Wireless Access

Occasional Contributor I

Firewall and dpi

Hi,

 

For about a month we have had an issue with our W7210 firewall.

We have an open SSID with an external captive portal (10.7.0.255).

 

Occasionally the HTTPS traffic from clients to the captive portal is allowed by the Aruba firewall, but sometimes it is not:

(STARSKY) #show datapath session table 10.7.37.221

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       A - Application Firewall Inspect

Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- ---------  --------- ---------------
10.7.37.221     10.7.0.255      6    50629 443    0/0  0    0   0   tunnel 2332 1    0          0          FDYCA

 

How can I investigate this issue?

 

 

Guru Elite

Re: Firewall and dpi

What is the IP address 10.7.37.221?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Firewall and dpi

It's my test client. Can you explain the A flag to me?

Does it seem that the DPI has blocked it?

Guru Elite

Re: Firewall and dpi

A just means that it is looking at it. What role is the client in, and what rules do you have?

 

On the command line, type "show rights <role>"

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Firewall and dpi

My client has the "eduspot" role; the role details are attached.

 

 

Guru Elite

Re: Firewall and dpi

Are you trying to block eduspot?

 

deny-inter-user
---------------
Priority  Source      Destination           Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------      -----------           -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user        10.7.0.255            any                   permit                           Low                                                           4        
2         10.7.0.255  any                   any                   permit                           Low                                                           4        
3         user        10.7.0.0 255.255.0.0  any                   deny                             Low                                                           4        
deny-broadcast-eduspot
----------------------
Priority  Source  Destination   Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------   -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     10.7.255.255  any                   deny                             Low                                                           4        


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Firewall and dpi

My network mask is 255.255.0.0 (/16)

What I want to do:

 

1: Allow users to reach the captive portal IP, which is 10.7.0.255

2: Allow the captive portal to reach clients

3: Block traffic between users

4: Block broadcasts

 

 

Guru Elite

Re: Firewall and dpi

user        10.7.0.255            any

1, 2: That is the only line you will need to allow users to reach the captive portal. The firewall is stateful, so it will allow responses to user queries.

 

3. In the Virtual AP profile, you can enable "Deny Inter-User Traffic" 

 

4.  In the Virtual AP profile, you can enable "Drop Broadcast and Unknown Multicast"



Colin Joseph
Aruba Customer Engineering

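To make the point about rule order and stateful replies concrete, here is an added example (editor's code, not from the thread and not ArubaOS code). The rules are transcribed from the deny-inter-user and deny-broadcast-eduspot policies posted above; the first-match walker, the session cache and the "no rule matched, fall through" behaviour are a simplified model of a stateful, role-based firewall and are assumptions, as are the client addresses 10.7.40.10 and 8.8.8.8 used as test inputs.

```python
"""First-match evaluation of the eduspot role's policies, with stateful returns.

Added example, not ArubaOS code. The rules are transcribed from the
deny-inter-user and deny-broadcast-eduspot policies shown in the thread;
the evaluator, the session cache and the "fall through to the next policy"
behaviour are a simplified model (an assumption) of how a stateful,
role-based firewall applies an ordered list of policies.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    priority: int
    src: str      # "user", "any", a host address, or "network mask"
    dst: str
    action: str   # "permit" or "deny"


# Transcribed from the thread; the Service column is "any" for every rule.
DENY_INTER_USER = [
    Rule(1, "user", "10.7.0.255", "permit"),
    Rule(2, "10.7.0.255", "any", "permit"),
    Rule(3, "user", "10.7.0.0 255.255.0.0", "deny"),
]
DENY_BROADCAST_EDUSPOT = [
    Rule(1, "any", "10.7.255.255", "deny"),
]
EDUSPOT_POLICIES = [DENY_INTER_USER, DENY_BROADCAST_EDUSPOT]


def _match(spec: str, addr: str, user_ip: str) -> bool:
    """Match one address against a rule field written the way the policy prints it."""
    if spec == "any":
        return True
    if spec == "user":                 # the client the role is applied to
        return addr == user_ip
    # "10.7.0.0 255.255.0.0" -> 10.7.0.0/255.255.0.0; a bare host address -> /32
    net = ipaddress.ip_network(spec.replace(" ", "/"), strict=False)
    return ipaddress.ip_address(addr) in net


def first_match(policies, src: str, dst: str, user_ip: str):
    """Walk the policies in order; the first matching rule decides.

    Returns (action, policy_index, rule_priority), or None when no rule in
    any policy matched (a real role would then reach its implicit deny).
    """
    for p_idx, policy in enumerate(policies):
        for rule in sorted(policy, key=lambda r: r.priority):
            if _match(rule.src, src, user_ip) and _match(rule.dst, dst, user_ip):
                return rule.action, p_idx, rule.priority
    return None


@dataclass
class StatefulFirewall:
    policies: list
    user_ip: str
    sessions: set = field(default_factory=set)

    def forward(self, src: str, dst: str) -> str:
        """Decide one packet: a reply to a permitted session passes on state
        alone; everything else goes through the rule list."""
        if (dst, src) in self.sessions:
            return "permit"                       # stateful return traffic
        decision = first_match(self.policies, src, dst, self.user_ip)
        action = decision[0] if decision else "deny"   # implicit deny (assumption)
        if action == "permit":
            self.sessions.add((src, dst))
        return action


# The same rules with the /16 deny moved ahead of the portal permit.
MISORDERED = [
    Rule(1, "user", "10.7.0.0 255.255.0.0", "deny"),
    Rule(2, "user", "10.7.0.255", "permit"),
]


def portal_reply_without_rule2() -> tuple:
    """Drop rule 2 entirely: the portal's replies still pass on state, while an
    unsolicited connection from the portal to the client does not."""
    fw = StatefulFirewall([[DENY_INTER_USER[0], DENY_INTER_USER[2]]], "10.7.37.221")
    unsolicited = fw.forward("10.7.0.255", "10.7.37.221")   # no session yet
    outbound = fw.forward("10.7.37.221", "10.7.0.255")      # rule 1 permits
    reply = fw.forward("10.7.0.255", "10.7.37.221")         # state permits
    return unsolicited, outbound, reply


if __name__ == "__main__":
    u = "10.7.37.221"
    print("user -> portal:", first_match(EDUSPOT_POLICIES, u, "10.7.0.255", u))
    print("user -> other client:", first_match(EDUSPOT_POLICIES, u, "10.7.40.10", u))
    print("user -> portal, misordered:", first_match([MISORDERED], u, "10.7.0.255", u))
    print("unsolicited/outbound/reply without rule 2:", portal_reply_without_rule2())
```

The misordered list shows why the /16 deny must sit below the portal permit: with the deny first, the client never reaches 10.7.0.255. The last function shows what "stateful" buys: rule 2 can be removed and replies from the portal still pass, but a connection the portal opens on its own is not covered by state and is dropped.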

Occasional Contributor I

Re: Firewall and dpi

Now, without modifying anything, the traffic is going through!

 

(STARSKY) #show datapath session table 10.7.37.221

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       A - Application Firewall Inspect

Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- ---------  --------- ---------------
10.7.37.221     10.7.0.255      6    51465 443    0/0  0    0   0   tunnel 2332 3    56         4184       FC
10.7.0.255      10.7.37.221     6    443   51465  0/0  0    0   0   tunnel 2332 3    75         86820      F

 

Any idea?
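The two session-table captures in this thread differ in exactly the fields a practitioner needs to compare: the flags (FDYCA with 0 packets versus FC/F with traffic). Here is an added parser for that output (editor's example, not code from the thread or from Aruba) that decodes the flag letters using the legend the command prints and gives a one-line verdict per row. The positional column layout is inferred from the header line and is an assumption about this firmware's output format; the embedded captures are the ones posted above.

```python
"""Parse 'show datapath session table' output and flag denied sessions.

Added example, not code from the thread or from Aruba. The two captures are
the ones posted in this thread and the flag meanings are the legend the
command prints. The column layout is inferred from the header line, so the
positional parsing is an assumption about this firmware's output format.
"""
import re
from dataclasses import dataclass

# Legend as printed by the command.
FLAG_LEGEND = {
    "F": "fast age", "S": "src NAT", "N": "dest NAT",
    "D": "deny", "R": "redirect", "Y": "no syn",
    "H": "high prio", "P": "set prio", "T": "set ToS",
    "C": "client", "M": "mirror", "V": "VOIP",
    "Q": "Real-Time Quality analysis",
    "I": "Deep inspect", "U": "Locally destined",
    "E": "Media Deep Inspect", "G": "media signal",
    "A": "Application Firewall Inspect",
}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    destination: str   # e.g. "tunnel 2332"
    packets: int
    bytes: int
    flags: str

    @property
    def denied(self) -> bool:
        return "D" in self.flags

    def describe_flags(self) -> list:
        return [FLAG_LEGEND.get(f, f"unknown({f})") for f in self.flags]


def parse_session_table(text: str) -> list:
    """Return one Session per data row; legend and header lines are skipped."""
    sessions = []
    for line in text.splitlines():
        f = line.split()
        # A data row starts with two IPv4 addresses and has at least 14 columns.
        if len(f) < 14 or not (IPV4.match(f[0]) and IPV4.match(f[1])):
            continue
        # Columns are fixed at both ends; 'Destination' can contain a space
        # ("tunnel 2332"), so it is whatever sits between them.
        sessions.append(Session(
            src=f[0], dst=f[1], proto=int(f[2]), sport=int(f[3]), dport=int(f[4]),
            destination=" ".join(f[9:-4]),
            packets=int(f[-3]), bytes=int(f[-2]), flags=f[-1],
        ))
    return sessions


def explain(s: Session) -> str:
    """The verdict a practitioner reads off one row."""
    ep = f"{s.src}:{s.sport} -> {s.dst}:{s.dport}"
    if s.denied:
        why = "dropped by firewall policy (D)"
        if "Y" in s.flags:
            why += "; entry created by a non-SYN packet (Y)"
        if s.packets == 0:
            why += "; nothing forwarded"
        return f"{ep} DENIED: {why}"
    note = " (A: app firewall is inspecting, not blocking)" if "A" in s.flags else ""
    return f"{ep} permitted, {s.packets} pkts / {s.bytes} bytes{note}"


# Captures from the thread, trimmed to the header and data rows.
CAPTURE_DENIED = """\
Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets    Bytes      Flags
10.7.37.221     10.7.0.255      6    50629 443    0/0  0    0   0   tunnel 2332 1    0          0          FDYCA
"""
CAPTURE_WORKING = """\
10.7.37.221     10.7.0.255      6    51465 443    0/0  0    0   0   tunnel 2332 3    56         4184       FC
10.7.0.255      10.7.37.221     6    443   51465  0/0  0    0   0   tunnel 2332 3    75         86820      F
"""


def denied_sessions(text: str) -> list:
    """Sessions in a capture that carry the D flag."""
    return [s for s in parse_session_table(text) if s.denied]


if __name__ == "__main__":
    for cap in (CAPTURE_DENIED, CAPTURE_WORKING):
        for s in parse_session_table(cap):
            print(explain(s), "|", ", ".join(s.describe_flags()))
```

Run against the first capture it reports the session as denied with no packets forwarded; against the second it reports both directions permitted. The A flag on its own only says the application firewall looked at the session, so a capture worth investigating is one that carries D, not one that carries A.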

       

Guru Elite

Re: Firewall and dpi

Are you blocking any traffic using the AppRF dashboard?


Colin Joseph
Aruba Customer Engineering

