Security

  • 1.  Web and Application filtering Question

    Posted 5 days ago

    Hello,

    I am testing out an Aruba 9004 in Wireless Gateway mode and wanted to play around with some of the Advanced Firewall features such as Web categories, and Applications. Example: Block all traffic to Netflix, rate-limit O365.  I can't figure it out though with the validated design guides or the search bar in Central. Is there a step-by-step document I might have missed? 

    Thanks in advance,



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------


  • 2.  RE: Web and Application filtering Question

    Posted 5 days ago

    Like this?



    ------------------------------
    Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 3.  RE: Web and Application filtering Question

    Posted 5 days ago
    Hi Marcel,

    Thanks for sharing. I actually came that far already, but it appears that it isn't getting applied. When I test it with a client, for example, the websites are still allowed.





  • 4.  RE: Web and Application filtering Question

    Posted 5 days ago
    Edited by Herman Robers 5 days ago

    Have you enabled DPI/App Visibility on your gateway?

    Do you see Applications being recognized?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Web and Application filtering Question

    Posted 4 days ago

    Hi Herman,

    Yes, I did turn that on. In Aruba Central, when selecting the Gateway I see several applications (Apple Store, MS Office 365, WhatsApp etcetera). I configured a policy and applied it on the VLAN that serves the Wi-Fi clients. I did not do anything specific with roles though

    and applied the policy as below


    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------



  • 6.  RE: Web and Application filtering Question
    Best Answer

    Posted 4 days ago
    Edited by mvanoverbeek an hour ago

    When testing at home, I created a policy to block the Netflix app category and applied it to the role assigned to my Wi-Fi SSID. This successfully blocked Netflix both in the app and in the Safari browser on my Mac. However, on my Windows PC using Chrome or Edge, I was still able to access Netflix via the browser.

    It seems the effectiveness of the block depends on how the browser handles the traffic. To address this, you might need to identify Netflix's CDN addresses and block those as well.

    Additionally, ensure that a role-assignment (AAA profile) is applied to the VLAN associated with the device. Without this, the policy may not take effect for all connected clients.



    ------------------------------
    Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 7.  RE: Web and Application filtering Question

    Posted 4 days ago

    Thank you Marcel, let me test this a little further, that AAA profile you mentioned is something I had not applied yet. I am going to take a look at that. 



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------



  • 8.  RE: Web and Application filtering Question

    Posted 2 hours ago

    Hi Marcel,

    Thanks again for explaining, I think I understand it now.

    In its simplest form this worked for me:

    • You create a role in the AP group (either the SSID or some other role)
    • For "Access" use Role based or unrestricted for the SSID
    • You enforce the Role in the gateway group at device/group level

    The last thing I want to figure out is how to use the filtering at the VLAN level instead of the role so it applies to all SSIDs that traverse the gateway.



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------