Users Guide

Table Of Contents
459 | Roles and Policies Dell Networking W-Series ArubaOS 6.4.x| User Guide
In phase1, if the session ACL lookup results in an L3/L4 ACE entry request, the traffic pertaining to the session
is guided by this L3/L4 ACE entry. However, if the session ACL lookup results in an application/application
category specific ACE entry, the enforcement is postponed until phase 2. Once the application is determined,
the session ACL is re-applied with "application/application category" information to determine the final action
on the traffic.
Global Session ACL
The Global Session ACL is used to configure ACL rules that span across or are common to all roles. They are
applied to all roles. The "global-sacl" rules take precedence over any other ACLs that may be in the user role.
A new session ACL has been added named "global-sacl." This session, by default, is in position one for every
user role configured on the controller. The global-sacl session ACL has the following properties:
l It cannot be deleted.
l It always remains at position one in every role and its position cannot be modified.
l It contains only application rules.
l It can be modified in the WebUI, CLI, and dashboard on a master controller.
l Any modifications to it resulst in the regeneration of ACE’s of all roles.
Role Default Session ACL
You can configure role-specific application configuration using the WebUI and dashboard. For example, you
can deny the facebook application on the guest role using the CLI or dashboard without having to change the
firewall configuration. This per-user role configuration from WebUI or Dashboard is placed in the Role Default
Session ACL.
A new role session ACL named apprf-“role-name”-sacl has been added. This session, by default, is in position
two for every user role configured on the controller.
The string "apprf" is added to the beginning and "sacl" to the end of a role’s name to form a controllerunique
name for role default session ACL. This session ACL is in position two of the given user role after the global
session ACL and takes the next higher priority after global policy rules.
The predefined role session ACL has the following properties:
l It cannot be deleted through the WebUI or CLI. It it is only deleted automatically when the corresponding
role is deleted.
l It always remains at position 2 in every role and its position cannot be modified.
l It contains only application rules.
l It can be modified using the WebUI, CLI, or dashboard on a master controller, however any modification
results in the regeneration of ACE’s for that role.
l It cannot be applied to any other role.
Each application has an implicit set of ports that are used for communication. In phase 1, if an application ACE
entry is hit, the traffic matching this application’s implicit port is allowed (as governed by the application ACE).
The DPI engine can monitor the exchange on these ports and determine the application. Once the application
is determined, phase 2 occurs when an evaluation is done to determine the final outcome for the session.
Example
This example shows a DPI rule along with a L3/L4 rule with forwarding action in the same ACL. Both
ACLpolicies can be applied to a single user role.
ACL Policy "AppRules", Policy Type: Session
l Rule 1
n source: any