03-13-2017 09:09 AM
Hello. We have about 10 APs running in Instant/Virtual Controller mode. I am getting a security alert from our IDS device that the Virtual Controller is trying to access a known malware sinkhole. Obviously this is coming from a wireless client connected to our Aruba infrastructure.
Is there a way to view (in the Virtual Controller logs or elsewhere) what device is trying to access that specific IP address?
03-13-2017 09:13 AM
Any client on a Virtual-Controller Assigned VLAN will NAT its traffic out of the Virtual Controller. Unfortunately, you will have to run the "show datapath session table <ip address>" command on the VC while the client is doing this; otherwise the session listing will go away when the client is finished.
Aruba Customer Engineering
03-13-2017 09:18 AM
Thanks for the reply.
Is there any way to collect these events via a Syslog receiver we have for the Virtual Controller? An "outbound" firewall rule that could be triggered/recorded when a wireless client tries to access a specific IP?
03-14-2017 12:44 AM - edited 03-14-2017 12:48 AM
The Instant allows you to configure a firewall rule which is set to "log". When this rule is matched it will log it to a syslog server of your choice (providing a syslog is configured).
03-14-2017 01:13 AM
Please try the following steps.
1. Add an explicit ACL for traffic going to that particular server & enable blacklist on the ACL (as shown in screenshot).
2. Please enable blacklisting under the Security profile on the SSID.
Now in case any user is trying to send traffic to that server, it should get
The user MAC address can be checked from the monitoring page (Alert) as seen in the screenshot.
The blacklist time can be changed as well, as seen in the screenshot.
We also have an option to log the ACL & hits can be seen under security logs.
As indicated from the post, the client is not allowed to access that URL, so it's better to blacklist it.
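Once a logging rule is sending ACL hits to the syslog receiver, as the replies above suggest, the remaining work is mapping the flagged destination back to the client behind the Virtual Controller's NAT. The following is an added example, not part of the original thread or Aruba's own tooling: the function name `clients_contacting`, the log line layout and all addresses are constructed assumptions, and the parser deliberately does not rely on any particular field order.

```python
import re

# Whole-token IPv4 match, so watching 192.0.2.5 does not also match 192.0.2.55.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
MAC = re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.I)

def clients_contacting(lines, watched_ip, ignore=()):
    """Map each client IP seen on a line mentioning watched_ip to
    its MACs, hit count and first/last syslog timestamp.
    `ignore` lists addresses that are not clients (e.g. the VC itself)."""
    skip = {watched_ip, *ignore}
    report = {}
    for line in lines:
        ips = set(IPV4.findall(line))
        if watched_ip not in ips:
            continue
        stamp = line[:15]  # RFC 3164 timestamp: "Mmm dd hh:mm:ss"
        macs = {m.lower().replace("-", ":") for m in MAC.findall(line)}
        for ip in ips - skip:
            entry = report.setdefault(
                ip, {"macs": set(), "hits": 0, "first": stamp, "last": stamp})
            entry["macs"] |= macs
            entry["hits"] += 1
            entry["last"] = stamp
    return report

# Constructed sample lines (assumed layout; 10.0.0.5 stands in for the VC,
# 192.0.2.5 for the sinkhole address reported by the IDS).
SAMPLE = [
    "Mar 14 01:02:03 10.0.0.5 acl: src=172.31.98.20 mac=AA-BB-CC-00-11-22 dst=192.0.2.5 dport=80 deny",
    "Mar 14 01:02:09 10.0.0.5 acl: src=172.31.98.31 mac=aa:bb:cc:00:11:33 dst=192.0.2.55 dport=443 permit",
    "Mar 14 01:07:41 10.0.0.5 acl: src=172.31.98.20 mac=aa:bb:cc:00:11:22 dst=192.0.2.5 dport=80 deny",
]

if __name__ == "__main__":
    hits = clients_contacting(SAMPLE, "192.0.2.5", ignore=["10.0.0.5"])
    for ip, info in hits.items():
        print(ip, sorted(info["macs"]), info["hits"], info["first"], info["last"])
```
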