User's Manual
383 | Roles and Policies Dell Networking W-Series ArubaOS 6.4.x| User Guide
firewall configuration. This per-user role configuration from the WebUI or Dashboard is placed in the Role Default Session ACL.
A new role session ACL named apprf-<role-name>-sacl has been added. By default, this session ACL is in position two for every user role configured on the controller.
The string "apprf" is prepended and "sacl" appended to the role's name to form a controller-unique name for the role default session ACL. This session ACL sits in position two of the given user role, after the global session ACL, and takes the next higher priority after the global policy rules.
The predefined role session ACL has the following properties:
• It cannot be deleted through the WebUI or CLI. It is deleted automatically only when the corresponding role is deleted.
• It always remains at position 2 in every role and its position cannot be modified.
• It contains only application rules.
• It can be modified using the WebUI, CLI, or Dashboard on a master controller; however, any modification results in the regeneration of the ACEs for that role.
• It cannot be applied to any other role.
Session ACL Examples
The following CLI configuration shows how pre-classification and post-classification occur during enforcement:
any any app skype permit
any any any deny
Each application has an implicit set of ports used for communication. In phase 1, if an application ACE is hit, traffic matching that application's implicit ports is allowed (as governed by the application ACE). The DPI engine then monitors the exchange on these ports and determines the application. Once the application is determined, phase 2 occurs: the session is re-evaluated to determine its final outcome.
The following CLI configuration example is a user role with both the global and role session ACLs:
user-role employee
ip access-list session global-sacl
ip access-list session apprf-employee-sacl
ip access-list session control
any any app gmail-chat permit
any any app youtube permit
any any any deny
This example shows DPI rules alongside L3/L4 rules with forwarding actions in the same ACL:
ip access-list session AppRules
any any app Facebook permit tos 45
any any app YouTube deny
any any appcategory peer-to-peer deny
any any tcp 23 permit
network 40.1.0.0/16 any tcp 80 permit tos 60
network 20.1.0.0/16 any tcp 80 src-nat
!
ip access-list session NetRules
network 80.0.0.0/24 any tcp 80 deny
network 60.0.0.0/24 any tcp 80 dual-nat pool <pool1>
network 10.0.0.0/24 any tcp 80 dst-nat
!
user-role Role1
session-acl AppRules
session-acl NetRules
!
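The two-phase evaluation described above (phase 1 on implicit ports, phase 2 after DPI classification) and the ordered ACL lists of the employee and Role1 examples can be modelled in a few lines. The following Python is an added example, not Dell or Aruba code: it parses only the rule subset that appears on this page, and the implicit-port table, the application-category table, the helper names, the implicit-deny assumption and every sample flow are constructed for illustration.

```python
"""Two-phase (pre/post-classification) session-ACL evaluation.

Added example modelled on the AppRF behaviour described in this section; it is
not Dell/Aruba code.  It accepts the rule subset shown on this page
(<src> <dst> <service> <action> [options]).  The implicit-port table, the
app-category table, the helper names and all sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed: ports the DPI engine treats as each application's implicit ports.
IMPLICIT_PORTS = {"skype": {443, 3478}, "gmail-chat": {443}, "youtube": {443},
                  "facebook": {80, 443}, "bittorrent": {6881}}
# Constructed: application category membership.
APP_CATEGORY = {"peer-to-peer": {"bittorrent"}}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    app: Optional[str] = None   # None until DPI has classified the session


@dataclass
class Rule:
    src: str            # "any" or a CIDR prefix
    dst: str
    service: str        # "any", "app", "appcategory", "tcp" or "udp"
    arg: Optional[str]  # application, category or port
    action: str         # permit, deny, src-nat, dst-nat, dual-nat ...


def _take_addr(tok, i):
    """Consume 'any' or 'network <prefix>' starting at tok[i]."""
    if tok[i] == "network":
        return tok[i + 1], i + 2
    return tok[i], i + 1


def parse_rule(line: str) -> Rule:
    tok = line.split()
    src, i = _take_addr(tok, 0)
    dst, i = _take_addr(tok, i)
    service = tok[i].lower()
    arg = None
    if service in ("app", "appcategory", "tcp", "udp"):
        arg = tok[i + 1].lower()
        i += 2
    else:
        i += 1
    return Rule(src, dst, service, arg, tok[i])  # trailing tos/pool options ignored


def parse_acl(lines):
    return [parse_rule(l) for l in lines]


def _addr_match(spec, ip):
    return spec == "any" or ip_address(ip) in ip_network(spec)


def rule_matches(r: Rule, f: Flow, phase: int) -> bool:
    if not (_addr_match(r.src, f.src) and _addr_match(r.dst, f.dst)):
        return False
    if r.service == "any":
        return True
    if r.service in ("tcp", "udp"):
        return f.proto == r.service and f.dport == int(r.arg)
    apps = {r.arg} if r.service == "app" else APP_CATEGORY.get(r.arg, set())
    if phase == 1:
        # Pre-classification: an application ACE matches on the application's
        # implicit ports so that the DPI engine can observe the exchange.
        return any(f.dport in IMPLICIT_PORTS.get(a, set()) for a in apps)
    # Post-classification: only the application DPI actually identified counts.
    return f.app in apps


def evaluate(role_acls, flow: Flow, phase: int):
    """First-match evaluation over the role's ACLs in order.  An implicit deny
    when nothing matches is an assumption made for this example."""
    for name, rules in role_acls:
        for r in rules:
            if rule_matches(r, flow, phase):
                return name, r.action
    return "implicit", "deny"


def session_outcome(role_acls, flow: Flow, identified_app: Optional[str]):
    """Phase 1 on the unclassified flow, then phase 2 once DPI reports
    identified_app.  Returns ((acl, action) for phase 1, (acl, action) for phase 2)."""
    first = evaluate(role_acls, flow, 1)
    if first[1] == "deny":
        return first, first          # dropped before DPI ever sees it
    classified = Flow(flow.src, flow.dst, flow.proto, flow.dport, identified_app)
    return first, evaluate(role_acls, classified, 2)


# The employee role from this section; global-sacl and apprf-employee-sacl are
# shown empty here (constructed), 'control' holds the page's rules.
EMPLOYEE = [
    ("global-sacl", []),
    ("apprf-employee-sacl", []),
    ("control", parse_acl(["any any app gmail-chat permit",
                           "any any app youtube permit",
                           "any any any deny"])),
]
# Role1 from the section's last example.
ROLE1 = [
    ("AppRules", parse_acl(["any any app Facebook permit tos 45",
                            "any any app YouTube deny",
                            "any any appcategory peer-to-peer deny",
                            "any any tcp 23 permit",
                            "network 40.1.0.0/16 any tcp 80 permit tos 60",
                            "network 20.1.0.0/16 any tcp 80 src-nat"])),
    ("NetRules", parse_acl(["network 80.0.0.0/24 any tcp 80 deny",
                            "network 60.0.0.0/24 any tcp 80 dual-nat pool <pool1>",
                            "network 10.0.0.0/24 any tcp 80 dst-nat"])),
]

if __name__ == "__main__":
    tls = Flow("10.1.1.5", "203.0.113.9", "tcp", 443)   # constructed client flow
    print(session_outcome(EMPLOYEE, tls, "youtube"))    # permitted in both phases
    print(session_outcome(EMPLOYEE, tls, "facebook"))   # permitted at phase 1, denied after DPI
```

Two things the model makes visible that the configuration listing does not: a TCP/443 session in the employee role is admitted by the gmail-chat ACE in phase 1 even if DPI later identifies it as Facebook, and is only cut off at phase 2 by the trailing `any any any deny`; and in Role1 a flow from 10.0.0.0/24 to port 80 is admitted in phase 1 through the Facebook ACE's implicit port 80, while its final phase-2 action (dst-nat from NetRules) comes from the first L3/L4 rule that matches once the app is known not to be Facebook.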