Contributor I

Blocking a website on 7210

I need to block a website on a 7210 controller.
I already enabled the firewall with a license.

Thanks

Community Administrator

Re: Blocking a website on 7210

Are you using 6.4?
CWNA, ACMP, Security +

Contributor I

Re: Blocking a website on 7210

Yes

Guru Elite

Re: Blocking a website on 7210

Create a netdestination with the DNS name. Then create a firewall policy with source user and destination alias and then choose the drop action.

Make sure your controller has a DNS server defined and that name lookups are enabled.

Sent from Windows Mail

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Contributor I

Re: Blocking a website on 7210

Thanks,

Would you please send the commands, or the steps if I can do it through the GUI?

Guru Elite

Re: Blocking a website on 7210

Some will require command line:

COMMAND LINE:

ip name-server <dns-server-ip-1>
ip name-server <dns-server-ip-2>
ip domain lookup

(It will tell you that you need to reboot; however, it should work without rebooting the controller.)

GUI example blocking all of facebook.com, including subdomains.

Create a netdestination under Configuration > Advanced Services > Stateful Firewall > Destination

    - Give it a name and add a new rule of type "Name".

    - Enter the domain name you are trying to block. Since we are blocking subdomains as well (www.facebook, login.facebook), we will put an asterisk in front (see screenshot).

[Screenshot: facebook-netdest.PNG]

Now you'll want to create a new session ACL to block the traffic.

   - Navigate to Configuration > Security > Policies

   - Click Add to create a new session policy. Give it a name.

   - Click the add button to add an ACL entry. The screenshot below will block all traffic to any facebook website that ends in facebook.com.

   - Notice for destination, you will select "Alias" and then choose the netdestination that you created in the previous step.

[Screenshot: facebook-deny-acl.PNG]

The last step is to add that policy to a user-role. Make sure it is higher than an allowall or allow all http/https.

If you'd like to see the current DNS cache on the controller, run:

#show firewall dns-names

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
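
The GUI steps in the reply above, written as the equivalent ArubaOS 6.x CLI configuration. This is an added example, not part of the original post: the names `facebook-block` and `deny-facebook` and the role `employee` are hypothetical, the pattern `*.facebook.com` is an assumption because the screenshot is not reproduced here, and lines starting with `!` are annotations for the reader.

```arubaos
! Prerequisite (config mode): the controller needs a DNS server and
! name lookups enabled so it can map the blocked name to addresses.
ip name-server <dns-server-ip-1>
ip name-server <dns-server-ip-2>
ip domain lookup
!
! Step 1: netdestination (alias) of type "name".
! "facebook-block" is a hypothetical name; the leading asterisk is
! there to cover subdomains (pattern assumed, see lead-in).
netdestination facebook-block
  name *.facebook.com
!
! Step 2: session ACL with source "user", destination alias from
! step 1, any service, and the deny (drop) action.
! "deny-facebook" is a hypothetical policy name.
ip access-list session deny-facebook
  user alias facebook-block any deny
!
! Step 3: attach the policy to the user-role at position 1 so it is
! evaluated before any allowall or http/https permit.
! "employee" is a hypothetical role name.
user-role employee
  access-list session deny-facebook position 1
!
! Verification (enable mode): confirm the alias, the ACL order in the
! role, and the names the controller has learned through DNS.
show netdestination facebook-block
show rights employee
show firewall dns-names
```

In the `show rights` output the deny entry should be listed above the permit entries of the role; if it is not, the allow rule matches first and the block never applies.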