
Configuring Firewall Policies and ACLs

To secure your branch, you must configure a policy with a set of ACLs and apply these policies to user roles or user-facing VLAN interfaces.

For an SD Branch setup, the general recommendation is to set the WAN-facing ports as trusted and LAN-facing ports as untrusted. Although WAN-facing ports are trusted, Aruba recommends that you apply a restrictive firewall policy to the WAN interfaces.

As LAN-facing ports are untrusted, it is very important to secure your branch by applying an AAA profile to the VLANs configured for the LAN interfaces. When an AAA policy is applied, SD-WAN Gateways assign the user roles based on the role preferences configured in the AAA profile.

Firewall Policies for SD Branch

The SD Branch solution supports identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for the WAN network. You can configure firewall policies on Branch Gateways to define user access to the network, set priority queues for Quality of Service (QoS), and assign bandwidth contracts.

A firewall policy identifies specific characteristics of a data packet and performs an action on it. The action can be one of the following types:

Firewall-type action such as permitting or denying the packets.

Administrative action such as logging the packets.

QoS action such as setting 802.1p bits or placing the packet in a priority queue.

Types of ACLs

Aruba Central allows you to configure the following types of ACLs on Branch Gateways.

Standard ACLs—Permit or deny any traffic based on the source IP address of the packet. Standard ACLs can be either named or numbered, with valid numbers in the range of 1–99 and 1300–1399. Standard ACLs use a bit-wise mask to specify the portion of the source IP address to be matched.

Extended ACLs—Permit or deny any traffic based on source or destination IP address, source or destination port number, or IP protocol. Extended ACLs can be named or numbered, with valid numbers in the range of 100–199 and 2000–2699.

MAC ACLs—Filter the traffic on a specific source MAC address or range of MAC addresses. MAC ACLs can be either named or numbered, with valid numbers in the range of 700–799 and 1200–1299.

Ethertype ACLs—Filter the traffic based on the Ethertype field in the frame header. Ethertype ACLs can be either named or numbered, with valid numbers in the range of 200–299. These ACLs can be used to permit IP while blocking non-IP protocols, such as IPX or AppleTalk.

Session ACLs—Restrict all services from specific hosts and subnets. Rules with this ACL are applied to all traffic on the Branch Gateway regardless of the ingress port or VLAN.

Route ACLs—Forward all packets to a device defined by an IPsec map, a next hop list, a tunnel, or a tunnel group.
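Worked example, added here and not part of the Aruba documentation or of any Aruba software: a small Python model of the numbered-ACL ranges listed above, and of first-match rule evaluation using the permit/deny and log actions described under Firewall Policies for SD Branch. It assumes that the bit-wise source mask of a standard ACL behaves like a classic wildcard mask (a 1 bit means "do not care"), which the page does not spell out, and that unmatched traffic is implicitly denied; the rules, hosts and subnets are constructed sample data, not a real deployment.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Numbered-ACL ranges exactly as listed on the page; named ACLs carry no number.
ACL_NUMBER_RANGES = {
    "standard": [(1, 99), (1300, 1399)],
    "extended": [(100, 199), (2000, 2699)],
    "mac": [(700, 799), (1200, 1299)],
    "ethertype": [(200, 299)],
}


def acl_type_for_number(number: int) -> Optional[str]:
    """Return the ACL type that owns a given ACL number, or None if no type claims it."""
    for acl_type, ranges in ACL_NUMBER_RANGES.items():
        if any(lo <= number <= hi for lo, hi in ranges):
            return acl_type
    return None


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Bit-wise mask match (assumption: wildcard semantics, 1 = ignore bit, 0 = must match)."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # bits that must be equal
    return (a & care) == (b & care)


@dataclass
class Rule:
    """One ACL entry. A standard-ACL rule leaves dst/proto/dport at their 'any' defaults."""
    action: str                       # firewall-type action: "permit" or "deny"
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"  # match any source
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"  # match any destination
    proto: Optional[str] = None       # "tcp", "udp", ... or None for any protocol
    dport: Optional[int] = None       # destination port, or None for any
    log: bool = False                 # administrative action: log the packet


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """First matching rule wins; returns (action, index of matched rule or None, log flag).
    No match falls through to an implicit deny without logging (assumption)."""
    for i, r in enumerate(rules):
        if not wildcard_match(pkt.src, r.src, r.src_wild):
            continue
        if not wildcard_match(pkt.dst, r.dst, r.dst_wild):
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return (r.action, i, r.log)
    return ("deny", None, False)


# Constructed sample policy for a LAN-facing (untrusted) VLAN: block and log
# cleartext management access from the user subnet to a management host, then
# permit the rest of that subnet; everything else hits the implicit deny.
SAMPLE_RULES = [
    Rule("deny", src="10.1.0.0", src_wild="0.0.255.255",
         dst="10.9.9.9", dst_wild="0.0.0.0", proto="tcp", dport=23, log=True),
    Rule("permit", src="10.1.0.0", src_wild="0.0.255.255"),  # standard-ACL style entry
]

if __name__ == "__main__":
    for n in (50, 150, 250, 750, 1250, 1350, 2500, 500):
        print(n, acl_type_for_number(n))
    for pkt in (Packet("10.1.20.5", "10.9.9.9", "tcp", 23),
                Packet("10.1.20.5", "203.0.113.7", "tcp", 443),
                Packet("192.168.5.5", "203.0.113.7", "udp", 53)):
        print(pkt, "->", evaluate(SAMPLE_RULES, pkt))
```

The order of entries matters: the logged deny sits above the broad permit, so the permit never masks it. When reviewing a real policy, checking that specific deny entries precede broad permits is the same exercise this evaluator performs mechanically.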
