Add Client Role Firewall Rules

About this task

A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, a firewall can be thought of as a set of mechanisms that both block and permit data traffic based on inbound and outbound IP and MAC rules.

IP-based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL.

Additionally, administrators can filter Layer 2 traffic on a physical Layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, and the result is an allow, deny, or mark designation for the matching packet traffic.

To apply firewall rules to a wireless client role:

Procedure

  1. Select the Firewall Rules tab to apply firewall rules to IP, IPv6, and MAC traffic originating from clients associated with this role.
    Wireless Client Roles - Add/Edit - Roles - Firewall Rules Tab
  2. Set the VLAN ID (from 1 to 4094) for the virtual LAN used by clients matching the IP or MAC inbound and outbound rules of this policy.
  3. Use the Application Policy drop-down menu to select the appropriate application policy to use with this firewall rule.
    An application policy defines the rules or actions executed on traffic from recognized HTTP (e.g., Facebook), enterprise (e.g., Webex), and peer-to-peer (e.g., gaming) applications or application categories.

    Legacy WiNG devices use a third-party DPI engine to detect top-level hosting applications along with the services these applications host. In contrast, WiNG AP5xx model APs running WiNG 7.1.2 and later versions of the WiNG 7 OS use the Purview™ libDPI engine to enforce AVC.

    For legacy 802.11ac APs, specify an application policy to enforce AVC. For more information, see Create an Application Policy and Create an Application Group.

    For 802.11ax AP5xx APs running WiNG 7.1.2 and later versions of the WiNG 7 OS, specify a Purview application policy to enforce AVC. For more information, refer to the WiNG 7.2.1 CLI reference guide.

  4. Specify an IPv6 Inbound or IPv6 Outbound firewall rule by selecting a rule from the drop-down menu, then use the spinner control to assign the rule Precedence.
    Rules with lower precedence are always applied first to packets. Select the + Add Row button or Delete icon as needed to add or remove IPv6 firewall rules. If no IPv6 inbound or outbound firewall ACL exists, create the IPv6 firewall ACL and use it here.
  5. Specify an IP Inbound or IP Outbound firewall rule by selecting a rule from the drop-down menu, then use the spinner control to assign the rule Precedence.
    Rules with lower precedence are always applied first to packets. Select the + Add Row button or Delete icon as needed to add or remove IP firewall rules. If no IP inbound or outbound firewall ACL exists, create the IP firewall ACL and use it here.
  6. Specify a MAC Inbound or MAC Outbound firewall rule by selecting a rule from the drop-down menu, then use the spinner control to assign the rule Precedence.
    Rules with lower precedence are always applied first to packets. Select the + Add Row button or Delete icon as needed to add or remove MAC firewall rules. If no MAC inbound or outbound firewall ACL exists, create the MAC firewall ACL and use it here.
  7. Select OK to save the Firewall Rules updates.
    Select Reset to revert to the last saved configuration.
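
The precedence ordering described in steps 4 through 6 can be checked offline before rules are assigned to a role. The following is an added example, not code from the WiNG product or its documentation: it evaluates rules in ascending precedence and reports rules that can never match because a broader, lower-precedence rule is applied first. It assumes first-match evaluation and a default deny when no rule matches; the rule names and addresses are constructed, and it handles one IP version per rule set.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    precedence: int   # lower value is applied first, as the procedure states
    name: str         # hypothetical rule name
    action: str       # "allow" or "deny"
    src: str          # source network in CIDR form
    dst: str          # destination network in CIDR form

    def covers(self, src, dst):
        """True if networks src and dst fall entirely inside this rule's networks."""
        return (src.subnet_of(ipaddress.ip_network(self.src))
                and dst.subnet_of(ipaddress.ip_network(self.dst)))

def ordered(rules):
    return sorted(rules, key=lambda r: r.precedence)

def decide(rules, src_ip, dst_ip, default="deny"):
    """Return (action, rule name) for one packet; first match wins (assumption)."""
    src = ipaddress.ip_network(src_ip)   # a bare address parses as a /32
    dst = ipaddress.ip_network(dst_ip)
    for rule in ordered(rules):
        if rule.covers(src, dst):
            return rule.action, rule.name
    return default, None                 # assumed default when nothing matches

def shadowed(rules):
    """List (hidden, hiding) name pairs where an earlier rule covers a later one."""
    seq = ordered(rules)
    pairs = []
    for i, later in enumerate(seq):
        src, dst = ipaddress.ip_network(later.src), ipaddress.ip_network(later.dst)
        for earlier in seq[:i]:
            if earlier.covers(src, dst):
                pairs.append((later.name, earlier.name))
                break
    return pairs

# Constructed sample rule set for a guest role (not taken from the product)
RULES = [
    Rule(10, "allow-guest-any", "allow", "10.20.0.0/16", "0.0.0.0/0"),
    Rule(20, "deny-guest-to-mgmt", "deny", "10.20.0.0/16", "192.168.10.0/24"),
    Rule(30, "deny-lab-to-mgmt", "deny", "10.30.0.0/16", "192.168.10.0/24"),
]

if __name__ == "__main__":
    print(decide(RULES, "10.20.5.9", "192.168.10.4"))
    print(shadowed(RULES))
```

In the sample set the deny at precedence 20 is never reached; giving it a precedence below 10 makes it take effect.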