ArubaOS and Controllers

Occasional Contributor II

Restricting WAN Access

I have a controller that is acting as a gateway for a guest network, and I'm interested in restricting access to the WAN interface of the controller.

The WAN interface is trusted, and I've tried to apply a restrictive policy to the port.
This seems to work halfway...

Certain protocols seem to be blocked successfully (SSH, FTP), but others that I try to block (HTTP, HTTPS) do not.

When I flip the port to untrusted, of course nothing works because everything is piped through the logon role (which is not what I want...).

Am I screwed in trying to restrict access to this interface while it is trusted?
Guru Elite

Restrict Via the user role


Whatever role the "guest" user is in, make the first firewall policy rule "any host any drop" and this will work. ArubaOS is a policy-based system that relies heavily on policing the traffic of users, so go with the flow and put that ACL in there, first. That is all you have to do.
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Restricting WAN Access

Thanks for your reply...

I should be more specific... I'm not too worried about guests accessing the WAN interface, as you're right, that is easily blocked.

What I want to restrict are external hosts accessing the WAN interface.
Aruba controllers expose quite a few services that I'd ideally like to block with a firewall policy.
Guru Elite



If you have no incoming traffic, you could put an ACL on that port that has a deny all. Only INCOMING traffic is inspected via a port's session ACL. Outgoing traffic will be allowed back in with no problem, because it creates an entry in the firewall table. Notable exceptions are if you get dhcp from a cable modem; you would have to allow that (any any svc-dhcp permit, any any any deny all) and drop everything else, if that was the case.
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
New Contributor

WAN firewall

I have a running config almost exactly like Colin explains but I didn't create the any any any deny all rule as there is an implicit deny on all rules at the bottom.

Under Configuration > Security > Access Control, click on the Policies tab. Click Add. Put in a firewall name; I chose WANfirewall. There I created a rule for: any any svc-dhcp permit.

Then under Configuration > Ports, in the Enter VLANs section, next to "VLAN firewall policy", I picked my WANfirewall policy from the drop-down. Then click Apply.

I have rebooted several times and received DHCP with no problems. I have run several external security scans against it and can only see the one port open.

Hope this helps.
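The same WAN-port session ACL described in this thread, written as an ArubaOS CLI fragment. This is an added illustration, not a config posted by anyone in the thread; the interface designation is a placeholder you must replace with the controller's actual WAN port, and the command syntax is assumed from the ArubaOS 6.x CLI rather than taken from the page.

```text
! Session ACL for the trusted WAN port. Only INCOMING traffic is
! checked; replies to sessions the controller itself opened are
! matched by the firewall's session table and allowed back in.
ip access-list session WANfirewall
  ! Keep this rule only if the WAN address comes from DHCP
  ! (e.g. a cable modem); remove it on a static-IP uplink.
  any any svc-dhcp permit
  ! Explicit deny of everything else. The implicit deny at the
  ! bottom of every ACL does the same, but stating it makes the
  ! intent visible in "show ip access-list session WANfirewall".
  any any any deny

! Bind the ACL to the WAN port. The port stays "trusted", so
! guest clients are unaffected; replace gigabitethernet 1/0
! (placeholder) with the real uplink port on your controller.
interface gigabitethernet 1/0
  ip access-group WANfirewall session
```

After applying, confirm from the controller that only the DHCP service is reachable from outside and that the firewall hit counters on the deny rule increase while outbound sessions still succeed.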