User's Manual
To disable global DPI:
(host)(config)# no firewall dpi
Global classification is not disabled until you reboot (reload) the controller after disabling DPI.
Show Command Output
The show datapath session output now includes:
• A new parameter, show datapath session dpi, displays application ID, application name, and the
  following ACL/ACE index information for a given session:
  ▪ AclVersion: This is used to store the current version number of the ACL that is used at session creation
    time and is used for troubleshooting purposes.
  ▪ PktsDpi: The number of packets sent to the DPI engine for a given session.
  ▪ AceIdx: The index of the Access List entry (in a given ACL) that triggered a match during session creation.
  ▪ DpiTIdx: This is an index to the DPI engine Tbl and is only used for troubleshooting purposes.
• A new flag, A - Application Firewall Inspect, indicates that a flow is being subjected to DPI.
Configuring Policies for AppRF 2.0
Access control lists now contain new application and application category options that let you permit or deny
an application or application category on a given role. See the Dashboard Monitoring AppRF topic for details
about configuring policies from the Dashboard.
How ACL Works with AppRF
A session entry proceeds through two phases: the application detection phase (phase 1) and the
post-application detection phase (phase 2). A session ACL is applied in both phase 1 and phase 2.
In phase 1, if the session ACL lookup matches an L3/L4 ACE, the traffic for that session is governed by
that L3/L4 ACE. However, if the lookup matches an application-specific or application-category-specific
ACE, enforcement is postponed until phase 2. Once the application is determined, the session ACL is
re-applied with the "application/application category" information to determine the final action
on the traffic.
Global Session ACL
The Global Session ACL is used to configure ACL rules that are common to all roles; its rules are
applied to every role. The "global-sacl" rules take precedence over any other ACLs that may be in the user role.
A new session ACL named "global-sacl" has been added. By default, this session ACL is in position one for every
user role configured on the controller. The global-sacl session ACL has the following properties:
• It cannot be deleted.
• It always remains at position one in every role and its position cannot be modified.
• It contains only application rules.
• It can be modified in the WebUI, CLI, and dashboard on a master controller.
• Any modification to it results in the regeneration of the ACEs of all roles.
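The two-phase lookup from "How ACL Works with AppRF" and the position-one precedence of global-sacl can be modelled as below. This is an added example and a simplified model, not ArubaOS code; first-match ordering, the trailing implicit deny, and all ACL names, application names and categories in the sample policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                        # "permit" or "deny"
    proto: Optional[str] = None        # L3/L4 fields; None matches any
    dport: Optional[int] = None
    app: Optional[str] = None          # application name
    appcategory: Optional[str] = None  # application category

    @property
    def is_app_rule(self) -> bool:
        return self.app is not None or self.appcategory is not None

def build_role(global_sacl, role_acls):
    """Pin global-sacl at position one; it may hold only application rules."""
    if not all(ace.is_app_rule for ace in global_sacl):
        raise ValueError("global-sacl contains only application rules")
    return [("global-sacl", global_sacl)] + list(role_acls)

def lookup(role, proto, dport, app=None, category=None):
    """First-match walk. Phase 1: app is None. Phase 2: app is known.
    Returns (action, acl_name, ace_index)."""
    for name, aces in role:
        for idx, ace in enumerate(aces):
            if ace.proto not in (None, proto) or ace.dport not in (None, dport):
                continue
            if not ace.is_app_rule:
                return (ace.action, name, idx)   # L3/L4 ACE decides immediately
            if app is None:
                return ("deferred", name, idx)   # enforcement postponed to phase 2
            if ace.app == app or (category is not None and ace.appcategory == category):
                return (ace.action, name, idx)
    return ("deny", "implicit", -1)              # assumed implicit deny

# Constructed sample policy (illustrative names only).
EMPLOYEE_ACL = [Ace("deny", proto="tcp", dport=23),
                Ace("deny", app="facebook"),
                Ace("permit", proto="tcp", dport=443)]
ROLE_NO_GLOBAL = build_role([], [("employee-acl", EMPLOYEE_ACL)])
ROLE_WITH_GLOBAL = build_role([Ace("deny", appcategory="peer-to-peer")],
                              [("employee-acl", EMPLOYEE_ACL)])

if __name__ == "__main__":
    print(lookup(ROLE_NO_GLOBAL, "tcp", 23))     # decided in phase 1
    print(lookup(ROLE_WITH_GLOBAL, "tcp", 23))   # deferred by global-sacl
    print(lookup(ROLE_WITH_GLOBAL, "tcp", 443, "bittorrent", "peer-to-peer"))
```

In this model, once global-sacl holds an application rule, no session in any role is decided in phase 1, and the returned index plays the role of the AceIdx value when checking which entry produced the final action.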
Role Default Session ACL
You can configure role-specific application configuration using the WebUI and dashboard. For example, you
can deny the facebook application on the guest role using the CLI or dashboard without having to change the
Dell Networking W-Series ArubaOS 6.4.x | User Guide Roles and Policies | 382