Firewall Policies

A firewall policy identifies specific characteristics about a data packet passing through the Aruba Managed Device and takes some action based on that identification. In an Aruba Managed Device, that action can be a firewall-type action such as permitting or denying the packet, an administrative action such as logging the packet, or a QoS action such as setting 802.1p bits or placing the packet into a priority queue. You can apply firewall policies to user roles to give differential treatment to different users on the same network, or to physical ports to apply the same policy to all traffic through the port.

Firewall policies and ACLs have three main functional differences. Firewall policies differ from ACLs in the following ways:

Workflow for Configuring Firewall Policies

You can configure one or more firewall policies. This section describes how to configure the rules that constitute a firewall policy. Before configuring firewall policies, ensure that you understand ACLs, how to work with ACLs, and what role-based ACLs are.

Working With ACLs

ACLs are a common way of restricting certain types of traffic on a physical port. ArubaOS provides the following types of ACLs:

ArubaOS provides both standard and extended ACLs for compatibility with router software from popular vendors; however, firewall policies provide equivalent and greater function than standard and extended ACLs and should be used instead.

You can apply MAC and Ethertype ACLs to a user role; however, these ACLs only apply to non-IP traffic from the user.

Role-Based ACL

Role-based ACL is a feature available on Aruba controllers to apply policies to traffic matching a particular user role. Earlier, this feature was supported only when the users were present on the same controller. Starting from ArubaOS 8.6.0.0, this feature is extended to support multi-controller deployments. A role-to-role ACL can now be assigned to two users terminating on different controllers. This feature is configured by creating a policy domain group profile and adding the IP addresses of the controllers.

Role-based ACL supports a mix of controller models with the exception of and x86 Virtual Mobility Controllers. To apply role-based ACL for 9004 and x86 Virtual Mobility Controller models, all the controllers have to be either 9004 or x86 VMCs respectively. To apply role-based ACL to x86 Virtual Mobility Controllers, all the controllers have to be managed by the same Mobility Master.

Role-based ACL works across multiple controllers only if the role is configured as a destination role in at least one ACL.

Role-based ACL cannot be applied to the following:

  • L2 multicast traffic
  • L3 multicast/broadcast traffic
  • ClearPass Policy Manager downloadable user role

The following CLI commands create a role-based ACL in a multi-controller deployment:

(host) [md] policy-domain group-profile <name>

(host) [md] (Policy Domain Profile "name") controller <ip> <macaddress>

Multiple policy domains for group profiles are supported. The command should be executed in the /md node and the policy domain group profile supports IPv4 and IPv6 addresses but a combination of both is not supported.

Limitations

  • Each node can be part of one profile only.
  • All policy domain profiles can be applied at /md nodes only.
  • Each policy domain profile can only have either all IPv4 or all IPv6 nodes; a mix of IPv4 and IPv6 nodes is not allowed.
  • Managed devices should be part of a single domain. You cannot add a managed device to a Mobility Master, which is already part of another domain.

All managed devices should be running ArubaOS 8.7.0.0 when multiple policy domain manager profiles are configured.

The tasks for configuring a firewall policy are:

  1. Configure the rules that constitute a firewall policy.

    See “Creating a Firewall Policy”.

  2. Create a network service alias. A network service alias defines a TCP, UDP, or IP protocol and a list or range of ports supported by that service.

    See “Creating a Network Service Alias”.

  3. Create an ACL white list. The ACL white list consists of rules that explicitly permit or deny session traffic being forwarded to the managed device.

    See “Creating an ACL White List”.

  4. Create a local network destination override. This feature provides a scalable solution for creating a local network destination override.

    See “Override Local Network Destination”.

Creating a Firewall Policy

This section describes how to configure the rules that constitute a firewall policy. A firewall policy can then be applied to a user role (until the policy is applied to a user role, it has no effect). Table 1 describes the required and optional parameters for a rule.

The following procedure describes how to create a web-only policy that allows web (HTTP and HTTPS) access:

  1. In the Mobility Master node hierarchy, navigate to the Configuration > Roles & Policies > Policies tab.
  2. Click + to create a new policy.
  3. Enter the policy name in the Policy name field.
  4. Select the policy type from the Policy type drop-down list. You can select Ethertype, Extended, MAC, Route, Session, or Standard.
  5. Click Submit.
  6. Select the policy created and click + in the Policy <policy name> table.
  7. Select Access Control option in the Rule Type field.
  8. Click OK.
  9. To add a rule that allows HTTP traffic:
    1. Under Service/app, select Service from the drop-down list.
    2. Select svc-http from the Servicealias drop-down list.
  10. Click Submit.

    Rules can be re-ordered by using the up and down buttons provided for each rule.

  11. Click Submit to apply this configuration. The policy is not created until the configuration is applied.
  12. Click Pending Changes.
  13. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI command creates a web-only policy that allows web (HTTP and HTTPS) access:

(host) [md] (config) #ip access-list session web-only

Table 1: Firewall Policy Rule Parameters

Parameter

Description

IP version

Specifies whether the policy applies to IPv4 or IPv6 traffic.

Source (required)

Source of the traffic, which can be one of the following:

  • any: Acts as a wildcard and applies to any source address.
  • user: Refers to traffic from the wireless client.
  • host: Refers to traffic from a specific host. When this option is chosen, you must configure the IP address of the host.
  • network: Refers to traffic that has a source IP address in a subnet of IP addresses. When this option is chosen, you must configure the IP address and network mask of the subnet.
  • alias: Refers to using an alias for a host or network. You configure the alias by navigating to the Configuration > Roles & Policies > Policies tab. Select a policy created and click + to create a Rule. Select the Access Control option in the Rule Type. Select Alias from the Destination drop-down list and the alias name from the Destination alias drop-down list. Select a Source from the traffic Source drop-down list.

Destination (required)

Destination of the traffic, which can be configured in the same manner as Source.

Service/app (required)

Type of traffic, which can be one of the following:

Action (required)

The action that you want the managed device to perform on a packet that matches the specified criteria. This can be one of the following:

TOS (optional)

Value of TOS bits to be marked in the IP header of a packet matching this rule when it leaves the managed device.

Time Range

You can create an absolute time range with a single fixed start and end date and time, or create a periodic (recurring) time range that starts and ends at a specified time on a weekday, weekend, or selected day.

Log (optional)

Logs a match to this rule. This is recommended when a rule indicates a security breach, such as a data packet on a policy that is meant only to be used for voice calls.

Mirror (optional)

Mirrors session packets to datapath or remote destination.

Queue (optional)

The queue in which a packet matching this rule should be placed.
Select High for higher priority data, such as voice, and Low for lower priority traffic.

Time Range (optional)

Time range for which this rule is applicable.

To configure time range, navigate to Configuration > Roles & Policies > Roles tab. Select a role and click + in the Global Rules table. Select a time range from the Time range drop-down list.

Pause ARM Scanning (optional)

Pauses ARM scanning while traffic is present. Note that you must enable VoIP Aware Scanning in the ARM profile for this feature to work.

Black List (optional)

Automatically blacklists a client that is the source or destination of traffic matching this rule. This option is recommended for rules that indicate a security breach where the blacklisting option can be used to prevent access to clients that are attempting to breach the security.

ACL White List (optional)

A rule must explicitly permit a traffic session before it is forwarded to the managed device. The last rule in the white list denies everything else.
Configure white list ACLs on the Configuration > Services > Firewall > ACL White List accordion.

802.1p Priority (optional)

When this parameter is enabled, the 802.1p priority bits are marked in the frame of a packet matching this rule when it leaves the managed device. 0 is the lowest priority (background traffic) and 7 is the highest (network control).

Creating a Network Service Alias

When you create a network service alias, you can use that alias when specifying the network service for multiple session ACLs.

The following procedure describes how to create a network service alias:

  1. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Policies tab.
  2. Click + to create a new policy.
  3. Enter the policy name in the Policy name field.
  4. Select the policy type from the Policy type drop-down list. You can select Ethertype, Extended, MAC, Route, Session, or Standard.
  5. Click Submit.
  6. Select the policy created and click + in the Policy <policy name> table.
  7. Select Access Control option in the Rule Type field.
  8. Click OK.
  9. Select Service from the Service/app drop-down list.
  10. Click + in the Service alias drop-down list to add a new service.
    1. Enter a Service name.
    2. In the Protocol drop-down, select either TCP or UDP, or select protocol and enter the IP protocol number and select an Application level gateway (alg) of the protocol for which you want to create an alias.
    3. In the Port type drop-down, specify whether you want to define the port by a contiguous range of ports, or by a list of non-contiguous port numbers.
      • If you select range, enter the starting and ending port numbers in the Starting port and End port fields.
      • If you select list, enter a comma-separated list of port numbers in the Port list field.
    4. To limit the service alias to a specific application, select one of the following service types from the Application Level Gateway (alg) drop-down list:
  11. Click Submit to add a new service.
  12. Click Submit.
  13. Click Pending Changes.
  14. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI command defines a service alias:

(host) [md] (config) #netservice <name> <protocol>|tcp|udp {list <port>,<port>}|{<port> [<port>]}[ALG <service>]
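The netservice syntax above can be checked mechanically. The following Python script is an added example, not ArubaOS code: it parses a netservice line into a port matcher (range form, list form, or a bare IP protocol number), validates port and protocol values, and tests whether a flow uses the service. The service names and sample lines are constructed, and the rule that ports apply only to TCP/UDP services is this example's own assumption.

```python
"""Parse ArubaOS `netservice` definitions into port matchers (added example).

Models the syntax
  netservice <name> <protocol>|tcp|udp {list <port>,<port>}|{<port> [<port>]} [ALG <service>]
The ALG field is recorded but not enforced here.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

PROTO_NUMBERS = {"tcp": 6, "udp": 17}   # IANA protocol numbers


@dataclass
class NetService:
    name: str
    protocol: int                              # IP protocol number
    ports: Optional[Set[int]] = None           # list form: explicit port set
    port_range: Optional[Tuple[int, int]] = None  # range form, inclusive
    alg: Optional[str] = None

    def matches(self, protocol: int, dport: int) -> bool:
        """True if a flow with this protocol and destination port uses the service."""
        if protocol != self.protocol:
            return False
        if self.ports is not None:
            return dport in self.ports
        if self.port_range is not None:
            lo, hi = self.port_range
            return lo <= dport <= hi
        # Assumption: a bare protocol number (e.g. GRE) carries no ports.
        return True


def _check_port(value: str) -> int:
    port = int(value)                          # ValueError on non-numeric input
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_netservice(line: str) -> NetService:
    """Parse one `netservice ...` line; raises ValueError on malformed input."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "netservice":
        raise ValueError("expected: netservice <name> <protocol>|tcp|udp ...")
    name, proto = tokens[1], tokens[2].lower()
    rest = tokens[3:]

    alg = None
    if len(rest) >= 2 and rest[-2].lower() == "alg":   # trailing [ALG <service>]
        alg = rest[-1]
        rest = rest[:-2]

    if proto in PROTO_NUMBERS:
        protocol = PROTO_NUMBERS[proto]
    else:
        protocol = int(proto)
        if not 0 <= protocol <= 255:
            raise ValueError(f"protocol out of range: {protocol}")
        if rest:
            raise ValueError("ports are only valid for tcp/udp services")
        return NetService(name, protocol, alg=alg)

    if not rest:
        raise ValueError("tcp/udp service needs a port, a range or a list")
    if rest[0].lower() == "list":                       # list <port>,<port>,...
        if len(rest) != 2:
            raise ValueError("expected: list <port>,<port>,...")
        ports = {_check_port(p) for p in rest[1].split(",") if p}
        return NetService(name, protocol, ports=ports, alg=alg)
    if len(rest) > 2:                                   # <port> [<port>]
        raise ValueError("range form takes <port> [<port>]")
    start = _check_port(rest[0])
    end = _check_port(rest[1]) if len(rest) == 2 else start
    if end < start:
        raise ValueError("end port precedes start port")
    return NetService(name, protocol, port_range=(start, end), alg=alg)


def is_valid_netservice(line: str) -> bool:
    """Convenience wrapper: True when the line parses cleanly."""
    try:
        parse_netservice(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample definitions, not from a real configuration.
    for sample in ("netservice svc-web tcp list 80,443",
                   "netservice svc-sip-udp udp 5060 ALG sip",
                   "netservice svc-gre 47"):
        print(parse_netservice(sample))
```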

Creating an ACL White List

The white list protects the managed device during traffic session processing by prohibiting traffic from being automatically forwarded to the managed device if it was not specifically denied in a blacklist. The maximum number of entries allowed in the ACL white list is 256. To create an ACL white list, you must first define a white list bandwidth contract, and then assign it to an ACL.

Creating a Bandwidth Contract

The following procedure describes how to create a bandwidth contract:

  1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > Firewall tab.
  2. Expand the White List BW Contracts accordion.
  3. Click + to create a new contract.
  4. In the White list contract name field, enter the name of a bandwidth contract.
  5. In the Bandwidth rate field, enter a bandwidth rate value.
  6. Click Submit.
  7. Click Pending Changes.
  8. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI command creates a bandwidth contract:

(host) [mynode] (config) #cp-bandwidth-contract

Configuring the ACL White List

The following procedure describes how to configure an ACL white list:

  1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > Firewall tab.
  2. Expand the Acl White List accordion.
  3. Click + to create a new protocol.
  4. Select permit or deny from the Action drop-down list.

    Permit allows session traffic to be forwarded to the managed device and deny blocks session traffic.

  5. Select Ipv4 or Ipv6 filter from the IP version drop-down list.
  6. Select one of the following from the Source drop-down list:
    • For a specific IPv4 or IPv6 filter, select addr_mask. Enter the IP address and mask of the IPv4 or IPv6 filter in the corresponding fields.
    • For an IPv4 or IPv6 host, select any.
  7. Enter the IP address and Subnet Mask.
  8. In the IP protocol number(1-255) or IP protocol field, enter the number for a protocol and select the protocol from the drop-down list used by session traffic.
  9. In the Starting ports field, enter a starting port. This is the first port, in the port range, on which permitted or denied session traffic is running. Port range: 1–65535.
  10. In the End port field, enter an ending port. This is the last port, in the port range, on which permitted or denied session traffic is running. Port range: 1–65535.
  11. (Optional) Select the name of the bandwidth contract to which the session traffic should be applied, from the White list bandwidth contract drop-down list.
  12. For further information on creating bandwidth contracts, see Configuring Bandwidth Contracts.
  13. Click Submit. The ACL displays in the white list section.
  14. To delete an entry, click Delete next to the entry you want to delete.
  15. Click Submit.
  16. Click Pending Changes.
  17. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI command creates ACL white lists:

(host) [mynode] (config) #firewall cp

Override Local Network Destination

To implement this feature, a new sub-command, host vlan – offset under the netdestination configuration command is introduced. An example and description are as follows:

netdestination store

host vlan 10 offset 5

host vlan 10 offset 8

With the above definition, the managed device takes the subnet (for example, 10.1.1.0/24) assigned to VLAN 10 for that store and calculates offsets 5 (10.1.1.5) and 8 (10.1.1.8) from it.

The following procedure describes how to configure an override local network destination:

  1. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Roles tab.
  2. Select a role and click + under Rules of this Role only to create a rule.
  3. Click one of the options in the Rule Type field to select a rule and click OK.
  4. Select Alias from the Destination drop-down list.
  5. Select + from the Destination alias drop-down list.
  6. Click + in the Rule table.
  7. Select Override from the Rule type drop-down list.
  8. Select a VLAN offset number, which is the netmask or range, from the Vlan drop-down list.
  9. Click OK.
  10. Click Submit in the Add New Destination window.
  11. Click Submit.
  12. Click Pending Changes.
  13. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure the local override netdestination:

(host) [md] (config) #netdestination store

(host) [md] (config-submode) #?

description Brief description about this destination (up to 128 characters in quote)

host Configure a single IPv4 host

invert Use all destinations EXCEPT this destination

name Configure a single host name or domain, Max 63 characters

network Configure a IPv4 subnet

no Delete Command

range Configure a range of IPv4 addresses

(host) [md] (config-submode) #host?

vlan IPv4 Address based on VLAN

A.B.C.D IPv4 Address of host

(host) [md] (config-submode) #host vlan ?

<1-4094> VLAN ID

(host) [md] (config-submode) #host vlan 55 ?

offset Offset in the VLAN subnet

(host) [md] (config-submode) #host vlan 55 offset ?

<1-254> Offset number in the VLAN subnet

(host) [md] (config-submode) #host vlan 55 offset 36

Execute the following command to show the local override netdestination:

(host) [md] #show netdestination store

Name: store

Position Type IP addr Mask-Len/Range

-------- ---- ------- --------------

1 override vlan 55 offset 36

One netdestination definition can have a maximum of 256 netdestination entries. In total, there can be a maximum of 1024 netdestination entries on the Controller or Managed Device.

How to use the local-override netdestination alias in the managed device:

(host) [md] (config) #ip access-list session store-override

(host) [md] (config-sess-store-override) #any alias store any permit

(host) [md] (config-sess-store-override) #alias store any any deny

(host) [md] (config-sess-store-override) #!

(host) [md] #show ip interface brief

Interface IP Address / IP Netmask Admin Protocol

vlan 1 172.72.10.254 / 255.255.255.0 up up

vlan 55 55.55.55.1 / 255.255.255.0 up up

loopback unassigned / unassigned up up

 

(host) [md] #show acl acl-table | include dummy-acl

75 session 620 2 3 dummy-acl 0

 

(host) [md] #show acl ace-table acl 75

 

620: any netdest-id: 34 0 0-0 0-0 f1000080001:permit alias-dst hits-table-index 24578

621: netdest-id: 34 any 0 0-0 0-0 f800080001:permit alias-src hits-table-index 24579

622: any any 0 0-0 0-0 f180000:deny
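To see how the override alias and the session ACL above combine on a given managed device, here is an added Python example (not ArubaOS code, and not the datapath's actual algorithm): it resolves `host vlan <id> offset <n>` entries against a device's VLAN interface table, then evaluates the store-override ACEs in order with an implicit deny, as the ace-table output above suggests. The VLAN addresses and flows are constructed sample data; the 1-254 offset check and the 256-entry limit follow the values stated on this page.

```python
"""Resolve a local-override netdestination and evaluate a session ACL (added example).

Assumed model: (1) each `host vlan <id> offset <n>` entry resolves to
<subnet of the device's own VLAN interface> + offset, so one alias yields a
different host on every managed device; (2) ACEs are evaluated in order,
first match wins, and an implicit deny follows the last ACE.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

MAX_ENTRIES_PER_NETDEST = 256        # limit stated on the page
ACTIONS = ("permit", "deny")


def resolve_netdestination(entries: List[Tuple[int, int]],
                           vlan_interfaces: Dict[int, str]) -> Set[str]:
    """entries: [(vlan_id, offset)]; vlan_interfaces: {vlan_id: 'ip/prefix'} of
    this device. Returns the host addresses the alias covers here."""
    if len(entries) > MAX_ENTRIES_PER_NETDEST:
        raise ValueError("netdestination exceeds 256 entries")
    hosts: Set[str] = set()
    for vlan_id, offset in entries:
        if vlan_id not in vlan_interfaces:
            # No interface in this VLAN on this device: the entry resolves to
            # nothing here, so rules using the alias simply never match.
            continue
        net = ipaddress.ip_interface(vlan_interfaces[vlan_id]).network
        # CLI accepts <1-254>; also reject the broadcast address of small subnets.
        if not 1 <= offset <= 254 or offset >= net.num_addresses - 1:
            raise ValueError(f"offset {offset} outside host range of {net}")
        hosts.add(str(net.network_address + offset))
    return hosts


def is_valid_netdestination(entries, vlan_interfaces) -> bool:
    try:
        resolve_netdestination(entries, vlan_interfaces)
        return True
    except ValueError:
        return False


def evaluate_session_acl(aces: List[Tuple[str, str, str]],
                         aliases: Dict[str, Set[str]],
                         src_ip: str, dst_ip: str) -> str:
    """aces: ordered (src, dst, action); src/dst are 'any' or an alias name.
    Returns the action of the first matching ACE, or 'deny' when none matches."""
    def side_matches(spec: str, ip: str) -> bool:
        if spec == "any":
            return True
        return str(ipaddress.ip_address(ip)) in aliases[spec]

    for src, dst, action in aces:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action}")
        if side_matches(src, src_ip) and side_matches(dst, dst_ip):
            return action
    return "deny"                    # implicit final deny (ACE 622 above)


# Constructed: one managed device's VLAN interfaces, as `show ip interface brief` lists them.
DEVICE_VLANS = {1: "172.72.10.254/24", 55: "55.55.55.1/24"}
# netdestination store / host vlan 55 offset 36, as configured above.
STORE_ENTRIES = [(55, 36)]
# ip access-list session store-override, in configured order.
STORE_OVERRIDE_ACL = [
    ("any", "store", "permit"),      # any alias store any permit
    ("store", "any", "deny"),        # alias store any any deny
]


def decide(src_ip: str, dst_ip: str, vlan_interfaces=DEVICE_VLANS) -> str:
    """Action the store-override ACL gives a flow on a device with these VLANs."""
    aliases = {"store": resolve_netdestination(STORE_ENTRIES, vlan_interfaces)}
    return evaluate_session_acl(STORE_OVERRIDE_ACL, aliases, src_ip, dst_ip)


if __name__ == "__main__":
    print(resolve_netdestination(STORE_ENTRIES, DEVICE_VLANS))   # {'55.55.55.36'}
    print(decide("55.55.55.20", "55.55.55.36"))                 # permit
    print(decide("55.55.55.36", "172.72.10.10"))                # deny
```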

RTP Traffic without Changing DSCP value

RTP traffic can be passed without changing the DSCP value set by the end user device. This allows the RTP traffic to pass through the managed devices.

To pass RTP traffic without changing the DSCP value, execute the following command:

(host) [md] (config) #firewall

(host) [md] (config-submode)#voip-qos-trusted

To verify that RTP traffic is passed without changing the DSCP value, execute the following command:

(host) [md] #show firewall | include Trust

 

Trust packet QoS Enabled

To verify the client DSCP value (for example, 48) for RTP traffic, execute the following command:

(host) #show datapath session dpi | include V

 

C - client, M - mirror, V - VOIP

r - Route Nexthop, h - High Value

 

Source IP or MAC Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge

10.15.123.147 10.15.16.19 17 33262 2060 0/0 6 48 0 local 2876

10.15.16.19 10.15.123.147 17 2060 33262 0/0 6 48 0 local 2876

 

Packets Bytes AclVer Int-Flag Sess-Flag2 PktsDpi UplnkVlan AppID

1 40 8009 81095 0 3 none alg-rtp

0 0 0 1094 0 2 none alg-rtp

 

AceIdx Flags DpiTIdx CPU ID

(3404) 1142/1138 FHPTCVBO dc 7

(3404) 0/1138 FHPTCVBO dc 6