Q:
How to restrict the firewall policy based on AP group?
A: Firewall policies can be restricted by AP group within the user role. For example, if staff and students share the same user role but connect through different AP groups, and the corporate subnet should be reachable only by staff, this can be achieved with AP-group based policies:
(config) #user-role Test
(config-role) #access-list session logon-control
(config-role) #access-list session Internal-Networks ap-group staff
(config-role) #access-list session Internal-Network-Deny ap-group student
(config-role) #access-list session Denyall
Here the Corp-Networks alias (the 10.x.x.x subnet) is permitted for the staff AP group and denied for the student AP group. The role and its policies can be verified as follows:
#show user-table
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- ---------
5.1.1.2 a4:17:31:5f:00:13 Test 00:00:15 AP215 Wireless student/ac:a3:1e:e3:63:80/g-HT default-dot1x-psk tunnel
#show rights Test
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'Test'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 2
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
ACL Number = 60/0
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-Test-sacl session
3 Internal-Networks session staff/3
4 Internal-Network-Deny session student/2
5 logon-control session
6 Denyall session
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-Test-sacl
---------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
Internal-Networks
-----------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any Corp-Networks any permit Low 4
Internal-Network-Deny
---------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any Corp-Networks any deny Low 4
logon-control
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
6 any 169.254.0.0 255.255.0.0 any deny Low 4
7 any 240.0.0.0 240.0.0.0 any deny Low 4
Denyall
-------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any deny Low 4
Expired Policies (due to time constraints) = 0
When a client on the student AP group tries to communicate with the corporate subnet, the controller denies/drops the traffic:
#show datapath session table 5.1.1.2
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
r - Route Nexthop
A - Application Firewall Inspect
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
5.1.1.2 10.1.1.1 1 29 2048 0/0 0 0 0 tunnel 14 4 0 0 FDYC
5.1.1.2 10.1.1.1 1 27 2048 0/0 0 0 0 tunnel 14 f 0 0 FDYC
#show acl hits role Test
User Role ACL Hits
------------------
Role Policy Src Dst Service/Application Action Dest/Opcode New Hits Total Hits Index Ipv4/Ipv6
---- ------ --- --- ------------------- ------ ----------- -------- ---------- ----- ---------
Test Internal-Network-Deny any Corp-Networks any deny 7 7 524 ipv4
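The following is an added example, not code from the original article or from ArubaOS: a simplified first-match model of how the session ACLs in a user role are evaluated, with AP-group scoped policies skipped for clients that are not on an AP in that group. The policy order follows positions 3-6 of "show rights Test" above; the evaluator itself and the assumption that Corp-Networks resolves to 10.0.0.0/8 are illustrative, and it also shows what happens to a client on a third AP group the role never mentions.

```python
# Added example (assumed model, not ArubaOS code): first-match evaluation of a
# user role's session ACLs, honouring the ap-group scope of each policy.
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    dst: str        # destination alias or CIDR
    service: str    # "any" or a service name such as svc-dns
    action: str     # permit | deny

class Policy(NamedTuple):
    name: str
    rules: tuple
    ap_group: Optional[str] = None   # None: applies to every AP group

# Assumed alias definition: the article only says Corp-Networks is 10.x.x.x
ALIASES = {"any": "0.0.0.0/0", "Corp-Networks": "10.0.0.0/8"}

# Role 'Test' in the order the controller listed it (positions 3-6 above);
# logon-control is reduced to three of its rules for brevity
ROLE_TEST = (
    Policy("Internal-Networks", (Rule("Corp-Networks", "any", "permit"),), "staff"),
    Policy("Internal-Network-Deny", (Rule("Corp-Networks", "any", "deny"),), "student"),
    Policy("logon-control", (
        Rule("any", "svc-dns", "permit"),
        Rule("any", "svc-dhcp", "permit"),
        Rule("169.254.0.0/16", "any", "deny"),
    )),
    Policy("Denyall", (Rule("any", "any", "deny"),)),
)

def evaluate(role, ap_group, dst_ip, service="any"):
    """Return (policy name, action) of the first rule matching the flow."""
    dst = ipaddress.ip_address(dst_ip)
    for pol in role:
        if pol.ap_group is not None and pol.ap_group != ap_group:
            continue   # scoped to another AP group: not consulted for this client
        for rule in pol.rules:
            net = ipaddress.ip_network(ALIASES.get(rule.dst, rule.dst))
            if dst in net and rule.service in ("any", service):
                return pol.name, rule.action
    return "implicit-deny", "deny"   # nothing matched: controller drops the flow

if __name__ == "__main__":
    # Same destination as the datapath session table above, three AP groups
    for grp in ("staff", "student", "guest"):
        print(grp, evaluate(ROLE_TEST, grp, "10.1.1.1", "svc-http"))
```

A client on an AP group that neither scoped policy names (guest here) never reaches a Corp-Networks rule and falls through to Denyall, so an AP group added later needs its own policy line in the role.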