Wireless Access

Is there a means by which the controll firewall logs can be forwarded to an external server?

 

I have already setup the firewall logs under Security in the logging configuration at debugging level and sending to an external syslog received. I'm seeing the messages, but they are not very useful. Most if not all the messages are deny messages (even in debug mode) and I see a number of denied hits for a destination IP of the wireless client gateway versus the external IP they are attempting to hit.

 

Bottom-line I'm trying to debug an issue where certain resources are not accessible from a captive role governed by the stateful firewall policy. I would like to be able to see in real-time a device being denied access as to identify resources that are incorrectly being denied.

Type "show datapath session table <IP address of client>" on the command line of the controller to see what is being allowed and denied in real-time.

Thank you Colin for the quick reply - I'm aware of that CLI command, but that requires determining the controller client is connected to, logging in and then replicating the issue. I was hoping to find a way to log that traffic outbound to an external server as to have both real-time and historical data.

If you are using Airwave, it will automatically locate the controller that the user is on, and you can just use "run a command" for "show datapath session table" on the controller that the user is on;

 

That's an improvement - thank you. However there is no way to export this data via syslog? Even in debug mode the forwarded firewall logs show mostly UDP and ICMP traffic. The TCP traffic I do see (infrequent hits) appear to be denies destined for the network gateway address - not the actual source IP.

You need to log on all ACLs in the user role to see everything.  It can drive the CPU up on the controller to do this, however, so it is not advised to log all sessions in a user role.

 

What is your problem and what are you trying to do specifically?  There might be a better approach..

I have a new out-of-the-box Samsung Android table I'm testing with and I cannot connect to Google Play. I have a number (20) of stateful firewall rules enabled to allow access to a myriad of places. If I remove the device from the captive state governed by those rules, it connects with no issue, so there is something in the firewall rules that is disallowing access to Google Play. I figured watching the firewall logs would point me in the right direction.

For google play, it is tough.  Are you using the method here?  https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-permit-Google-play-store-access-for-captive-portal-guest/ta-p/181652

 

Yes, I have setup a Google Play stateful firewall policy with those URLs as well as a number of others, still unable to access the store from a captive state.

What is the output of "show rights <role>"?

That was the key - thank you very much! The Google play firewall policy was applied to one of our captive roles but not another - once the policies were identical it appears to be working just fine now. Thank you!