Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Firewall/NAT-ed Client Visibility?

  • 1.  Firewall/NAT-ed Client Visibility?

    Posted Mar 13, 2017 12:10 PM

    Hello. We have about 10 APs running in Instant/Virtual Controller mode. I am getting a security alert from our IDS device that the Virtual Controller is trying to access a known malware sinkhole. Obviously this is coming from a wireless client connected to our Aruba infrastructure.

     

    Is there a way to view (in the Virtual Controller logs or elsewhere) what device is trying to access that specific IP address?

     

    Thanks!



  • 2.  RE: Firewall/NAT-ed Client Visibility?

    EMPLOYEE
    Posted Mar 13, 2017 12:13 PM

    Any client on a Virtual-Controller Assigned VLAN will NAT its traffic out of the Virtual Controller.  Unfortunately, you will have to run the "show datapath session table <ip address>" command on the VC while the client is doing this, otherwise the session listing will go away when the client is finished.
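    The attribution problem described in this reply, as an added example that is not from the thread or from Aruba: because the VC source-NATs the client, the IDS only sees the VC's address, so the inside source has to be read from the live session table and then mapped to a client MAC (assumed here to come from a "show clients" style listing). Both column layouts and all addresses below are constructed approximations, not verbatim device output.

```python
"""Added example (not from the thread or Aruba): attribute a sinkhole alert
to the NAT-hidden wireless client. `show datapath session table <ip>` lists
the inside source while the flow is live; `show clients` maps that inside IP
to a MAC. Column layouts are approximations (assumption); data is constructed."""
import re

SESSION_TABLE = """\
  Source IP       Destination IP  Prot SPort DPort  Cntr  Prio ToS Age Destination TAge Flags
  --------------  --------------  ---- ----- -----  ----  ---- --- --- ----------- ---- -----
  10.20.30.45     198.51.100.7    6    51422 80     0/0   0    0   1   dev1        3a   FSC
  10.20.30.12     203.0.113.9     17   5353  5353   0/0   0    0   0   dev1        1    FC
  10.20.30.45     203.0.113.9     6    51430 443    0/0   0    0   2   dev1        4    FSC
"""
CLIENT_TABLE = """\
Name    IP Address    MAC Address        OS       ESSID  Access Point  Role
----    ----------    -----------        --       -----  ------------  ----
lab-pc  10.20.30.45   aa:bb:cc:dd:ee:01  Win 10   Corp   AP-Lobby      employee
phone   10.20.30.12   aa:bb:cc:dd:ee:02  Android  Corp   AP-Lobby      employee
"""
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAC = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def sessions_to(session_text, dst_ip):
    """(src_ip, proto, dport, flags) for each live flow toward dst_ip.
    An 'S' in flags marks a source-NATed flow: the IDS saw the VC, not src_ip."""
    hits = []
    for line in session_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not IPV4.match(cols[0]) or cols[1] != dst_ip:
            continue  # header, separator, or a flow to another destination
        hits.append((cols[0], cols[2], cols[4], cols[-1]))
    return hits

def ip_to_mac(client_text):
    """Inside-IP -> MAC map built from a `show clients` style listing."""
    table = {}
    for line in client_text.splitlines():
        cols = line.split()
        ips = [c for c in cols if IPV4.match(c)]
        macs = [c for c in cols if MAC.match(c)]
        if ips and macs:
            table[ips[0]] = macs[0].lower()
    return table

def attribute_alert(session_text, client_text, sinkhole_ip):
    """Join both views: each live flow to the sinkhole -> (src_ip, mac, proto, dport, flags)."""
    macs = ip_to_mac(client_text)
    return [(src, macs.get(src, "unknown"), proto, dport, flags)
            for src, proto, dport, flags in sessions_to(session_text, sinkhole_ip)]
```

Because the session entry disappears once the client stops talking, this lookup has to be run while the flow is still up (or polled repeatedly) to catch the inside source.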



  • 3.  RE: Firewall/NAT-ed Client Visibility?

    Posted Mar 13, 2017 12:19 PM

    Thanks for the reply.

     

    Is there any way to collect these events via a Syslog receiver we have for the Virtual Controller? An "outbound" firewall rule that could be triggered/recorded when a wireless client tries to access a specific IP?



  • 4.  RE: Firewall/NAT-ed Client Visibility?

    MVP EXPERT
    Posted Mar 14, 2017 03:44 AM

    The Instant allows you to configure a firewall rule which is set to "log". When this rule is matched it will log it to a syslog server of your choice (providing a syslog is configured).

     

    firewall.jpeg



  • 5.  RE: Firewall/NAT-ed Client Visibility?
    Best Answer

    Posted Mar 14, 2017 04:14 AM

    Please try the following steps.

     

    1. Add an explicit ACL for traffic going to that particular server & enable blacklist on the ACL (as shown in screenshot).

    2. Please enable blacklisting under the Security profile on the SSID.

    SSID --> Security --> Blacklist

    Now in case any user is trying to send traffic to that server, it should get dynamically blacklisted.

    The user MAC address can be checked from the monitoring page (Alert) as seen in the screenshot.

    The blacklist time can be changed as well, as seen in screenshot:

    System --> Show advanced --> Blacklisting

    We also have an option to log the ACL & hits can be seen under security logs.

    As indicated from the post, the client is not allowed to access that URL, so it's better to blacklist it.

     

     



  • 6.  RE: Firewall/NAT-ed Client Visibility?

    Posted Mar 14, 2017 11:11 AM

    Good stuff, thanks for your guidance. I'll try these options you've given me and post an update when I get some time. Thanks again.



  • 7.  RE: Firewall/NAT-ed Client Visibility?

    Posted Mar 14, 2017 12:00 PM

    Would the System>Monitoring levels shown in the attached screenshot be sufficient to register these block/blacklist events in syslog?



  • 8.  RE: Firewall/NAT-ed Client Visibility?

    Posted Mar 15, 2017 02:22 AM

    We can see the information by keeping the parameters set to warning levels.