What is the functionality of the feature ‘Firewall Visibility’ in AOS version 6.3? 

Jul 17, 2014 10:24 AM

Introduction :

This article explains:
  1. What is Firewall Visibility?
  2. How to configure Firewall Visibility on an Aruba controller?
  3. Some helpful debugging commands.

Feature Notes :

 

“Firewall Visibility”, also known as “AppRF”, is a new feature introduced in AOS version 6.3.0.0 that gives a network administrator visibility into all the mobile application traffic in the network that passes through the Aruba controller.
The traffic is shown as pie charts on the dashboard under Dashboard > Firewall on the controller WebUI.
 
AppRF gives a real-time as well as a historic (through AirWave) view of user/client traffic patterns. Data on the controller is refreshed every 2 minutes. To view historic data, the AirWave server must be running version 7.7 or above. The AirWave server can store data for up to 30 days, depending on the space available on the disk.

 

Environment : This article applies to all controllers running AOS version 6.3.0.0 and higher.

 

Configuration Steps : WebUI
 
To enable:
 

  1. Navigate to Dashboard > Firewall
  2. Enable Firewall visibility





To disable:
  1. Navigate to Dashboard > Firewall
  2. Scroll to the bottom right of the page
  3. Click “Disable Firewall Visibility”.



CLI

To enable Firewall Visibility:
 
(Aruba3200) #configure t
Enter Configuration commands, one per line. End with CNTL/Z
 
(Aruba3200) (config) #firewall-visibility

 
To disable Firewall Visibility:
 
(Aruba3200) #configure  t
Enter Configuration commands, one per line. End with CNTL/Z
 
(Aruba3200) (config) #no firewall-visibility

 

Verification : The “show firewall-visibility status” command shows whether the Firewall Visibility option is enabled or disabled.
 
(Aruba3200) #show firewall-visibility  status
 
enabled

 

Troubleshooting : Obtain the destination IP address by running nslookup on the client, then check the output of “show datapath session table” to see whether the entry shows “Y” under the flag column, meaning there is no sync to the destination.

You can also enable logging for “Firewall Visibility” on the controller to see related logs.

Commands to enable logging for fw-visibility:


(Aruba3200) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba3200) (config) #logging level debugging system process fw_visibility


To check the logs:     
              

(Aruba3200)  # show log system 30

Aug 20 07:12:29 :334306:  <DBUG> |FW Visibility|  fw_dest_ip_name_remap: MM: 242771. DNS IP 74.125.239.36 maps to 'clients1.google.com' instead of 'tools.google.com'
Aug 20 07:12:29 :334306:  <DBUG> |FW Visibility|  fw_dest_ip_name_remap: MM: 242771. DNS IP 74.125.239.32 maps to 'clients1.google.com' instead of 'tools.google.com'
Aug 20 07:13:36 :334306:  <DBUG> |FW Visibility|  fw_rcv_dns_export: MM: 242775. DNS entry r11---sn-o097znek.c.youtube.com regex match success 'youtube','youtube'
Aug 20 07:13:53 :334306:  <DBUG> |FW Visibility|  fw_rcv_dns_export: MM: 242776. DNS entry fbcdn-profile-a.akamaihd.net regex match success 'facebook','fbcdn'
