How to Enable Application Firewall on Arista Access Points

 
 

Introduction

Arista Access Points include an Application Firewall feature, which allows you to define firewall rules at the application level (Layer 7).

This feature can be useful in corporate environments where the requirement is to either allow or block certain applications.

The applications that the Arista APs are able to recognize can be broadly classified into the following categories.

  • Messaging
  • Proxy
  • File Transfer
  • Networking
  • Web Services
  • Remote Access
  • VPN and Tunneling
  • Database
  • Network Monitoring
  • Collaboration
  • Games
  • Streaming Media
  • Streaming Media- Messaging
  • Mail
  • Social Networking

Prerequisites

  • Administrative access to CloudVision WiFi (CVW) / Wireless Manager (WM).
  • Application Visibility should be enabled on the SSID.

Solution

Enable Application Firewall via CVW

  • Navigate to Configure > WiFi > SSID > Access Control
  • Enable Application Firewall Rules and click on the ‘+’ to add a rule.
  • Select the Category. All the applications in that category will be listed under Application Name.
  • Select the applications and set the Action as Allow or Block.
  • You may configure multiple rules for different categories of applications.

Enable Application Firewall via WM

  • Navigate to Configuration > Device Configuration > SSID Profiles > Select SSID.
  • Scroll to the Firewall section and enable Application Firewall.
  • Click on Add Rule and select the Category. All the applications in that category will be listed under Application Name.
  • Select the applications and set the Action as Allow or Block.

Validate/Verify

To validate that the applied rules have taken effect, on CVW, navigate to Monitor > WiFi > Application Visibility and check whether the traffic counters are incrementing for the applications being blocked.

To verify this on WM, navigate to Monitoring > Applications and check whether the traffic counters are incrementing for the applications being blocked.

Notes:

  • The Default Rule is common to both the Layer 3-4 Firewall Rules and the Application Firewall Rules, and it is applied when no match is found in any of these rules.
  • After the firewall rules are applied, application classification takes a few minutes (~5) before the firewall starts blocking the traffic. During this classification, the traffic passes through the AP and also shows up on the Application Visibility tab.

Troubleshooting
