How to filter Web traffic for WLAN clients using Web Category?

Aruba Employee

Introduction- Web Category (Web URL) filtering is the ability to classify and enforce policies on web-based traffic, i.e. all browser-based HTTP and HTTPS URLs accessed by users on the network. This feature was introduced in Instant 4.1 and is supported on all IAPs. When a client requests any web traffic, the IAP does a lookup in BrightCloud and gets the Web Category and Web Reputation information for the session. Once the session is classified, the IAP allows or denies it based on the firewall policy.

Feature Notes- 

  • Wireless clients can now be restricted from accessing illegal or unauthorized websites without denying HTTP or HTTPS traffic.
  • Selected web categories can be chosen to protect end users from the security and legal ramifications of visiting various websites.

Environment- This article applies to Instant AP deployment running 4.1 and above.



Configuration Steps- Create a new SSID of your choice.



Select VLAN type as required.



Security can be configured as per requirement.



Select the Network-based option and choose Web Category.
From the list of web categories, choose the classification as required.

Once configured, add an "any deny" rule at the bottom to deny every other request.

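The "any deny" rule only acts as a catch-all if it is the last rule in the list. The following Python check is an added example, not Aruba code: it assumes first-match rule evaluation and the `rule any any match webcategory <name> <action>` line form, and the sample block, rule name and category names are constructed.

```python
import re

# Constructed access-rule block in the style of "show running-config".
# Rule name and category names are illustrative; line syntax is an assumption.
SAMPLE = """\
wlan access-rule guest-web
 rule any any match webcategory gambling deny
 rule any any match webcategory malware-sites deny
 rule any any match any any any permit
 rule any any match webcategory hacking deny
"""

RULE = re.compile(
    r"^\s*rule any any match (?:webcategory (\S+)|any any any) (permit|deny)\s*$")

def parse_rules(config):
    """Return [(category, action)] in config order; category None = any-any."""
    return [m.groups() for m in map(RULE.match, config.splitlines()) if m]

def decide(rules, category):
    """Assumed first-match semantics. category=None models a session the
    lookup could not classify, so only any-any rules can match it."""
    for cat, action in rules:
        if cat is None or cat == category:
            return action
    return "no-match"

def audit(rules):
    """Flag rules placed after a catch-all and a missing final any-any deny."""
    findings, seen_any = [], False
    for i, (cat, _) in enumerate(rules, 1):
        if seen_any:
            findings.append(f"rule {i} is shadowed by an earlier any-any rule")
        seen_any = seen_any or cat is None
    if not rules or rules[-1] != (None, "deny"):
        findings.append("last rule is not an any-any deny")
    return findings

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for finding in audit(rules):
        print("FINDING:", finding)
    for cat in ("gambling", "hacking", None):
        print(cat, "->", decide(rules, cat))
```

In the constructed sample, the misplaced permit lets both the "hacking" category and unclassified sessions through, which is the outcome the final "any deny" rule is meant to prevent.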

Verification- To verify the SSID configuration, run "show running-config".

To verify the access rules, run "show access-rule <rule name>".

To verify the client role after the client connects, run "show clients".

To verify that the ACL is being hit, run "show datapath acl <acl number>".

When a client tries to access an unauthorized website, the browser shows a notification that service to the requested web page is denied.



  • Ensure port 80 is allowed on the firewall, as the IAP looks up BrightCloud to classify web traffic.
  • Make sure the client is in the right role ("show clients", as in the verification steps).
  • From the datapath ACL output ("show datapath acl <acl number>"), verify that the ACL is being hit.


Version history
Revision #: 1 of 1
Last update: 04-05-2015 03:45 AM