Aruba Central Online Help

Firewall and ACL Rules

The Aruba Central (on-premises) firewall is a network security system that prevents unauthorized access to or from a private network. It provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using the Aruba Central (on-premises) firewall, you can enforce network access policies that define who may access the network, which areas of the network users may reach, and the performance thresholds of various applications.

Aruba Central (on-premises) supports a role-based stateful firewall. The firewall recognizes flows in the network and keeps track of the state of each session. Packets are handled according to the first rule that matches the packet, so the order of rules in a policy determines the outcome. Firewall logs on Instant Access Points (IAPs) are generated as syslog messages. The firewall also supports Application Layer Gateway (ALG) functions, which manage application-layer protocols such as SIP (Session Initiation Protocol, used for signaling and controlling multimedia sessions such as voice and video calls), Vocera, Alcatel NOE (New Office Environment, a proprietary VoIP protocol from Alcatel-Lucent Enterprise), and Cisco Skinny.

ACL Rules

You can use Access Control List (ACL) rules to permit or deny data packets passing through the IAP. You can also limit the packet rate or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application and on the source or destination IP address.

You can create access rules to allow or block data packets that match the criteria defined in the rule, for either inbound or outbound traffic. Inbound rules explicitly allow or block inbound network traffic that matches the rule's criteria; outbound rules do the same for outbound traffic. For example, you can configure a rule to explicitly block outbound traffic to a specific IP address through the firewall.

IAP clients are associated with user roles, which determine the client's network privileges and the frequency at which the client must re-authenticate. Aruba Central (on-premises) supports the following types of ACLs:

  • ACLs that permit or deny traffic based on the source IP address of the packet.
  • ACLs that permit or deny traffic based on source or destination IP address, or source or destination port number.

You can configure up to 64 access control rules for a firewall policy.
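The first-match behaviour and the 64-rule limit described above are easy to get wrong in practice, because a permit placed too early silently shadows a later deny. The following Python model is an added illustration, not Aruba's own code or configuration syntax: it evaluates a policy first-match, enforces the rule limit, and flags rules that can never fire. All rules, packets and addresses are constructed for the example, and the default-deny for unmatched packets is an assumption made here rather than a documented default.

```python
"""First-match evaluation of firewall ACL rules.

Added illustration of the behaviour described above: the firewall applies the
first rule whose criteria match the packet, rules match on source/destination
IP address and port, and a policy holds at most 64 rules. All rules, packets
and addresses below are constructed for the example; none of this is Aruba's
own code or configuration syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_RULES = 64  # per-policy rule limit stated in the help text


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source prefix; the default matches any address
    dst: str = "0.0.0.0/0"        # destination prefix
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet that matches `later` also matches `earlier`."""
    return (
        ip_network(later.src).subnet_of(ip_network(earlier.src))
        and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
        and (earlier.proto is None or earlier.proto == later.proto)
        and (earlier.dport is None or earlier.dport == later.dport)
    )


class Policy:
    def __init__(self, rules: list[Rule]):
        if len(rules) > MAX_RULES:
            raise ValueError(f"{len(rules)} rules exceeds the {MAX_RULES}-rule limit")
        self.rules = list(rules)

    def evaluate(self, pkt: Packet) -> tuple[str, Optional[int]]:
        """Return (action, index of the rule that fired).

        First match wins. A packet matching no rule is denied here; that
        default-deny is this example's assumption, not a documented default.
        """
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, i
        return "deny", None

    def shadowed(self) -> list[int]:
        """Indices of rules that can never fire because an earlier rule already
        covers everything they would match. Conservative: only definite shadows
        (prefix, protocol and port all subsumed) are reported."""
        return [
            i for i, later in enumerate(self.rules)
            if any(covers(earlier, later) for earlier in self.rules[:i])
        ]


# Constructed guest-role policy: reach the Internet, never the 10.0.0.0/8
# internal ranges. The deny must come first.
GUEST_POLICY = Policy([
    Rule("deny", dst="10.0.0.0/8"),
    Rule("permit", proto="tcp", dport=443),
    Rule("permit", proto="udp", dport=53),
])

# The same three rules in the wrong order: the permit for TCP/443 now matches
# before the deny, so HTTPS to an internal host is allowed.
MISORDERED_POLICY = Policy([
    Rule("permit", proto="tcp", dport=443),
    Rule("deny", dst="10.0.0.0/8"),
    Rule("permit", proto="udp", dport=53),
])

if __name__ == "__main__":
    probe = Packet("172.16.5.20", "10.0.0.5", "tcp", 443)
    print("ordered:   ", GUEST_POLICY.evaluate(probe))
    print("misordered:", MISORDERED_POLICY.evaluate(probe))
    print("shadowed:  ", Policy([Rule("permit"), Rule("deny", dst="10.0.0.0/8")]).shadowed())
```

Running `shadowed()` over a policy before pushing it is the check worth automating: a `permit any` followed by a narrower `deny` is the classic mistake, and the 64-rule cap means rules that can never fire also waste scarce slots.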

Configuring Network Address Translation Rules

Network Address Translation (NAT) is the process of modifying the address information in IP packet headers as the packets pass through a routing device, remapping one IP address space into another. The routing device acts as an intermediary between the public network (the Internet) and the private local network, translating private network IP addresses into a public address space.

Aruba Central (on-premises) supports NAT: the routing device uses translation tables to map the private addresses to a single public IP address, and outbound packets are sent from that address so that they appear to originate from the routing device. Packets returned to that public address are translated back to the private destination address according to the entries stored in the routing device's translation tables.
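The translation-table mechanism described above, as an added Python model that is not Aruba's own code: outbound packets from private hosts are rewritten to one public address and a freshly allocated source port, the mapping is recorded in both directions, replies to that public port are translated back, and an inbound packet with no table entry is dropped. The public address, private hosts and port range are constructed for the example.

```python
"""Source NAT through a translation table.

Added illustration of the NAT behaviour described above, not Aruba's own code:
outbound packets from private hosts are rewritten to the routing device's single
public address and a fresh source port, the mapping is recorded, and replies to
that public port are translated back to the private host. A packet arriving at
the public address with no table entry is dropped. All addresses and ports are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class SourceNat:
    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        # (private src, sport, dst, dport, proto) -> public port
        self.outbound_table: dict[tuple, int] = {}
        # (public port, remote ip, remote port, proto) -> (private src, sport)
        self.inbound_table: dict[tuple, tuple[str, int]] = {}

    def _allocate_port(self) -> int:
        if self.next_port > self.last_port:
            raise RuntimeError("NAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, f: Flow) -> Flow:
        """Rewrite a private-to-public packet, reusing an existing mapping."""
        key = (f.src, f.sport, f.dst, f.dport, f.proto)
        public_port = self.outbound_table.get(key)
        if public_port is None:
            public_port = self._allocate_port()
            self.outbound_table[key] = public_port
            self.inbound_table[(public_port, f.dst, f.dport, f.proto)] = (f.src, f.sport)
        return Flow(self.public_ip, public_port, f.dst, f.dport, f.proto)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Translate a packet addressed to the public IP back to the private host.

        Returns None (drop) when the packet is not for the public address or no
        mapping exists, so unsolicited inbound traffic never reaches a private host.
        """
        if f.dst != self.public_ip:
            return None
        hit = self.inbound_table.get((f.dport, f.src, f.sport, f.proto))
        if hit is None:
            return None
        private_ip, private_port = hit
        return Flow(f.src, f.sport, private_ip, private_port, f.proto)


if __name__ == "__main__":
    nat = SourceNat("203.0.113.10")
    out = nat.outbound(Flow("192.168.1.20", 51000, "198.51.100.7", 443, "tcp"))
    print("outbound   ", out)
    print("reply      ", nat.inbound(Flow("198.51.100.7", 443, "203.0.113.10", out.sport, "tcp")))
    print("unsolicited", nat.inbound(Flow("198.51.100.7", 443, "203.0.113.10", 9999, "tcp")))
```

The inbound lookup keys on the remote address and port as well as the public port, so a different external host cannot reuse a mapping it did not originate. This is a modelling choice for the example; real devices vary in how strictly they key return traffic, which is why NAT alone should not be relied on as the access control and the ACL rules above still apply.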