Owners manual

Aruba Instant 6.4.0.2-4.1 | User Guide Roles and Policies | 177
Chapter 12
Roles and Policies
This chapter describes the procedures for configuring user roles, role assignment, and firewall policies.
• Firewall Policies on page 177
• Content Filtering on page 187
• Configuring User Roles on page 191
• Configuring Derivation Rules on page 193
Firewall Policies
Instant firewall provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding,
and network performance policies for wired and wireless networks. Using Instant firewall, you can enforce network
access policies that define access to the network, areas of the network that users may access, and the performance
thresholds of various applications.
Instant supports a role-based stateful firewall. Instant firewall recognizes flows in a network and keeps track of the
state of sessions. Instant firewall handles each packet according to the first rule that matches the packet. The firewall logs
on the IAPs are generated as syslog messages.
Access Control List Rules
You can use Access Control List (ACL) rules to either permit or deny data packets passing through the IAP. You can
also limit packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you
can block or allow access based on the service or application, or on the source or destination IP address.
You can create access rules to allow or block data packets that match the criteria defined in an access rule. You can
create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the inbound network
traffic that matches the criteria in the rule. Outbound rules explicitly allow or block the network traffic that matches
the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to an IP address
through the firewall.
The IAP clients are associated with user roles, which determine the client’s network privileges and the frequency at
which clients re-authenticate.
Instant supports the following types of ACLs:
• ACLs that permit or deny traffic based on the source IP address of the packet.
• ACLs that permit or deny traffic based on source or destination IP address, source or destination port number.
• ACLs that permit or deny traffic based on network services, application, application categories, web categories,
and security ratings.
You can configure up to 128 access control entries in an ACL for a user role.
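Because the firewall applies the first matching rule, rule order decides the outcome: a broad permit placed before a narrower deny makes the deny unreachable. The following added Python example (not Aruba's code, and not the IAP's rule syntax) models first-match evaluation over a constructed ACL, enforces the 128-entry limit, and flags rules that an earlier rule fully covers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_ACES = 128  # per-role limit stated in the guide

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network in CIDR form, or "any"
    dst: str              # destination network in CIDR form, or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None means any port

def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)

def matches(rule, pkt):
    """True if the packet (dict with src, dst, proto, dport) hits this rule."""
    return (ipaddress.ip_address(pkt["src"]) in _net(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in _net(rule.dst)
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt["dport"]))

def evaluate(acl, pkt, default="deny"):
    """First-match evaluation: returns (action, index of the rule that fired)."""
    if len(acl) > MAX_ACES:
        raise ValueError(f"ACL exceeds {MAX_ACES} entries")
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return default, None  # nothing matched: fall back to the default action

def covers(a, b):
    """True if every packet matching rule b would already match rule a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.proto in ("any", b.proto)
            and a.dport in (None, b.dport))

def shadowed_rules(acl):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]

# Constructed sample ACL (not from the guide): rule index 2 is unreachable.
SAMPLE_ACL = [
    Rule("deny",   "10.1.0.0/16", "192.0.2.0/24", "tcp", 22),
    Rule("permit", "10.1.0.0/16", "192.0.2.0/24", "tcp", None),
    Rule("deny",   "10.1.2.0/24", "192.0.2.0/24", "tcp", 80),  # shadowed by rule 1
]

if __name__ == "__main__":
    pkt = {"src": "10.1.2.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 80}
    print(evaluate(SAMPLE_ACL, pkt), "shadowed:", shadowed_rules(SAMPLE_ACL))
```

Running the block shows the port-80 packet permitted by rule 1 while rule 2 is reported as shadowed, which is the ordering mistake to check for before the list is pushed to a role.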
For more information on configuring firewall rules, see:
• Configuring Access Rules for Network Services on page 178
• Configuring Network Address Translation Rules on page 180
• Configuring Inbound Firewall Rules on page 184
• Configuring Access Rules for Application and Application Categories on page 247