Security


Web and Application filtering Question

  • 1.  Web and Application filtering Question

    Posted Jan 09, 2025 05:23 PM

    Hello,

    I am testing out an Aruba 9004 in Wireless Gateway mode and wanted to play around with some of the Advanced Firewall features such as Web categories, and Applications. Example: Block all traffic to Netflix, rate-limit O365.  I can't figure it out though with the validated design guides or the search bar in Central. Is there a step-by-step document I might have missed? 

    Thanks in advance,



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------


  • 2.  RE: Web and Application filtering Question

    Posted Jan 09, 2025 06:59 PM

    Like this?



    ------------------------------
    Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 3.  RE: Web and Application filtering Question

    Posted Jan 09, 2025 08:07 PM
    Hi Marcel,

    Thanks for sharing. I actually came that far already, but it appears that it isn't getting applied. When I test it with a client, for example, the web sites are still allowed.





  • 4.  RE: Web and Application filtering Question

    Posted Jan 10, 2025 03:10 AM
    Edited by Herman Robers Jan 10, 2025 03:10 AM

    Have you enabled DPI/App Visibility on your gateway?

    Do you see Applications being recognized?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Web and Application filtering Question

    Posted Jan 10, 2025 11:04 AM

    Hi Herman,

    Yes, I did turn that on. In Aruba Central, when selecting the gateway I see several applications (Apple Store, MS Office 365, WhatsApp, etcetera). I configured a policy and applied it on the VLAN that serves the Wi-Fi clients. I did not do anything specific with roles though

    and applied the policy as below


    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------



  • 6.  RE: Web and Application filtering Question
    Best Answer

    Posted Jan 10, 2025 12:06 PM
    Edited by mvanoverbeek Jan 15, 2025 09:03 AM

    When testing at home, I created a policy to block the Netflix app category and applied it to the role assigned to my Wi-Fi SSID. This successfully blocked Netflix both in the app and in the Safari browser on my Mac. However, on my Windows PC using Chrome or Edge, I was still able to access Netflix via the browser.

    It seems the effectiveness of the block depends on how the browser handles the traffic. To address this, you might need to identify Netflix's CDN addresses and block those as well.

    Additionally, ensure that a role-assignment (AAA profile) is applied to the VLAN associated with the device. Without this, the policy may not take effect for all connected clients.



    ------------------------------
    Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 7.  RE: Web and Application filtering Question

    Posted Jan 10, 2025 02:04 PM

    Thank you Marcel, let me test this a little further, that AAA profile you mentioned is something I had not applied yet. I am going to take a look at that. 



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------



  • 8.  RE: Web and Application filtering Question

    Posted Jan 15, 2025 09:01 AM

    Hi Marcel,

    Thanks again for explaining, I think I understand it now

    In its simplest form this worked for me:

    • You create a role in the AP group (either the SSID or some other role)
    • For "Access" use Role based or unrestricted for the SSID
    • You enforce the Role in the gateway group at device/group level

    The only last thing I want to figure out is how to use the filtering at the VLAN level instead of the role, so it applies to all SSIDs that traverse the gateway.



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------



  • 9.  RE: Web and Application filtering Question

    Posted Jan 15, 2025 11:28 AM

    Hi Martijn.

    Marcel already showed this in his snapshot. You can assign a role on a VLAN and it will be applied to all traffic over this VLAN.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 10.  RE: Web and Application filtering Question

    Posted Jan 15, 2025 11:33 AM

    I guess I misinterpreted that, thank you.

    Martijn van Overbeek
    Architect
    Work 443-333-5809
    Mobile 984-528-1279
    Email mvanoverbeek@blueally.com






  • 11.  RE: Web and Application filtering Question

    Posted Jan 16, 2025 12:40 PM

    Argh, I think I applied everything correctly but my rules do not work. Below are some screenshots; is there any command I can run on the device to figure out why my policy doesn't work? Below is what I configured.

    Sidenote: I noticed that the gateway CLI had some sticky stuff that is not visible anymore at the Aruba Central group or device level.

    I created a new role called NewRole.

    I assigned a NewPolicy denying some categories (gambling, shopping, games).

    At the gateway level, I created an AAA profile as below.
    I assigned the profile to VLAN 25.
    Here's a snapshot of the web category, marking this site as gambling.
    On the box it looks like this:
    ip access-list session global-sacl 
    !
    ip access-list session apprf-newrole-sacl
    !
    ip access-list session allowall 
        any any any permit 
        ipv6 any any any permit 
    !
    ip access-list session newrole 
        any any any permit 
    !
    ip access-list session newpolicy 
        any any web-cc-category "gambling" deny 
        any any web-cc-category "shopping" deny 
        any any web-cc-category "games" deny 
    !
    user-role NewRole 
        access-list session global-sacl 
        access-list session apprf-newrole-sacl 
        access-list session newpolicy 
        access-list session allowall 
        access-list session newrole 
    !
    aaa profile "vlan25-200overlake" 
        initial-role "NewRole" 
        mac-default-role "NewRole" 
        dot1x-default-role "NewRole" 
    !
    vlan 25 
    wired aaa-profile "vlan25-200overlake" 
    !
    interface gigabitethernet 0/0/0
        description "Data"
        trusted
        trusted vlan 25,254
        no poe
        ip access-group vlan 25 session "wirelessgw"
        ip access-group vlan 254 session "wirelessgw"
        jumbo
        switchport mode trunk
        switchport access vlan 4094
        switchport trunk native vlan 254
        switchport trunk allowed vlan 25,254
        lacp group 0 mode active
        lldp transmit
        lldp receive
        lldp med
    !
    interface gigabitethernet 0/0/1
        description "data"
        trusted
        trusted vlan 1-4094
        no poe
        switchport mode access
        switchport trunk allowed vlan 1-4094
        lacp group 0 mode active
        lldp transmit
        lldp receive
        lldp med
    !
    interface gigabitethernet 0/0/2
        no poe
        switchport mode access
        switchport access vlan 1
        switchport trunk allowed vlan 1-4094
    !
    interface gigabitethernet 0/0/3
        no poe
        switchport mode access
        switchport access vlan 1
        switchport trunk allowed vlan 1-4094
    !
    interface port-channel 0
        trusted
        trusted vlan 25,254
        ip access-group session "web-test"
        switchport mode trunk
        switchport trunk native vlan 254
        switchport trunk allowed vlan 25,254
    !


    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------
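Editor's added example (not code from the thread, and not an Aruba tool): a small linter over the stanzas posted in reply 11 that flags the two binding mistakes a practitioner checks first when a role's web-category denies do not take effect. It relies on two ArubaOS behaviours: the session ACLs listed in a user-role are evaluated in order with first match winning, so a permit-any ACL ordered ahead of the category denies makes those denies dead; and traffic arriving on a port or VLAN marked `trusted` is not subjected to user-role session ACLs, so a VLAN that is both bound to a wired aaa-profile and listed under `trusted vlan` on an interface will not be filtered. The `CONFIG` string is a constructed excerpt of the posted configuration trimmed to what the checks need, and `SWAPPED` is a constructed variant with the ACL order flipped; the function names are the editor's own.

```python
# Added example, not an Aruba tool: lint a gateway config for two bindings that
# make role-based web-category denies silently not apply.
import re

# Constructed excerpt of the configuration posted above, trimmed to what the checks need.
CONFIG = """\
ip access-list session allowall
    any any any permit
    ipv6 any any any permit
!
ip access-list session newpolicy
    any any web-cc-category "gambling" deny
    any any web-cc-category "shopping" deny
!
user-role NewRole
    access-list session newpolicy
    access-list session allowall
!
aaa profile "vlan25-200overlake"
    initial-role "NewRole"
!
vlan 25
wired aaa-profile "vlan25-200overlake"
!
interface gigabitethernet 0/0/0
    trusted vlan 25,254
!
"""

# Constructed variant: the permit-any ACL ordered ahead of the category denies.
SWAPPED = CONFIG.replace(
    "    access-list session newpolicy\n    access-list session allowall\n",
    "    access-list session allowall\n    access-list session newpolicy\n",
)


def expand(spec):
    """Expand a VLAN list such as '25,254' or '1-4094' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def is_permit_any(rule):
    """True for 'any any any permit', with or without the ipv6 prefix."""
    t = rule.split()
    if t and t[0] == "ipv6":
        t = t[1:]
    return t[:3] == ["any", "any", "any"] and t[-1] == "permit"


def parse(config):
    """Index '!'-terminated stanzas: ACL rules, role ACL order, profiles, VLAN bindings, trusted VLANs."""
    acls, roles, profiles, vlan_profiles, trusted = {}, {}, {}, {}, set()
    for stanza in filter(str.strip, config.split("!\n")):
        lines = [l.strip() for l in stanza.splitlines() if l.strip()]
        head, body = lines[0], lines[1:]
        if head.startswith("ip access-list session "):
            acls[head.split()[-1]] = body
        elif head.startswith("user-role "):
            roles[head.split()[1]] = [l.split()[-1] for l in body if l.startswith("access-list ")]
        elif head.startswith("aaa profile "):
            profiles[head.split('"')[1]] = {l.split()[0]: l.split('"')[1] for l in body if "-role " in l}
        elif head.startswith("vlan "):
            for l in body:
                if l.startswith("wired aaa-profile "):
                    vlan_profiles[int(head.split()[1])] = l.split('"')[1]
        elif head.startswith("interface "):
            for l in body:
                m = re.match(r"trusted vlan (\S+)", l)
                if m:
                    trusted |= expand(m.group(1))
    return acls, roles, profiles, vlan_profiles, trusted


def lint(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    acls, roles, profiles, vlan_profiles, trusted = parse(config)
    findings = []
    for role, acl_names in roles.items():
        permit_any_in = None  # first ACL, in role order, that permits everything
        for name in acl_names:
            for rule in acls.get(name, []):
                if permit_any_in and rule.split()[-1] == "deny":
                    findings.append(f"role {role}: denies in {name} are shadowed by permit-any in {permit_any_in}")
                    break  # one finding per shadowed ACL is enough
                if permit_any_in is None and is_permit_any(rule):
                    permit_any_in = name
    for vid, prof in vlan_profiles.items():
        for key, role in profiles.get(prof, {}).items():
            if role not in roles:
                findings.append(f"aaa profile {prof}: {key} {role} is not a defined user-role")
        if vid in trusted:  # trusted traffic bypasses user-role session ACLs
            findings.append(f"vlan {vid}: bound to wired aaa-profile {prof} but carried as a trusted VLAN")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted order", CONFIG), ("swapped order", SWAPPED)):
        print(label, lint(cfg) or ["no findings"])
```

Run against the posted order the linter reports nothing about the role itself (newpolicy precedes allowall, so the denies are reachable) and flags only that VLAN 25 is carried as a trusted VLAN on the interface while also carrying the wired aaa-profile; the swapped variant additionally reports the shadowed denies. On the gateway itself, `show rights NewRole` lists the role's ACLs in evaluation order and `show user-table` shows whether a client on the VLAN was actually placed in NewRole; a client that never appears there is not being subjected to the role's policy at all.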