SD-WAN


Forum to discuss HPE Aruba EdgeConnect SD-WAN and SD-Branch solutions. This includes SD-WAN Orchestration WAN edge network functions - routing, security, zone-based firewall, segmentation and WAN optimization, micro-branch solutions, best practices, and third-party integrations. All things SD-WAN!

WebCC filtering in VPNC's LAN port

  • 1.  WebCC filtering in VPNC's LAN port

    Posted Jun 18, 2021 10:31 PM
    Hi all, I have a deployment in which a VPNC is used for terminating IPSec tunnels from other locations, but it also works as the main router and one of its ports is configured as WAN with a public IP address.

    On the other side, there are many LAN ports with different VLANs, and I want to restrict user traffic to streaming, social networking, etc. I already turned on DPI and WebCC in the VPNC and made a policy restricting the web categories streaming and social networking.

    After doing that, I applied this policy to a new trusted LAN interface (new VLAN also) that I set up for testing purposes, but test clients connected through an unmanaged switch to the VPNC's test LAN interface are still able to open YouTube, Facebook, etc.

    What do you think I could be missing here?

    Regards.

    ------------------------------
    Abdel Castro Perpuli
    ------------------------------


  • 2.  RE: WebCC filtering in VPNC's LAN port

    EMPLOYEE
    Posted Jun 19, 2021 08:39 PM
    When you want to apply any policies to a VLAN/interface, it is required for it to be untrusted.
    This applies to all VPNCs/BGWs.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: WebCC filtering in VPNC's LAN port

    Posted Jun 19, 2021 09:54 PM
    But Central says that Firewall Policies are applied in trusted interfaces:

    [screenshot: trusted]
    Actually a policy is currently applied to this test interface and a rule set for restricting a domain name works (although another different one does not).


    ------------------------------
    Abdel Castro Perpuli
    ------------------------------



  • 4.  RE: WebCC filtering in VPNC's LAN port

    EMPLOYEE
    Posted Jun 19, 2021 10:52 PM
    I thought you were after applying user role policies.
    In either case you need to check if the traffic is matching your interface policies.
    Check with this:
    show web-cc stat
    show datapath session web-cc


    Also, it is good practice to enable the "Drop packets during webcc miss" check box.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 5.  RE: WebCC filtering in VPNC's LAN port

    Posted Jun 21, 2021 09:04 AM
    WebCC commands' output makes me think everything is running well with it.

    I rearranged the rules but I'm not sure if that will work:

    [screenshot: rules]


    A question: wouldn't "Drop packets during webcc miss" drop unclassified traffic? There is traffic for internal applications that is not classified and must not be dropped.

    ------------------------------
    Abdel Castro Perpuli
    ------------------------------



  • 6.  RE: WebCC filtering in VPNC's LAN port

    EMPLOYEE
    Posted Jun 21, 2021 07:28 PM
    I think it is best to open a TAC case.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------