Aruba Instant 6.5.0.0-4.3.0.0 | User Guide
Roles and Policies |
182
Chapter 14
Roles and Policies
This chapter describes the procedures for configuring user roles, role assignment, and firewall policies.
l
l
l
Configuring User Roles on page 199
l
Configuring Derivation Rules on page 201
l
Using Advanced Expressions in Role and VLAN Derivation Rules on page 207
Firewall Policies
Instant firewall provides identity-based controls to enforce application-layer security, prioritization, traffic
forwarding, and network performance policies for wired and wireless networks. Using Instant firewall, you can
enforce network access policies that define access to the network, areas of the network that users may access,
and the performance thresholds of various applications.
Instant supports a role-based stateful firewall. Instant firewall recognizes flows in a network and keeps track of
the state of sessions. Instant firewall manages packets according to the first rule that matches the packet. The
firewall logs on the IAPs are generated as syslog messages.
Access Control List Rules
You can use Access Control List (ACL) rules to either permit or deny data packets passing through the IAP. You
can also limit packets or bandwidth available to a set of user roles by defining access rules. By adding custom
rules, you can block or allow access based on the service or application, source or destination IP addresses.
You can create access rules to allow or block data packets that match the criteria defined in an access rule. You
can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the
inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or block the
network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly block
outbound traffic to an IP address through the firewall.
The IAP clients are associated with user roles, that determine the client’s network privileges and the frequency
at which clients re-authenticate.
Instant supports the following types of ACLs:
l
ACLs that permit or deny traffic based on the source IP address of the packet.
l
ACLs that permit or deny traffic based on the source or destination IP address, and the source or
destination port number.
l
ACLs that permit or deny traffic based on network services, application, application categories, web
categories, and security ratings.
You can configure up to 128 access control entries in an ACL for a user role.
The maximum configurable universal role is 4096.
Configuring ACL Rules for Network Services
This section describes the procedure for configuring ACLs to control access to network services.