Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Open firewall ports for a domain name?

  • 1.  Open firewall ports for a domain name?

    Posted May 31, 2017 12:13 PM

    Trying to allow the Whispersystems Signal app to communicate. From their website,

    "Please allow *.whispersystems.org, TCP ports 80, 8443, 4433, 443, and 31337, and all UDP. If you have a transparent or reverse proxy it needs to support WebSockets.

    Signal uses a non-standard TCP port to catch filtering issues at the signaling step and a random UDP port. All UDP ports will need to be opened. The underlying IPs are constantly changing, so it'd be hard to define accurate firewall rules."

    I'm not seeing how to allow *.whispersystems.org in the controller firewall. I tried creating a stateful firewall with the name *.whispersystems.org and allow all. But that didn't work.

    Any ideas?



  • 2.  RE: Open firewall ports for a domain name?

    EMPLOYEE
    Posted May 31, 2017 12:16 PM
    Did you create a netdestination and then permit the user alias to the netdestination alias?

    Please show the output of: show rights <role name>


  • 3.  RE: Open firewall ports for a domain name?

    Posted May 31, 2017 12:23 PM

    I then created a policy called Whisper, under my guest role. Here is the print out.

     

    guest                     5    Up: No Limit,Dn: No Limit  global-sacl/,apprf-guest-sacl/,dhcp-acl/,ra-guard/,https-acl/,dns-acl/,Proxy Test/,WiFi-Calling/,http-acl/,icmp-acl/,torp/,Commercial-Email/,Whisper/,WhatsApp/,denyall-log/,v6-http-acl/,v6-https-acl/,v6-dhcp-acl/,v6-icmp-acl/,v6-dns-acl/  User



  • 4.  RE: Open firewall ports for a domain name?

    EMPLOYEE
    Posted May 31, 2017 12:28 PM
    Please post the output of: show rights <role name>


  • 5.  RE: Open firewall ports for a domain name?

    Posted May 31, 2017 12:37 PM

    RoleTable
    ---------
    Name                      ACL  Bandwidth                  ACL List                                                                                                                                                                                                                                           Type
    ----                      ---  ---------                  --------                                                                                                                                                                                                                                           ----
    guest-captive-portal  73   Up: No Limit,Dn: No Limit  global-sacl/,apprf-guest-captive-portal-sacl/                                                                                                                                                                                                  User
    guest-logon           72   Up: No Limit,Dn: No Limit  global-sacl/,apprf-guest-logon-sacl/,allow-CPPM/,logon-control/,captiveportal/                                                                                                                                                             User
    ap-role                   7    Up: No Limit,Dn: No Limit  ra-guard/,control/,ap-acl/,v6-control/,v6-ap-acl/                                                                                                                                                                                                  System
    authenticated             71   Up: No Limit,Dn: No Limit  global-sacl/,apprf-authenticated-sacl/,ra-guard/,allowall/,v6-allowall/                                                                                                                                                                            User
    cpbase                    70   Up: No Limit,Dn: No Limit  global-sacl/,apprf-cpbase-sacl/                                                                                                                                                                                                                    User
    default-iap-user-role     11   Up: No Limit,Dn: No Limit  allowall/                                                                                                                                                                                                                                          User
    default-via-role          67   Up: No Limit,Dn: No Limit  global-sacl/,apprf-default-via-role-sacl/,allowall/                                                                                                                                                                                                User
    default-vpn-role          69   Up: No Limit,Dn: No Limit  global-sacl/,apprf-default-vpn-role-sacl/,ra-guard/,allowall/,v6-allowall/                                                                                                                                                                         User
    denyall                   74   Up: No Limit,Dn: No Limit                                                                                                                                                                                                                                                     User
    guest                     5    Up: No Limit,Dn: No Limit  global-sacl/,apprf-guest-sacl/,dhcp-acl/,ra-guard/,https-acl/,dns-acl/,Proxy Test/,WiFi-Calling/,http-acl/,icmp-acl/,torp/,Commercial-Email/,Whisper/,WhatsApp/,denyall-log/,v6-http-acl/,v6-https-acl/,v6-dhcp-acl/,v6-icmp-acl/,v6-dns-acl/  User
    guest-logon               10   Up: No Limit,Dn: No Limit  ra-guard/,logon-control/,captiveportal/,v6-logon-control/,captiveportal6/                                                                                                                                                                          User
    logon                     2    Up: No Limit,Dn: No Limit  ra-guard/,logon-control/,captiveportal/,vpnlogon/,v6-logon-control/,captiveportal6/                                                                                                                                                                User
    stateful-dot1x            8    Up: No Limit,Dn: No Limit  global-sacl/,apprf-stateful-dot1x-sacl/                                                                                                                                                                                                            System
    sys-ap-role               12   Up: No Limit,Dn: No Limit  sys-control/,sys-ap-acl/                                                                                                                                                                                                                           System
    voice                     68   Up: No Limit,Dn: No Limit  global-sacl/,apprf-voice-sacl/,ra-guard/,sip-acl/,noe-acl/,svp-acl/,vocera-acl/,skinny-acl/,h323-acl/,dhcp-acl/,tftp-acl/,dns-acl/,icmp-acl/                                                                                                       User



  • 6.  RE: Open firewall ports for a domain name?

    EMPLOYEE
    Posted May 31, 2017 12:46 PM
    You need to run that command at the CLI. Looks like you’re copying from the GUI.


  • 7.  RE: Open firewall ports for a domain name?

    Posted May 31, 2017 12:49 PM

    That is from the CLI




  • 8.  RE: Open firewall ports for a domain name?

    EMPLOYEE
    Posted May 31, 2017 12:52 PM

    Sorry, reply by email was stripping out part of the command: show rights < role name >



  • 9.  RE: Open firewall ports for a domain name?
    Best Answer

    Posted May 31, 2017 01:19 PM

    Never mind, I'm an idiot. I forgot to add the route back in.

    Everything is working now.