Controllerless Networks

Occasional Contributor II

Firewall/NAT-ed Client Visibility?

Hello. We have about 10 APs running in Instant/Virtual Controller mode. I am getting a security alert from our IDS device that the Virtual Controller is trying to access a known malware sinkhole. Obviously this is coming from a wireless client connected to our Aruba infrastructure.


Is there a way to view (in the Virtual Controller logs or elsewhere) what device is trying to access that specific IP address?



Guru Elite

Re: Firewall/NAT-ed Client Visibility?

Any client on a Virtual-Controller Assigned VLAN will NAT its traffic out of the Virtual Controller. Unfortunately, you will have to run the "show datapath session table <ip address>" command on the VC while the client is doing this; otherwise the session listing will go away when the client is finished.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor II

Re: Firewall/NAT-ed Client Visibility?

Thanks for the reply.


Is there any way to collect these events via a Syslog receiver we have for the Virtual Controller? An "outbound" firewall rule that could be triggered/recorded when a wireless client tries to access a specific IP?

MVP Guru

Re: Firewall/NAT-ed Client Visibility?

Instant allows you to configure a firewall rule which is set to "log". When this rule is matched it will log it to a syslog server of your choice (providing a syslog server is configured).



MVP Expert

Re: Firewall/NAT-ed Client Visibility?

Please try the following steps.


1. Add an explicit ACL for traffic going to that particular server and enable blacklist on the ACL (as shown in the screenshot).


2. Please enable blacklisting under the Security profile on the SSID




Now, in case any user tries to send traffic to that server, it should get dynamically blacklisted.


The user MAC address can be checked from the monitoring page (Alert), as seen in the screenshot.


The blacklist time can be changed as well, as seen in the screenshot:


System--Show advanced--Blacklisting



We also have an option to log the ACL, and hits can be seen under the security logs.


As indicated in the post, the client is not allowed to access that URL, so it's better to blacklist it.



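The two answers above (a "log" firewall rule on the Instant VC, and a logged ACL whose hits show up in the security logs) both end with events arriving at a syslog receiver, where the original question still has to be answered: which client MAC or pre-NAT IP is behind the hits on the sinkhole address. The script below is an added example and is not code from the thread, from Aruba or from InstantOS. It deliberately does not assume a particular InstantOS message layout: it only relies on the destination IP and, if the rule logs it, a MAC address appearing somewhere in the message text. The sinkhole address 192.0.2.10 (RFC 5737 documentation space) and the sample syslog lines are constructed for the example; substitute the IP your IDS reported and check the real message format against what your VC actually sends.

```python
"""Watch syslog from an Instant Virtual Controller for hits on a malware sinkhole.

Added example, not Aruba/InstantOS code. Message format is NOT assumed: any line
containing a sinkhole IP is a hit, and a MAC / other IPv4 in the same line are
reported as the likely client (pre-NAT) identifiers.
"""
import re
import socket
import sys
from datetime import datetime, timezone

# Sinkhole destinations to watch for (constructed value; use the IP from your IDS alert).
SINKHOLE_IPS = {"192.0.2.10"}

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample messages, not real InstantOS output. Only the presence of the
# destination IP and a MAC matters to the parser, not the surrounding wording.
SAMPLE_LINES = [
    "<134>Jan 12 10:41:03 iap-vc syslog: ACL hit: rule deny log src 10.1.2.33 mac 00:11:22:33:44:55 dst 192.0.2.10 port 443",
    "<134>Jan 12 10:41:05 iap-vc syslog: ACL hit: rule deny log src 10.1.2.33 mac 00:11:22:33:44:55 dst 192.0.2.10 port 80",
    "<134>Jan 12 10:41:09 iap-vc syslog: ACL hit: rule permit src 10.1.2.40 mac aa:bb:cc:dd:ee:ff dst 198.51.100.7 port 443",
]


def parse_event(line, sinkholes=SINKHOLE_IPS):
    """Return a dict describing the hit if the line mentions a sinkhole IP, else None.

    client_mac is the first MAC in the line (lower-cased), client_ip the first IPv4
    that is not a sinkhole; either may be None if the rule does not log it.
    """
    ips = IPV4_RE.findall(line)
    hits = [ip for ip in ips if ip in sinkholes]
    if not hits:
        return None
    macs = MAC_RE.findall(line)
    others = [ip for ip in ips if ip not in sinkholes]
    return {
        "sinkhole": hits[0],
        "client_mac": macs[0].lower() if macs else None,
        "client_ip": others[0] if others else None,
        "raw": line.strip(),
    }


def summarize(lines, sinkholes=SINKHOLE_IPS):
    """Count sinkhole hits per client, keyed by MAC, falling back to IP, then 'unknown'."""
    counts = {}
    for line in lines:
        ev = parse_event(line, sinkholes)
        if ev is None:
            continue
        key = ev["client_mac"] or ev["client_ip"] or "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


def serve(bind="0.0.0.0", port=514, sinkholes=SINKHOLE_IPS):
    """Minimal UDP syslog receiver that prints each sinkhole hit as it arrives.

    Port 514 needs root; bind a high port and point the VC's syslog setting at it
    if you prefer. Runs until interrupted.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (src, _) = sock.recvfrom(4096)
        ev = parse_event(data.decode("utf-8", "replace"), sinkholes)
        if ev:
            ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
            who = ev["client_mac"] or ev["client_ip"] or "?"
            print(f"{ts} from {src}: client {who} -> {ev['sinkhole']}  [{ev['raw']}]")


if __name__ == "__main__":
    # Offline demonstration on the constructed lines, then optionally listen for real.
    print(summarize(SAMPLE_LINES))
    if "--listen" in sys.argv:
        serve(port=5514)
```

Run it with no arguments to see the per-client tally for the constructed lines, or with `--listen` to receive live messages on UDP 5514 and print each hit with the client identifier the VC included. Because the log rule only fires while the client is talking to the sinkhole, leaving this running is the practical answer to the "session listing goes away" caveat in the first reply: the receiver keeps a record even after the datapath session has aged out.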
Occasional Contributor II

Re: Firewall/NAT-ed Client Visibility?

Good stuff, thanks for your guidance. I'll try these options you've given me and post an update when I get some time. Thanks again.

Occasional Contributor II

Re: Firewall/NAT-ed Client Visibility?

Would the System>Monitoring levels shown in the attached screenshot be sufficient to register these block/blacklist events in syslog?

MVP Expert

Re: Firewall/NAT-ed Client Visibility?

We can see the information by keeping the parameters set to warning levels.
