Security, WIDS/WIPS and Aruba ECS

Occasional Contributor II
Posts: 61
Registered: ‎08-12-2009

Monitor Firewall Policies through CLI

Good Morning All

We have set up a guest wireless environment for student teachers and district guests to use while on site. I have it working great except we do have several internal but public web apps that the student teacher will need to access. I currently have a policy that blocks internal access but I need to allow access to the part of our network that houses these web apps. I tried excluding the subnet from the internal acl but no luck. I also tried to add a line in the block internal policy to allow internal dns look-ups but that failed as well. If I could find where the log says what part of the policy is blocking those requests that would be great or if anyone knows exactly what I need to do and would like to share that would be great as well.

Thanks
Ed
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Monitor Firewall Policies through CLI

Ed,

The ACLs are processed in top -> down order. You would have to specify the permit statements higher than a deny that dropped the packets.

To see the order, do a "show rights " on the CLI and you will get the ordered list.

For example, the ACL:

any any svc-dns permit
any any svc-dhcp permit
any alias internal any deny
any any any permit

would allow all dns and dhcp (to any destination and from any source), then would drop all packets destined to an alias called "internal", then permit everything else.

The ACL:

any any svc-dns permit
any any svc-dhcp permit
any alias exceptions any permit
any alias internal any deny
any any any permit

would allow the dns/dhcp, allow everything to an alias called "exceptions" (where you would add the hosts that are internal but still allowed), drop all packets to "internal", then allow everything else.

If that doesn't make sense, post the output from "show rights " and we can figure this out.
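As an added example (my own, not code from Aruba or from the reply above): a small Python first-match evaluator for the two ACLs shown, so you can check which line a given guest flow hits. The alias membership and service ports are constructed sample values, and the source field ("any" or "user") is treated as matching in both cases, as the later reply notes.

```python
import ipaddress

# Constructed sample aliases: "internal" is the whole campus range,
# "exceptions" the subnet that houses the public-facing web apps.
ALIASES = {"internal": ipaddress.ip_network("10.0.0.0/8"),
           "exceptions": ipaddress.ip_network("10.20.30.0/24")}
SERVICES = {"svc-dns": ("udp", 53), "svc-dhcp": ("udp", 67), "svc-http": ("tcp", 80)}

ACL_WITHOUT_EXCEPTIONS = """
any any svc-dns permit
any any svc-dhcp permit
any alias internal any deny
any any any permit
"""
ACL_WITH_EXCEPTIONS = """
any any svc-dns permit
any any svc-dhcp permit
any alias exceptions any permit
any alias internal any deny
any any any permit
"""

def parse_acl(text):
    """Parse '<src> <dst> <service> <action>' lines, keeping their order.
    A destination written as 'alias <name>' is folded into one token."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[1] == "alias":
            tokens[1:3] = ["alias:" + tokens[2]]
        src, dst, svc, action = tokens
        rules.append((src, dst, svc, action))
    return rules

def rule_matches(rule, dst_ip, proto, port):
    _src, dst, svc, _action = rule  # 'any' and 'user' both match an authenticated client here
    ip = ipaddress.ip_address(dst_ip)
    dst_ok = dst == "any" or ip in ALIASES[dst.split(":", 1)[1]]
    svc_ok = svc == "any" or SERVICES[svc] == (proto, port)
    return dst_ok and svc_ok

def first_match(rules, dst_ip, proto, port):
    """Top-down evaluation as the reply describes: the first matching rule
    decides. Returns (action, rule_index), or ('deny', None) if nothing matches."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, dst_ip, proto, port):
            return rule[3], i
    return "deny", None
```

Swapping the "exceptions" permit below the "internal" deny makes the web-app flow hit the deny line, which is the ordering mistake the reply warns about.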
Occasional Contributor II
Posts: 61
Registered: ‎08-12-2009

Re: Monitor Firewall Policies through CLI

Ok, I follow, but another question: does it matter whether you would use "user" as source instead of "any"? The guide I followed was for Aruba OS v2.5 and a lot of things changed between that version and the current.

Thanks
Ed
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Monitor Firewall Policies through CLI

In your case it doesn't matter. User means that the packet has to be from a current user that is authenticated to the controller. Any means that the packet could come from any device. You should probably use "User", but either would work.

Any would be required if you placed the ACL on a port to filter inbound packets from an untrusted medium (such as an uplink to the Internet).
Frequent Contributor II
Posts: 128
Registered: ‎03-13-2008

Re: Monitor Firewall Policies through CLI

If you're not using 2.5 code get an updated user guide. The latest guides are much better than the old ones.

Look at the order of the policies first. If you don't find anything there do you have ACLs on the inbound or outbound ports?
David Dipert