You can lock down the control plane with firewall cp.
For the interface lockdown, check the hardening guide, starting on page 18.
If you don't have lab equipment to test prior to deployment, I would work with your Aruba partner or Aruba Support to prepare this change.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Feb 08, 2023 06:57 AM
From: kindavid23
Subject: Block Vulnerable Ports on Aruba 7030 Controller
Hello Herman,
Thanks for your great contribution.
Can you share a document on how to lock down a port?
E.g., if I want to lock down FTP, SNMP, etc.
Regards,
David
Original Message:
Sent: 2/6/2023 5:22:00 AM
From: Herman Robers
Subject: RE: Block Vulnerable Ports on Aruba 7030 Controller
Check this hardening guide, the open port & common false positives section. As you can see, these ports are open for a reason. Then under WAN interface protection you can see how to create an interface ACL in case you really want to lock down ports that are not in use.
As you can seriously break things by locking down too many ports, make sure that you involve your Aruba Partner and/or Aruba Support to provide you guidance.
------------------------------
Herman Robers
Original Message:
Sent: Feb 01, 2023 11:55 AM
From: kindavid23
Subject: Block Vulnerable Ports on Aruba 7030 Controller
An ASV scan on my Aruba 7030 box showed the following ports to be open yet vulnerable. I seek assistance on how to block these ports on the Aruba wireless controller. Thanks and will be counting on your support.
ftp | 21 | TCP | File Transfer [Control] |
http | 8080 | TCP | HTTP Alternate (see port 80) |
http | 32000 | TCP | Mercur mail server access by http |
http | 80 | TCP | World Wide Web HTTP |
http | 8088 | TCP | unknown |
http over ssl | 443 | TCP | http protocol over TLS/SSL |
http over ssl | 4343 | TCP | UNICALL |
http over ssl | 8082 | TCP | Sun Microsystems NetBeans (Forte) |
http over ssl | 8081 | TCP | unknown |
isakmp | 500 | UDP | isakmp |
named udp | 53 | UDP | Domain Name Server |
pptp | 1723 | TCP | pptp |
snmp | 161 | UDP | SNMP |
ssh | 22 | TCP | SSH Remote Login Protocol |
tftp | 69 | UDP | Trivial File Transfer |
unknown | 9199 | TCP | unknown |
unknown | 17 | TCP | Quote of the Day |
Thank you