inbound-firewall

Syntax

inbound-firewall
rule <subnet> <smask> <dest> <mask> <match/invert> <protocol> <sport> <eport> {permit|deny|src-nat|dst-nat ip <IP-address> <port>} [<option1>...<option9>]

Description

This command configures inbound firewall rules based on the source subnet.

Parameters

inbound-firewall
  Opens the inbound firewall configuration mode.

rule
  Creates an access rule. You can create up to 128 access rules. However, it is recommended that you delete any existing configuration and apply changes at regular intervals.

<subnet>
  Source subnet IP address.

<smask>
  Subnet mask of the source IP address.

<dest>
  Destination IP address.

<mask>
  Subnet mask of the destination IP address.

<match/invert>
  match: the rule applies to traffic whose destination falls within the specified destination IP address and subnet mask.
  invert: the rule applies to all traffic except traffic whose destination falls within the specified destination IP address and subnet mask.

<protocol>
  Any of the following:
  - a protocol number between 0 and 255
  - any: any protocol
  - tcp: Transmission Control Protocol
  - udp: User Datagram Protocol

<sport>
  Starting port number from which the rule applies (1-65534).

<eport>
  Ending port number up to which the rule applies (1-65534).

permit
  Creates a rule to allow the specified packets.

deny
  Creates a rule to reject the specified packets.

src-nat
  Allows the IAP to perform source NAT on the specified packets. The source IP address is changed to the IP address of the outgoing interface (implied NAT pool) or to an address from the configured pool (manual NAT pool).

dst-nat
  Allows the IAP to perform destination NAT on the specified packets.

ip <IP-address>
  Destination NAT IP address used for the specified packets when the dst-nat action is configured.

<port>
  Destination NAT port used for the specified packets when the dst-nat action is configured.

<option1>...<option9>
  Any of the following options, up to nine per rule:
  - Log: creates a log entry when the rule is triggered.
  - Blacklist: blacklists the client when the rule is triggered.
  - Classify-media: performs packet inspection on all non-NAT traffic and marks the critical traffic.
  - Disable-scanning: disables ARM scanning when the rule is triggered.
  - DSCP tag: sets a DSCP value to prioritize traffic when the rule is triggered.
  - 802.1p priority: sets an 802.1p priority.

no...
  Removes the configuration.

Usage Guidelines

Use this command to configure firewall rules for inbound traffic arriving through the uplink ports of an IAP. The rules are applied when the destination is not a user connected to the IAP. If the destination is a user that already has a user role assigned, the user role overrides the actions and options specified in the inbound firewall configuration. However, a deny rule defined for inbound traffic is applied irrespective of the destination and its user role. Unlike the ACL rules in a WLAN SSID or wired profile, inbound firewall rules can be configured based on the source subnet.

A deny-all rule is created by default as the last rule for all subnets. As soon as at least one rule is configured, this default deny-all rule is applied to inbound traffic on the uplink, so any inbound traffic that no configured rule permits is dropped. Before adding the first rule, make sure the rule set explicitly permits every inbound service you still need.

Management access to the AP is allowed irrespective of the inbound firewall rules. For more information on configuring restricted management access, see restricted-mgmt-access.

The inbound firewall is not applied to traffic coming through a GRE tunnel.


The following example permits TCP (protocol 6) traffic to port 631 (IPP printing) from any source; because the default deny-all rule takes effect once a rule exists, all other inbound traffic on the uplink is then dropped. As the example shows, a bare any stands in for an address and mask pair:

(Instant AP)(config)# inbound-firewall
(Instant AP)(inbound-firewall)# rule any any match 6 631 631 permit
(Instant AP)(inbound-firewall)# end
(Instant AP)# commit apply
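To check how a rule set will behave under the semantics described in the usage guidelines before committing it, the following evaluator parses rule lines in the syntax documented above and applies them in order. It is an added example written for this page, not Aruba code, and does not reproduce the IAP's real implementation. It assumes that the first matching rule wins, that a bare any stands for an address-and-mask pair (as in the example above), that <sport> and <eport> are checked against the destination port, and that with no rules configured nothing is enforced. The rule set embedded in it is constructed for illustration.

```python
"""Model of Aruba Instant inbound-firewall rule evaluation (added illustration,
not Aruba code). Rules are tried in order; match/invert select or exclude the
destination subnet; the protocol is a number or any/tcp/udp; <sport>-<eport> is
a port range; once any rule exists an implicit deny-all ends the list; a deny
applies regardless of a user role at the destination, permit/NAT do not.
Assumptions not stated on the page: bare 'any' = 0.0.0.0/0 for an address and
mask pair; ports are matched against the destination port; no rules = no
enforcement."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PROTO_NAMES = {"tcp": 6, "udp": 17}


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    invert: bool
    proto: Optional[int]           # None means "any"
    sport: int
    eport: int
    action: str                    # permit | deny | src-nat | dst-nat
    nat_ip: Optional[str] = None   # dst-nat only
    nat_port: Optional[int] = None
    options: List[str] = field(default_factory=list)


def _take_network(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume '<addr> <mask>' or a bare 'any' (assumed to mean 0.0.0.0/0)."""
    if tokens[0] == "any":
        del tokens[0]
        return ipaddress.ip_network("0.0.0.0/0")
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    del tokens[:2]
    return net


def parse_rule(line: str) -> Rule:
    """Parse one 'rule ...' line, enforcing the ranges the page documents."""
    tokens = line.split()
    if tokens and tokens[0] == "rule":
        tokens.pop(0)
    src, dst = _take_network(tokens), _take_network(tokens)
    mode = tokens.pop(0)
    if mode not in ("match", "invert"):
        raise ValueError(f"expected match or invert, got {mode!r}")
    proto_tok = tokens.pop(0)
    if proto_tok == "any":
        proto = None
    elif proto_tok in PROTO_NAMES:
        proto = PROTO_NAMES[proto_tok]
    else:
        proto = int(proto_tok)
        if not 0 <= proto <= 255:
            raise ValueError("protocol number must be 0-255")
    sport, eport = int(tokens.pop(0)), int(tokens.pop(0))
    if not 1 <= sport <= eport <= 65534:
        raise ValueError("ports must be 1-65534 with <sport> <= <eport>")
    action = tokens.pop(0)
    nat_ip = nat_port = None
    if action == "dst-nat":
        if tokens.pop(0) != "ip":
            raise ValueError("dst-nat requires 'ip <IP-address> <port>'")
        nat_ip, nat_port = tokens.pop(0), int(tokens.pop(0))
    elif action not in ("permit", "deny", "src-nat"):
        raise ValueError(f"unknown action {action!r}")
    if len(tokens) > 9:
        raise ValueError("at most nine options per rule")
    return Rule(src, dst, mode == "invert", proto, sport, eport, action,
                nat_ip, nat_port, tokens)


def is_valid_rule(line: str) -> bool:
    try:
        parse_rule(line)
        return True
    except (ValueError, IndexError):
        return False


def load_rules(lines: List[str]) -> List[Rule]:
    rules = [parse_rule(l) for l in lines if l.strip()]
    if len(rules) > 128:
        raise ValueError("at most 128 access rules")
    return rules


def rule_matches(rule: Rule, src_ip: str, dst_ip: str, proto: int, dport: int) -> bool:
    dst_in = ipaddress.ip_address(dst_ip) in rule.dst
    return (ipaddress.ip_address(src_ip) in rule.src
            and (not dst_in if rule.invert else dst_in)
            and (rule.proto is None or rule.proto == proto)
            and rule.sport <= dport <= rule.eport)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: int, dport: int,
             dest_has_user_role: bool = False) -> Tuple[str, List[str]]:
    """First matching rule wins; unmatched traffic hits the implicit deny-all."""
    if not rules:
        return "permit", []        # assumption: no rules, nothing enforced
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, proto, dport):
            if rule.action == "deny":
                return "deny", rule.options
            if dest_has_user_role:  # role overrides permit/NAT, never deny
                return "user-role", rule.options
            return rule.action, rule.options
    return "deny", ["implicit-deny-all"]


# Constructed sample rule set; the first line is the page's own example.
RULE_LINES = [
    "rule any any match 6 631 631 permit",
    "rule 10.1.0.0 255.255.0.0 192.168.1.1 255.255.255.255 match tcp 22 22 permit log",
    "rule 0.0.0.0 0.0.0.0 192.168.1.0 255.255.255.0 invert udp 53 53 deny log",
    "rule any any match tcp 80 80 dst-nat ip 192.168.1.10 8080 log",
]

if __name__ == "__main__":
    rules = load_rules(RULE_LINES)
    print(evaluate(rules, "203.0.113.5", "192.168.1.20", 6, 631))  # ('permit', [])
    print(evaluate(rules, "203.0.113.5", "8.8.8.8", 17, 53))       # ('deny', ['log'])
    print(evaluate(rules, "203.0.113.5", "192.168.1.1", 6, 22))    # ('deny', ['implicit-deny-all'])
```

The third query above shows the practical effect of the default deny-all: SSH to 192.168.1.1 is dropped from any source outside 10.1.0.0/16 even though no rule mentions it, so every inbound service you rely on needs an explicit permit before the first rule is committed.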

Command History

Version        Modification
Aruba Instant  This command is introduced.

Command Information

IAP Platform   Command Mode
All platforms  Configuration mode and inbound firewall configuration sub-mode.