What is the functionality of the feature ‘Firewall Visibility’ in AOS version 6.3?

Posted on 07-17-2014 07:24 AM

Introduction :

This article explains:
  1. What is Firewall Visibility?
  2. How to configure Firewall Visibility on an Aruba controller?
  3. Some helpful debugging commands.

Feature Notes :

 

“Firewall Visibility”, also known as “AppRF”, is a feature introduced in AOS version 6.3.0.0 that gives a network administrator visibility into all the mobile application traffic in the network that passes through the Aruba controller.
The traffic is shown as pie charts on the dashboard under Dashboard > Firewall in the controller WebUI.
 
AppRF gives a real-time as well as a historic (through AirWave) view of user/client traffic patterns. Data on the controller is refreshed every 2 minutes. To view historic data, the AirWave server should be running version 7.7 or above. The AirWave server can store data for up to 30 days, depending on the space available on the disk.

 

Environment : This article applies to all the controllers running AOS version 6.3.0.0 and higher.

 

Configuration Steps :

WebUI
 
To enable:
 

  1. Navigate to Dashboard> Firewall
  2. Enable Firewall visibility




To disable:
  1. Navigate to Dashboard> Firewall
  2. Scroll to the bottom right of the page
  3. Click “Disable Firewall Visibility”.



CLI

To enable Firewall Visibility:
 
(Aruba3200) #configure t
Enter Configuration commands, one per line. End with CNTL/Z
 
(Aruba3200) (config) #firewall-visibility

 
To disable Firewall Visibility:
 
(Aruba3200) #configure  t
Enter Configuration commands, one per line. End with CNTL/Z
 
(Aruba3200) (config) #no firewall-visibility

 

Verification : The “show firewall-visibility status” command shows whether the Firewall Visibility option is enabled or disabled.
 
(Aruba3200) #show firewall-visibility  status
 
enabled

 

Troubleshooting : Obtain the destination IP address by running nslookup on the client, then check the output of “show datapath session table” to see whether the entry for that destination shows “Y” in the flag column, meaning there is no sync to the destination.

You can also enable logging for “Firewall Visibility” on the controller to see related logs.

Commands to enable logging for fw-visibility:


(Aruba3200) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba3200) (config) #logging level debugging system process fw_visibility


To check the logs:     
              

(Aruba3200)  # show log system 30

Aug 20 07:12:29 :334306:  <DBUG> |FW Visibility|  fw_dest_ip_name_remap: MM: 242771. DNS IP 74.125.239.36 maps to 'clients1.google.com' instead of 'tools.google.com'
Aug 20 07:12:29 :334306:  <DBUG> |FW Visibility|  fw_dest_ip_name_remap: MM: 242771. DNS IP 74.125.239.32 maps to 'clients1.google.com' instead of 'tools.google.com'
Aug 20 07:13:36 :334306:  <DBUG> |FW Visibility|  fw_rcv_dns_export: MM: 242775. DNS entry r11---sn-o097znek.c.youtube.com regex match success 'youtube','youtube'
Aug 20 07:13:53 :334306:  <DBUG> |FW Visibility|  fw_rcv_dns_export: MM: 242776. DNS entry fbcdn-profile-a.akamaihd.net regex match success 'facebook','fbcdn'
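
An added example (not part of the original article and not Aruba tooling): a small Python parser for the two fw_visibility debug message shapes shown above, which groups hostnames by the first quoted value and remapped IPs by the name they now map to. Reading the two quoted values after "regex match success" as a label and a matched pattern is an assumption, as are all function and field names.

```python
import re
from collections import defaultdict

# Sample input: the four debug lines from the article's "show log system 30" output,
# plus one constructed line from another process to exercise the skip path.
SAMPLE_LOG = """\
Aug 20 07:12:29 :334306:  <DBUG> |FW Visibility|  fw_dest_ip_name_remap: MM: 242771. DNS IP 74.125.239.36 maps to 'clients1.google.com' instead of 'tools.google.com'
Aug 20 07:12:29 :334306:  <DBUG> |FW Visibility|  fw_dest_ip_name_remap: MM: 242771. DNS IP 74.125.239.32 maps to 'clients1.google.com' instead of 'tools.google.com'
Aug 20 07:13:36 :334306:  <DBUG> |FW Visibility|  fw_rcv_dns_export: MM: 242775. DNS entry r11---sn-o097znek.c.youtube.com regex match success 'youtube','youtube'
Aug 20 07:13:53 :334306:  <DBUG> |FW Visibility|  fw_rcv_dns_export: MM: 242776. DNS entry fbcdn-profile-a.akamaihd.net regex match success 'facebook','fbcdn'
Aug 20 07:14:01 :399999:  <DBUG> |other|  constructed line from another process
"""

# Shared prefix: timestamp, message id, level, process tag, function, number after "MM:".
PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+:(?P<msgid>\d+):\s+<(?P<level>\w+)>\s+"
    r"\|FW Visibility\|\s+(?P<func>\w+):\s+MM:\s*(?P<mm>\d+)\.\s+(?P<body>.*)$")
BODIES = {
    "fw_dest_ip_name_remap": re.compile(
        r"DNS IP (?P<ip>[\d.]+) maps to '(?P<now>[^']*)' instead of '(?P<was>[^']*)'"),
    "fw_rcv_dns_export": re.compile(
        r"DNS entry (?P<host>\S+) regex match success '(?P<label>[^']*)','(?P<pattern>[^']*)'"),
}

def parse_fw_visibility(text):
    """Parse fw_visibility debug lines into records; unparsed lines go to 'skipped'."""
    out = {"fw_dest_ip_name_remap": [], "fw_rcv_dns_export": [], "skipped": []}
    for line in text.splitlines():
        head = PREFIX.match(line)
        body = head and BODIES.get(head["func"])
        m = body and body.search(head["body"])
        if not m:
            if line.strip():
                out["skipped"].append(line)
            continue
        out[head["func"]].append({"ts": head["ts"], "mm": int(head["mm"]), **m.groupdict()})
    return out

def summarize(parsed):
    """Group hostnames by label and IPs by the name they now map to."""
    hosts_by_label, ips_by_name = defaultdict(set), defaultdict(set)
    for r in parsed["fw_rcv_dns_export"]:
        hosts_by_label[r["label"]].add(r["host"])
    for r in parsed["fw_dest_ip_name_remap"]:
        ips_by_name[r["now"]].add(r["ip"])
    return dict(hosts_by_label), dict(ips_by_name)

if __name__ == "__main__":
    print(summarize(parse_fw_visibility(SAMPLE_LOG)))
```
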

Comments
khalid Shaikh

Hi,

Thanks for the informative article. When debugging fw_visibility, it does not display the source IP address. From the above logs we can see only the internet session (destination). Is there any way I can get the source IP address (user IP)?

Show datapath session table shows source and destination, but I am unable to find the debugging option for it.

 

 
