Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

  • 1.  Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

    Posted Jan 17, 2014 10:19 PM

    The user guide advises not to enable the following global firewall options unless instructed by an Aruba representative:

    Prohibit RST Replay Attack

    Disable FTP Server

    Session Idle Timeout

    Please advise how these options impact the network.

    Regards,



  • 2.  RE: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

    EMPLOYEE
    Posted Jan 22, 2014 05:23 PM

    TAC or your Aruba SE might be able to answer this question  as the answer depends on your environment.



  • 3.  RE: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

    Posted Jan 29, 2014 03:08 AM

    Agree with the other point, in terms of you needing an official response. However...

    I could guess what the other two do, but the one I have played with historically is the session idle timeout.

    In the old days, before we had better ways of doing things, I used to adapt this setting, coupled with DoS prevention in the VAP (which ignores disconnects), to help things like iPhones on captive portals be a bit more practical (i.e. no constant re-logins to the CP). BUT, I want to stress you shouldn't fool around with this without understanding the consequences. Whilst I tested this just fine and tweaked the timers, you can overload a controller by doing it wrong!

     



  • 4.  RE: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

    Posted Jan 29, 2014 07:35 AM

    Thank you for the replies. I have already raised a ticket with the TAC and am waiting to see the TAC suggestion.

    I experimented with "Disable FTP server". Normally I am able to FTP to the controller IP address from the command prompt on my PC, but I am not able to log in with any username and password.

    But with "Disable FTP server" ticked, I am not able to FTP to the controller at all; it doesn't even give a login prompt.

    I was checking on some latest version 5.0 code. I believed the AP would not be able to download the image via FTP from the controller with "Disable FTP server" turned on. On the AP, at the apboot prompt, I did "clear os", "purge" and "factory_reset", but the AP was still able to download the image via FTP. I was watching "show datapath session table <AP IP>" and saw port 21, but I didn't see the ftp-data port 20 there.

    I am still not clear about the purpose of "Disable FTP server" in the global firewall of the controller.

     



  • 5.  RE: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

    EMPLOYEE
    Posted Jan 29, 2014 08:44 AM

    Disabling the FTP server stops access points from upgrading via FTP. They will do it via TFTP instead. This takes much longer than FTP, so this option should not be enabled in practice.

    Prohibit RST Replay Attack forces the controller firewall to ensure that there is a two-way conversation before sending traffic to hosts. This can delay traffic processing.

    Some options have a purpose, but only for a few people, and they should not be changed at all. These are two of those options.
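The "two-way conversation" check described in the reply above is a generic stateful-firewall idea: do not act on a TCP RST for a flow the firewall has only ever seen in one direction, and ignore a RST whose sequence number is nowhere near the live stream. The Python below is an added illustration of that idea, not Aruba/HPE code, and it makes no claim about how the controller datapath actually implements the option. The packet trace, addresses, ports, sequence numbers and the 65535-byte window are all constructed for the example.

```python
"""Toy stateful flow tracker: honour a TCP RST only on a two-way session.

Added illustration of the "two-way conversation" check described in the reply
above. This is NOT Aruba/HPE code and does not describe how the controller's
datapath implements "Prohibit RST Replay Attack"; it only shows what a
stateful firewall gains and costs by refusing RSTs for flows it has seen in
one direction only. Addresses, ports and sequence numbers are constructed.
"""
from dataclasses import dataclass, field

SEQ_MOD = 2 ** 32
WINDOW = 65535  # assumed receive window used for the in-window RST test


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # any subset of "S" (SYN), "A" (ACK), "R" (RST)
    seq: int


@dataclass
class Flow:
    # "fwd" is the direction of the packet that created the entry (the SYN),
    # "rev" is the reply direction. Both must be seen for a two-way session.
    seen: dict = field(default_factory=lambda: {"fwd": False, "rev": False})
    last_seq: dict = field(default_factory=lambda: {"fwd": None, "rev": None})

    def two_way(self) -> bool:
        return self.seen["fwd"] and self.seen["rev"]

    def in_window(self, direction: str, seq: int) -> bool:
        last = self.last_seq[direction]
        return last is not None and (seq - last) % SEQ_MOD < WINDOW


class FlowTracker:
    def __init__(self, prohibit_rst_replay: bool):
        self.prohibit_rst_replay = prohibit_rst_replay
        self.flows: dict = {}

    def _lookup(self, p: Packet):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if rev in self.flows:          # packet travels in the reply direction
            return rev, "rev"
        return fwd, "fwd"

    def process(self, p: Packet) -> str:
        key, direction = self._lookup(p)
        flow = self.flows.get(key)
        if "R" in p.flags:
            if flow is None:
                return "drop: no session"
            if self.prohibit_rst_replay:
                # A spoofed RST for a flow the peer never answered, or one whose
                # sequence number is nowhere near the live stream, is ignored.
                if not flow.two_way():
                    return "drop: RST on one-way session"
                if not flow.in_window(direction, p.seq):
                    return "drop: RST seq out of window"
            del self.flows[key]
            return "reset: session torn down"
        if flow is None:
            if "S" not in p.flags:     # only a SYN may open a new entry
                return "drop: no session"
            flow = self.flows[key] = Flow()
        flow.seen[direction] = True
        flow.last_seq[direction] = p.seq
        return "forward"


def demo(prohibit_rst_replay: bool) -> list:
    """Run the same constructed packet trace through a strict or a lenient tracker."""
    srv = "203.0.113.10"
    trace = [
        Packet("10.0.0.5", 40000, srv, 80, "S", 1000),    # client A opens a session
        Packet(srv, 80, "10.0.0.5", 40000, "R", 5000),    # spoofed RST before the server replied
        Packet("10.0.0.6", 40001, srv, 80, "S", 2000),    # client B opens a session
        Packet(srv, 80, "10.0.0.6", 40001, "SA", 7000),   # server answers (now two-way)
        Packet("10.0.0.6", 40001, srv, 80, "A", 2001),    # handshake completes
        Packet(srv, 80, "10.0.0.6", 40001, "R", 900000),  # blind RST with a wild sequence number
        Packet(srv, 80, "10.0.0.6", 40001, "R", 7001),    # RST that guessed an in-window sequence
    ]
    tracker = FlowTracker(prohibit_rst_replay)
    return [tracker.process(p) for p in trace]


if __name__ == "__main__":
    for strict in (False, True):
        print(f"prohibit_rst_replay={strict}")
        for verdict in demo(strict):
            print("  ", verdict)
```

Run it and compare the two traces: the lenient tracker tears down client A's half-open session on a RST the server never sent, and drops client B's session on a RST with an arbitrary sequence number; the strict tracker ignores both. The cost is exactly what the reply above warns about: the firewall has to hold per-direction state and consult it before acting, and a legitimate RST for a session it has not seen both halves of (asymmetric routing, a flow that predates the session entry) is silently dropped. The strict tracker also shows the residual risk: a RST whose sequence number lands inside the window is still honoured, so the check raises the cost of a blind reset rather than eliminating it. Nothing here blacklists the sender of a RST, consistent with the answer given later in this thread.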



  • 6.  RE: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

    Posted Jan 29, 2014 09:43 PM

    Thank you CJ. If "Prohibit RST Replay Attack" is turned on and a client sends too many TCP RSTs, will the client get blacklisted?

     

    References:

    http://en.wikipedia.org/wiki/TCP_reset_attack

    http://stackoverflow.com/questions/251243/what-causes-a-tcp-ip-reset-rst-flag-to-be-sent



  • 7.  RE: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

    EMPLOYEE
    Posted Jan 29, 2014 09:45 PM

    @yogenpartha wrote:

    Thank you CJ. If "Prohibit RST Replay Attack" is turned on and a client sends too many TCP RSTs, will the client get blacklisted?

    References:

    http://en.wikipedia.org/wiki/TCP_reset_attack

    http://stackoverflow.com/questions/251243/what-causes-a-tcp-ip-reset-rst-flag-to-be-sent


    No. Just turn it off, though. There is no reason to have it on.



  • 8.  RE: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

    Posted Jan 31, 2014 06:02 AM

    As per an internal security audit, the customer wants to enable these settings and wants to understand how that is going to impact their normal users.



  • 9.  RE: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

    EMPLOYEE
    Posted Jan 31, 2014 06:12 AM
    The security audit team should contact support to advise them on this.