Wireless Access

last person joined: 10 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Mobility Controller Firewall or Policy Hits

Jump to Best Answer
  • 1.  Mobility Controller Firewall or Policy Hits

    Posted Jun 07, 2019 10:39 AM

    Hi all,

     

    I did a brief search, so apologies if this is a repeat discussion, but is there a way on the MM (or maybe Clearpass?) to see how many times a certain role or policy is hit on the network?

     

    Also, is there a way to export all roles and policies off the MM and MD via the GUI or CLI?

     

    We are running 8.3.0.4 if that matters at all.

     

    Thanks for any and all input!



  • 2.  RE: Mobility Controller Firewall or Policy Hits
    Best Answer

    Posted Jun 07, 2019 12:20 PM

    For each MD, you could type "show acl hits" to see how many times a policy was hit.



  • 3.  RE: Mobility Controller Firewall or Policy Hits

    Posted Jun 07, 2019 01:54 PM

    Awesome, thank you!



  • 4.  RE: Mobility Controller Firewall or Policy Hits

    Posted Jun 07, 2019 02:49 PM

    The 'show rights' command will display a list of all of the roles. Next to each role name is an ACL List which is just a listing of all of the policies assigned to each role.

     

    'show rights <rolename>' will display the specified role, the policies assigned to it, and the rules assigned to each policy. I believe it is the only place you can see the whole picture; role - policies assigned to the role - rules assigned to each policy.

     

    'show datapath acl id <id#>' display the line by line interpretation of the role. This output converts any aliases to their definition. If a single firewall rule references a netdestination alias that contains 4 hosts, this output shows 4 rules, one for each netdestination alias. This is the hardcore presentation of how the controller processes the firewall rules. The <id#> can be found from either of the previous commands i mentioned. You will need to go to the CLI reference guide and do some digging to understand how to interpret this output.

     

    This doesn't give you exactly what you were looking for as far as exporting the roles, but it may help. A simple copy from the CLI will allow you paste any of these elsewhere.

     

    I hope this helps,