Wireless Access

Frequent Contributor I

Security Policies not having rule statements

We have a newly installed 7030 controller with 6.4.2.12 and noticed that the security policies have no rules.

I checked the user guide below and found which rules should be in the policies:

http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/Defaults.php

What could be the cause, and should I open a TAC case for that behaviour?


Guru Elite

Re: Security Policies not having rule statements

Did you install the policy enforcement license?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I

Re: Security Policies not having rule statements

Yes, the PEF licence is installed, but not within the setup wizard; it was installed after completing the wizard.

Guru Elite

Re: Security Policies not having rule statements

If you install the PEF license after you start configuring, the default policies, roles and netdestinations will not be added. Just paste the information below into the command line to add them:


config t
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-ipp-tcp tcp 631
netservice svc-citrix tcp 2598
netservice svc-tftp udp 69 alg tftp
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-papi udp 8211
netservice svc-natt udp 4500
netservice svc-ica tcp 1494
netservice svc-smtp tcp 25
netservice svc-msrpc-udp udp 135 139
netservice svc-msrpc-tcp tcp 135 139
netservice svc-syslog udp 514
netservice svc-microsoft-ds tcp 445
netservice svc-lpd tcp 515
netservice svc-cfgm-tcp tcp 8211
netservice svc-http-proxy2 tcp 8080
netservice svc-4343 tcp 4343
netservice vnc tcp 5900 5905
netservice svc-http tcp 80
netservice svc-telnet tcp 23
netservice svc-bootp udp 67 69
netservice svc-sccp tcp 2000 alg sccp
netservice svc-h323-udp udp 1718 1719
netservice svc-web tcp list "80 443"
netservice svc-ipp-udp udp 631
netservice svc-vmware-rdp tcp 3389
netservice svc-esp 50
netservice svc-vocera udp 5002 alg vocera
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-http-proxy1 tcp 3128
netservice svc-sec-papi udp 8209
netservice svc-gre 47
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-l2tp udp 1701
netservice svc-svp 119 alg svp
netservice svc-snmp udp 161
netservice svc-pptp tcp 1723
netservice svc-sip-tcp tcp 5060
netservice svc-icmp 1
netservice svc-smb-tcp tcp 445
netservice svc-ssh tcp 22
netservice svc-v6-icmp 58
netservice svc-pcoip2-tcp tcp 4172
netservice svc-pop3 tcp 110
netservice svc-ntp udp 123
netservice svc-h323-tcp tcp 1720
netservice svc-adp udp 8200
netservice svc-netbios-ns udp 137
netservice svc-dns udp 53 alg dns
netservice svc-v6-dhcp udp 546 547
netservice svc-kerberos udp 88
netservice svc-sip-udp udp 5060
netservice svc-http-proxy3 tcp 8888
netservice svc-netbios-dgm udp 138
netservice svc-sips tcp 5061 alg sips
netservice svc-snmp-trap udp 162
netservice svc-ike udp 500
netservice svc-nterm tcp 1026 1028
netservice svc-noe udp 32512 alg noe
netservice svc-pcoip-tcp tcp 50002
netservice svc-pcoip2-udp udp 4172
netservice svc-https tcp 443
netservice svc-ftp tcp 21 alg ftp
netservice svc-smb-udp udp 445
netdestination6 ipv6-reserved-range
  invert
  network 2000::/3
!
netexthdr default
!
time-range working-hours periodic
 weekday 08:00 to  18:00
!
time-range night-hours periodic
 weekday 18:01 to  23:59
 weekday 00:00 to  07:59
!
time-range weekend periodic
 weekend 00:00 to  23:59
!
ip access-list session svp-acl
  any any svc-svp  permit queue high 
  user host 224.0.1.116 any  permit 
!
ip access-list session apprf-stateful-dot1x-sacl
!
ip access-list session logon-control
  user any udp 68  deny 
  any any svc-icmp  permit 
  any any svc-dns  permit 
  any any svc-dhcp  permit 
  any any svc-natt  permit 
  any network 169.254.0.0 255.255.0.0 any  deny 
  any network 240.0.0.0 240.0.0.0 any  deny 
!
ip access-list session apprf-default-vpn-role-sacl
!
ip access-list session apprf-voice-sacl
!
ip access-list session ap-uplink-acl
  any any udp 68  permit 
  any any svc-icmp  permit 
  any host 224.0.0.251 udp 5353  permit 
!
ip access-list session vocera-acl
  any any svc-vocera  permit queue high 
!
ip access-list session icmp-acl
  any any svc-icmp  permit 
!
ip access-list session http-acl
  any any svc-http  permit 
!
ip access-list session v6-logon-control
  ipv6  user any udp 68  deny 
  ipv6  any any svc-v6-icmp  permit 
  ipv6  any any svc-v6-dhcp  permit 
  ipv6  any any svc-dns  permit 
  ipv6  any network fc00::/7 any  permit 
  ipv6  any network fe80::/64 any  permit 
  ipv6  any   alias ipv6-reserved-range any  deny 
!
ip access-list session v6-http-acl
  ipv6  any any svc-http  permit 
!
ip access-list session sip-acl
  any any svc-sip-udp  permit queue high 
  any any svc-sip-tcp  permit queue high 
!
ip access-list session tftp-acl
  any any svc-tftp  permit 
!
ip access-list session citrix-acl
  any any svc-citrix  permit tos 46 dot1p-priority 6 
  any any svc-ica  permit tos 46 dot1p-priority 6 
!
ip access-list session vmware-acl
  any any svc-vmware-rdp  permit tos 46 dot1p-priority 6 
  any any svc-pcoip-tcp  permit tos 46 dot1p-priority 6 
  any any svc-pcoip-udp  permit tos 46 dot1p-priority 6 
  any any svc-pcoip2-tcp  permit tos 46 dot1p-priority 6 
  any any svc-pcoip2-udp  permit tos 46 dot1p-priority 6 
!
ip access-list session srcnat
  user any any  src-nat 
!
ip access-list session ra-guard
  ipv6  user any icmpv6 rtr-adv  deny 
!
ip access-list session global-sacl
!
ip access-list session v6-dhcp-acl
  ipv6  any any svc-v6-dhcp  permit 
!
ip access-list session cplogout
  user   alias controller svc-https  dst-nat 8081 
!
ip access-list session public-facing-control
  any   alias localip svc-https  permit 
  any   alias localip svc-4343  permit 
  any   alias localip svc-ssh  permit 
!
ip access-list session apprf-authenticated-sacl
!
ip access-list session allow-diskservices
  any any svc-netbios-dgm  permit 
  any any svc-netbios-ssn  permit 
  any any svc-microsoft-ds  permit 
  any any svc-netbios-ns  permit 
!
ip access-list session v6-control
  ipv6  user any udp 547  deny 
  ipv6  any any svc-v6-icmp  permit 
  ipv6  any any svc-dns  permit 
  ipv6  any any svc-papi  permit 
  ipv6  any any svc-sec-papi  permit 
  ipv6  any any svc-cfgm-tcp  permit 
  ipv6  any any svc-adp  permit 
  ipv6  any any svc-tftp  permit 
  ipv6  any any svc-dhcp  permit 
  ipv6  any any svc-natt  permit 
!
ip access-list session vpnlogon
  user any svc-ike  permit 
  user any svc-esp  permit 
  any any svc-l2tp  permit 
  any any svc-pptp  permit 
  any any svc-gre  permit 
!
ip access-list session apprf-guest-sacl
!
ip access-list session apprf-public-facing-control-sacl
!
ip access-list session v6-ap-acl
  ipv6  any any svc-gre  permit 
  ipv6  any any svc-syslog  permit 
  ipv6  any user svc-snmp  permit 
  ipv6  user any svc-snmp-trap  permit 
  ipv6  user any svc-ntp  permit 
  ipv6  user any svc-ftp  permit 
!
ip access-list session v6-icmp-acl
  ipv6  any any svc-v6-icmp  permit 
!
ip access-list session v6-allowall
  ipv6  any any any  permit 
!
ip access-list session apprf-default-via-role-sacl
!
ip access-list session validuser
  network 127.0.0.0 255.0.0.0 any any  deny 
  network 169.254.0.0 255.255.0.0 any any  deny 
  network 224.0.0.0 240.0.0.0 any any  deny 
  host 255.255.255.255 any any  deny 
  network 240.0.0.0 240.0.0.0 any any  deny 
  any any any  permit 
  ipv6 host fe80:: any any  deny 
  ipv6 network fc00::/7 any any  permit 
  ipv6 network fe80::/64 any any  permit 
  ipv6  any any any  permit 
!
ip access-list session captiveportal
  user   alias controller svc-https  dst-nat 8081 
  user any svc-http  dst-nat 8080 
  user any svc-https  dst-nat 8081 
  user any svc-http-proxy1  dst-nat 8088 
  user any svc-http-proxy2  dst-nat 8088 
  user any svc-http-proxy3  dst-nat 8088 
!
ip access-list session v6-dns-acl
  ipv6  any any svc-dns  permit 
!
ip access-list session apprf-cpbase-sacl
!
ip access-list session allowall
  any any any  permit 
  ipv6  any any any  permit 
!
ip access-list session h323-acl
  any any svc-h323-tcp  permit queue high 
  any any svc-h323-udp  permit queue high 
!
ip access-list session dhcp-acl
  any any svc-dhcp  permit 
!
ip access-list session v6-https-acl
  ipv6  any any svc-https  permit 
!
ip access-list session allow-printservices
  any any svc-lpd  permit 
  any any svc-ipp-tcp  permit 
  any any svc-ipp-udp  permit 
!
ip access-list session skinny-acl
  any any svc-sccp  permit queue high 
!
ip access-list session https-acl
  any any svc-https  permit 
!
ip access-list session ap-acl
  any any svc-gre  permit 
  any any svc-syslog  permit 
  any user svc-snmp  permit 
  user any svc-snmp-trap  permit 
  user any svc-ntp  permit 
  user any svc-ftp  permit 
!
ip access-list session control
  user any udp 68  deny 
  any any svc-icmp  permit 
  any any svc-dns  permit 
  any any svc-papi  permit 
  any any svc-sec-papi  permit 
  any any svc-cfgm-tcp  permit 
  any any svc-adp  permit 
  any any svc-tftp  permit 
  any any svc-dhcp  permit 
  any any svc-natt  permit 
!
ip access-list session captiveportal6
  ipv6  user   alias controller6 svc-https  captive 
  ipv6  user any svc-http  captive 
  ipv6  user any svc-https  captive 
  ipv6  user any svc-http-proxy1  captive 
  ipv6  user any svc-http-proxy2  captive 
  ipv6  user any svc-http-proxy3  captive 
!
ip access-list session noe-acl
  any any svc-noe  permit queue high 
!
ip access-list session dns-acl
  any any svc-dns  permit 
!
vpn-dialer default-dialer
  ike authentication PRE-SHARE ******
!
user-role default-via-role
 access-list session global-sacl
 access-list session apprf-default-via-role-sacl
 access-list session allowall
!
user-role ap-role
 access-list session ra-guard
 access-list session control
 access-list session ap-acl
 access-list session v6-control
 access-list session v6-ap-acl
!
user-role stateful-dot1x
 access-list session global-sacl
 access-list session apprf-stateful-dot1x-sacl
!
user-role guest-logon
 captive-portal "default"
 access-list session ra-guard
 access-list session logon-control
 access-list session captiveportal
 access-list session v6-logon-control
 access-list session captiveportal6
!
user-role public-facing-control
 access-list session global-sacl
 access-list session apprf-public-facing-control-sacl
 access-list session public-facing-control
!
user-role voice
 access-list session global-sacl
 access-list session apprf-voice-sacl
 access-list session ra-guard
 access-list session sip-acl
 access-list session noe-acl
 access-list session svp-acl
 access-list session vocera-acl
 access-list session skinny-acl
 access-list session h323-acl
 access-list session dhcp-acl
 access-list session tftp-acl
 access-list session dns-acl
 access-list session icmp-acl
!
user-role default-vpn-role
 access-list session global-sacl
 access-list session apprf-default-vpn-role-sacl
 access-list session ra-guard
 access-list session allowall
 access-list session v6-allowall
!
user-role logon
 access-list session ra-guard
 access-list session logon-control
 access-list session captiveportal
 access-list session vpnlogon
 access-list session v6-logon-control
 access-list session captiveportal6
!
user-role cpbase
 access-list session global-sacl
 access-list session apprf-cpbase-sacl
!
user-role authenticated
 access-list session global-sacl
 access-list session apprf-authenticated-sacl
 access-list session ra-guard
 access-list session allowall
 access-list session v6-allowall
!
user-role denyall
!
user-role guest
 access-list session global-sacl
 access-list session apprf-guest-sacl
 access-list session ra-guard
 access-list session http-acl
 access-list session https-acl
 access-list session dhcp-acl
 access-list session icmp-acl
 access-list session dns-acl
 access-list session v6-http-acl
 access-list session v6-https-acl
 access-list session v6-dhcp-acl
 access-list session v6-icmp-acl
 access-list session v6-dns-acl

end



Colin Joseph
Aruba Customer Engineering

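The symptom in this thread (policies present but empty, roles pointing at ACLs that were never created) is easy to miss by eye in a long `show running-config`. The checker below is an added example written for this thread; it is not Aruba code and is not from the poster above. It parses the three statement kinds the pasted configuration uses (`netservice`, `ip access-list session`, `user-role`) and reports ACLs with no rule statements, rules that name a `svc-*` netservice that is not defined, and roles that reference an ACL that does not exist. The `global-sacl` and `apprf-*-sacl` policies are empty in the defaults shown above, so they are treated as expected-empty; the `denyall` role is likewise expected to carry no ACLs. The sample configuration embedded in the block is constructed (a small subset of the defaults with one empty ACL and one dangling reference deliberately added) so the script runs offline; in practice you would feed it the output of `show running-config` from the controller.

```python
"""Sanity-check an ArubaOS PEF configuration dump for empty policies and
dangling references.

Added example, not Aruba code: it parses `netservice`, `ip access-list
session` and `user-role` blocks in the plain CLI form shown in the thread
and reports the symptom the original poster saw (policies without rule
statements) plus references to names that were never defined.
"""

import re
from collections import OrderedDict

# Constructed sample: a subset of the default PEF configuration from the
# thread, with `dns-acl` deliberately left empty and the `guest` role
# deliberately pointing at an undefined `https-acl`, so the checker has
# something to report.
SAMPLE_CONFIG = """\
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-icmp 1
netservice svc-dns udp 53 alg dns
netservice svc-natt udp 4500
ip access-list session logon-control
  user any udp 68  deny
  any any svc-icmp  permit
  any any svc-dns  permit
  any any svc-dhcp  permit
  any any svc-natt  permit
!
ip access-list session global-sacl
!
ip access-list session http-acl
  any any svc-http  permit
!
ip access-list session dns-acl
!
user-role guest
 access-list session global-sacl
 access-list session http-acl
 access-list session https-acl
!
user-role logon
 access-list session logon-control
!
"""

_NETSERVICE = re.compile(r"^netservice\s+(\S+)")
_ACL_HEADER = re.compile(r"^ip access-list session\s+(\S+)")
_ROLE_HEADER = re.compile(r"^user-role\s+(\S+)")
_ROLE_ACL = re.compile(r"^\s+access-list session\s+(\S+)")
# Netservice references inside a rule; the defaults all use the `svc-` prefix.
_SVC_REF = re.compile(r"\bsvc-[\w-]+")
# Policies that are empty by design in the defaults shown in the thread.
_EXPECTED_EMPTY = re.compile(r"^(global-sacl|apprf-.*-sacl)$")


def parse_pef_config(text):
    """Return (netservice names, acl name -> rule lines, role name -> acl names)."""
    netservices = set()
    acls = OrderedDict()
    roles = OrderedDict()
    current = None  # (kind, name) of the block currently open, if tracked
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # `!` terminates a block
            continue
        if not line[0].isspace():
            # Top-level statement: either one we track or a block we skip.
            if m := _NETSERVICE.match(line):
                netservices.add(m.group(1))
                current = None
            elif m := _ACL_HEADER.match(line):
                current = ("acl", m.group(1))
                acls.setdefault(m.group(1), [])
            elif m := _ROLE_HEADER.match(line):
                current = ("role", m.group(1))
                roles.setdefault(m.group(1), [])
            else:
                current = None  # time-range, netdestination6, vpn-dialer, ...
            continue
        # Indented line: belongs to the open block, if it is one we track.
        if current and current[0] == "acl":
            acls[current[1]].append(line.strip())
        elif current and current[0] == "role" and (m := _ROLE_ACL.match(line)):
            roles[current[1]].append(m.group(1))
    return netservices, acls, roles


def check_pef_config(text):
    """Return a list of human-readable findings (empty list means no issues)."""
    netservices, acls, roles = parse_pef_config(text)
    findings = []
    for name, rules in acls.items():
        if not rules and not _EXPECTED_EMPTY.match(name):
            findings.append(f"empty policy: {name}")
        for rule in rules:
            for svc in _SVC_REF.findall(rule):
                if svc not in netservices:
                    findings.append(f"policy {name} references undefined netservice {svc}")
    for role, acl_names in roles.items():
        if not acl_names and role != "denyall":
            findings.append(f"role {role} has no access-lists")
        for acl in acl_names:
            if acl not in acls:
                findings.append(f"role {role} references undefined policy {acl}")
    return findings


if __name__ == "__main__":
    for finding in check_pef_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the real `show running-config` output by replacing `SAMPLE_CONFIG` with the file contents; an output of no findings after pasting the defaults is the quick confirmation that the roles now resolve to populated policies. Note that the checker only verifies structure (every referenced name exists and every policy has at least one rule); whether the rules themselves are the ones you want for a given role is still a review against the user guide linked in the first post.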
