Disabled
Rate limit CP untrusted ucast traffic        Enabled   9765 pps
Rate limit CP untrusted mcast traffic        Enabled   1953 pps
Rate limit CP trusted ucast traffic          Enabled   65535 ps
Rate limit CP trusted mcast traffic          Enabled   1953 pps
Rate limit CP route traffic                  Enabled   976 pps
Rate limit CP session mirror traffic         Enabled   976 pps
Rate limit CP auth process traffic           Enabled   976 pps
Deny inter user traffic                      Disabled
Prohibit ARP Spoofing                        Disabled
Enforce bw contracts for broadcast traffic   Disabled
Multicast automatic shaping                  Disabled
Stall Detection                              Enabled
Enforce TCP Sequence numbers                 Disabled
AMSDU Rx                                     Enabled
Jumbo Frames                                 Disabled
Session-tunnel FIB                           Enabled
Prevent DHCP exhaustion                      Disabled
Deny source routing                          Disabled
Immediate Freeback                           Disabled
DPI Classification                           Enabled   [Cfg: enabled, PEF license: installed]
Web Content Classification                   Enabled
Web Content Cache Miss Drop                  Disabled
Optimize Duplicate Address Detection frames  Enabled
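A controller's global firewall state is easy to read once but hard to keep honest across many devices, so the output above is commonly captured and checked against a baseline. The following Python is an added example, not ArubaOS code: it parses the "Global firewall policies" table into policy -> (action, rate) pairs and reports every policy whose action differs from a hardening baseline. The sample input is a constructed subset of the output shown on this page, and the BASELINE dictionary is an illustrative choice made here, not an ArubaOS default or recommendation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: a subset of the "show firewall" output shown on this page,
# with the columns aligned as the controller prints them.
SAMPLE_OUTPUT = """\
Global firewall policies
------------------------
Policy                                      Action    Rate      Port
------                                      ------    ----      ----
Enforce TCP handshake before allowing data  Disabled
Prohibit RST replay attack                  Disabled
Deny all IP fragments                       Disabled
Prohibit IP Spoofing                        Enabled
Deny inter user bridging                    Disabled
Disable FTP server                          No
Monitor Gratuitous ARP attack               Enabled   50/sec
Rate limit CP untrusted ucast traffic       Enabled   9765 pps
Prohibit ARP Spoofing                       Disabled
Prevent DHCP exhaustion                     Disabled
Deny source routing                         Disabled
DPI Classification                          Enabled   [Cfg: enabled, PEF license: installed]
"""

# A policy row is: name (may contain single spaces), two or more spaces, the Action
# keyword, and an optional Rate/Port remainder separated by two or more spaces.
ROW_RE = re.compile(
    r"^(?P<policy>\S.*?)\s{2,}(?P<action>Enabled|Disabled|Yes|No)"
    r"(?:\s{2,}(?P<rate>\S.*?))?\s*$"
)


def parse_show_firewall(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each policy name to (action, rate) from raw 'show firewall' output."""
    policies: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:  # header, underline and blank lines do not match
            policies[match["policy"]] = (match["action"], match["rate"] or "")
    return policies


# Assumed hardening baseline for this example (an illustrative choice, not an
# ArubaOS default): anti-spoofing and DHCP protections on, FTP server off.
BASELINE: Dict[str, str] = {
    "Prohibit IP Spoofing": "Enabled",
    "Prohibit ARP Spoofing": "Enabled",
    "Prevent DHCP exhaustion": "Enabled",
    "Deny source routing": "Enabled",
    "Disable FTP server": "Yes",
}


def audit(policies: Dict[str, Tuple[str, str]],
          baseline: Dict[str, str] = BASELINE) -> List[str]:
    """Return one finding per baseline entry whose configured action differs."""
    findings: List[str] = []
    for name, expected in baseline.items():
        actual = policies.get(name, ("<missing>", ""))[0]
        if actual != expected:
            findings.append(f"{name}: expected {expected}, found {actual}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_firewall(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the sample, the audit flags the four baseline policies that are still at their "Disabled"/"No" values; a policy missing from the output altogether is reported as "<missing>" rather than silently passing, which matters when a platform or release omits a row.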

The output of this command includes the following information:

Enforce TCP handshake before allowing data
    If enabled, this feature prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network, as enabling it will cause mobility to fail. You can enable this option if there are no mobile clients on the network.

Prohibit RST replay attack
    If enabled, this setting closes a TCP connection in both directions if a TCP RST is received from either direction.

Deny all IP Fragments
    If enabled, all IP fragments are dropped.

Prohibit IP Spoofing
    When this option is enabled, source and destination IP and MAC addresses are checked; possible IP spoofing attacks are logged and an SNMP trap is sent.

Monitor ping attack
    If enabled, the controller monitors the number of ICMP pings per second. If this value exceeds the maximum configured rate, the controller will register a denial of service attack.

Monitor TCP SYN attack
    If enabled, the controller monitors the number of TCP SYN messages per second. If this value exceeds the maximum configured rate, the controller will register a denial of service attack.

Monitor IP sessions attack
    If enabled, the controller monitors the number of TCP session requests per second. If this value exceeds the maximum configured rate, the controller will register a denial of service attack.

Deny inter user bridging
    If enabled, this setting prevents the forwarding of Layer-2 traffic between wired or wireless users. You can configure user role policies that prevent Layer-3 traffic between users or networks, but this does not block Layer-2 traffic.

Log all received ICMP errors
    Shows if the controller will log received ICMP errors.

Per-packet logging
    If active, and logging is enabled for the corresponding session rule, this feature logs every packet.

Blacklist Grat ARP attack client
    If enabled, blacklists clients exceeding the Gratuitous ARP attack rate.

Allow tri-session with DNAT
    Shows if the controller allows a three-way session when performing destination NAT.

Disable FTP server
    If active, this feature disables the FTP server on the controller.

Blacklist ARP attack client
    If enabled, blacklists clients exceeding the ARP attack rate.

Monitor ARP attack
    Shows the status of the ARP attack monitor.

Monitor Gratuitous ARP attack
    Shows the status of the Gratuitous ARP attack monitor.

GRE call id processing
    If active, the controller creates a unique state for each PPTP tunnel.

Session Idle Timeout
    Shows if a session idle timeout interval has been defined.

WMM content enforcement
    If traffic to or from the user is inconsistent with the associated QoS policy for voice, this feature reclassifies the traffic to best effort and increments the data path counters.

Session VOIP Timeout
    If enabled, an idle session timeout is defined for sessions that are marked as voice sessions.

Only allow local subnets in user table
    If enabled, the controller only adds IP addresses that belong to a local subnet to the user table.

Monitor/police CP attacks
    If enabled, the controller monitors a misbehaving user's inbound traffic rate. If this rate is exceeded, the controller can register a denial of service attack.

Rate limit CP untrusted ucast traffic
    Displays the untrusted unicast inbound traffic rate limit.

Rate limit CP untrusted mcast traffic
    Displays the untrusted multicast traffic rate limit.

Rate limit CP trusted ucast traffic
    Displays the trusted unicast traffic rate limit.

Rate limit CP trusted mcast traffic
    Displays the trusted multicast traffic rate limit.

Rate limit CP route traffic
    Displays the traffic rate limit for traffic that needs generated ARP requests.

Rate limit CP session mirror traffic
    Displays the traffic rate limit for session mirrored traffic forwarded to the controller.

Rate limit CP auth process traffic
    Displays the traffic rate limit for traffic forwarded to the authentication process.

Deny inter user traffic
    If enabled, this setting disables traffic between all untrusted users. You can configure user role policies that prevent Layer-3 traffic between users or networks, but this does not block Layer-2 traffic.

Prohibit ARP Spoofing
    When this option is enabled, possible ARP spoofing attacks are logged and an SNMP trap is sent.

Enforce bw contracts for broadcast traffic
    If enabled, bandwidth contracts are applied to local subnet broadcast traffic.

Multicast automatic shaping
    If enabled, enables multicast optimization and provides excellent streaming quality regardless of the number of VLANs or IP IGMP groups that are used.

Stall Detection
    If enabled, triggers a datapath crash on stall detection. Applies to 7200 Series controllers only.

Enforce TCP Sequence numbers
    If enabled, prevents data from passing between two clients until the three-way TCP handshake has been performed.

AMSDU Rx
    AMSDU packets are dropped if this option is enabled.

Jumbo Frames
    If enabled, supports up to 9216 bytes of payload on the controller.

Session-tunnel FIB
    Enables session tunnel based forwarding.

Prevent DHCP Exhaustion
    If enabled, this option checks the DHCP client hardware address against the packet source MAC address: the frame's source MAC is compared with the DHCPv4 client hardware address, and the packet is dropped if they do not match. This feature prevents a client from submitting multiple DHCP requests with different hardware addresses, thereby preventing DHCP pool depletion.

Deny Source Routing
    If enabled, forwarding of IP frames with the source routing options set is disallowed.

Immediate Freeback
    If enabled, immediately frees buffers on 7200 Series controllers. Do not enable this option unless instructed to do so by a technical support representative.

DPI Classification
    If enabled, performs deep packet inspection.

Web Content Classification
    If enabled, allows web content classification for all HTTP traffic.
    Default: disabled

Web Content Cache Miss Drop
    If enabled, allows the controller to drop any packets that do not match any web content category or reputation level in the controller's internal web content cache.
    Default: disabled

Optimize Duplicate Address Detection frames
    Reduces flooding of IPv4 Gratuitous ARPs/IPv6 Duplicate Address Detection frames onto wireless clients.
    Default: enabled
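The "Prevent DHCP Exhaustion" entry above describes a single comparison: the Ethernet source MAC of a DHCPv4 client request must equal the client hardware address (chaddr) carried inside the BOOTP header, or the packet is dropped. The Python below is an added example written for this page, not ArubaOS datapath code, and it shows that check end to end on raw frames. The frame builder is a constructed test fixture (checksums are left at zero, which is fine for parsing and would not be for transmission); the field offsets are the standard BOOTP/DHCP layout from RFC 2131.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_SERVER_PORT = 67
BOOTP_OP_REQUEST = 1
BOOTP_CHADDR_OFFSET = 28   # after op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
BOOTP_MIN_LEN = 236        # fixed BOOTP header up to and including the file field


def build_dhcp_discover_frame(eth_src: bytes, chaddr: bytes) -> bytes:
    """Constructed test input: Ethernet + IPv4 + UDP + minimal DHCPDISCOVER.

    Checksums are left at zero; this is a parser fixture, not a packet meant
    to be transmitted.
    """
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s",
        BOOTP_OP_REQUEST, 1, 6, 0,                # op, htype=Ethernet, hlen=6, hops
        0x12345678, 0, 0x8000,                    # xid, secs, flags (broadcast bit)
        bytes(4), bytes(4), bytes(4), bytes(4),   # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"),                  # chaddr, padded to 16 bytes
    )
    bootp += bytes(192)                           # sname (64) + file (128)
    bootp += b"\x63\x82\x53\x63"                  # DHCP magic cookie
    bootp += b"\x35\x01\x01\xff"                  # option 53 = DHCPDISCOVER, then end
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(bootp), 0) + bootp
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
        bytes(4), b"\xff\xff\xff\xff",            # 0.0.0.0 -> 255.255.255.255
    ) + udp
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def dhcp_exhaustion_check(frame: bytes) -> str:
    """Return 'drop' if a DHCPv4 client request carries a chaddr that differs
    from the Ethernet source MAC; otherwise 'forward' (non-DHCP traffic passes)."""
    if len(frame) < ETH_HDR_LEN + 20:
        return "forward"
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return "forward"
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 8 or ip[9] != IPPROTO_UDP:
        return "forward"
    udp = ip[ihl:]
    _sport, dport = struct.unpack("!HH", udp[:4])
    if dport != DHCP_SERVER_PORT:
        return "forward"              # only client -> server messages carry the client's chaddr
    bootp = udp[8:]
    if len(bootp) < BOOTP_MIN_LEN or bootp[0] != BOOTP_OP_REQUEST:
        return "forward"
    hlen = bootp[2]
    chaddr = bootp[BOOTP_CHADDR_OFFSET:BOOTP_CHADDR_OFFSET + hlen]
    # An Ethernet client must present a 6-byte hardware address equal to the frame source.
    return "forward" if hlen == 6 and chaddr == eth_src else "drop"


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")
    print(dhcp_exhaustion_check(build_dhcp_discover_frame(mac, mac)))
    print(dhcp_exhaustion_check(build_dhcp_discover_frame(mac, bytes.fromhex("66778899aabb"))))
```

The check deliberately inspects only client-to-server messages (UDP destination port 67), because that is where a client asserts its own hardware address; everything that is not a DHCPv4 request is forwarded untouched, matching the narrow scope the parameter description gives.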

Related Commands

firewall
    This command configures firewall options on the controller.

firewall cp
    This command creates whitelist session ACLs.

firewall cp-bandwidth-contract
    This command configures bandwidth contract traffic rate limits to prevent denial of service attacks.

Command History

Version          Modification
---------------  -------------------
ArubaOS 8.0.0.0  Command introduced.

Command Information

Platforms      License                 Command Mode
-------------  ----------------------  -------------------------------
All platforms  Base operating system.  Config mode on Mobility Master.
