Regular Contributor II

block URL

Hi Guys,

I need to block URLs like facebook.com and youtube.com directly on Aruba.

I created a policy:

netdestination block-url
  name www.youtube.com
  name youtube.com
  name facebook.com
  name www.facebook.com

Then added it to the ACL:

ip access-list session blockpolicy
  user alias block-url any deny

This blocks Facebook and YouTube, but also simple sites like www.google.pt and Gmail get too slow on opening, when they open.

Any clues?

Regards

Guru Elite

Re: block URL

You need to define a DNS server on your controller, a DNS name, and turn on lookups:

https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-264



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor II

Re: block URL

Hi cjoseph,

I already have a DNS 8.8.8.8 defined on the controller DHCP.

It's strange why a block URL also blocks or makes access to google.pt or Gmail slower.

As soon as I disable the block URL, Google (my default page) comes up instantly.
Regards
Guru Elite

Re: block URL

Did you take a look at the instructions I linked to? Do you have all of those parts configured?


Colin Joseph
Aruba Customer Engineering


Re: block URL

When this is happening, can you look at the output of the "show datapath session table"?  Or log the denies in the firewall policy to catch what is happening at the controller's firewall?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Regular Contributor II

Re: block URL

I will try that and see.

I activate the log under stateful firewall, correct? And then issue something like show log security?

Also, in the meantime I am not able to ping the APs. I can ping them from the controller, but can't ping them from the wireless.

Regards

Re: block URL

Not sure why you cannot ping the APs. Is there a reason you're trying? What role do you have as a client (show user will tell you)?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Contributor I

Re: block URL

When you block the FQDN youtube.com, the controller resolves the DNS name to an IP and blocks the IP as a firewall policy. However, Google uses the same IP range for more than one service. This method is not the best way to do this.

You will need to wait for ArubaOS 6.4 (AppRF 2.0), which will provide "apps signatures" and works fine with this.

Regards,

Paulo Raponi
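
An added illustration of the effect described in the post above (not part of the original thread, and not Aruba code): a name-based alias ends up matching IP addresses, so any other hostname that resolves to the same addresses is denied as well. The DNS answers and the `static.example` host are constructed sample data; only the alias names come from the first post.

```python
import ipaddress

# Constructed DNS answers using documentation address ranges (not real data).
# The youtube and google names share addresses on purpose, as the post describes.
DNS_ANSWERS = {
    "www.youtube.com":  ["203.0.113.10", "203.0.113.11"],
    "youtube.com":      ["203.0.113.10"],
    "facebook.com":     ["198.51.100.5"],
    "www.facebook.com": ["198.51.100.5"],
    "www.google.pt":    ["203.0.113.11", "203.0.113.12"],
    "mail.google.com":  ["203.0.113.10", "203.0.113.13"],
    "static.example":   ["203.0.113.10"],
    "www.example.org":  ["192.0.2.80"],
}
# Same names as the netdestination in the first post.
BLOCK_URL = ["www.youtube.com", "youtube.com", "facebook.com", "www.facebook.com"]


def resolve_alias(names, answers):
    """Expand a name-based alias into the set of IPs an IP-level rule matches."""
    return {ipaddress.ip_address(a) for n in names for a in answers.get(n, [])}


def collateral(names, answers):
    """Map each host outside the alias to 'full' or 'partial' if the rule hits it."""
    denied = resolve_alias(names, answers)
    result = {}
    for host, addrs in answers.items():
        if host in names:
            continue
        ips = {ipaddress.ip_address(a) for a in addrs}
        hit = ips & denied
        if hit:
            # 'full': every address is denied. 'partial': only some are, so
            # whether a connection works depends on which address is tried.
            result[host] = "full" if hit == ips else "partial"
    return result


if __name__ == "__main__":
    for host, impact in sorted(collateral(BLOCK_URL, DNS_ANSWERS).items()):
        print(f"{host:20} {impact}")
```

Running the same comparison against the names a client actually resolves, alongside the logged denies, shows which unrelated sites the alias is catching.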

Re: block URL


pcraponi wrote:

When you block the FQDN youtube.com, the controller resolves the DNS name to an IP and blocks the IP as a firewall policy. However, Google uses the same IP range for more than one service. This method is not the best way to do this.

You will need to wait for ArubaOS 6.4 (AppRF 2.0), which will provide "apps signatures" and works fine with this.

Regards,

Paulo Raponi


Good point.  I will not comment on any roadmap item here but in the firewall denies, I am looking for non http/https ports that are looking to connect.  I would suggest that those are allowed while 80/443 remain blocked IF those ports are truly not being used in the background.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Regular Contributor II

Re: block URL

I need to block several URLs on wireless.

Assuming that this is working OK, I can block, but then I will need to redirect to a page saying that the content is blocked because of internal policy.

Is it possible?

Regards
