Hello, I'm having problems with Aruba AP connection through a FW.
I got my APs in the inside zone, and the controller is in a DMZ. Previously I had a security rule that allowed aruba-papi and syslog app and the AP connected to the controller without any problems. But After I updated the firewall to 7.1 (now 7.1.19) the rule has not been working anymore (The controller cannot see any APs connected. In the traffic log I noticed that the firewall sees the tunnels as "insufficient-data" app instead of "aruba-papi"
I've tried adding "gre" app also but it didn't helped.
The only thing that works now is an any app and any service rule.
Has anyone had a similar problem?
Generally for something like this I would actually utilize a custom application signature instead of relying on the built-in application IDs. If you don't have the experience to build a custom app-id then I would use an application-override policy. This prevents updates of any type from killing controller access.
As a side note, I wouldn't use an app/service any policy for something like this. At the very least the application would be set the any and then the service would be set to a particular port, even when the firewall records insufficient-data this policy would allow the connection. As you've described the situation it sounds like you are allowing the APs full access to the controller regardless of application and port which is generally ill-advised and unnecessary.
I've tried using services instead of apps, but the connection between the APs and the controller it's also a gre tunel.
Aruba says the following about placing a firewall between the AP and the controller:
Between an AP and the controller:
|||PAPI (UDP port 8211). If the AP uses DNS to discover the LMS controller, the AP first attempts to connect to the master controller. (Also allow DNS (UDP port 53) traffic from the AP to the DNS server.)|
|||PAPI (UDP port 8211). All APs running as Air Monitors (AMs) require a permanent PAPI connection to the master controller.|
|||FTP (TCP port 21).|
|||TFTP (UDP port 69) all APs, if there is no local image on the AP (for example, a new AP) the AP will use TFTP to retrieve the initial image.|
|||SYSLOG (UDP port 514).|
|||PAPI (UDP port 8211).|
|||GRE (protocol 47).|
Do you know how to permit gre without using app?
GRE should be identified correctly yes? There are some instances where you need to create multiple rules to get everything to work properly, this may be one of them.
You effectively have two options:
1) Build a custom application to identify the PAPI traffic, or use an application-override policy to specify this traffic as aruba-papi again. Then your policy as built would work perfectly fine.
2) Create multiple policies to allow all the required pieces. You could have one for all the traffic properly identified by app-id ( assuming FTP TFTP SYSLOG GRE) and then create a seperate policy that explicitly allows 8211/UDP for the PAPI traffic.
One allows a cleaner security rulebase while adding an entry in the application-override rulebase; the other simply adds an additional entry directly to the security rulebase.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!