Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

block URL

  • 1.  block URL

    Posted Sep 05, 2013 01:43 PM

    Hi Guys,

     

     

    I need to block URLs like facebook.com and youtube.com, directly on Aruba.

     

    I created a policy:

    netdestination block-url
      name www.youtube.com
      name youtube.com
      name facebook.com
      name www.facebook.com

    then added it to an ACL:

    ip access-list session blockpolicy
      user alias block-url any deny

     


    This blocks Facebook and YouTube, but also simple sites like www.google.pt, and Gmail gets too slow when it opens.

     

    Any clues?

    Regards



  • 2.  RE: block URL

    EMPLOYEE
    Posted Sep 05, 2013 01:46 PM

    You need to define a DNS server on your controller, a DNS name, and turn on lookups:

     

    https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-264



  • 3.  RE: block URL

    Posted Sep 05, 2013 07:41 PM
    Hi cjoseph,

    I already have DNS 8.8.8.8 defined on the controller DHCP.

    It's strange that a block URL also blocks, or slows down access to, google.pt or Gmail.

    As soon as I disable the block URL, Google (my default page) comes up instantly.
    Regards


  • 4.  RE: block URL

    EMPLOYEE
    Posted Sep 05, 2013 07:43 PM
    Did you take a look at the instructions I linked to? Do you have all of those parts configured?


  • 5.  RE: block URL

    EMPLOYEE
    Posted Sep 06, 2013 08:49 AM

    When this is happening, can you look at the output of the "show datapath session table"?  Or log the denies in the firewall policy to catch what is happening at the controller's firewall?



  • 6.  RE: block URL

    Posted Sep 06, 2013 02:30 PM

    I will try that... and see..

     

    I activate the log under stateful firewall, correct? And then issue something like "show log security"?

     

     

    Also, in the meantime I am not able to ping the APs. I can ping them from the controller, but I can't ping them from the wireless.

     

    Regards



  • 7.  RE: block URL

    EMPLOYEE
    Posted Sep 06, 2013 03:14 PM

    Not sure why you cannot ping the APs.  Is there a reason you're trying?  What role do you have as a client ("show user" will tell you)?



  • 8.  RE: block URL

    Posted Sep 06, 2013 03:19 PM

    When you block the FQDN youtube.com, the controller resolves the DNS name to an IP and blocks the IP as a firewall policy. However, Google uses the same IP range for more than one service. This method is not the best way to do this.

     

    You will need to wait for ArubaOS 6.4 (AppRF 2.0), which will provide "apps signatures" and works fine with this.

     

     

    Regards,

    Paulo Raponi
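
The overblocking described in the post above, as an added example that is not part of the original thread: a small model of a name-based deny alias flattened to IP addresses, checked against other hostnames that share those addresses. The DNS answers are constructed (documentation address ranges, not real lookups), and the "intermittent" verdict assumes a client may pick a denied address first and has to time out before trying another.

```python
import ipaddress

# Constructed DNS answers for illustration only (RFC 5737 documentation ranges).
SAMPLE_DNS = {
    "youtube.com":      ["203.0.113.10", "203.0.113.11"],
    "www.youtube.com":  ["203.0.113.11", "203.0.113.12"],
    "facebook.com":     ["198.51.100.20"],
    "www.facebook.com": ["198.51.100.21"],
    "www.google.pt":    ["203.0.113.11", "203.0.113.13"],  # shares .11 with YouTube
    "mail.google.com":  ["203.0.113.12"],                  # shares .12 with YouTube
    "example.org":      ["192.0.2.50"],
}

# The names from the thread's "netdestination block-url" alias.
BLOCKED_NAMES = ["www.youtube.com", "youtube.com", "facebook.com", "www.facebook.com"]

def build_deny_set(blocked, dns):
    """Flatten blocked names to {ip: names that resolved to it}, as an IP-level ACL sees them."""
    deny = {}
    for name in blocked:
        for ip in dns.get(name, []):
            deny.setdefault(ipaddress.ip_address(ip), set()).add(name)
    return deny

def collateral(deny, dns, blocked):
    """Return {unlisted_name: {ip: [blocked names sharing that ip]}}."""
    hits = {}
    for name, ips in dns.items():
        if name in blocked:
            continue
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if addr in deny:
                hits.setdefault(name, {})[ip] = sorted(deny[addr])
    return hits

def verdict(name, deny, dns):
    """Classify a hostname by how many of its addresses fall in the deny set."""
    addrs = [ipaddress.ip_address(ip) for ip in dns[name]]
    denied = [a for a in addrs if a in deny]
    if not denied:
        return "reachable"
    return "blocked" if len(denied) == len(addrs) else "intermittent"

if __name__ == "__main__":
    deny = build_deny_set(BLOCKED_NAMES, SAMPLE_DNS)
    for host, shared in collateral(deny, SAMPLE_DNS, BLOCKED_NAMES).items():
        print(host, verdict(host, deny, SAMPLE_DNS), shared)
```

Running the same comparison against the addresses the controller has actually resolved for the alias shows which unlisted hostnames an IP-level deny will catch.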



  • 9.  RE: block URL

    EMPLOYEE
    Posted Sep 06, 2013 03:23 PM

    @pcraponi wrote:

    When you block the FQDN youtube.com, the controller resolves the DNS name to an IP and blocks the IP as a firewall policy. However, Google uses the same IP range for more than one service. This method is not the best way to do this.

     

    You will need to wait for ArubaOS 6.4 (AppRF 2.0), which will provide "apps signatures" and works fine with this.

     

     

    Regards,

    Paulo Raponi


     

    Good point.  I will not comment on any roadmap item here but in the firewall denies, I am looking for non http/https ports that are looking to connect.  I would suggest that those are allowed while 80/443 remain blocked IF those ports are truly not being used in the background.



  • 10.  RE: block URL

    Posted Sep 09, 2013 12:12 PM

    I need to block several URLs on wireless.

     

    Assuming that this is working OK, I can block, but then I will need to redirect to a page saying that the content is blocked because of internal policy.

     

    Is it possible?

     

    Regards



  • 11.  RE: block URL

    Posted Sep 18, 2013 11:36 AM

     

     

    Hi Guys,

     

    Sorry, but waiting for a new release is not an option.

     

    It is not possible, since the stateful firewall is embedded?

     

     



  • 12.  RE: block URL

    Posted Sep 18, 2013 11:41 AM

    Hi all

     

    Could this be solved when we implement ClearPass Guest and Policy Manager?

     

    That is the second phase.



  • 13.  RE: block URL

    EMPLOYEE
    Posted Sep 18, 2013 11:54 AM

    @brunoaraujocosta wrote:

    Hi all

     

    Could this be solved when we implement ClearPass Guest and Policy Manager?

     

    That is the second phase.


    No, that is not possible.  You should get a web filter for blocking sets, types of URLs and sending users to a page as a result.



  • 14.  RE: block URL

    Posted Sep 18, 2013 05:50 PM

    Hi,

     

    Web filtering is almost all done on the Fortinet firewall. That filtering I can reach, and it's also done on wireless.

     

    But Facebook and YouTube, for example, are blocked in the ISA servers internally. That's the issue.

     

    Regards