Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

passing more detailed packet info to a Fortigate firewall

  • 1.  passing more detailed packet info to a Fortigate firewall

    Posted Nov 14, 2014 02:39 PM

    Hello,
    In our environment we have a Fortigate 311B that serves as a unified threat appliance and our external gateway for both our wired and wireless networks. When I look at traffic logs and alerts passing through the Fortigate, I see the internal addresses of wired clients (who receive their IP addresses from a Windows DHCP server) as the source address, which makes them relatively easy to track down. But for wireless clients, who receive their IP addresses from the same Windows DHCP server, the 'source address' is always the IP of the Aruba 7210 controller, so it is next-to-impossible to discern which specific client device is triggering any given alert. I'm hoping that there is a way to integrate the controller with the firewall to gain more transparency from the firewall alert messages. Thanks in advance for any suggestions.




  • 2.  RE: passing more detailed packet info to a Fortigate firewall

    Posted Nov 14, 2014 03:21 PM

    It sounds like you have src-nat enabled on the controller for the user VLANs, thus all traffic is showing the controller as the source. Check your VLAN on the controller:

    show vlan status

    Look at the NAT Inside column.



  • 3.  RE: passing more detailed packet info to a Fortigate firewall

    Posted Nov 14, 2014 03:32 PM

    This is true, NAT Inside is enabled, but if I disable the checkbox to 'enable source NAT for this VLAN' in the GUI then the clients get no Internet access. What is the process by which I can leave src-nat unchecked and still have clients routed to the Internet?



  • 4.  RE: passing more detailed packet info to a Fortigate firewall
    Best Answer

    Posted Nov 14, 2014 03:43 PM

    There are probably no return routes for those networks to the controller.


    Consider one of the following:

    1) Put the users on a VLAN where the controller is not their default gateway; but rather another core infrastructure product (router/switch/fw)

    2) Add routes within your network to the user VLAN that exists on the controller; point the next hop to the controller's IP


    The first is recommended as it typically is easier.   The second choice may require multiple routes added on different devices depending on your wired architecture.
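    The reasoning in this answer (and in replies 3 and 6) can be modelled as a small routing exercise. The script below is an added example, not from the thread or from HPE Aruba: it uses constructed addresses (controller 10.0.0.5 on the wired VLAN, user VLAN 192.168.100.0/24, client 192.168.100.50) and a toy firewall routing table to show which source IP the firewall would log under each setup, whether its return traffic can reach the client, and whether a log line can be tied to a single client.

```python
"""Model the firewall's view of wireless traffic with and without controller src-nat."""
from ipaddress import IPv4Address, IPv4Network

# Constructed addresses for illustration only (not from the thread).
CONTROLLER_IP = IPv4Address("10.0.0.5")         # controller's IP on the wired VLAN
WIRELESS_NET = IPv4Network("192.168.100.0/24")  # user VLAN that terminates on the controller
CLIENT_IP = IPv4Address("192.168.100.50")       # a wireless client in that VLAN
INTERNET = "default-route"                      # next hop meaning "send upstream to the ISP"

# Firewall routing table before any fix: destination network -> next hop
FW_BASE_ROUTES = {
    IPv4Network("10.0.0.0/24"): "connected",
    IPv4Network("0.0.0.0/0"): INTERNET,
}


def lookup(routes, dst):
    """Longest-prefix match over the table; returns the next hop or None."""
    matches = [net for net in routes if dst in net]
    if not matches:
        return None
    return routes[max(matches, key=lambda n: n.prefixlen)]


def firewall_view(routes, src_nat):
    """Return (source IP the firewall logs, whether return traffic can reach the client)."""
    logged_src = CONTROLLER_IP if src_nat else CLIENT_IP
    hop = lookup(routes, logged_src)
    # Return packets that only match the default route go upstream and never come back,
    # which is why disabling src-nat alone breaks Internet access for the clients.
    return_ok = hop is not None and hop != INTERNET
    return logged_src, return_ok


def attributable(logged_src):
    """A firewall log line can be tied to one client only if the source is a client address."""
    return logged_src in WIRELESS_NET


if __name__ == "__main__":
    # Option 2 from the answer: add a route for the user VLAN with the controller as next hop.
    with_route = {**FW_BASE_ROUTES, WIRELESS_NET: CONTROLLER_IP}
    scenarios = [("src-nat on, no route", FW_BASE_ROUTES, True),
                 ("src-nat off, no route", FW_BASE_ROUTES, False),
                 ("src-nat off, route via controller", with_route, False)]
    for label, routes, nat in scenarios:
        src, ok = firewall_view(routes, nat)
        print(f"{label:35} logs {str(src):16} return path {'OK' if ok else 'BROKEN':6} "
              f"attributable={attributable(src)}")
```

    Option 1 from the answer (controller as L2 only, gateway on the firewall) makes the user VLAN a connected network on the firewall, which the same lookup would also report as a working return path with a client source.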



  • 5.  RE: passing more detailed packet info to a Fortigate firewall

    Posted Nov 15, 2014 04:11 PM

    Hi - Sorry to be obtuse, but I can't seem to work out how to set a different device as the gateway from within the controller. The VLANs in question only exist within the controller - they don't match any VLANs we maintain on the wired end. [Presently, the VLAN is associated with the WLAN via the virtual AP profile and not by users roles or rules, if that makes a difference.]
    When I create a VLAN in the controller and set the address within that VLAN, there doesn't appear to be a place to specify an external gateway.
    As an experiment, I've activated a port in the firewall (policies wide open to 'allow all' for traffic among interfaces for testing) with an IP address in the VLAN's assigned range, but after setting that as the gateway within the DHCP scope there is no connectivity (regardless of src-NAT setting). So trying option 2, I added a route to the controller's VLAN IP on the firewall interface and edge switch [which connects to the testing WAP]. Traffic flows fine until src-NAT is disabled, so clearly I haven't got that quite worked out either. Thanks for helping me stick with it - I'm open to any ideas about things I must be missing.



  • 6.  RE: passing more detailed packet info to a Fortigate firewall

    Posted Nov 19, 2014 12:20 AM

    So the way you have it set up, you have to NAT out as the IP of the controller as the networks "don't exist" to the wired side... so therefore no routes are in place to return traffic to those wireless networks.

    As an alternative, you could try using the External Services Interface (ESI) to see if one of the modes would work in your setup:

    http://www.arubanetworks.com/techdocs/ArubaOS%206_3_1_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/ESI/ESI.htm%3FTocPath%3DExternal%20Services%20Interface



  • 7.  RE: passing more detailed packet info to a Fortigate firewall

    Posted Nov 19, 2014 07:57 AM

    Hi - I'm certainly amenable to making those networks 'exist' on the wired side, but I'm not having any luck with that. I've trunked a port from the 7210 directly to the Fortigate (firewall and router) and set a static IP on that Fortigate interface in that VLAN's IP range, and a route on the Fortigate to point to the VLAN IP of the controller for that network. I've added a VLAN with the same ID as the VLAN on the controller to the wired side and tagged it to all ports leading into the controller and into the Fortigate. I did add that route statement to the core switch as well. I can ping that IP from anywhere on the wired side. Do I need to play with the routing statements on the controller at all? What steps do I need to take to disable NAT-inside for that network?
    I've actually been looking at ESI, too, using http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/ESI.php as a guide. The content seems substantively equivalent to your link. On the surface it sounds right for the scenario I've described.  I'll post back if that provides the results I'm looking for.
    Thanks.




  • 8.  RE: passing more detailed packet info to a Fortigate firewall

    Posted Nov 19, 2014 04:16 PM

    Courtesy of an old thread  - http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Is-it-possible-to-use-two-gateways-on-the-controller/td-p/27142  (kudos to mike-narine), I've been able to set the network as external (using Option 1 below).

    [

    Let's assume VLAN100 is the VLAN you want to make the modifications to:


    - VLAN100

    - Network: 192.168.100.0/24

    - Gateway: 192.168.100.1/24 (Terminates on the Aruba controller)

    - Assuming you use an external DHCP server to hand out IPs for VLAN100


    You have 2 ways to make these changes:

    Option 1:

    • Remove the L3 IP for VLAN100 (if it's not required for any other functionality)
    • Assign the L3 IP to your upstream router/gateway
    • Trunk VLAN100 to the Aruba controller so the router and Aruba controller are part of VLAN100
    • Update routing for VLAN100 (core/upstream)


    Option 2:

    • Trunk VLAN100 to the controller so router/controller are part of VLAN100
    • Assign a different IP to the router for VLAN100
    • On DHCP server, change the gateway to the IP of the router in VLAN100
    • Update routing for VLAN100 (core/upstream)

    With Option 1 the controller is just L2 in VLAN100. With Option 2 the controller remains L3 but is not the default gateway for VLAN100. You may require Option 2 if you're using Captive Portal. Otherwise, go with Option 1 unless there is a need for a VLAN100 IP on your controller. No other changes are required on the controller.

    Hope that helps.]


    The piece I was overlooking was deleting the existing IP address on the Aruba controller. ... So I think we're in business.
    Thanks - JCA