Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Blocking traffic between authenticated users

  • 1.  Blocking traffic between authenticated users

    Posted Oct 23, 2019 01:18 PM

    If I have 30 different user roles, is there a simple way to do a rule that would block traffic between all the roles, but allow traffic out from the controller?

    I could do this manually, but with 30 roles it's 900 rules, one for every pair of user roles :)

    I tried to do an alias:user -> alias:user block rule, but that blocked everything. If I select "user" as a source there's no option to select "User Role" for destination, which would've narrowed the rules to 30.


  • 2.  RE: Blocking traffic between authenticated users

    EMPLOYEE
    Posted Oct 23, 2019 02:01 PM

    EDIT:

    You will need to upgrade to ArubaOS 8.5.0.3 for this one, where it is fixed:

    Have you already tried "firewall deny-inter-user-traffic":   https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/arubaos-solutions/1cli-commands/firewall.htm?Highlight=firewall%20deny-inter-user-traffic

    Screenshot 2019-10-23 at 13.05.10.png



  • 3.  RE: Blocking traffic between authenticated users

    Posted Oct 23, 2019 02:26 PM

    I'm running 8.4.0.4 currently. Would this block traffic between different user roles in a dynamic segmentation case also? I have a few roles created, for example cameras, hvac, printers, sensors etc., and those don't have any reason to talk to each other.

    Edit: but of course there probably will be exceptions, so it'd be nice to have policies that could do that, and then add those exceptions before the deny rules.



  • 4.  RE: Blocking traffic between authenticated users
    Best Answer

    EMPLOYEE
    Posted Oct 23, 2019 03:15 PM

    If that is what you need, you need to do role-to-role denies, then. That is fixed in ArubaOS 8.5.0.3.

    Screenshot 2019-10-23 at 12.59.57.png

    Screenshot 2019-10-23 at 12.58.19.png

    EDIT:  Yes it should work with dynamic segmentation.



  • 5.  RE: Blocking traffic between authenticated users

    Posted Nov 03, 2019 03:57 PM

    Ah of course, now that I actually updated to 8.5.0.4 and started playing with this, I remembered that I'm doing L2 VLANs from controller to firewall... so there's no need to do blocking rules from role1 to role2 as it goes to the firewall anyway :)

    I did user-role: iot -> user-role: iot deny, and this seems to be working as expected. Now I can block everything between two IoT devices but allow them to access other networks, if the firewall permits. Works well with dynamic segmentation too.
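The thread settles on two points worth checking before deploying such a policy: the exhaustive pairwise approach really does cost N^2 rules (900 for 30 roles), and exceptions only take effect if they sit before the deny rules, because session ACLs are evaluated first-match. The model below is an added example, not code from the original thread or from HPE Aruba, and it is not ArubaOS CLI syntax: roles, the "external" destination and the `pairwise_denies`/`build_policy`/`shadowed_rules` helpers are all constructed here to show first-match ordering and to flag rules that can never match.

```python
from itertools import product
from typing import List, Tuple

# A rule is (source_role, destination, action). The destination is either a
# role name (traffic towards another authenticated client) or EXTERNAL
# (traffic that leaves the controller towards the upstream firewall).
# Constructed model of first-match ACL evaluation, not ArubaOS configuration.
Rule = Tuple[str, str, str]
EXTERNAL = "external"


def pairwise_denies(roles: List[str]) -> List[Rule]:
    """Naive approach from the first post: one explicit deny per ordered
    (src, dst) role pair, self-pairs included. Grows as len(roles) ** 2."""
    return [(src, dst, "deny") for src, dst in product(roles, repeat=2)]


def _covers(pattern: str, value: str) -> bool:
    """A rule field matches a concrete value if it is 'any' or equal to it."""
    return pattern == "any" or pattern == value


def evaluate(rules: List[Rule], src_role: str, dst: str) -> str:
    """First-match evaluation with an implicit deny at the end."""
    for rule_src, rule_dst, action in rules:
        if _covers(rule_src, src_role) and _covers(rule_dst, dst):
            return action
    return "deny"


def build_policy(roles: List[str], exceptions: List[Tuple[str, str]]) -> List[Rule]:
    """Ordering suggested in the thread: permit the known exceptions first,
    then deny role-to-role traffic, then permit everything leaving the controller."""
    rules: List[Rule] = [(src, dst, "permit") for src, dst in exceptions]
    rules += pairwise_denies(roles)
    rules.append(("any", EXTERNAL, "permit"))
    return rules


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Return rules that can never match because an earlier rule already
    covers every (src, dst) they could match. Useful as a sanity check when an
    exception appears to be ignored: it is usually placed after a broader deny."""
    shadowed: List[Rule] = []
    for i, (src, dst, _) in enumerate(rules):
        for prev_src, prev_dst, _ in rules[:i]:
            if _covers(prev_src, src) and _covers(prev_dst, dst):
                shadowed.append(rules[i])
                break
    return shadowed


if __name__ == "__main__":
    roles = ["cameras", "hvac", "printers", "sensors"]  # constructed sample roles
    good = build_policy(roles, exceptions=[("sensors", "hvac")])
    print("sensors -> hvac:", evaluate(good, "sensors", "hvac"))      # permit
    print("cameras -> hvac:", evaluate(good, "cameras", "hvac"))      # deny
    print("cameras -> external:", evaluate(good, "cameras", EXTERNAL))  # permit
    # Same rules, exception placed after the denies: it never matches.
    bad = pairwise_denies(roles) + [("sensors", "hvac", "permit"), ("any", EXTERNAL, "permit")]
    print("misordered sensors -> hvac:", evaluate(bad, "sensors", "hvac"))  # deny
    print("shadowed:", shadowed_rules(bad))
    print("rules for 30 roles:", len(pairwise_denies([f"role{i}" for i in range(30)])))
```

`shadowed_rules` is the check to run whenever an exception "does not work": in the misordered list it reports the `sensors -> hvac` permit as dead, because the earlier `sensors -> hvac` deny already covers it. In the correctly ordered list it reports the now-redundant deny for that pair instead, which is harmless but tells you which rule the exception overrides.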