Dell 6.2 Server User Manual


 
Table 80: Firewall Policy Rule Parameters

Field: Source (required)
Description: Source of the traffic, which can be one of the following:
  - any: Acts as a wildcard and applies to any source address.
  - user: Traffic from the wireless client.
  - host: Traffic from a specific host. When this option is chosen, you must configure the IP address of the host.
  - network: Traffic whose source IP belongs to a subnet of IP addresses. When this option is chosen, you must configure the IP address and network mask of the subnet.
  - alias: Uses an alias for a host or network. You configure the alias by navigating to the Configuration > Advanced Services > Stateful Firewall > Destination page.

Field: Destination (required)
Description: Destination of the traffic, which can be configured in the same manner as Source.

Field: Service (required)
Description: Type of traffic, which can be one of the following:
  - any: This rule applies to any type of traffic.
  - tcp: You configure a range of TCP port(s) that must match for the rule to be applied.
  - udp: You configure a range of UDP port(s) that must match for the rule to be applied.
  - service: You use one of the pre-defined services (common protocols such as HTTPS, HTTP, and others) as the protocol to match for the rule to be applied. You can also specify a network service that you configure by navigating to the Configuration > Advanced Services > Stateful Firewall > Network Services page.
  - protocol: You specify a different layer 4 protocol (other than TCP/UDP) by configuring the IP protocol value.

Field: Action (required)
Description: The action that you want the controller to perform on a packet that matches the specified criteria. This can be one of the following:
  - permit: Permits traffic matching this rule.
  - drop: Drops packets matching this rule without any notification.
  - reject: Drops the packet and sends an ICMP notification to the traffic source.
  - src-nat: Performs network address translation (NAT) on packets matching the rule. When this option is selected, you need to select a NAT pool. (If this pool is not configured, you configure a NAT pool by navigating to Configuration > Advanced > Security > Advanced > NAT Pools.) The source IP changes to the outgoing interface IP address (implied NAT pool) or to an address from the configured pool (manual NAT pool). This action functions in tunnel/decrypt-tunnel forwarding mode.
  - dst-nat: Redirects traffic to the configured IP address and destination port. An example of this option is to redirect all HTTP packets to the captive portal port on the Dell controller, as used in the pre-defined policy called "captiveportal". This action functions in tunnel/decrypt-tunnel forwarding mode. The user should configure the NAT pool in the controller.
  - dual-nat: Performs both source and destination NAT on packets matching the rule. Packets are forwarded from the source network to the destination and re-marked with the destination IP of the target network. This action functions in tunnel/decrypt-tunnel forwarding mode. The user should configure the NAT pool in the controller.
  - redirect to tunnel: Redirects traffic into a GRE tunnel. This option is used primarily to redirect all guest traffic into a GRE tunnel to a DMZ router/switch.
  - redirect to ESI group: Redirects traffic to the specified ESI server group. You also specify the direction of traffic to be redirected: forward, reverse, or both directions.
  - route: Specify the next hop to which packets are routed, which can be one of the following:
      - dst-nat: The destination IP changes to the IP configured from the NAT pool. This action functions in bridge/split-tunnel forwarding mode. The user should configure the NAT pool in the controller.
      - src-nat: The source IP changes to the RAP's external IP. This action functions in bridge/split-tunnel forwarding mode and uses the implied NAT pool.

Field: Log (optional)
Description: Logs a match to this rule. This is recommended when a rule indicates a security breach, such as a data packet on a policy that is meant only to be used for voice calls.
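To make the interaction of the Source, Destination, Service, Action and Log fields concrete, here is a small Python model of how a packet is checked against a list of such rules. This is an added example, not Dell or ArubaOS code, and it assumes two things the table does not state: rules are evaluated top-down with the first match deciding the action, and a packet matching no rule is dropped. The pre-defined service table, the addresses and the voice-only policy are constructed for the example; the "alias" source type, the NAT, tunnel and ESI actions are deliberately left out because they depend on controller objects that have no stand-alone equivalent here.

```python
# Added example: a small model of the rule parameters in Table 80.
# This is not Dell or ArubaOS code; it only shows how the Source, Destination,
# Service and Action fields combine when a packet is checked against a policy.
# Assumption (not stated in the table): rules are evaluated top-down and the
# first matching rule decides the action; a packet matching no rule is dropped.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the controller's pre-defined services:
# name -> (protocol, low port, high port).
PREDEFINED_SERVICES = {
    "http": ("tcp", 80, 80),
    "https": ("tcp", 443, 443),
    "sip": ("udp", 5060, 5060),
}
PROTO_NUM = {"tcp": 6, "udp": 17}


@dataclass
class Packet:
    src: str           # source IP address
    dst: str           # destination IP address
    proto: int         # IP protocol number (6 = TCP, 17 = UDP, 47 = GRE, ...)
    dport: int = 0     # destination port, 0 when the protocol has none
    user_ip: str = ""  # address of the wireless client the packet belongs to


@dataclass
class Rule:
    source: str        # "any" | "user" | "host A.B.C.D" | "network A.B.C.D/M"
    destination: str   # same forms as source
    service: str       # "any" | "tcp LO-HI" | "udp LO-HI" | "service NAME" | "protocol N"
    action: str        # "permit" | "drop" | "reject"
    log: bool = False  # Log (optional): record matches to this rule


def match_endpoint(spec: str, ip: str, user_ip: str) -> bool:
    """Match one address against a Source/Destination field value."""
    kind, _, arg = spec.partition(" ")
    if kind == "any":
        return True
    if kind == "user":
        return user_ip != "" and ip_address(ip) == ip_address(user_ip)
    if kind == "host":
        return ip_address(ip) == ip_address(arg)
    if kind == "network":
        return ip_address(ip) in ip_network(arg, strict=False)
    raise ValueError(f"unsupported endpoint spec: {spec!r}")


def match_service(spec: str, pkt: Packet) -> bool:
    """Match a packet's protocol and destination port against a Service field value."""
    kind, _, arg = spec.partition(" ")
    if kind == "any":
        return True
    if kind == "service":
        proto, lo, hi = PREDEFINED_SERVICES[arg]
        return pkt.proto == PROTO_NUM[proto] and lo <= pkt.dport <= hi
    if kind in ("tcp", "udp"):
        lo, _, hi = arg.partition("-")
        low, high = int(lo), int(hi or lo)  # "80" means the single port 80
        return pkt.proto == PROTO_NUM[kind] and low <= pkt.dport <= high
    if kind == "protocol":
        return pkt.proto == int(arg)
    raise ValueError(f"unsupported service spec: {spec!r}")


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (action, logged) for the first rule that matches pkt."""
    for rule in rules:
        if (match_endpoint(rule.source, pkt.src, pkt.user_ip)
                and match_endpoint(rule.destination, pkt.dst, pkt.user_ip)
                and match_service(rule.service, pkt)):
            return rule.action, rule.log
    return "drop", False  # assumed implicit drop when no rule matches


# Constructed voice-only policy: SIP signalling and an RTP media range are
# permitted; anything else is a data packet on a voice policy, so it is
# dropped and logged, as the Log field's description recommends.
VOICE_POLICY = [
    Rule("user", "any", "service sip", "permit"),
    Rule("user", "any", "udp 16384-32767", "permit"),
    Rule("any", "any", "any", "drop", log=True),
]


def check_voice_policy(pkt: Packet) -> tuple:
    return evaluate(VOICE_POLICY, pkt)


if __name__ == "__main__":
    client = "10.1.1.20"  # constructed wireless client address
    sip = Packet(client, "10.2.2.5", 17, 5060, user_ip=client)
    web = Packet(client, "10.9.9.9", 6, 80, user_ip=client)
    print("SIP call:", check_voice_policy(sip))               # ('permit', False)
    print("HTTP on voice policy:", check_voice_policy(web))   # ('drop', True)
```

The final catch-all rule with the Log flag set is what turns the policy into a detection source: a permitted call produces no log entry, while any non-voice traffic from the client lands on the logged drop rule, which is exactly the "data packet on a voice-only policy" case the Log field describes.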
Dell PowerConnect W-Series ArubaOS 6.2 | User Guide    Roles and Policies | 298