Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Firewall policy specify port as source or destination

  • 1.  Firewall policy specify port as source or destination

    Posted Aug 08, 2012 09:13 AM

    Hello all,

    I am reading how to create a firewall policy and I see something like "user any udp 68 deny", but how can I know if this is the source or destination port number, and how can I configure source and destination ports specifically? If I added two port numbers, would the first one be the source PN and the second the destination PN?

    In addition, does each policy have an implicit deny?

    In the campus configuration document release 8, when they define the employee role they have four policies in this role:

    1- common
    2- sip
    3- ocs
    4- allow all (predefined)

    If common has an implicit deny at the end, this means nothing will reach the remaining policies.

    If common does not have an explicit deny at the end and it exists at the end of allow-all, then why did Aruba define a permit to certain DNS servers IF they are not going to deny traffic to other DNS servers?

    The following is from the Aruba document:

    MC1-Sunnyvale-3600
    !
    ip access-list session common
    user any udp 68 deny
    any any svc-dhcp permit
    any any svc-icmp permit <-- allow icmp 0
    user alias dns-servers svc-dns permit
    !

    I believe we also need (at the end of the above red lines):

    any any icmp deny
    user any svc-dns deny

    Can someone clarify if I am right, or how Aruba denied other DNS traffic?



  • 2.  RE: Firewall policy specify port as source or destination

    Posted Aug 25, 2012 02:02 AM

    Will anyone respond to this topic from the administrators/moderators?



  • 3.  RE: Firewall policy specify port as source or destination
    Best Answer

    EMPLOYEE
    Posted Aug 25, 2012 03:59 AM

    Sorry for not answering your question the first time:

    You can only specify a source, destination and a destination port (no source port). It is implied to mean ANY source port.

    In the example "user any udp 68 deny", it is denying traffic from any user in the user table to anywhere via udp port 68. Specifically, it is denying users from answering DHCP requests from other devices.

    There IS an implicit deny all at the end of all firewall policies.

    If there is an allow all somewhere in the policy, that means all traffic is allowed at that point and no other rules will be processed. All traffic will be allowed.

    In the access list below, traffic is allowed to a specific set of DNS servers, but all other traffic (DNS or otherwise) will be denied by the implicit deny at the end of all access lists. I hope this helps, and let us know if you have any further questions.

    ip access-list session common
    user any udp 68 deny
    any any svc-dhcp permit
    any any svc-icmp permit <-- allow icmp 0
    user alias dns-servers svc-dns permit



  • 4.  RE: Firewall policy specify port as source or destination

    Posted Aug 25, 2012 09:44 AM

    "In the access list below, traffic is allowed to a specific set of DNS servers, but all other traffic (dns or otherwise) will be denied by the implicit deny at the end of all access lists"

    In this case, why do we have (sip-policy) & allow-all in the same user-role if the packet is not going to reach them?!



  • 5.  RE: Firewall policy specify port as source or destination
    Best Answer

    EMPLOYEE
    Posted Aug 25, 2012 09:46 AM

    At the end of the LAST policy is an explicit deny. If you have four policies attached to a role, the end of the fourth policy is an explicit deny.
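To make the evaluation order discussed in this thread concrete, here is an added toy model (not Aruba code, and not from any poster) of how a role walks its ordered session ACLs: the first matching rule wins, rules carry no source-port field, and the implicit deny applies only after the last ACL has been exhausted. The user table, the members of the dns-servers alias, and the port expansion of svc-dhcp/svc-dns/svc-icmp are constructed assumptions for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    proto: str   # "udp", "tcp" or "icmp"
    dport: int   # destination port; 0 for icmp (there is no source-port field)

# Constructed sample data (assumptions, not from the thread): the controller's
# user table and the members of the dns-servers alias.
USER_TABLE = {"10.1.1.10"}
ALIASES = {"dns-servers": {"10.9.9.53"}}
# Assumed expansion of the named services used in the thread.
SERVICES = {"svc-dhcp": ("udp", 67), "svc-dns": ("udp", 53), "svc-icmp": ("icmp", 0)}

def _src_match(sel, pkt):
    # "user" means the source must be an authenticated entry in the user table.
    return sel == "any" or (sel == "user" and pkt.src in USER_TABLE)

def _dst_match(sel, pkt):
    return sel == "any" or pkt.dst in ALIASES.get(sel, {sel})

def _svc_match(sel, pkt):
    if sel == "any":
        return True
    proto, port = SERVICES.get(sel, sel)   # named service or raw (proto, port)
    return pkt.proto == proto and pkt.dport == port

def evaluate(policies, pkt):
    """Walk the role's ACLs in order; the first matching rule decides.
    Only when every ACL is exhausted does the implicit deny apply."""
    for name, rules in policies:
        for src, dst, svc, action in rules:
            if _src_match(src, pkt) and _dst_match(dst, pkt) and _svc_match(svc, pkt):
                return action, f"{name}: {src} {dst} {svc} {action}"
    return "deny", "implicit deny after the last policy"

# The "common" ACL from the thread, followed by the predefined allow-all.
COMMON = ("common", [
    ("user", "any", ("udp", 68), "deny"),       # users may not answer DHCP requests
    ("any", "any", "svc-dhcp", "permit"),
    ("any", "any", "svc-icmp", "permit"),
    ("user", "dns-servers", "svc-dns", "permit"),
])
ALLOW_ALL = ("allowall", [("any", "any", "any", "permit")])

if __name__ == "__main__":
    other_dns = Packet("10.1.1.10", "8.8.8.8", "udp", 53)
    print(evaluate([COMMON], other_dns))             # denied: implicit deny
    print(evaluate([COMMON, ALLOW_ALL], other_dns))  # permitted by allowall
```

Running it shows why the OP's extra deny lines matter: with only "common" attached, DNS to a server outside the alias falls to the implicit deny, but with allow-all as the fourth ACL the same packet is permitted there, so a deny must be written explicitly before allow-all if that traffic should be blocked.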