Yes. I reviewed the following posting, along with additional postings on the community boards. In addition, I've exchanged several e-mails with multiple Aruba TAC Engineers and, based on their feedback/advice, I added the additional ports to the Firewall policy.
I noticed that there are some inconsistencies with respect to the firewall port requirements for both Airwave Clarity and Clarity Synthetic.
After reviewing multiple online posts and engaging Aruba TAC, I revised my firewall rules and added the additional ports.
https://community.arubanetworks.com/t5/Monitoring-Management-Location/Clarity-Synthetic-Firewall-requirements/ta-p/292041
I confirmed that Airwave receives data from the controller on port 8211, just not 8209. Unfortunately, the Clarity Dashboard remains unchanged.
For testing, I applied an any/any policy on the Firewall. What is interesting with the show firewall-cp internal output is that it appears the controller's firewall, not the office firewall, is (initially) denying any packets from being sent out on port 8209, along with 8211.
CP firewall policies
--------------------
IP Version Source IP Source Mask Protocol Start Port End Port Action hits contract
---------- --------- ----------- -------- ---------- -------- -------------- ---- --------
ipv4 any 6 1723 1723 Permit 280
ipv4 any 17 1701 1701 Permit 121
ipv4 any 6 23 23 Deny 245 cpbwc-ipv4-telnet
ipv4 any 6 8084 8084 Deny 0
ipv4 any 6 3306 3306 Deny 44
ipv4 any 17 8209 8209 DenyNotSecure 10578867
ipv4 any 6 8211 8211 DenyNotMaster 802379
Later in the show firewall-cp internal results, it appears both ports 8211 and 8209 are then permitted.
ipv4 any 17 161 161 Permit 256284188 cpbwc-ipv4-snmp
ipv4 any 17 5060 5060 Permit 61
ipv4 any 17 8209 8209 Permit 10578867
If the local office firewall has an any/any policy, why am I not seeing any traffic (packet capture) flow from the controller to Airwave on port 8209?
There is no problem receiving data from the Controller to Airwave on port 8211. I see plenty of traffic on port 8211, along with 514 (syslog).
With CPSec enabled and an any/any policy on the firewall, there is still no packet flow on port 8209 from the controller to Airwave.
You mentioned that Airwave receives Clarity data on port 8211. And I believe in an earlier posting, you mentioned that the controller 'pushes' the Clarity data to Airwave using AMON. With CPSec enabled, will the controller use port 8211 or 8209 to send Clarity data to Airwave?
If the Office Firewall is set to any/any, why does the Controller Firewall show a 'DenyNotSecure' for ports 8209 and 8211 (show firewall-cp internal) and later a 'Permit' for the same ports?
Is it possible to modify the Action on initial DenyNotSecure entries for Port 8209 and 8211 in Stateful Firewall ACL White List?
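The `show firewall-cp internal` excerpts above are easier to reason about when the entries are grouped per port, so that a Deny* entry followed by a Permit for the same port stands out. The following is an added example written for this thread, not code from the poster or from Aruba: it parses control-plane firewall rule lines in the whitespace-collapsed form they appear in above (the sample text below is constructed from the two excerpts in the post, with the same ports, actions and hit counters) and reports, per port, the sequence of actions and hits. The column layout it assumes (IP version, source, optional mask, protocol, start port, end port, action, hits, optional contract) is inferred from the header line in the post; on a real controller, verify it against your own output before relying on the summary.

```python
"""Summarise Aruba control-plane firewall rules per port.

Added example for troubleshooting AirWave/Clarity reachability: it groups
`show firewall-cp internal` entries by destination port so that a Deny*
entry that precedes a Permit for the same port is easy to spot.
"""
from collections import defaultdict

# Constructed sample, built from the two excerpts quoted in the post above.
# The stray leading '.' on the SNMP line reproduces a copy/paste artifact.
SAMPLE_OUTPUT = """\
CP firewall policies
--------------------
IP Version Source IP Source Mask Protocol Start Port End Port Action hits contract
---------- --------- ----------- -------- ---------- -------- -------------- ---- --------
ipv4 any 6 1723 1723 Permit 280
ipv4 any 17 1701 1701 Permit 121
ipv4 any 6 23 23 Deny 245 cpbwc-ipv4-telnet
ipv4 any 6 8084 8084 Deny 0
ipv4 any 6 3306 3306 Deny 44
ipv4 any 17 8209 8209 DenyNotSecure 10578867
ipv4 any 6 8211 8211 DenyNotMaster 802379
.ipv4 any 17 161 161 Permit 256284188 cpbwc-ipv4-snmp
ipv4 any 17 5060 5060 Permit 61
ipv4 any 17 8209 8209 Permit 10578867
"""

PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_cp_rules(text):
    """Parse rule lines into dicts; header, separator and blank lines are skipped.

    Columns are located by finding the first all-digit token after the source
    address (the protocol number), so an optional source-mask column between
    the source and the protocol is tolerated.
    """
    rules = []
    for raw in text.splitlines():
        toks = raw.strip().lstrip(".").split()
        if len(toks) < 7 or toks[0] not in ("ipv4", "ipv6"):
            continue
        i = 2
        while i < len(toks) and not toks[i].isdigit():
            i += 1  # skip a mask column if present
        try:
            proto, start, end = int(toks[i]), int(toks[i + 1]), int(toks[i + 2])
            action, hits = toks[i + 3], int(toks[i + 4])
        except (IndexError, ValueError):
            continue  # not a rule line we understand; leave it out
        contract = toks[i + 5] if len(toks) > i + 5 else None
        rules.append({
            "version": toks[0], "source": toks[1],
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "start": start, "end": end, "action": action,
            "hits": hits, "contract": contract,
        })
    return rules


def port_summary(rules, ports):
    """Map each port of interest to its rule entries, in table order."""
    summary = defaultdict(list)
    for r in rules:
        for p in ports:
            if r["start"] <= p <= r["end"]:
                summary[p].append((r["proto"], r["action"], r["hits"], r["contract"]))
    return dict(summary)


def deny_precedes_permit(rules, port):
    """True when a Deny* entry for `port` appears before a Permit entry."""
    actions = [r["action"] for r in rules if r["start"] <= port <= r["end"]]
    seen_deny = False
    for a in actions:
        if a.startswith("Deny"):
            seen_deny = True
        elif a == "Permit" and seen_deny:
            return True
    return False


if __name__ == "__main__":
    parsed = parse_cp_rules(SAMPLE_OUTPUT)
    for port, entries in sorted(port_summary(parsed, (8209, 8211, 514)).items()):
        print(f"port {port}:")
        for proto, action, hits, contract in entries:
            print(f"  {proto:4} {action:<14} hits={hits:<10} contract={contract}")
        print(f"  deny before permit: {deny_precedes_permit(parsed, port)}")
```

Run against the real command output (paste it into `SAMPLE_OUTPUT` or read it from a file), the per-port view makes the question in the post concrete: port 8209 shows a DenyNotSecure entry and a later Permit entry with identical hit counters, while 8211 shows only DenyNotMaster in the quoted excerpt, and 514 (syslog) does not appear at all.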