User Profile Security Settings

View, add, and modify user profile security settings. View and add URL filtering rules for XR600P routers.

Navigation

Navigate using the tab icons. Hover over an icon to see the name of the tab.

Configure > Network Policies > policy_name > Wireless Networks > SSID_name > Add Default User Profile > Security

or

Configure > Common Objects > Policy > User Profiles > user_profile_name > Security

or

Configure > Network Policies > policy_name > Router Settings > Additional Router Services > Additional User Profile

About User Profile IP or MAC Firewall Security

In a wireless and routing deployment, an XR600P router can act as a firewall for all the traffic flowing in and out of the network behind it. In a wireless-only deployment, APs can act as firewalls, allowing some types of traffic and denying other types. An AP firewall can function either at the MAC layer (Layer 2), basing its permissions and denials on source and destination MAC addresses, or at the IP layer (Layer 3), basing its functions on source and destination IP addresses and services.

If you apply both types of policies to a user profile, the AP first checks traffic against the MAC firewall policy. If there is a MAC firewall policy set for either direction (from-access or to-access) with a rule that matches the traffic and whose action is "deny" or if there are no matching MAC firewall policy rules and the default MAC firewall policy action is "deny", then the AP drops that traffic. If the traffic passes the MAC firewall policy check, then the AP checks the traffic against the IP firewall policy following a similar process. If the traffic also passes the IP policy check, then the AP forwards it.

To view the existing user profiles, see User Profiles.

Configure User Profile Security Settings

Create or select a user profile as described in User Profile Settings, then continue with one of the following procedures to create IP or MAC firewall policies.

Create an IP Firewall Policy

IP firewalls let you choose to redirect a user device to an external web site. You can add one firewall rule at a time, or set up firewall rules that have basic network services such as DHCP and DNS included by default. Use the following steps to configure an IP firewall:

  1. In the Additional User Profile window, set the Enable Additional User Profile toggle to ON and select the user profile for this firewall policy.

  2. In the User Profile window, in the Security tab, turn Firewall Rules ON.

  3. Select IP Firewall and complete the following steps:

     Enter a name for the IP firewall.

     Select whether this firewall rule is for Inbound Traffic or Outbound Traffic.

     Select whether this firewall rule is used to Permit or Deny traffic. Permit allows matching traffic to traverse the firewall. Deny blocks matching traffic from passing through the firewall.

  4. Select Add. In the New Firewall Rule dialog box, add or select one or more network services or applications, and then select Add Service.

     You can select several network services and applications to which you want this firewall rule to apply, or you can choose to apply it to all services and applications (Any).

     Network Services: Select the check box for the network services that you want to apply to this user profile. Because the list of services is long, you can quickly find the one you are looking for by entering it in the Filter search field.

     Applications: Select the check box next to the applications that you want to apply to this user profile. There are more than 1000 applications in the list, with more being added all the time.

     You can filter the list to make the applications easier to find, either by application category (such as email) or by individual application, by entering the name of the application or category you are looking for and selecting Search. If you searched for an application category, the search returns all applications in that category. If you searched for an individual application, such as Facebook, the search returns that application only.

     Repeat this step until all the required network services and applications appear in the New Firewall Rule Service box.

  5. Enter or select a Source IP and a Destination IP.

     The Source IP is the address from which traffic originates. Select a source IP address, hostname, network, or Any from the drop-down list, or select New to add a new IP address, hostname, or network. You can use IPv4 and IPv6 addresses. When you select multiple sources, destinations, or services, ExtremeCloud IQ creates a separate rule for each combination. Keep this in mind when configuring rules, because there is a limit of 80 rules per policy.

     The Destination IP is the address to which traffic is sent. Select a destination IP address, hostname, network, or Any from the drop-down list, or select New to add a new IP address, hostname, or network. If wireless clients receive network settings dynamically, be careful not to block DHCP and DNS services to the local DHCP and DNS servers; they are blocked when a rule matching that traffic has its action set to Deny. To configure a DNS server to support IPv6, both the source IP and the destination IP must support IPv6.

  6. Select the rule Action that the device performs when it receives traffic matching the three-part tuple of source address, destination address, and service: Permit, Deny, Drop traffic between stations, or NAT.

     Permit: The device allows traffic to traverse its firewall.

     Deny: The device blocks traffic from traversing its firewall.

     Drop traffic between stations: Drop traffic between stations if they are both associated with one or more members of the same hive. This setting applies to all types of user traffic—unicast, broadcast, and multicast—that the device receives on an interface in access mode. The access interface can be a wireless interface hosting an SSID or an Ethernet interface in either bridge-access mode or bridge-802.1Q mode.

     NAT (Network Address Translation): Translate the source IP address of a packet permitted to traverse the firewall to that of the mgt0 interface on the device. One possible time to apply NAT is when you are using one of the VPN split-tunnel options (see the GRE and VPN Tunnels section in "User Profile Settings") and you want the device VPN client to forward traffic locally to a subnet that is not directly connected to the mgt0 interface. Because the split-tunnel option only enables a device to perform NAT when forwarding traffic to its immediate local subnet, you must add more firewall policy rules to apply NAT to traffic destined for other local subnets.

  7. Select the required Logging: Off, Session Initiation, Session Termination, Dropped Packets, or Both.

     Off: Disables logging for packets and sessions that match the IP firewall policy rule.

     Session Initiation: Log session details when a session is created after passing an IP firewall policy lookup.

     Session Termination: Log session details when a session matching an IP firewall policy rule is terminated.

     Dropped Packets: Log packets that the device drops because the firewall policy rule denies them.

     Both: Log session details after initiating and terminating each session.

  8. Select Save Firewall Rule. To add another rule, select Add, and repeat the previous steps. Use the up and down arrows in the Order column of the rules table to set the order in which the firewall applies the rules.

  9. Select Save User Profile.
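The evaluation order described under "About User Profile IP or MAC Firewall Security" (MAC policy first, then IP policy, first matching rule wins, default action otherwise) and the per-combination rule expansion and 80-rule limit noted in step 5 can be modelled in a few lines. This is an added illustration, not ExtremeCloud IQ or device code; the rule tuple layout, the frame fields, and the sample addresses are constructed assumptions.

```python
# Added example, not ExtremeCloud IQ code. Assumptions: a rule is a
# (src, dst, service, action) tuple matched first-to-last; "Any" matches
# anything; the MAC policy is consulted before the IP policy; a UI rule with
# several sources, destinations or services expands into one rule per
# combination; a policy holds at most 80 expanded rules (limit from the page).
from itertools import product

MAX_RULES_PER_POLICY = 80


def expand_rule(sources, destinations, services, action):
    """Expand one UI rule into the separate rules created per combination."""
    return [(s, d, svc, action) for s, d, svc in product(sources, destinations, services)]


def build_policy(ui_rules, default_action):
    """Expand every UI rule in order and enforce the per-policy rule limit."""
    rules = []
    for sources, destinations, services, action in ui_rules:
        rules.extend(expand_rule(sources, destinations, services, action))
    if len(rules) > MAX_RULES_PER_POLICY:
        raise ValueError(f"{len(rules)} rules exceeds limit of {MAX_RULES_PER_POLICY}")
    return {"rules": rules, "default": default_action}


def _matches(field, value):
    return field == "Any" or field == value


def lookup(policy, src, dst, service):
    """First matching rule decides; otherwise the policy default action applies."""
    for r_src, r_dst, r_svc, action in policy["rules"]:
        if _matches(r_src, src) and _matches(r_dst, dst) and _matches(r_svc, service):
            return action
    return policy["default"]


def forward(mac_policy, ip_policy, frame):
    """MAC check first; only traffic it permits reaches the IP policy check."""
    if lookup(mac_policy, frame["src_mac"], frame["dst_mac"], "Any") == "Deny":
        return "Deny"  # dropped at Layer 2, IP policy never consulted
    return lookup(ip_policy, frame["src_ip"], frame["dst_ip"], frame["service"])


# Constructed sample policies: block one client MAC; permit DHCP and DNS to two
# local servers (expands to 4 rules), deny everything else. Rule order matters:
# if the catch-all Deny came first, clients could never obtain an address.
MAC_POLICY = build_policy([(["aa:bb:cc:00:00:01"], ["Any"], ["Any"], "Deny")], "Permit")
IP_POLICY = build_policy([
    (["Any"], ["10.0.0.2", "10.0.0.3"], ["DHCP", "DNS"], "Permit"),
    (["Any"], ["Any"], ["Any"], "Deny"),
], "Permit")
```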

Create a MAC Firewall Policy

  1. In the Additional User Profile window, turn Enable Additional User Profile ON. Then select the user profile for this firewall policy.
  2. In the User Profile window, in the Security tab, turn Firewall Rules On.
  3. Select MAC Firewall and complete the following steps.
  4. Enter a name for the MAC firewall.
  5. Select whether this firewall rule is for Inbound Traffic or Outbound Traffic.
  6. Select whether this firewall rule is used to Permit or Deny to either allow traffic through the firewall or block it.
  7. Select Add.
  8. Select or add the Source MAC: This is the MAC address from which traffic originates. Select a source MAC address or Any from the drop-down list, or add a new MAC address or MAC OUI (organizationally unique identifier, described in MAC Objects and MAC OUIs).
  9. Select or add the Destination MAC: This is the MAC address to which traffic is sent. Select a destination MAC address or Any from the drop-down list, or add a new MAC address or MAC OUI.
  10. Select or add the Action (Permit or Deny) the device takes when it receives traffic matching the three-part tuple of source address-destination address-service. The action is to either allow traffic through the firewall or block it.
  11. Select or add the required Logging: Off or Dropped Packets. Off disables logging altogether. Dropped Packets logs only packets that are dropped because the firewall policy rule denies them.
  12. Select Save. To add another rule, select Add, and repeat the previous steps.
  13. In the MAC Firewall Rules window, use the up and down arrows in the Order column in the rules table to set the order in which the firewall applies the MAC firewall rules.
  14. Select Save User Profile.

Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.