Aruba Central Online Help

Configuring Firewall Parameters for Inbound Traffic

Instant Access Points (IAPs) support an enhanced inbound firewall for the traffic that flows into the network through the uplink ports of an IAP.

To configure the firewall rules, complete the following steps:

  1. In the Network Operations app, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click Show Advanced.
  5. Click the Security tab.

    The Security page is displayed.

  6. Click the Wireless IDS/IPS accordion.
  7. Click Firewall Settings.
  8. In the Access Rule section, click the + icon.

    The Inbound Firewall page is displayed.

  9. In the Inbound Firewall page, enter the following information:

    Table 1: Inbound Firewall Rule Configuration Parameters

    Service
      Select a service from the list of available services. You can allow or deny access to any or all of the services based on your requirement:
      • Any—Access is allowed or denied to all services.
      • Custom—Customize the access based on available options such as TCP, UDP, and other options. If you select TCP or UDP, enter the appropriate port numbers. If you select Other, ensure that an appropriate ID is entered.

    Action
      Select any of the following actions:

    Source
      Select any of the following options:
      • From all sources—Traffic from all sources is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
      • From a particular host—Traffic from a particular host is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the host.
      • From a network—Traffic from a particular network is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask of the source network.

    Destination
      Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements:
      • To all destinations—Traffic for all destinations is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
      • To a particular server—Traffic to a specific server is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the destination server.
      • Except to a particular server—Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
      • To a network—Traffic to the specified network is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask of the destination network.
      • Except to a network—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
      • To a Domain name—Traffic to the specified domain is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the domain name in the Domain Name text box.
      • To AP IP—Traffic to the specified IAP is allowed. After selecting this option, specify the domain name in the IP text box.
      • To AP Network—Traffic to the specified IAP network is allowed. After selecting this option, specify the domain name in the IP text box.
      • To conductor IP—Traffic to the specified conductor IAP or virtual controller is allowed. After selecting this option, specify the domain name in the IP text box.

    Log
      Select the Log check box if you want a log entry to be created when this rule is triggered. Instant supports a firewall-based logging function. Firewall logs on the Instant APs are generated as security logs.

    Denylist
      Select the Denylist check box to denylist the client when this rule is triggered. The denylisting lasts for the duration specified in the Auth failure denylist time on the Denylisting tab of the Security window.

    Classify Media
      Select the Classify Media check box to classify and tag media on HTTPS traffic as voice and video packets.

    Disable scanning
      Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled.

    DSCP TAG
      Select the DSCP TAG check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0–63. To assign a higher priority, specify a higher value.

    802.1p priority
      Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.

  10. Click Ok.
  11. Click Save Settings.

For all subnets, a deny rule is created by default as the last rule. Once at least one rule is configured, this deny-all rule is applied to the upstream traffic by default. The inbound firewall is not applied to traffic coming through the GRE tunnel.
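As an added illustration of how the parameters in Table 1 combine, the following Python model walks an ordered inbound rule list with first-match semantics and applies the implicit deny-all rule described above. It is example code written for this page, not Aruba Central's or Instant's own data model: the Rule and Packet records, evaluate(), the log line format and the sample policy (built from documentation address ranges) are all assumptions. The behaviour with no rules configured is also an assumption, since the page only describes the case where at least one rule exists.

```python
# Added example: first-match model of the inbound firewall rule semantics.
# Rule/Packet records, evaluate() and SAMPLE_RULES are assumptions made for
# illustration, not Aruba Central's or Instant's own schema.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    service: str = "any"             # "any", "tcp", "udp" or "other"
    port: Optional[int] = None       # destination port for tcp/udp
    proto_id: Optional[int] = None   # IP protocol number when service is "other"
    src: str = "any"                 # "any", a host IP, or "addr/prefix" / "addr/netmask"
    dst: str = "any"                 # same forms as src
    dst_except: bool = False         # True models "Except to a particular server/network"
    log: bool = False                # True models the Log check box


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: int                       # 6 = TCP, 17 = UDP, otherwise the IP protocol number
    dst_port: Optional[int] = None


def _addr_matches(spec: str, ip: str) -> bool:
    """'any' matches everything; otherwise test membership in the host or network."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _service_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.service == "any":
        return True
    if rule.service == "tcp":
        return pkt.proto == 6 and pkt.dst_port == rule.port
    if rule.service == "udp":
        return pkt.proto == 17 and pkt.dst_port == rule.port
    if rule.service == "other":
        return pkt.proto == rule.proto_id
    raise ValueError(f"unknown service {rule.service!r}")


def evaluate(rules: List[Rule], pkt: Packet, security_log: List[str]) -> str:
    """Return the action of the first rule that matches pkt.

    Once at least one rule exists, the implicit deny-all rule described on the
    page is applied last. With no rules at all this returns "allow"; that is an
    assumption, because the page does not describe the empty case.
    """
    for index, rule in enumerate(rules, start=1):
        if not _service_matches(rule, pkt):
            continue
        if not _addr_matches(rule.src, pkt.src_ip):
            continue
        dst_hit = _addr_matches(rule.dst, pkt.dst_ip)
        if rule.dst_except:
            dst_hit = not dst_hit     # "Except to ..." inverts the destination test
        if not dst_hit:
            continue
        if rule.log:                  # Log check box: record a security-log entry
            security_log.append(
                f"rule {index} {rule.action}: {pkt.src_ip} -> {pkt.dst_ip} "
                f"proto {pkt.proto} port {pkt.dst_port}"
            )
        return rule.action
    return "deny" if rules else "allow"


# Constructed sample policy; addresses are documentation ranges, not real hosts.
SAMPLE_RULES = [
    Rule("allow", "tcp", port=443, src="203.0.113.0/24", dst="10.0.0.10", log=True),
    Rule("deny", "tcp", port=22, log=True),
    Rule("allow", "udp", port=53, dst="10.0.0.0/255.0.0.0", dst_except=True),
]


def demo() -> List[str]:
    """Evaluate five constructed packets; return the verdicts followed by the log."""
    log: List[str] = []
    verdicts = [
        evaluate(SAMPLE_RULES, Packet("203.0.113.5", "10.0.0.10", 6, 443), log),   # allow, logged
        evaluate(SAMPLE_RULES, Packet("198.51.100.7", "10.0.0.10", 6, 443), log),  # implicit deny
        evaluate(SAMPLE_RULES, Packet("203.0.113.5", "10.0.0.10", 6, 22), log),    # deny, logged
        evaluate(SAMPLE_RULES, Packet("198.51.100.7", "192.0.2.1", 17, 53), log),  # allow (except)
        evaluate(SAMPLE_RULES, Packet("198.51.100.7", "10.1.2.3", 17, 53), log),   # implicit deny
    ]
    return verdicts + log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running demo() shows the point that matters when reviewing a policy before clicking Save Settings: the second packet carries the same allowed service as the first, but because the allow rule is scoped to one source network and the deny-all rule sits last, traffic from any other network is silently dropped. Only rules with the Log check box set produce security-log entries, so a drop by the implicit rule leaves no trace in this model.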

Configuring Restricted Access to Corporate Network

You can configure restricted corporate access to block unauthorized users from accessing the corporate network. When restricted corporate access is enabled, corporate access is blocked from the uplink port of the conductor IAP, including for clients connected to a member IAP.

To configure restricted corporate access, complete the following steps:

  1. In the Network Operations app, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click Show Advanced.
  5. Click the Security tab.

    The Security page is displayed.

  6. Click the Wireless IDS/IPS accordion.
  7. Click Firewall Settings.
  8. To restrict corporate access, turn on the Restrict Corporate Access toggle switch.
  9. Click Save Settings.