Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Firewall and dpi

  • 1.  Firewall and dpi

    Posted Sep 21, 2015 06:13 AM

    Hi,

    For a month now we have had an issue with our W7210 firewall.

    We have an open SSID with an external captive portal (10.7.0.255).

    Occasionally the HTTPS traffic from clients to the captive portal is allowed by the Aruba firewall, but sometimes it is not:

    (STARSKY) #show datapath session table 10.7.37.221

    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           A - Application Firewall Inspect

    Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- ---------  --------- ---------------
    10.7.37.221     10.7.0.255      6    50629 443    0/0  0    0   0   tunnel 2332 1    0          0          FDYCA

    How can I investigate this issue?



  • 2.  RE: Firewall and dpi

    Posted Sep 21, 2015 06:23 AM

    What is the ip address 10.7.37.221?



  • 3.  RE: Firewall and dpi

    Posted Sep 21, 2015 06:30 AM

    It's my test client. Can you explain the A flag to me?

    Does it seem the DPI has blocked it?



  • 4.  RE: Firewall and dpi

    Posted Sep 21, 2015 06:32 AM

    A just means that it is looking at it.  What role do you have the client in and what rules do you have?

    On the command line type "show rights <role>"



  • 5.  RE: Firewall and dpi

    Posted Sep 21, 2015 06:47 AM

    My client has the "eduspot" role; the role details are attached.

    Attachment(s): eduspot.txt


  • 6.  RE: Firewall and dpi

    Posted Sep 21, 2015 06:54 AM

    Are you trying to block eduspot?


    deny-inter-user
    ---------------
    Priority  Source      Destination           Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------      -----------           -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user        10.7.0.255            any                   permit                           Low                                                           4        
    2         10.7.0.255  any                   any                   permit                           Low                                                           4        
    3         user        10.7.0.0 255.255.0.0  any                   deny                             Low                                                           4        
    deny-broadcast-eduspot
    ----------------------
    Priority  Source  Destination   Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------   -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     10.7.255.255  any                   deny                             Low                                                           4        


  • 7.  RE: Firewall and dpi

    Posted Sep 21, 2015 08:52 AM

    My network mask is 255.255.0.0 (/16)

    What I want to do:

    1: Allow users to reach the captive portal IP, which is 10.7.0.255

    2: Allow the captive portal to reach clients

    3: Block traffic between users

    4: Block broadcast



  • 8.  RE: Firewall and dpi

    Posted Sep 21, 2015 09:16 AM

    user        10.7.0.255            any

    1, 2: That is the only line you will need to allow users to reach the captive portal.  The firewall is stateful, so it will allow responses to user queries.

    3: In the Virtual AP profile, you can enable "Deny Inter-User Traffic"

    4: In the Virtual AP profile, you can enable "Drop Broadcast and Unknown Multicast"



  • 9.  RE: Firewall and dpi

    Posted Sep 21, 2015 09:24 AM

    Now, without modifying anything, the traffic is going through!

    (STARSKY) #show datapath session table 10.7.37.221

    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           A - Application Firewall Inspect

    Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- ---------  --------- ---------------
    10.7.37.221     10.7.0.255      6    51465 443    0/0  0    0   0   tunnel 2332 3    56         4184       FC
    10.7.0.255      10.7.37.221     6    443   51465  0/0  0    0   0   tunnel 2332 3    75         86820      F

    Any idea?


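The two session-table captures above differ only in their Flags column (FDYCA versus FC/F). The script below is an added example, not code from the thread or from Aruba: it parses "show datapath session table" rows, decodes each flag letter with the legend the controller prints, and lists the sessions carrying the D (deny) flag so a dump taken during an outage can be triaged quickly. The sample rows are the thread's own output, embedded here as constructed test data.

```python
import re

# Flag legend exactly as printed by 'show datapath session table' in the thread.
FLAG_LEGEND = {
    "F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny",
    "R": "redirect", "Y": "no syn", "H": "high prio", "P": "set prio",
    "T": "set ToS", "C": "client", "M": "mirror", "V": "VOIP",
    "Q": "Real-Time Quality analysis", "I": "Deep inspect",
    "U": "Locally destined", "E": "Media Deep Inspect",
    "G": "media signal", "A": "Application Firewall Inspect",
}

# One session row; note the Destination column is two tokens ("tunnel 2332").
ROW_RE = re.compile(
    r"^\s*(?P<src>\d+(?:\.\d+){3})\s+(?P<dst>\d+(?:\.\d+){3})\s+(?P<prot>\d+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+\S+\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<dest>\S+\s+\d+)\s+\d+\s+(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<flags>[A-Z]*)\s*$"
)

def parse_sessions(output):
    """Return a list of session dicts; legend, header and separator lines are skipped."""
    sessions = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        s = m.groupdict()
        for key in ("prot", "sport", "dport", "packets", "bytes"):
            s[key] = int(s[key])
        s["decoded"] = [FLAG_LEGEND.get(c, "unknown(" + c + ")") for c in s["flags"]]
        sessions.append(s)
    return sessions

def denied_sessions(sessions):
    """Sessions carrying the D flag: the firewall is dropping them, so start there."""
    return [s for s in sessions if "D" in s["flags"]]

# Constructed sample data: the blocked and the working capture from the thread.
SAMPLE_BLOCKED = """\
Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets    Bytes      Flags
10.7.37.221     10.7.0.255      6    50629 443    0/0  0    0   0   tunnel 2332 1    0          0          FDYCA
"""
SAMPLE_WORKING = """\
10.7.37.221     10.7.0.255      6    51465 443    0/0  0    0   0   tunnel 2332 3    56         4184       FC
10.7.0.255      10.7.37.221     6    443   51465  0/0  0    0   0   tunnel 2332 3    75         86820      F
"""

if __name__ == "__main__":
    for name, text in (("blocked", SAMPLE_BLOCKED), ("working", SAMPLE_WORKING)):
        hits = denied_sessions(parse_sessions(text))
        print(name, [(s["src"], s["dst"], s["dport"], s["decoded"]) for s in hits])
```

Run it against a fresh "show datapath session table <client-ip>" capture; a row with D plus zero packets and bytes, like the first capture, shows the drop happened at the firewall rather than upstream of it.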

  • 10.  RE: Firewall and dpi

    Posted Sep 21, 2015 09:48 AM

    Are you blocking any traffic using the AppRF dashboard?


  • 11.  RE: Firewall and dpi

    Posted Sep 23, 2015 04:46 AM

    Hi,

    I don't block anything in AppRF. I applied your recommendation, and for two days there wasn't any block, but this morning the captive portal is blocked again. I attach the new "show rights eduspot".

    Attachment(s): eduspot2.txt