You are here: Roles and Policies > Firewall Policies > Configuring Access Rules
Previous TopicNext Topic

Configuring Access Rules for Network Services

This section describes the procedure for configuring ACLs to control access to network services. For information on:

Configuring access rules based on application and application categories, see Configuring Access Rules for Application and Application Categories.
Configuring access rules based on web categories and web reputation, see Configuring Web Policy Enforcement .

In the Instant UI

To configure ACL rules for a user role:

1. Navigate to Security > Roles tab. The Roles tab contents are displayed.

You can also configure access rules for a wired or wireless client through the WLAN wizard (Network tab>WLAN SSID> Edit>Edit WLAN > Access ) or the Wired profile (More > Wired>Edit> Edit Wired Network> Access) window.

2. Select the role for which you want to configure access rules.
3. In Access rules section, click New to add a new rule. The New Rule window is displayed.
4. Ensure that the rule type is set to Access Control
5. To configure a rule to control access to network services, select Network under service category and specify the following parameters:

Table 1: Access Rule Configuration Parameters

Service Category

Description

Network

Select a service from the list of available services. You can allow or deny access to any or all of the following services based on your requirement:

l any—Access is allowed or denied to all services.
l custom—Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If you select the Other option, enter the appropriate ID.

NOTE: If TCP and UDP uses the same port, ensure that you configure separate access rules to permit or deny access.

Action

Select any of following actions:

l Select Allow to allow access users based on the access rule.
l Select Deny to deny access to users based on the access rule.
l Select Destination-NAT to allow changes to destination IP address.
l Select Source-NAT to allow changes to the source IP address.

The destination-nat and source-nat actions apply only to the network services rules.

Destination

Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any the following destinations based on your requirements.

l to all destinations— Access is allowed or denied to all destinations.
l to a particular server—Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
l except to a particular server—Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
l to a network—Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
l except to a network—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
l to domain name—Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.
Log

Select this checkbox if you want a log entry to be created when this rule is triggered. Instant supports firewall based logging function. Firewall logs on the IAPs are generated as security logs.

Blacklist

Select the Blacklist checkbox to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients.

Classify media

Select the Classify media checkbox to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT traffic and the traffic is marked as follows:

l Video: Priority 5 (Critical)
l Voice: Priority 6 (Internetwork Control)

Disable scanning

Select Disable scanning checkbox to disable ARM scanning when this rule is triggered.

The selection of the Disable scanning applies only if ARM scanning is enabled, For more information, see Configuring Radio Settings for an IAP.

DSCP tag Select the DSCP tag checkbox to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63. To assign a higher priority, specify a higher value.

802.1p priority

Select the 802.1p priority checkbox to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
6. Click OK and then click Finish.

In the CLI

To configure access rules:

(Instant AP)(config)# wlan access-rule <access-rule-name>

(Instant AP)(Access Rule <Name>)#rule <dest> <mask> <match/invert> {<protocol> <start-port> <end-port> {permit|deny|src-nat|dst-nat{<IP-address> <port>| <port>}}[<option1....option9>]

(Instant AP)(Access Rule <Name>)# end

(Instant AP)# commit apply

Example

(Instant AP)(config)# wlan access-rule employee

(Instant AP)(Access Rule "employee")# rule 10.17.88.59 255.255.255.255 match 6 4343 4343 log classify-media

(Instant AP)(Access Rule "employee")# rule 192.0.2.8 255.255.255.255 invert 6 110 110 permit

(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match tcp 21 21 deny

(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match udp 21 21 deny

(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 match 6 631 631 permit

(Instant AP)(Access Rule "employee")# rule 192.0.2.8 255.255.255.255 invert 6 21 21 deny

(Instant AP)(Access Rule "employee")# rule 192.0.2.1 255.255.255.0 invert 17 67 69 deny

(Instant AP)(Access Rule "employee")# end

(Instant AP)# commit apply