User's Manual
Field Description
Source
(required)
Source of the traffic, which can be one of the following:
l any: Acts as a wildcard and applies to any source address.
l user: This refers to traffic from the wireless client.
l host: This refers to traffic from a specific host. When this option is chosen, you must
configure the IP address of the host.
l network: This refers to a traffic that has a source IP from a subnet of IP addresses.
When this option is chosen, you must configure the IP address and network mask of
the subnet.
l alias: This refers to using an alias for a host or network. You configure the alias by
navigating to the Configuration > Advanced Services > Stateful Firewall >
Destination page.
Destination
(required)
Destination of the traffic, which can be configured in the same manner as Source.
Service
(required)
Type of traffic, which can be one of the following:
l any: This option specifies that this rule applies to any type of traffic.
l tcp: Using this option, you configure a range of TCP port(s) to match for the rule to
be applied.
l udp: Using this option, you configure a range of UDP port(s) to match for the rule to
be applied.
l service: Using this option, you use one of the pre-defined services (common
protocols such as HTTPS, HTTP, and others) as the protocol to match for the rule to
be applied. You can also specify a network service that you configure by navigating
to the Configuration > Advanced Services > Stateful Firewall > Network
Services page.
l protocol: Using this option, you specify a different layer 4 protocol (other than
TCP/UDP) by configuring the IP protocol value.
Action
(required)
The action that you want the controller to perform on a packet that matches the
specified criteria. This can be one of the following:
l permit: Permits traffic matching this rule.
l drop: Drops packets matching this rule without any notification.
l reject: Drops the packet and sends an ICMP notification to the traffic source.
l src-nat: Performs network address translation (NAT) on packets matching the rule.
When this option is selected, you need to select a NAT pool. (If this pool is not
configured, you configure a NAT pool by navigating to the Configuration >
Advanced > Security > Advanced > NAT Pools). Source IP changes to the
outgoing interface IP address (implied NAT pool) or from the pool configured
(manual NAT pool). This action functions in tunnel/decrypt-tunnel forwarding mode.
l dst-nat: This option redirects traffic to the configured IP address and destination
port. An example of this option is to redirect all HTTP packets to the captive portal
port on the Dell controller as used in the pre-defined policy called “captiveportal”.
This action functions in tunnel/decrypt-tunnel forwarding mode. User should
configure the NAT pool in the controller.
l dual-nat: This option performs both source and destination NAT on packets
matching the rule. Forward packets from source network to destination; re-mark
them with destination IP of the target network. This action functions in
tunnel/decrypt-tunnel forwarding mode. User should configure the NAT pool in the
controller.
l redirect to tunnel: This option redirects traffic into a GRE tunnel. This option is used
primarily to redirect all guest traffic into a GRE tunnel to a DMZ router/switch.
l redirect to ESI group: This option redirects traffic to the specified ESI server group.
You also specify the direction of traffic to be redirected: forward, reverse, or both
directions.
l route: Specify the next hop to which packets are routed, which can be one of the
following:
Table 61: Firewall Policy Rule Parameters
Dell Networking W-Series ArubaOS 6.4.x | User Guide Roles and Policies | 366