Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Moving Border Firewall rules

  • 1.  Moving Border Firewall rules

    Posted Jan 31, 2014 02:19 PM

    All,

    We are thinking of moving some of our border firewall rules that apply to all the wireless users to our 9 M3 controllers.

    I wanted to know if anybody else has done this? We feel that this will lighten the load on our Border firewall and distribute the load.

    My understanding is that the firewall is stateful for a user profile, as well as on the interfaces to the controllers, but wanted to confirm this.





  • 2.  RE: Moving Border Firewall rules

    Posted Jan 31, 2014 04:52 PM

    Do you have PEFNG licenses in your controllers? In that case you can easily create session-based ACLs and bind them to user-roles. Then make sure your users are dropped into the correct user-role.

     

    It can be practical to apply firewall policies on the controller, especially if you need good throughput to, for example, your internal network but want to restrict access to certain resources over the WiFi. If your existing firewall cannot support this kind of traffic, it's a good idea to do it on the controller.

     

    However, if you want to prevent having to maintain ACLs and logs in two places (the controller + firewall), this might not be a good idea.
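    As an added illustration of the session-ACL-plus-user-role approach this reply describes (example configuration written for this page, not posted by anyone in the thread), here is an ArubaOS 6.x-style fragment. The role and ACL names, the 10.10.0.0/16 server range and the 10.10.5.10 resolver address are made-up values; the svc-* service aliases and the `user`/`alias` keywords are standard ArubaOS ones.

```text
! Constructed example: a stateful session ACL carrying the kind of
! rules a border firewall would otherwise apply to every wireless client.
! Addresses and names are placeholders, not from the thread.
netdestination corp-servers
  network 10.10.0.0 255.255.0.0

ip access-list session wifi-corp-acl
  ! DNS only to the internal resolver
  user host 10.10.5.10 svc-dns permit
  ! Web access to corporate servers; the session table tracks return
  ! traffic, so no reverse rule is needed (this is the "stateful" part)
  user alias corp-servers svc-http permit
  user alias corp-servers svc-https permit
  ! Everything else towards corporate servers is dropped and logged
  user alias corp-servers any deny log
  ! Internet-bound traffic still passes on to the border firewall
  user any any permit

! Bind the ACL to a role; rule order inside the ACL is first match
user-role corp-wifi
  access-list session wifi-corp-acl

! Make authenticated 802.1X users land in that role
aaa profile corp-wifi-aaa
  dot1x-default-role corp-wifi
```

    Rules are evaluated top to bottom, so the final permit only applies to destinations the earlier corp-servers rules did not match; `show rights corp-wifi` and `show datapath session` can be used to verify the bound ACL and the live session entries.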



  • 3.  RE: Moving Border Firewall rules

    Posted Feb 03, 2014 09:55 AM

    Thank you for the information. We do have the PEFNG licenses on all the controllers. What we are finding is the Border firewall is showing its age. This option will lighten the load for it and enable us to get another year out of it before we upgrade. Would you happen to know how many packets per second the firewall can handle? That was one of our concerns. We get our share of DDoS attacks and wanted to make sure the Controllers don't go belly up.



  • 4.  RE: Moving Border Firewall rules

    Posted Feb 01, 2014 02:09 AM

    Shouldn't be an issue, as this is quite common using Aruba wireless; the controllers have a separate processor for the firewall, thus no issue on performance on the M3s. Remember you must have PEFNG licenses.



  • 5.  RE: Moving Border Firewall rules

    Posted Feb 03, 2014 09:59 AM

    Thank you for the confirmation Normal Guy. I did a search on Airheads and didn't find anybody asking this question. I guess it's just the norm for people to use it as an alternative to putting everything on the Border firewall.



  • 6.  RE: Moving Border Firewall rules

    Posted Feb 03, 2014 10:13 AM

    Specs for the Aruba 6000 M3 card:


    Active firewall sessions: 524,300
    Firewall throughput: 20 Gbps



  • 7.  RE: Moving Border Firewall rules

    EMPLOYEE
    Posted Feb 03, 2014 10:26 AM

    @davidbr wrote:

    All,

    We are thinking of moving some of our border firewall rules that apply to all the wireless users to our 9 M3 controllers.

    I wanted to know if anybody else has done this? We feel that this will lighten the load on our Border firewall and distribute the load.

    My understanding is that the firewall is stateful for a user profile, as well as on the interfaces to the controllers, but wanted to confirm this.




    Davidbr,

     

    If you have wired clients at your sites, they need border firewall protection, and that should be an essential part of the "belt and suspenders" approach to security. The Aruba built-in firewall allows you to layer additional protection that will cover your clients when they get placed onto the wired network. With that being said, a border firewall guarantees that all of your clients, regardless of their type of connection, have a minimum level of protection. You can use the Aruba firewall to layer on top of this and to give different users different protection, but at minimum you should be using an effective border firewall.

     



  • 8.  RE: Moving Border Firewall rules

    Posted Feb 03, 2014 10:39 AM

    Cjoseph,

    The Border firewall isn't going away, we just want to lighten the load on it until we upgrade it. We are basically moving around 40 lines in the ACL that are pretty much static from the border to the controllers. Most of our user traffic is of course from/to wireless users.

    Doing this will enable us to tighten the border firewall up more and not put even more demand on it than it already has.