Firewall Policies
A firewall policy identifies specific characteristics about a data packet passing through the Aruba Managed Device and takes some action based on that identification. In a
Firewall policies differ from ACLs in three main ways:
- Firewall policies are stateful, meaning that they recognize flows in a network and keep track of the state of sessions. For example, if a firewall policy permits telnet traffic from a client, the policy also recognizes that inbound traffic associated with that session should be allowed.
- Firewall policies are bi-directional, meaning that they keep track of data connections traveling into or out of the network. ACLs are normally applied to either traffic inbound to an interface or outbound from an interface.
- Firewall policies are dynamic, meaning that address information in the policy rules can change as the policies are applied to users. For example, the alias user in a policy automatically applies to the IP address assigned to a particular user. ACLs typically require static IP addresses in the rule.
You can apply IPv4 and IPv6 firewall policies to the same user role. See IPv6 Support for information about configuring IPv6 firewall policies.
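The three differences above, as an added example that is not ArubaOS code: a toy rule evaluator in Python with a stateless ACL beside a stateful, bi-directional policy that binds the user alias at evaluation time. The Packet and Rule model, the StatefulPolicy class and the addresses in telnet_demo are assumptions of this example.

```python
"""Stateful, bi-directional, dynamic policy versus a stateless ACL.

Added example; the Packet/Rule model, the StatefulPolicy class and all
addresses are assumptions of this example, not ArubaOS identifiers.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str        # IP address, "any", or the dynamic alias "user"
    dst: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str     # "permit" or "deny"


def _addr_match(field: str, value: str, bindings: dict) -> bool:
    """'user' is resolved at evaluation time to the IP bound to the user."""
    if field == "any":
        return True
    if field == "user":
        return value == bindings.get("user")
    return field == value


def rule_matches(rule: Rule, pkt: Packet, bindings: dict) -> bool:
    return (_addr_match(rule.src, pkt.src, bindings)
            and _addr_match(rule.dst, pkt.dst, bindings)
            and rule.proto == pkt.proto
            and (rule.dport is None or rule.dport == pkt.dport))


def stateless_acl(rules: list, pkt: Packet, bindings: dict = None) -> str:
    """Stateless ACL: first matching rule wins, implicit deny otherwise.
    Every packet is judged on its own; the ACL has no memory of earlier ones."""
    bindings = bindings or {}
    for rule in rules:
        if rule_matches(rule, pkt, bindings):
            return rule.action
    return "deny"


class StatefulPolicy:
    """Stateful policy: a permitted packet opens a session, and later packets
    of that session are permitted in both directions without consulting the
    rules again. This is what lets a 'permit telnet from user' rule also
    admit the server's replies."""

    def __init__(self, rules: list):
        self.rules = rules
        self.sessions = set()   # 5-tuples of permitted forward flows

    def evaluate(self, pkt: Packet, bindings: dict = None) -> str:
        fwd = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "permit"
        action = stateless_acl(self.rules, pkt, bindings)
        if action == "permit":
            self.sessions.add(fwd)
        return action


def telnet_demo() -> dict:
    """Constructed scenario: user 10.1.1.5 telnets to 10.2.2.2."""
    rules = [Rule("user", "any", "tcp", 23, "permit")]
    user = {"user": "10.1.1.5"}
    request = Packet("10.1.1.5", "10.2.2.2", "tcp", 40000, 23)
    reply = Packet("10.2.2.2", "10.1.1.5", "tcp", 23, 40000)
    other = Packet("10.1.1.6", "10.2.2.2", "tcp", 40001, 23)

    policy = StatefulPolicy(rules)
    return {
        # the stateless ACL would need a second rule for the reply direction
        "acl_request": stateless_acl(rules, request, user),
        "acl_reply": stateless_acl(rules, reply, user),
        # the stateful policy admits the reply because the session exists
        "policy_request": policy.evaluate(request, user),
        "policy_reply": policy.evaluate(reply, user),
        # the user alias binds only to this user's address
        "policy_other_host": policy.evaluate(other, user),
    }


if __name__ == "__main__":
    for name, verdict in telnet_demo().items():
        print(f"{name:20} {verdict}")
```

The stateless ACL denies the server's reply because no rule matches that direction, while the stateful policy admits it from the session table; a packet from a second host is denied because the user alias resolves only to the bound address.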
Workflow for Configuring Firewall Policies
You can configure one or more firewall policies. This section describes how to configure the rules that constitute a firewall policy. Before you configure firewall policies, make sure you understand what an ACL is, how to work with ACLs, and what role-based ACLs are.
Working With ACLs
ACLs are a common way of restricting certain types of traffic on a physical port. ArubaOS provides the following types of ACLs:
- Standard ACLs permit or deny traffic based on the source IP address of the packet. Standard ACLs can be either named or numbered, with valid numbers in the range of 1-99 and 1300-1399. Standard ACLs use a bitwise mask to specify the portion of the source IP address to be matched.
- Extended ACLs permit or deny traffic based on source or destination IP address, source or destination port number, or IP protocol. Extended ACLs can be named or numbered, with valid numbers in the range 100-199 and 2000-2699.
- MAC ACLs are used to filter traffic on a specific source MAC address or range of MAC addresses. Optionally, you can mirror packets to a datapath or remote destination for troubleshooting and debugging purposes. MAC ACLs can be either named or numbered, with valid numbers in the range of 700-799 and 1200-1299.
- Ethertype ACLs are used to filter based on the Ethertype field in the frame header. Optionally, you can mirror packets to a datapath or remote destination for troubleshooting and debugging purposes. Ethertype ACLs can be either named or numbered, with valid numbers in the range of 200-299. These ACLs can be used to permit IP while blocking other non-IP protocols, such as IPX or AppleTalk.
- Service ACLs provide a generic way to restrict which protocols and services specific hosts and subnets may use to reach the Mobility Master. Rules in this ACL are applied to all traffic to the Mobility Master regardless of the ingress port or VLAN.
- Routing ACLs forward packets to a device defined by an IPsec map, a next-hop list, a tunnel, or a tunnel group.
Routing ACL is the only ACL type that can be configured on a VLAN interface. Other ACL types are not supported there.
ArubaOS provides both standard and extended ACLs for compatibility with router software from popular vendors; however, firewall policies provide equivalent and greater function than standard and extended ACLs and should be used instead.
You can apply MAC and Ethertype ACLs to a user role; however, these ACLs only apply to non-IP traffic from the user.
Role-Based ACL
Role-based ACL is a feature available on Aruba controllers to apply policies to traffic matching a particular user role. Earlier, this feature was supported only when the users were present on the same controller. Starting from ArubaOS 8.6.0.0, this feature is extended to support multi-controller deployments: a role-to-role ACL can now be assigned to two users terminating on different controllers. This feature is configured by creating a policy domain group profile and adding the IP addresses of the controllers.
Role-based ACL supports a mix of controller models, with the exception of 9004 and x86 Virtual Mobility Controllers. To apply role-based ACL to 9004 or x86 Virtual Mobility Controller models, all the controllers have to be either 9004 or x86 VMCs, respectively. To apply role-based ACL to x86 Virtual Mobility Controllers, all the controllers have to be managed by the same Mobility Master.
Role-based ACL works across multiple controllers only if the role is configured as a destination role in at least one ACL.
Role-based ACL cannot be applied to the following:
- L2 multicast traffic
- L3 multicast/broadcast traffic
- ClearPass Policy Manager downloadable user role
The following CLI commands create a role-based ACL in a multi-controller deployment:
(host) [md] policy-domain group-profile <name>
(host) [md] (Policy Domain Profile "name") controller <ip> <macaddress>
Multiple policy domain group profiles are supported. The command should be executed in the /md node. A policy domain group profile supports IPv4 and IPv6 addresses, but not a combination of both.
Limitations
- Each node can be part of one profile only.
- All policy domain profiles can be applied at nodes only.
- Each policy domain profile can only have either all IPv4 or all IPv6 nodes. Mix of IPv4 and IPv6 nodes are not allowed.
- Managed devices should be part of a single domain. You cannot add a managed device to a Mobility Master, which is already part of another domain.
All managed devices should be running ArubaOS 8.7.0.0 when multiple policy domain manager profiles are configured.
The tasks for configuring a firewall policy are:
- Configure the rules that constitute a firewall policy.
- Create a network service alias. A network service alias defines a TCP, UDP, or IP protocol and a list or range of ports supported by that service.
- Create an ACL white list. The ACL white list consists of rules that explicitly permit or deny session traffic destined to the managed device itself.
- Create a local net destination override. A local net destination override lets one netdestination alias resolve to a different host on each managed device, calculated from that device's VLAN subnet.
Creating a Firewall Policy
This section describes how to configure the rules that constitute a firewall policy. A firewall policy can then be applied to a user role (until the policy is applied to a user role, it does not have any effect). Table 1 describes required and optional parameters for a rule.
The following procedure describes how to create a web-only policy that allows web (HTTP and HTTPS) access:
- In the node hierarchy, navigate to the tab.
- Click to create a new policy.
- Enter the policy name in the field.
- Select the policy type from the drop-down list. You can select , or .
- Click .
- Select the policy created and click in the table.
- Select option in the field.
- Click .
- To add a rule that allows HTTP traffic:
- Under , select from the drop-down list.
- Select from the drop-down list.
- Click . Rules can be re-ordered by using the up and down buttons provided for each rule.
- Click to apply this configuration. The policy is not created until the configuration is applied.
- Click .
- In the window, select the check box and click .
The following CLI commands create a web-only policy that allows web (HTTP and HTTPS) access, using the built-in svc-http and svc-https service aliases:
(host) [md] (config) #ip access-list session web-only
(host) [md] (config-sess-web-only) #any any svc-http permit
(host) [md] (config-sess-web-only) #any any svc-https permit
Creating a Network Service Alias
When you create a network service alias, you can use that alias when specifying the network service for multiple session ACLs.
The following procedure describes how to create a network service alias:
- In the node hierarchy, navigate to the tab.
- Click to create a new policy.
- Enter the policy name in the field.
- Select the policy type from the drop-down list. You can select , , or .
- Click .
- Select the policy created and click in the table.
- Select option in the field.
- Click .
- Select from the drop-down list.
- Click + in the drop-down list to add a new service.
- Enter a .
- In the drop-down, select either or , or select and enter the IP protocol number, and select an of the protocol for which you want to create an alias.
- In the drop-down, specify whether you want to define the port by a contiguous range of ports or by a list of non-contiguous port numbers.
- If you select , enter the starting and ending port numbers in the and fields.
- If you select , enter a comma-separated list of port numbers in the field.
- To limit the service alias to a specific application, select one of the following service types from the drop-down list:
- ftp: Service is FTP
- tftp: Service is TFTP
- dns: Service is DNS
- dhcp: Service is DHCP
- sip: Service is SIP
- sips: Service is Secure SIP
- svp: Service is SVP
- sccp: Service is SCCP
- rtsp: Service is RTSP
- vocera: Service is VOCERA
- noe: Service is Alcatel NOE
- h323: Service is H323
- jabber: Service is Jabber
- facetime: Service is Facetime
- Click to add a new service.
- Click .
- Click .
- In the window, select the check box and click .
The following CLI command defines a service alias:
(host) [md] (config) #netservice <name> <protocol>|tcp|udp {list <port>,<port>}|{<port> [<port>]}[ALG <service>]
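The netservice syntax above, as an added example that is not ArubaOS code: a Python parser that accepts the documented forms (tcp/udp with a single port, a port range, or a port list, a bare IP protocol number, and an optional trailing ALG), validates them, and returns a matcher. NetService, parse_netservice and the sample lines are assumptions of this example.

```python
"""Parse and apply a netservice alias line in the syntax documented above:
  netservice <name> <protocol>|tcp|udp {list <p>,<p>}|{<port> [<port>]} [ALG <service>]

Added example, not ArubaOS code; NetService and parse_netservice are names
assumed here.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# the ALG service types listed in the procedure above
_ALGS = {"ftp", "tftp", "dns", "dhcp", "sip", "sips", "svp", "sccp",
         "rtsp", "vocera", "noe", "h323", "jabber", "facetime"}


@dataclass(frozen=True)
class NetService:
    name: str
    proto: int                              # IP protocol number
    port_list: Optional[FrozenSet[int]]     # from "list a,b,c"
    port_range: Optional[Tuple[int, int]]   # from "<port> [<port>]"
    alg: Optional[str]

    def matches(self, proto: int, dport: int) -> bool:
        """Does a flow with this protocol and destination port hit the alias?"""
        if proto != self.proto:
            return False
        if self.port_list is not None:
            return dport in self.port_list
        if self.port_range is not None:
            lo, hi = self.port_range
            return lo <= dport <= hi
        return True     # protocol-only alias (e.g. GRE) ignores ports


def _port(token: str) -> int:
    p = int(token)
    if not 1 <= p <= 65535:
        raise ValueError(f"port out of range: {token}")
    return p


def parse_netservice(line: str) -> NetService:
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "netservice":
        raise ValueError(f"not a netservice line: {line!r}")
    name, proto_tok, rest = tokens[1], tokens[2].lower(), tokens[3:]

    # optional "ALG <service>" suffix
    alg = None
    if len(rest) >= 2 and rest[-2].upper() == "ALG":
        alg = rest[-1].lower()
        if alg not in _ALGS:
            raise ValueError(f"unknown ALG: {alg}")
        rest = rest[:-2]

    port_list = port_range = None
    if proto_tok in ("tcp", "udp"):
        proto = 6 if proto_tok == "tcp" else 17
        if not rest:
            raise ValueError("tcp/udp alias needs a port, a range or a list")
        if rest[0] == "list":
            if len(rest) != 2:
                raise ValueError("list form takes one comma-separated argument")
            port_list = frozenset(_port(p) for p in rest[1].split(","))
        elif len(rest) == 1:
            port_range = (_port(rest[0]), _port(rest[0]))
        elif len(rest) == 2:
            lo, hi = _port(rest[0]), _port(rest[1])
            if lo > hi:
                raise ValueError("range start exceeds range end")
            port_range = (lo, hi)
        else:
            raise ValueError(f"unexpected port specification: {rest}")
    else:
        proto = int(proto_tok)              # numeric IP protocol, no ports
        if not 0 <= proto <= 255:
            raise ValueError(f"bad IP protocol number: {proto_tok}")
        if rest:
            raise ValueError("ports are only valid with tcp or udp")
    return NetService(name, proto, port_list, port_range, alg)


if __name__ == "__main__":
    # constructed sample lines in the documented syntax
    for sample in ("netservice svc-web tcp list 80,443",
                   "netservice svc-sip udp 5060 ALG sip",
                   "netservice rtp-media udp 16384 32767",
                   "netservice svc-gre 47"):
        print(parse_netservice(sample))
```

Rejecting out-of-range ports and malformed lists at parse time matters because a silently truncated alias ends up permitting more or less than the operator intended when it is referenced from several session ACLs.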
Creating an ACL White List
The white list protects the managed device during traffic session processing by controlling which session traffic is forwarded to the managed device itself: each entry explicitly permits or denies such traffic. The maximum number of entries allowed in the ACL white list is 256. A white-list entry can optionally reference a bandwidth contract, which must be defined before it is assigned; the following sections describe both steps.
Creating a Bandwidth Contract
The following procedure describes how to create a bandwidth contract:
- In the node hierarchy, navigate to the tab.
- Expand the accordion.
- Click to create a new contract.
- In the field, enter the name of a bandwidth contract.
- In the field, enter a bandwidth rate value.
- Click .
- Click .
- In the window, select the check box and click .
The following CLI command creates a bandwidth contract:
(host) [mynode] (config) #cp-bandwidth-contract
Configuring the ACL White List
The following procedure describes how to configure an ACL white list:
- In the node hierarchy, navigate to the tab.
- Expand the accordion.
- Click to create a new protocol.
- Select or from the drop-down list. Permit allows session traffic to be forwarded to the managed device and deny blocks session traffic.
- Select IPv4 or IPv6 filter from the drop-down list.
- Select one of the following from the drop-down list:
- For a specific IPv4 or IPv6 subnet, select . Enter the IP address and mask of the IPv4 or IPv6 subnet in the and fields.
- For an IPv4 or IPv6 host, select .
- In the field, enter the number for a protocol and select the protocol from the drop-down list used by session traffic.
- In the field, enter a starting port. This is the first port, in the port range, on which permitted or denied session traffic is running. Port range: 1–65535.
- In the field, enter an ending port. This is the last port, in the port range, on which permitted or denied session traffic is running. Port range: 1–65535.
- (Optional) Select the name of the bandwidth contract to which the session traffic should be applied, from the drop-down list.
- For further information on creating bandwidth contracts, see Configuring Bandwidth Contracts
- Click . The ACL displays in the white list section.
- To delete an entry, click next to the entry you want to delete.
- Click .
- Click .
- In the window, select the check box and click .
The following CLI command creates ACL white lists:
(host) [mynode] (config) #firewall cp
Override Local Network Destination
To implement this feature, a new sub-command, host vlan <vlan-id> offset <offset>, is introduced under the netdestination configuration command. An example and description are as follows:
netdestination store
host vlan 10 offset 5
host vlan 10 offset 8
With the above, the managed device takes the subnet (for example, 10.1.1.0/24) assigned to VLAN 10 on that device and calculates offsets 5 (10.1.1.5) and 8 (10.1.1.8) from it, so the same netdestination resolves to a different host at each store.
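The offset calculation described above, as an added example that is not ArubaOS code: a Python resolver that reads VLAN addresses out of lines in the layout of show ip interface brief, applies host vlan/offset entries to each managed device's own subnet, and rejects offsets that do not land on a usable host. It goes slightly beyond the /24 case in the text by also checking subnets that are too small for the requested offset. parse_vlan_table, resolve_netdestination and the two constructed store tables are assumptions of this example.

```python
"""Resolve 'host vlan <id> offset <n>' netdestination entries per device.

Added example, not ArubaOS code. The same netdestination definition is
resolved against each managed device's own VLAN subnet, so one alias
yields a different host on every device. parse_vlan_table and
resolve_netdestination are names assumed by this example; the VLAN
tables below are constructed in the layout of 'show ip interface brief'.
"""
import ipaddress
from typing import Dict, List, Tuple


def parse_vlan_table(show_output: str) -> Dict[int, ipaddress.IPv4Interface]:
    """Collect the addressed VLAN interfaces from show-ip-interface-brief lines."""
    table = {}
    for line in show_output.splitlines():
        tokens = line.split()
        # expected layout: vlan <id> <address> / <netmask> <admin> <protocol>
        if len(tokens) >= 5 and tokens[0] == "vlan" and tokens[3] == "/":
            if tokens[2] == "unassigned":
                continue
            table[int(tokens[1])] = ipaddress.IPv4Interface(f"{tokens[2]}/{tokens[4]}")
    return table


def resolve_vlan_offset(vlan_table, vlan_id: int, offset: int) -> ipaddress.IPv4Address:
    """Network address of the VLAN subnet plus offset, checked to be a usable host."""
    if not 1 <= offset <= 254:                  # the CLI accepts <1-254>
        raise ValueError(f"offset {offset} outside 1-254")
    if vlan_id not in vlan_table:
        raise LookupError(f"vlan {vlan_id} has no IPv4 address on this device")
    net = vlan_table[vlan_id].network
    host = net.network_address + offset
    # a /24 always holds offsets 1-254, but a smaller subnet may not
    if host not in net or host == net.broadcast_address:
        raise ValueError(f"offset {offset} is not a host in {net}")
    return host


def resolve_netdestination(entries: List[Tuple[int, int]], vlan_table) -> List[str]:
    """Resolve every (vlan, offset) entry of a netdestination on one device."""
    return [str(resolve_vlan_offset(vlan_table, vlan, off)) for vlan, off in entries]


# netdestination "store": host vlan 10 offset 5 / host vlan 10 offset 8
STORE_ENTRIES = [(10, 5), (10, 8)]

# constructed 'show ip interface brief' output for two managed devices
STORE_A = """Interface IP Address / IP Netmask Admin Protocol
vlan 1 172.72.10.254 / 255.255.255.0 up up
vlan 10 10.1.1.1 / 255.255.255.0 up up
loopback unassigned / unassigned up up
"""
STORE_B = """Interface IP Address / IP Netmask Admin Protocol
vlan 10 10.2.7.1 / 255.255.255.0 up up
loopback unassigned / unassigned up up
"""


def resolve_store(show_output: str) -> List[str]:
    return resolve_netdestination(STORE_ENTRIES, parse_vlan_table(show_output))


if __name__ == "__main__":
    print("store A:", resolve_store(STORE_A))   # ['10.1.1.5', '10.1.1.8']
    print("store B:", resolve_store(STORE_B))   # ['10.2.7.5', '10.2.7.8']
```

Because the alias is computed from the VLAN subnet at each device rather than written as a static address, one policy pushed from the Mobility Master selects the right local host at every site; the subnet check is the caveat an operator wants before reusing the same offsets on a site with a smaller VLAN.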
The following procedure describes how to configure an override local network destination:
- In the node hierarchy, navigate to the tab.
- Select a role and click under to create a rule.
- Click one of the options in the field to select a rule and click .
- Select from the drop-down list.
- Select from the drop-down list.
- Click in the table.
- Select from the drop-down list.
- Select the VLAN offset number (the host offset within the VLAN subnet) from the drop-down list.
- Click .
- Click in the window.
- Click .
- Click .
- In the window, select the check box and click .
The following CLI commands configure the local override netdestination:
(host) [md] (config) #netdestination store
(host) [md] (config-submode) #?
description Brief description about this destination (up to 128 characters in quote)
host Configure a single IPv4 host
invert Use all destinations EXCEPT this destination
name Configure a single host name or domain, Max 63 characters
network Configure a IPv4 subnet
no Delete Command
range Configure a range of IPv4 addresses
(host) [md] (config-submode) #host?
vlan IPv4 Address based on VLAN
A.B.C.D IPv4 Address of host
(host) [md] (config-submode) #host vlan ?
<1-4094> VLAN ID
(host) [md] (config-submode) #host vlan 55 ?
offset Offset in the VLAN subnet
(host) [md] (config-submode) #host vlan 55 offset ?
<1-254> Offset number in the VLAN subnet
(host) [md] (config-submode) #host vlan 55 offset 36
Execute the following command to show the local override netdestination:
(host) [md] #show netdestination store
Name: store
Position Type IP addr Mask-Len/Range
-------- ---- ------- --------------
1 override vlan 55 offset 36
One netdestination definition can have a maximum of 256 netdestination entries. On the whole, there can be a maximum of 1024 netdestination entries on the Controller or Managed Device.
How to use the local-override netdestination alias in the managed device:
(host) [md] (config) #ip access-list session store-override
(host) [md] (config-sess-store-override) #any alias store any permit
(host) [md] (config-sess-store-override) #alias store any any deny
(host) [md] (config-sess-store-override) #!
(host) [md] #show ip interface brief
Interface IP Address / IP Netmask Admin Protocol
vlan 1 172.72.10.254 / 255.255.255.0 up up
vlan 55 55.55.55.1 / 255.255.255.0 up up
loopback unassigned / unassigned up up
(host) [md] #show acl acl-table | include dummy-acl
75 session 620 2 3 dummy-acl 0
(host) [md] #show acl ace-table acl 75
620: any netdest-id: 34 0 0-0 0-0 f1000080001:permit alias-dst hits-table-index 24578
621: netdest-id: 34 any 0 0-0 0-0 f800080001:permit alias-src hits-table-index 24579
622: any any 0 0-0 0-0 f180000:deny
RTP Traffic without Changing DSCP value
RTP traffic can be passed through the managed devices without changing the DSCP value set by the end-user device.
To pass RTP traffic without changing the DSCP value, execute the following commands:
(host) [md] (config) #firewall
(host) [md] (config-submode)#voip-qos-trusted
To verify that RTP traffic is passed without changing the DSCP value, execute the following command:
(host) [md] #show firewall | include Trust
Trust packet QoS Enabled
To verify the client DSCP value (for example, 48) for RTP traffic, execute the following command:
(host) #show datapath session dpi | include V
C - client, M - mirror, V - VOIP
r - Route Nexthop, h - High Value
Source IP or MAC Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge
10.15.123.147 10.15.16.19 17 33262 2060 0/0 6 48 0 local 2876
10.15.16.19 10.15.123.147 17 2060 33262 0/0 6 48 0 local 2876
Packets Bytes AclVer Int-Flag Sess-Flag2 PktsDpi UplnkVlan AppID
1 40 8009 81095 0 3 none alg-rtp
0 0 0 1094 0 2 none alg-rtp
AceIdx Flags DpiTIdx CPU ID
(3404) 1142/1138 FHPTCVBO dc 7
(3404) 0/1138 FHPTCVBO dc 6