Understanding Global Firewall Parameters

Each firewall policy has a set of parameters that require configuration. In order to set up robust firewall policies, it is essential to understand what each parameter does, its functionality, and its purpose. Table 1 describes the optional firewall parameters you can set on the managed devices for IPv4 traffic.

To configure global firewall parameters, in the Mobility Master node hierarchy, navigate to the Configuration > Services > Firewall > Global Settings accordion and select or enter values in the IPv4 column.

You can also use the CLI command firewall for configuration.

See IPv6 Support for information about configuring firewall parameters for IPv6 traffic.

Table 1: IPv4 Firewall Parameters

Parameter

Description

Monitor Ping Attack (per 30 seconds)

Number of ICMP pings per 30 seconds which, if exceeded, can indicate a DoS attack. Valid range is 1-16384 pings per 30 seconds.

Recommended value is 120 packets per 30 seconds.

Default: No default

Monitor TCP SYN Attack rate (per 30 seconds)

Number of TCP SYN messages per 30 seconds which, if exceeded, can indicate a DoS attack. Valid range is 1-16384 SYN messages per 30 seconds.

Recommended value is 960 packets per 30 seconds.

Default: No default

Monitor IP Session Attack (per 30 seconds)

Number of TCP or UDP connection requests per 30 seconds which, if exceeded, can indicate a DoS attack. Valid range is 1-16384 requests per 30 seconds.

Recommended value is 960 packets per 30 seconds.

Default: No default

Monitor/Police ARP Attack (non Gratuitous ARP) rate (per 30 seconds)

Number of ARP packets (other than Gratuitous ARP packets) per 30 seconds which, if exceeded, can indicate a DoS attack. Valid range is 1-16384 packets per 30 seconds.

Recommended value is 960 packets per 30 seconds.

Default: No default

Monitor/Police Gratuitous ARP Attack rate (per 30 seconds)

Number of Gratuitous ARP packets per 30 seconds which, if exceeded, can indicate a DoS attack. Valid range is 1-16384 packets per 30 seconds.

Recommended value is 50 packets per 30 seconds.

Default: 50 packets

Monitor/Police Gratuitous ARP Attack Action

Select Blacklist to block the gratuitous ARP or Drop to disallow a gratuitous ARP from untrusted ports.

Monitor/Police CP Attack rate (per 30 seconds)

Rate of a misbehaving user's traffic which, if exceeded, can indicate a denial of service attack.

Recommended value is 3000 frames per 30 seconds.

Default: No default

Deny Inter User Bridging

Prevents the forwarding of Layer-2 traffic between wired or wireless users. You can configure user role policies that prevent Layer-3 traffic between users or networks, but this does not block Layer-2 traffic. This option can be used to prevent traffic, such as AppleTalk or IPX, from being forwarded.

Default: Disabled

Deny Inter User Traffic

Denies traffic between untrusted users by disallowing layer-2 and layer-3 traffic. This parameter does not depend on the deny-inter-user-bridging parameter being enabled or disabled.

Default: Disabled

Deny Source Routing

Permits the firewall to reject and log packets with the specified IP options: loose source routing, strict source routing, and record route. Note that network packets where the IPv6 source or destination address is defined as a link-local address (fe80::/64) are permitted.

Default: Disabled

Deny All IP Fragments

Drops all IP fragments.

NOTE: Do not enable this option unless instructed to do so by an Aruba representative.

Default: Disabled

Enforce TCP Handshake Before Allowing Data

Prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network, as enabling this option will cause mobility to fail. You can enable this option if there are no mobile clients on the network.

Default: Disabled

Prohibit IP Spoofing

Enables detection of IP spoofing (where an intruder sends messages using the IP address of a trusted client). When this option is enabled, source and destination IP and MAC addresses are checked for each ARP request or response. Traffic from a second MAC address using a specific IP address is denied, and the entry is not added to the user table. Possible IP spoofing attacks are logged and an SNMP trap is sent.

Default: Enabled

Prohibit RST Replay Attack

When enabled, closes a TCP connection in both directions if a TCP RST is received from either direction. You should not enable this option unless instructed to do so by an Aruba representative.

Default: Disabled

Log all received ICMP Errors

Enables logging of received ICMP errors. You should not enable this option unless instructed to do so by an Aruba representative.

Default: Disabled

Stateful SIP Processing

Disables monitoring of exchanges between a VoIP or VoWLAN device and a SIP server. This option should be enabled only when there is no VoIP or VoWLAN traffic on the network.

Default: Disabled (stateful SIP processing is enabled)

Allow Tri-session with DNAT

Allows a three-way session when performing destination NAT. This option should be enabled when the managed device is not the default gateway for wireless clients and the default gateway is behind the managed device. This option is typically used for captive portal configuration.

Default: Disabled.

AMSDU Configuration

Enables handling of AMSDU traffic from clients.

Default: Disabled

Session Idle Timeout (sec)

Sets the time, in seconds, that a non-TCP session can be idle before it is removed from the session table. Specify a value in the range 16-300 seconds. You should not set this option unless instructed to do so by an Aruba representative.

Default: 16 seconds

Session Mirror Destination

Destination (IP address or port) to which mirrored session packets are sent. This option is used only for troubleshooting or debugging.

Packets can be mirrored in multiple ACLs, so only a single copy is mirrored if there is a match within more than one ACL.

You can configure the following:

Default: N/A

Disable FTP Server

Disables the FTP server on the managed device. Enabling this option prevents FTP transfers. You should not enable this option unless instructed to do so by an Aruba representative.

Default: Disabled (FTP server is enabled)

GRE Call ID Processing

Creates a unique state for each PPTP tunnel. You should not enable this option unless instructed to do so by an Aruba representative.

Default: Disabled

Optimize duplicate access detection frames

Optimizes DAD frames and reduces flooding of IPv4 gARPs / IPv6 DAD frames onto wireless clients.

Default: Enabled

Stall detection

Triggers datapath crash on stall detection. This is applicable only to 7200 Series controllers. You should not enable this option unless instructed to do so by an Aruba representative.

Default: Disabled

Immediate freeback

If enabled, immediately frees buffers on controllers. You should not enable this option unless instructed to do so by an Aruba representative.

Stateful ICMP processing

Creates sessions for ICMP errors and denies unidirectional replies.

Default: Disabled

Mcast RED

Configures multicast random early detection algorithms. Click the toggle switch to enable this setting. The following parameters are displayed only when Mcast RED is enabled:

  • Inverse mark probability—Specify an Inverse mark probability value. For example, an inverse mark probability parameter of 10 corresponds to a mark probability of 1/10 which means 1 in 10 packets will be dropped.
  • Minimum threshold—Specify a minimum threshold value. Range is 0-99.
  • Maximum threshold—Specify a maximum threshold value. Range is 1-100.
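The three Mcast RED parameters map directly onto the classic random early detection formula: below the minimum threshold nothing is marked, at or above the maximum threshold everything is, and in between the mark probability rises linearly up to 1/(inverse mark probability). The following added example (not ArubaOS code) works that formula through with the page's thresholds; it assumes the thresholds are percentages of queue occupancy and, for brevity, uses instantaneous occupancy rather than the weighted average queue length used by full RED implementations.

```python
import random


def red_mark_probability(occupancy_pct, min_threshold, max_threshold,
                         inverse_mark_probability):
    """Mark/drop probability for a queue at occupancy_pct (0-100 percent).

    Ranges follow the page: minimum threshold 0-99, maximum threshold 1-100,
    and an inverse mark probability of N gives a peak probability of 1/N.
    Treating the thresholds as percent occupancy is an assumption here.
    """
    if not (0 <= min_threshold <= 99 and 1 <= max_threshold <= 100):
        raise ValueError("thresholds out of range")
    if min_threshold >= max_threshold:
        raise ValueError("minimum threshold must be below maximum threshold")
    if inverse_mark_probability < 1:
        raise ValueError("inverse mark probability must be >= 1")
    if occupancy_pct < min_threshold:
        return 0.0                      # queue is short: never mark
    if occupancy_pct >= max_threshold:
        return 1.0                      # queue is full: always mark
    max_p = 1.0 / inverse_mark_probability
    # Linear ramp from 0 at min_threshold to max_p just below max_threshold.
    return max_p * (occupancy_pct - min_threshold) / (max_threshold - min_threshold)


def simulate_multicast_queue(occupancies, min_threshold, max_threshold,
                             inverse_mark_probability, seed=7):
    """Apply RED to a constructed sequence of per-packet queue occupancies.

    Returns the number of packets RED would have dropped. The RNG is seeded
    so the result is reproducible.
    """
    rng = random.Random(seed)
    dropped = 0
    for occ in occupancies:
        p = red_mark_probability(occ, min_threshold, max_threshold,
                                 inverse_mark_probability)
        if rng.random() < p:
            dropped += 1
    return dropped


if __name__ == "__main__":
    # Inverse mark probability 10 (1 in 10 at peak), thresholds 20 and 80 percent.
    for occ in (10, 20, 50, 79, 80, 95):
        print(f"occupancy {occ:3d}%: mark probability "
              f"{red_mark_probability(occ, 20, 80, 10):.3f}")
```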

Per-packet Logging

Enables logging of every packet if logging is enabled for the corresponding session rule. Normally, one event is logged per session. If you enable this option, each packet in the session is logged. You should not enable this option unless instructed to do so by an Aruba representative, as doing so may create unnecessary overhead on the managed device.

Default: Disabled (per-session logging is performed)

Broadcast-filter ARP

Reduces the number of broadcast packets sent to VoIP clients, thereby improving the battery life of voice handsets. You can enable this option for voice handsets in conjunction with increasing the DTIM interval on clients.

Default: Disabled

Prohibit ARP Spoofing

Detects and prohibits ARP spoofing. When this option is enabled, possible ARP spoofing attacks are logged and an SNMP trap is sent.

Default: Disabled

Prevent DHCP Exhaustion

Enables a check of the DHCP client hardware address against the packet source MAC address. The check compares the frame's source MAC against the DHCPv4 client hardware address and drops the packet if they do not match. Enabling this feature prevents a client from submitting multiple DHCP requests with different hardware addresses, thereby preventing DHCP pool depletion.

Default: Disabled
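The Prevent DHCP Exhaustion check is simple to state but depends on reading the right field: the client hardware address (chaddr) lives at a fixed offset in the BOOTP header carried over UDP 68 to 67. The following added example (not ArubaOS code) parses a constructed Ethernet/IPv4/UDP/DHCPv4 DISCOVER frame and returns the verdict that the description above implies; the frame builder, the verdict strings and the decision to drop non-Ethernet hardware types are assumptions of this example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_CLIENT_PORT, DHCP_SERVER_PORT = 68, 67


def build_dhcp_discover_frame(eth_src: bytes, chaddr: bytes,
                              xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPDISCOVER frame for testing (not a real capture).

    IP and UDP checksums are left at zero; the parser below does not verify them.
    """
    # BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr (16 bytes, padded).
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"))
    bootp += b"\0" * 192                      # sname (64) + file (128)
    bootp += b"\x63\x82\x53\x63"              # DHCP magic cookie
    bootp += b"\x35\x01\x01\xff"              # option 53 = DISCOVER, end
    udp = struct.pack("!HHHH", DHCP_CLIENT_PORT, DHCP_SERVER_PORT,
                      8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + eth_src + struct.pack("!H", ETHERTYPE_IPV4) + ip


def check_dhcp_frame(frame: bytes) -> str:
    """Return "pass", "drop" or "not-dhcp" for one Ethernet frame.

    "drop" means the frame is a DHCPv4 client message whose chaddr does not
    equal the Ethernet source MAC, which is what the firewall option rejects.
    """
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return "not-dhcp"
    eth_src = frame[6:12]
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return "not-dhcp"
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return "not-dhcp"
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if (sport, dport) != (DHCP_CLIENT_PORT, DHCP_SERVER_PORT):
        return "not-dhcp"
    bootp = udp[8:]
    if len(bootp) < 44:                       # must reach the end of chaddr
        return "not-dhcp"
    htype, hlen = bootp[1], bootp[2]
    if htype != 1 or hlen != 6:
        # Assumption of this example: only Ethernet hardware addresses are
        # expected on the wireless/wired user ports, so anything else is dropped.
        return "drop"
    chaddr = bootp[28:28 + hlen]
    return "pass" if chaddr == eth_src else "drop"


def sample_verdicts():
    """Constructed frames: one honest client, one with a forged chaddr, one ARP."""
    mac = b"\xaa\xbb\xcc\x00\x00\x01"
    honest = build_dhcp_discover_frame(mac, mac)
    forged = build_dhcp_discover_frame(mac, b"\xde\xad\xbe\xef\x00\x02")
    arp = b"\xff" * 6 + mac + b"\x08\x06" + b"\0" * 28
    return [check_dhcp_frame(f) for f in (honest, forged, arp)]


if __name__ == "__main__":
    print(sample_verdicts())
```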

Only Allow Local Subnets in User Table

Adds only IP addresses that belong to a local subnet to the user table.

Default: Disabled

Session-tunnel FIB

Enable session-tunnel based forwarding.

NOTE: Best practice is to enable this parameter only during a maintenance window or off-peak production hours.

Multicast Automatic Shaping

Enables multicast optimization and provides excellent streaming quality regardless of the number of VLANs or IP IGMP groups that are used.

Default: Disabled

Enforce BW Contracts for Broadcast Traffic

Applies bandwidth contracts to local subnet broadcast traffic.

Enforce TCP Sequence Numbers

Enforces the TCP sequence numbers for all packets.

Default: Disabled

Session VOIP Timeout (sec)

Sets the idle session timeout for sessions that are marked as voice sessions. If no voice packet exchange occurs over a voice session for the specified time, the voice session is removed. Range is 16 – 300 seconds.

Default: 300 seconds

Stateful H.323 Processing

Disables stateful H.323 processing.

Default: Enabled

Stateful SCCP Processing

Disables stateful SCCP processing.

Default: Disabled

Session Mirror IPSEC

Configures session mirroring of all frames that are processed by IPsec. Frames are sent to the IP address specified by the session-mirror-destination option.

NOTE: Use this option for debugging or troubleshooting only.

Default: Disabled

Stateful VOCERA Processing

Disables stateful VOCERA processing.

Default: Disabled

Stateful UA Processing

Disables stateful UA processing.

Default: Disabled

Enforce WMM Voice Priority Matches Flow Content

If traffic to or from the user is inconsistent with the associated QoS policy for voice, the traffic is reclassified to best effort and data path counters are incremented.

Default: Disabled

Rate Limit CP Untrusted Ucast Traffic (pps)

Specifies the untrusted unicast traffic rate limit. Range is 1-65535 packets per second (pps).

Default: 9765 pps

Rate Limit CP Untrusted Mcast Traffic (pps)

Specifies the untrusted multicast traffic rate limit. Range is 1-65535 packets per second (pps).

Default: 1953 pps

Rate Limit CP Trusted Ucast Traffic (pps)

Specifies the trusted unicast traffic rate limit. Range is 1-98304 packets per second (pps).

Default: Disabled

Rate Limit CP Trusted Mcast Traffic (pps)

Specifies the trusted multicast traffic rate limit. Range is 1-65535 packets per second (pps).

Default: 1953 pps

Rate Limit CP Route Traffic (pps)

Specifies the rate limit for traffic that needs ARP requests. Range is 1-65535 packets per second (pps).

Default: 976 pps

Rate Limit CP Session Mirror Traffic (pps)

Specifies the rate limit for session-mirrored traffic forwarded to the managed device. Range is 1-65535 packets per second (pps).

Default: 976 pps

Rate limit CP VRRP traffic(pps)

Rate of the VRRP traffic hitting the control plane.

Default: 512 pps

Rate limit CP ARP traffic(pps)

Rate of the ARP traffic hitting the control plane.

Default: 976 pps

Rate limit CP L2 protocol / other traffic (pps)

Rate of other L2 traffic (other than IP and ARP) hitting the control plane.

Rate Limit CP Auth Process Traffic (pps)

Specifies the rate limit for traffic that is forwarded to the authentication process. Range is 1-65535 packets per second (pps).

Default: 976 pps

Rate Limit CP IKE Traffic

The bandwidth contract for CP IKE traffic.

Default: 1953 pps

Jumbo Frames Processing

Enables jumbo frame processing for data frames that are larger than 1500 bytes.

Default: Disabled

Enable deep packet inspection

If enabled, it performs deep packet inspection.

Default: Disabled

Enable web content classification

Enables web content classification for all HTTP traffic.

Drop packets using web content cache miss

Drops data packets that do not match any web content category or reputation level in the managed device's internal web content cache.

Default: Disabled

Working in the Presence of Web Proxy

When the Mobility Master needs to access data on the cloud or the internet, and the internet-bound traffic needs to pass through a proxy, execute the web-proxy server command. Once the command is executed, the Mobility Master routes web (HTTP or HTTPS) traffic through the proxy server.

Execute the following command in the CLI to route web traffic through the proxy server:

(host) [mynode] (config) #web-proxy server arubaproxy.com port 8080

(host) [mynode] (config) #show web-proxy

Server: arubaproxy.com

port: 8080

Support for Desktop Virtualization Protocols

ArubaOS supports desktop virtualization protocols by providing preconfigured ACLs for Citrix and VMware clients. You can apply these ACLs to the user-role when using the Virtual Desktop Infrastructure clients. This ensures that any enterprise application that uses the VDI client performs optimally with appropriate QoS.

Configuring Firewall Settings for Protection from ARP Attacks

The following procedure describes how to configure firewall settings to protect the network against attacks:

  1. In the Mobility Master node hierarchy, navigate to Configuration > Services > Firewall tab.
  2. Under Software Management click Reboot.

Blacklisting Wired Clients

Starting with ArubaOS 8.2.0.0, you can blacklist wired clients. This feature is useful where firewall policies are applied to wired traffic, for example, remote APs in which wired ports are used or remote APs in tunneled node.

The following CLI command configures the blacklist timer for a wired client:

(host) [mynode] (config) #aaa authentication wired

(host) [mynode] (Wired Authentication Profile) # blacklist-time <timer>

Limitations

Blacklisting wired clients has certain limitations. The limitations of this feature are: