Configuring WLAN Firewall Settings

About this task

A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, a Firewall can be thought of as mechanisms allowing and denying data traffic in respect to administrator defined rules. For an overview of Firewalls, see Wireless Firewall.

WLANs use Firewalls like Access Control Lists (ACLs) to filter/mark packets based on the WLAN from which they arrive, as opposed to filtering packets on Layer 2 ports. An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies an action and a set of conditions (rules) a packet must satisfy to match the ACE. The order of conditions in the list is critical since filtering is stopped after the first match.

IP based Firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC.

Additionally, administrators can filter Layer 2 traffic on a physical Layer 2 interface using MAC addresses. A MAC Firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to WLAN packet traffic.

Keep in mind that IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.

To review access policies, create a new policy or edit the properties of an existing policy:

Procedure

  1. Select Configuration → Wireless LANs → Wireless LANs Policy to display available WLANs.
  2. Click Add to create an additional WLAN, or select an existing WLAN and click Edit to modify the properties of an existing WLAN.
  3. Select Firewall from the Wireless LAN Policy options..
    Click to expand in new window
    WLAN Policy Firewall Screen
    GUID-951510AA-0393-4A93-98A8-AF1A04D5C296-low.png

    The screen displays editable fields for IP Firewall Rules, MAC Firewall Rules, Trust Parameters, and Client Deny Limits.

  4. Select an existing Inbound IP Firewall Rule and Outbound IP Firewall Rule using the drop-down menu.
    If no rules exist, select the Create icon to display a screen where Firewall rules can be created. Select the Edit icon to modify the configuration of a selected Firewall policy configuration.

    If you are creating a new IP firewall rule, provide a name up to 32 characters.

  5. Click Add.
    Click to expand in new window
    IP Firewall Rules Screen
    GUID-BFEED6EC-70B6-41F1-8FFC-69CDD2D17E26-low.png
  6. IP firewall rule configurations can either be modified as a collective group of variables or selected and updated individually as their filtering attributes require a more refined update.
    1. Select the Edit Rule icon to the left of a particular IP firewall rule configuration to update its parameters collectively.
      Click to expand in new window
      IP Firewall Rules Add Criteria Screen
      GUID-93AC0F59-15AB-4BD4-A983-83360B6E546B-low.png
    2. Click the icon in the Description column (top right-hand side of the screen) and select IP filter values as needed to add criteria into the configuration of the IP ACL.
      Click to expand in new window
      IP Firewall Rules Add Criteria Screen
      GUID-986194CD-A12F-4C2C-9205-A4B04AB12A60-low.png
      GUID-DF80143D-231C-4C84-96A8-082497C06EDF-low.png
      Note

      Note

      Only those selected IP ACL filter attributes display. Each value can have its current setting adjusted by selecting that IP ACL‘s column to display a pop-up to adjust that one value.
  7. Define the following IP firewall rule settings as required:
    Precedence Specify or modify a precedence for this IP policy between 1 and 5000. Rules with lower precedence are always applied to packets first. If you modify a precedence to apply a higher integer, it will move down the table to reflect its lower priority.
    Action Every IP Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported:
    Deny Instructs the Firewall to prohibit a packet from proceeding to its destination
    Permit Instructs the Firewall to allow a packet to proceed to its destination
    DNS Name Specify the DNS Name which may be a full domain name, a portion of a domain name or a suffix. This name is used for the DNS Match Type criteria.
    DNS Match Type Specify the DNS matching criteria that the DNS Name can be matched against. This can be configured as an exact match for a DNS domain name, a suffix for the DNS name or a domain that contains a portion of the DNS name. If traffic matches the configured criteria in the DNS Match Type, that rule will be applied to the ACL.
    Source Select the source IP address or network group configuration used as basic matching criteria for this IP ACL rule.
    Destination Determine whether filtered packet destinations for this IP firewall rule do not require any classification (any), are designated as a set of configurations consisting of protocol and port mappings (an alias), set as a numeric IP address (host) or defined as network IP and mask. Selecting alias requires that a destination network group alias be available or created.
    Network Service Alias The service alias is a set of configurations consisting of protocol and port mappings. Both source and destination ports are configurable. Set an alphanumeric service alias (beginning with a $) and include the protocol as relevant. Selecting either tcp or udp displays an additional set of specific TCP/UDP source and destination port options.
    Source Port If you are using either tcp or udp as the protocol, define whether the source port for incoming IP ACL rule application is any, equals, or an administrator defined range. If you are not using tcp or udp, this setting displays as N/A. This is the data local origination port designated by the administrator. Selecting equals invokes a spinner control for setting a single numeric port.

    Selecting equals invokes a spinner control for setting a single numeric port. Selecting range displays spinner controls for low and high numeric range settings. A source port cannot be a destination port.
    Destination Port If you are using either tcp or udp as the protocol, define whether the destination port for outgoing IP ACL rule application is any, equals, or an administrator defined range. If you are not using tcp or udp, this setting displays as N/A. This is the data destination virtual port designated by the administrator.

    Selecting equals invokes a spinner control for setting a single numeric port. Selecting range displays spinner controls for low and high numeric range settings. A source port cannot be a destination port.
    ICMP Type Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code. The Internet Control Message Protocol (ICMP) uses messages identified by numeric type. ICMP messages are used for packet flow control or generated in IP error responses. ICMP errors are directed to the source IP address of the originating packet. Assign an ICMP type from 1-10.
    ICMP Code Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code. Many ICMP types have a corresponding code, helpful for troubleshooting network issues, for example 0 - Net Unreachable, 1 - Host Unreachable, and 2 - Protocol Unreachable.
    Start VLAN Select a Start VLAN icon within a table row to set (apply) a start VLAN range for this IP ACL filter. The Start VLAN represents the virtual LAN beginning numeric identifier arriving packets must adhere to in order to have the IP ACL rules apply.
    End VLAN Select an End VLAN icon within a table row to set (apply) an end VLAN range for this IP ACL filter. The End VLAN represents the virtual LAN end numeric identifier arriving packets must adhere to in order to have the IP ACL rules apply.
    Mark Select an IP Firewall rule‘s Mark checkbox to enable or disable event marking and set the rule‘s 8021p or dscp level (from 0 - 7).
    Log Select an IP Firewall rule‘s Log checkbox to enable or disable event logging for this rule‘s usage.
    Enable Select an IP Firewall rule‘s Enable or Disable icon to determine this rule‘s inclusion with the IP firewall policy.
    Description Lists the administrator assigned description applied to the IP ACL rule. Select a description within the table to modify its character string as filtering changes warrant. Select the icon within the Description table header to launch a Select Columns screen used to add or remove IP ACL criteria from the table.
  8. Select existing inbound and outbound MAC Firewall Rules using the drop-down menu.
    If no rules exist, select Create to display a screen where Firewall rules can be created. MAC firewall rules can also be applied to an EX3500 Ethernet PoE switch connected and utilized by a WiNG managed device.
  9. Select the + Add Row button.
  10. Select the added row to expand it into configurable parameters.
    Click to expand in new window
    MAC Firewall Rules Screen
    GUID-853D01FA-C175-4F31-9902-C24FDC864B59-low.png
  11. Define the following parameters for either the inbound or outbound MAC Firewall Rules for either a WiNG managed device or an EX3500 switch connected to a WiNG managed device:
    Allow Every IP Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported:
    Deny Instructs the Firewall to prohibit a packet from proceeding to its destination
    Permit Instructs the Firewall to allow a packet to proceed to its destination
    VLAN ID Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server). The VLAN ID can be between 1 - 4094. EX3500 PoE switches utilize a VLAN Mask option (from 0 - 4095) to mask the exposure of the VLAN ID.
    Match 802.1P Configures IP DSCP to 802.1p priority mapping for untagged frames. Use the spinner control to define a setting between 0-7.
    Source and Destination MAC Enter both Source and Destination MAC addresses. The wireless controller uses the source IP address, destination MAC address as basic matching criteria. Provide a subnet mask if using a mask.
    Action The following actions are supported:
    Log Creates a log entry that a Firewall rule has allowed a packet to either be denied or permitted.
    Mark Modifies certain fields inside the packet and then permits them. Therefore, mark is an action with an implicit permit.
    Mark, Log Conducts both mark and log functions.
    Traffic Class Sets an ACL traffic classification value for the packets identified by this inbound MAC filter. Traffic classifications are used for QoS purposes. Use the spinner to define a traffic class from 1- 10.
    Ethertype Use the drop-down menu to specify an Ethertype of either ipv6, arp, wisp or monitor 8021q. An EtherType is a two-octet field within an Ethernet frame. It is used to indicate which protocol is encapsulated in the payload of an Ethernet frame. EX3500 PoE switches utilize an Ether Mask option (from 0 - 65535) to mask the exposure of the Ethertype.
    Precedence Use the spinner control to specify a precedence for this MAC Firewall rule between 1-1500. Access policies with lower precedence are always applied first to packets.
    Description Provide an ACL setting description (up to 64 characters) for the rule to help differentiate it from others with similar configurations.
  12. If you are creating a new Association ACL, provide a name specific to its function.
    Avoid naming it after a WLAN it may support. The name cannot exceed 32 characters.
  13. Assign an Application Policy to the WLAN firewall and set the following metadata extraction rules:
    Application Policy Use the drop-down menu to assign an application policy to the WLAN‘s firewall configuration. Applications recognized and classified by the external, third-party DPI engine are applied administrator-defined actions. An application policy defines the rules or actions executed on recognized HTTP, SSL and voice/video applications. For more information, refer to Create an Application Policy.
    Note: Legacy WiNG devices, running WiNG 7.1.2 and later versions of the WiNG 7 OS, use a third-party DPI engine to detect top-level hosting applications along with the services these applications host. Whereas, AP5XX model APs, running WiNG 7.1.2 and later versions of the WiNG 7 OS, use the Purview™ libDPI engine.

    For legacy WiNG deployments specify an application policy to enforce AVC on the WLAN traffic.

    For WiNG AP5xx deployments, specify a Purview application policy to enforce AVC on the WLAN traffic. Refer to the WiNG 7.2.1 CLI reference guide for information on Purview Applicatiopn policy.
    Voice/Video Metadata Select this option to enable the extraction of voice and video metadata flows. When enabled, administrators can track voice and video calls by extracting parameters (packets transferred and lost, jitter, audio codec and application name). Most Enterprise VoIP applications like Facetime, Skype for Business, and VoIP terminals can be monitored for call quality and visualized on the Extreme NSight dashboard (starting with WiNG 5.9.3, Extreme NSight is a separate target) in manner similar to HTTP and SSL. Call quality and metrics can be determined only from calls that are established as unencrypted. This setting is disabled by default.
    HTTP Metadata Select this option to enable the extraction of HTTP flows. When enabled, administrators can track HTTP Websites accessed by both internal and guest clients and visualize HTTP data usage, hits, active time and total clients on the Extreme NSight dashboard. This setting is disabled by default.
    SSL Metadata Select this option to enable the extraction of SSL flows. When enabled, administrators can track SSL Websites accessed by both internal and guest clients and visualize SSL data usage, hits, active time and total clients on the Extreme NSight dashboard. This setting is disabled by default.
    Enable TCP RTT Select this option to enable the extraction of Round Trip Time (RTT) from Transmission Control Protocol (TCP) flows. When enabled, the RTT information from TCP flows detected on the VLAN interface associated with the WLAN is extracted and forwarded to the Extreme NSight appliance by access points. However, this TCP-RTT metadata is viewable only on the Extreme NSight dashboard. This setting is disabled by default.
    Note: Extreme NSight is a licensed feature. For more information on Extreme NSight, please refer to the Extreme NSight™ User Guide, available at https://extremenetworks.com/documentation.
  14. Set the following Trust Parameters:
    ARP Trust Select the check box to enable ARP Trust on this WLAN. ARP packets received on this WLAN are considered trusted, and is used to identify rogue devices within the network. This setting is disabled by default.
    Validate ARP Header Mismatch Select this option to verify the mismatch for source MAC in the ARP and Ethernet headers. By default, mismatch verification is enabled.
    DHCP Trust Select the check box to enable DHCP trust on this WLAN. This setting is disabled by default.
  15. Set the following IPv6 Settings:
    ND Trust Select this option to enable the trust of neighbor discovery requests on an IPv6 supported firewall on this WLAN. This setting is disabled by default.
    Validate ND Header Mismatch Select this option to enable a mismatch check for the source MAC within the ND header and Link Layer Option. This setting is enabled by default.
    DHCPv6 Trust Select this option to enable the trust all DHCPv6 responses on this WLAN‘s firewall. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. This setting is disabled by default.
    RA Guard Select this option to enable router advertisements or ICMPv6 redirects on this WLAN‘s firewall. This setting is disabled by default.
  16. Set the following Wireless Client Deny configuration:
    Wireless Client Denied Traffic Threshold If enabled, any associated client that exceeds the thresholds configured for storm traffic is either deauthenticated or blacklisted depending on the selected action. The threshold range is 1-1000000 packets per second. This feature is disabled by default.
    Action If you are enabling a wireless client threshold, use the drop-down menu to determine whether clients are deauthenticated when the threshold is exceeded or blacklisted from connectivity for a user defined interval. Selecting None applies no consequence to an exceeded threshold.
    Blacklist Duration Select the check box and define a setting between 0 - 86,400 seconds. After the blacklist duration has been exceeded, offending clients can reauthenticate once again.
  17. Set a Firewall Session Hold Time in either Seconds (1 - 300) or Minutes (1 - 5).
    This is the hold time for caching user credentials and firewall state information when a client roams. The default setting is 30 seconds.
  18. Click OK when completed to update this WLAN‘s Firewall settings.
    Click Reset to revert the screen to its last saved configuration.

What to do next

Before defining an access control configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:
  • IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.
9036512-00 Rev AA