ArubaOS and Controllers

Occasional Contributor I

Network > Ports Firewall Policy Help


I'm working on locking down a deployed Aruba that has some open ports. Being the gateway, we can't just go blocking the ports that people might need, so we need to set up a firewall for the controller, while allowing all other traffic through.

I think this should be done through the Network > Ports section, but I'm at a bit of a stumbling block with the terminology.

So, for Firewall Policy, there are three options, In, Out, and Session. What is the difference between the two? What affect does it have on the policies that I apply to it?

My initial thinking is that In is for traffic heading to the controller (not the network behind it), Out is leaving the controller (from the network behind it), and Session is for actual client traffic, as it'll allow traffic to go in both ways.

In our case, I want to set up a policy and apply it to "In", which closes all ports we don't need, with a whitelist for maintaining remote access.

Am I on the ball?

Thanks for any help you can offer.
Guru Elite

Knowledge Base

I think you need knowledgebase answer ID 63, " What is the minimum firewall configuration to allow my AP to connect to the controller?" and Ansewr ID 678, entitled "What network ports must be configured on the firewall to allow other types of traffic in the Aruba network?"

For firewall policies on a port, you need a "session" ACL. A session ACL on a port of the Aruba Controller will allow any traffic OUT of the controller and will accept any traffic that returns that is part of that conversation. The session ACL specifies which traffic that is NOT initiated by the Aruba controler that is allowed to flow from the outside in. A good example of this is connecting an Aruba Controller to a Cable Modem :

The only thing you need to allow from the outside is DHCP. Everything else is initiated by the controller:

ip access-list session dhcp-only
any any svc-dhcp permit
any any any deny
interface fastethernet 1/0
ip access-group dhcp-only session

If of course, your firewall is between your access points, your authentication servers, etc it is more involved. Your session ACL needs to permit any traffic that would NOT be initiated by the controller.

For a complete lockdown, you need to model your session ACL having a source of ANY device that will initiate traffic and a destination of one of the controller's management ports. You also need to lock down the protocols based on the two articles mentioned above. In every lockdown, "show datapath session table" command is your friend in that you always have to determine if you are blocking something inadvertently.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Occasional Contributor I

Re: Network > Ports Firewall Policy Help

Thanks for the reply!

After looking into the links, I'm not sure if that's exactly what I'm looking for. Stick with me here:

So, a Session ACL will only allow traffic to enter the Aruba from the outside when it is the return traffic of an outbound session. So, anything that needs to initiate a connection from the outside will be blocked.

What about the "In" and "Out" drop down boxes in the same area? Do they merely correspond to the same kind of ACL, or are they "Special" in some way? What, exactly, are they for?

Finally, in the second Answer ID you provided, it mentions all the Aruba-related traffic and their ports. If someone from the inside tries to initiate a connection to the outside, it will be permitted because of the DHCP-only session ACL, correct?

And of course, to accept a connection from the outside, I will have to specify an ACL that will explicitly accept that connection on that port. Would I use a session ACL for that?

Sorry for 100 questions, really want to make sure I have a firm understanding of the powers at work here : )

Oh, one more thing. I'm really just trying to block some open ports from a port scan. Is there another way, such as disabling the services directly, like FTP?

Thanks again for your time!
Search Airheads
Showing results for 
Search instead for 
Did you mean: