Controllerless Networks

Occasional Contributor II
Posts: 11
Registered: ‎02-02-2016

Firewall/NAT-ed Client Visibility?

Hello. We have about 10 APs running in Instant/Virtual Controller mode. I am getting a security alert from our IDS device that the Virtual Controller is trying to access a known malware sinkhole. Obviously this is coming from a wireless client connected to our Aruba infrastructure.

Is there a way to view (in the Virtual Controller logs or elsewhere) what device is trying to access that specific IP address?

Thanks!

Guru Elite
Posts: 21,512
Registered: ‎03-29-2007

Re: Firewall/NAT-ed Client Visibility?

Any client on a Virtual-Controller-assigned VLAN will NAT its traffic out of the Virtual Controller. Unfortunately, you will have to run the "show datapath session table <ip address>" command on the VC while the client is doing this; otherwise the session listing will go away when the client is finished.



Colin Joseph
Aruba Customer Engineering

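As an added illustration (not part of Colin's reply or of Aruba's own tooling), the following Python polls a session-table snapshot repeatedly so that a short-lived session to the flagged address is recorded before it ages out of the table. The snapshot text, its column layout (source IP then destination IP as the first two whitespace-separated fields), the addresses and the `replay_fetch` stand-in for running the CLI command are all constructed assumptions.

```python
import re
import time
from typing import Callable, Dict, Set

# Constructed snapshots standing in for successive "show datapath session table"
# captures; the layout (whitespace-separated rows beginning with source IP, then
# destination IP) is an assumption. 172.31.98.17's session exists only in the first.
SAMPLE_SNAPSHOTS = [
    "Source IP      Destination IP  Prot SPort DPort Age Flags\n"
    "-------------  --------------  ---- ----- ----- --- -----\n"
    "172.31.98.20   203.0.113.5     6    51022 443   0   FC\n"
    "172.31.98.17   198.51.100.7    6    44901 80    1   FC\n",
    "Source IP      Destination IP  Prot SPort DPort Age Flags\n"
    "-------------  --------------  ---- ----- ----- --- -----\n"
    "172.31.98.20   203.0.113.5     6    51022 443   2   FC\n",
]
FLAGGED_IP = "198.51.100.7"  # constructed stand-in for the IDS-reported sinkhole
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def clients_talking_to(snapshot: str, flagged_ip: str) -> Set[str]:
    """Inner client IPs that have a session to flagged_ip in one table snapshot."""
    clients = set()
    for line in snapshot.splitlines():
        fields = line.split()
        # Skip the header, the dashed separator and anything that is not a row.
        if len(fields) < 2 or not (IPV4.match(fields[0]) and IPV4.match(fields[1])):
            continue
        if fields[1] == flagged_ip:
            clients.add(fields[0])
    return clients


def poll_for_clients(fetch: Callable[[], str], flagged_ip: str,
                     polls: int, interval: float = 0.0) -> Dict[str, int]:
    """Call fetch() `polls` times; map each client to the poll where it first appeared."""
    first_seen: Dict[str, int] = {}
    for i in range(polls):
        for client in clients_talking_to(fetch(), flagged_ip):
            first_seen.setdefault(client, i)
        if interval and i < polls - 1:
            time.sleep(interval)  # wait before the next capture
    return first_seen


def replay_fetch(snapshots) -> Callable[[], str]:
    """fetch() that replays canned snapshots (a real one would run the CLI command)."""
    it, last = iter(snapshots), snapshots[-1]
    return lambda: next(it, last)
```

Because the 172.31.98.17 session is gone by the second capture, a single late capture would miss it while the poller still attributes the connection to that client.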
Occasional Contributor II
Posts: 11
Registered: ‎02-02-2016

Re: Firewall/NAT-ed Client Visibility?

Thanks for the reply.

Is there any way to collect these events via a Syslog receiver we have for the Virtual Controller? An "outbound" firewall rule that could be triggered/recorded when a wireless client tries to access a specific IP?

MVP
Posts: 428
Registered: ‎07-26-2011

Re: Firewall/NAT-ed Client Visibility?

Instant allows you to configure a firewall rule which is set to "log". When this rule is matched it will log it to a syslog server of your choice (provided a syslog server is configured).

[attachment: firewall.jpeg]

ACMA, ACMP
If my post addresses your query, give kudos:)
Aruba Employee
Posts: 240
Registered: ‎03-26-2013

Re: Firewall/NAT-ed Client Visibility?

Please try the following steps.

1. Add an explicit ACL for traffic going to that particular server and enable blacklist on the ACL (as shown in the screenshot).

2. Please enable blacklisting under the Security profile on the SSID.

SSID --> Security --> Blacklist

Now, if any user tries to send traffic to that server, it should get dynamically blacklisted.

The user MAC address can be checked from the monitoring page (Alert) as seen in the screenshot.

The blacklist time can be changed as well, as seen in the screenshot.

System --> Show advanced --> Blacklisting

We also have an option to log the ACL, and hits can be seen under the security logs.

As indicated in the post, the client is not allowed to access that URL, so it's better to blacklist it.

Occasional Contributor II
Posts: 11
Registered: ‎02-02-2016

Re: Firewall/NAT-ed Client Visibility?

Good stuff, thanks for your guidance. I'll try these options you've given me and post an update when I get some time. Thanks again.

Occasional Contributor II
Posts: 11
Registered: ‎02-02-2016

Re: Firewall/NAT-ed Client Visibility?

Would the System>Monitoring levels shown in the attached screenshot be sufficient to register these block/blacklist events in syslog?

Aruba Employee
Posts: 240
Registered: ‎03-26-2013

Re: Firewall/NAT-ed Client Visibility?

We can see the information by keeping the parameters set to warning levels.
