Occasional Contributor II
Posts: 36
Registered: ‎04-03-2007

Moving Border Firewall rules

All,

We are thinking of moving some of our border firewall rules that apply to all the wireless users to our 9 M3 controllers.

I wanted to know if anybody else has done this? We feel that this will lighten the load on our Border firewall and distribute the load.

My understanding is that the firewall is stateful for a user profile, as well as on the interfaces to the controllers, but wanted to confirm this.

Brian
MVP
Posts: 130
Registered: ‎06-11-2013

Re: Moving Border Firewall rules

Do you have PEFNG licenses in your controllers? In that case you can easily create session-based ACLs and bind them to user-roles. Then make sure your users are dropped into the correct user-role.

It can be practical to apply firewall policies on the controller, especially if you need good throughput to, for example, your internal network but want to restrict access to certain resources over the WiFi. If your existing firewall cannot support this kind of traffic, it's a good idea to do it on the controller.

However, if you want to prevent having to maintain ACLs and logs in two places (the controller + firewall) this might not be a good idea.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Super Contributor I
Posts: 300
Registered: ‎12-01-2010

Re: Moving Border Firewall rules

Shouldn't be an issue as this is quite common using Aruba wireless; the controllers have a separate processor for the firewall, thus no issue on performance on the M3s. Remember, you must have PEFNG licenses.

Normal Guy
Occasional Contributor II
Posts: 36
Registered: ‎04-03-2007

Re: Moving Border Firewall rules

Thank you for the information. We do have the PEFNG licenses on all the controllers. What we are finding is the Border firewall is showing its age. This option will lighten the load for it and enable us to get another year out of it before we upgrade. Would you happen to know how many packets per second the firewall can handle? That was one of our concerns. We get our share of DDoS attacks and wanted to make sure the Controllers don't go belly up.

Brian
Occasional Contributor II
Posts: 36
Registered: ‎04-03-2007

Re: Moving Border Firewall rules

Thank you for the confirmation Normal Guy. I did a search on Airheads and didn't find anybody asking this question. I guess it's just the norm for people to use it as an alternative to putting everything on the Border firewall.

Brian
MVP
Posts: 130
Registered: ‎06-11-2013

Re: Moving Border Firewall rules

Specs for the Aruba 6000 M3 card:

Active firewall sessions: 524,300
Firewall throughput: 20 Gbps


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Guru Elite
Posts: 21,018
Registered: ‎03-29-2007

Re: Moving Border Firewall rules


davidbr wrote:

All,

We are thinking of moving some of our border firewall rules that apply to all the wireless users to our 9 M3 controllers.

I wanted to know if anybody else has done this? We feel that this will lighten the load on our Border firewall and distribute the load.

My understanding is that the firewall is stateful for a user profile, as well as on the interfaces to the controllers, but wanted to confirm this.


Davidbr,

If you have wired clients at your sites, they need border firewall protection and that should be an essential part of the "belt and suspenders" approach to security. The Aruba built-in firewall allows you to layer additional protection that will cover your clients when they get placed onto the wired network. With that being said, a border firewall guarantees that all of your clients, regardless of their type of connection, have a minimum level of protection. You can use the Aruba firewall to layer on top of this and to give different users different protection, but at minimum you should be using an effective border firewall.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 36
Registered: ‎04-03-2007

Re: Moving Border Firewall rules

Cjoseph,

The Border firewall isn't going away, we just want to lighten the load of it until we upgrade it. We are basically moving around 40 lines in the ACL that are pretty much static from the border to the controllers. Most of our user traffic is of course from/to wireless users. 

Doing this will enable us to tighten the border firewall up more and not put even more demand on it than it already has.

Brian