Home » Dell Manuals » Hubs & Switches » Dell PowerConnect W-IAP3WN » Manual Viewer

Dell PowerConnect W-IAP3WN Dell Instant 6.2.0.0-3.2.0.0 User Guide - Page 155

Instant Firewall

View all Dell PowerConnect W-IAP3WN manuals

Add to My Manuals
Save this manual to your list of manuals

Page 155 highlights

Chapter 14 Instant Firewall A firewall is a system designed to prevent unauthorized Internet users from accessing a private network connected to the Internet. It defines access rules and monitors all data entering or leaving the network and blocks data that does not satisfy the specified security policies. Dell W-Instant implements a W-Instant Firewall feature that uses a simplified firewall policy language. An administrator can define the firewall policies on an SSID or wireless LAN such as the Guest network or an Employee network. At the end of the authentication process, these policies are uniformly applied to users connected to that network. The W-Instant Firewall gives you the flexibility to limit packets or bandwidth available to a particular class of users. Instant Firewall manages packets according to the first rule the packet matches. 1. In the Networks tab, click the New link. The New WLAN window appears. 2. Navigate to Access tab to specify the access rules for the network. 3. Slide to Network-based using the scroll bar and click New to add a new rule. The New Rule window consists of the following options: l Rule type- Select the rule type (Access control, VLAN assignment) from the drop-down list. NOTE: This release of W-Instant supports configuration of up to 64 access control rules. l Action- Select Allow, Deny, or Destination-NAT from the drop-down list to allow or deny traffic with the specified service type and destination. l Log- Select this check box if you want a log entry to be created when this rule is triggered. Instant firewall supports firewall based logging function. Firewall logs on W-IAP are generated as syslog messages. l Blacklist- Select this check box if you want the client to be blacklisted when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the PEF window. See "Client Blacklisting" on page 255 for more information. l Classify media- Select this check box if you want to prioritize video and voice traffic. When enabled, deep packet inspection is performed on all non-NATed traffic, and the traffic is marked as follows: l Video: Priority 5 (Critical) l Voice: Priority 6 (Internetwork Control) l Disable scanning- Select this check box if you want ARM scanning to be paused when this rule is triggered, to optimize performance. NOTE: This feature only takes effect if ARM scanning is enabled, from the ARM tab of the RF dialog. Dell PowerConnect W-Series Instant Access Point 6.2.0.0-3.2.0.0 | User Guide 155 | Instant Firewall

Section	Page
Contents	3
About This Guide	15
Dell PowerConnect W-Instant Access Point Overview	15
Supported Devices	15
Objective	15
Intended Audience	16
Conventions	16
Contacting Support	16
Initial Configuration	17
Initial Setup	17
Pre-Installation Checklist	17
Connecting a W-IAP	18
Assigning an IP Address to the W-IAP	18
Connecting to a Provisioning Wi-Fi Network	18
Disabling the Provisioning Wi-Fi Network	20
Assigning a Static IP	20
Log in to the Dell W-Series Instant UI	21
Specifying a Country Code	21
W-IAP Cluster	22
Dell W-Instant User Interface	23
Understanding the Dell W-Series Instant UI Layout	23
Banner	24
Search	24
Tabs	24
Networks Tab	24
Access Points Tab	25
Clients Tab	25
Links	26
New Version Available	27
Settings	27
RF	29
PEF	30
WIP	30
VPN	31
Wired	31
Maintenance	32
Support	32
Help	32
Logout	33
Monitoring	33
Info	33
RF Dashboard	34
Usage Trends	35
Spectrum	36
Overview (Device list)	36
Channel Utilization and Monitoring	36
Channel Details	37
Alerts	37
Client Alerts	37
Fault History	38
Active Faults	38
IDS	39
Configuration	39
AirGroup	40
Language	40
Dell PowerConnect W-AirWave Setup	40
Pause/Resume	41
Views	41
Wireless Network	43
Network Types	43
Employee Network	44
Adding an Employee Network	44
Voice Network	53
Adding a Voice Network	53
Guest Network	60
Adding a Guest Network	60
Editing a Network	68
Deleting a Network	68
Number of WLAN SSIDs Supported	68
Enabling the Extended SSID Option	69
VLAN Pooling	69
Managing W-IAPs	71
Preferred Band	71
Auto Join Mode	71
Disabling Auto Join Mode	71
Terminal Access	72
LED Display	72
TFTP Dump Server	72
Extended SSID	73
Deny Inter User Bridging and Deny Local Routing	73
Syslog Server	73
Syslog Facility Levels	74
Adding a W-IAP to the Network	74
Removing a W-IAP from the Network	75
Editing W-IAP Settings	75
Changing W-IAP Name	75
Changing IP Address of the W-IAP	76
Configuring Adaptive Radio Management	78
Configuring Uplink Management VLAN	79
Configuring Wired Bridging on Ethernet 0	79
Migrating to a Dell PowerConnect W-Series Mobility Controller Managed Network	80
Converting a W-IAP to RAP Mode	80
Converting a W-IAP to CAP	83
Converting a W-IAP to Standalone Mode	83
Converting Back to a W-IAP	84
Rebooting the W-IAP	84
Firmware Image Server in Cloud Network	86
Upgrade Using Dell PowerConnect W-AirWave and Image Server	86
Image Management Using Cloud Server	86
Image Management Using Dell PowerConnect W-AirWave	86
Automatic Firmware Image Check and Upgrade	87
Upgrading to New Version	88
Manual	88
Automatic	90
Layer-3 Mobility	91
Overview	91
Configuring a Mobility Domain	92
Home Agent Load Balancing	95
Spectrum Monitor	97
Creating Spectrum Monitors and Hybrid APs	97
Converting W-IAPs into Hybrid W-IAPs	97
Converting a W-IAP to a Spectrum Monitor	98
Spectrum Data	100
Overview - Device List	100
Non Wi-Fi Interferers	101
Channel Metrics	103
Channel Details	104
Spectrum Alerts	105
Time Management	107
NTP Server	107
Configuring an NTP Server	107
Daylight Saving Time	108
Enabling Daylight Saving Time	108
Virtual Controller	109
Master Election Protocol	109
Preference to an IAP with 3G/4G Card	109
Preference to a W-IAP with Non-Default IP	109
Virtual Controller IP Address	110
Specifying Name and IP Address for the Virtual Controller	110
Configuring the DHCP Server	110
Authentication	111
Authentication Methods in Dell W-Instant	111
802.1X Authentication	111
Internal RADIUS Server	112
External RADIUS Server	112
Authentication Terminated on W-IAP	112
Configuring an External RADIUS Server	113
Enabling RADIUS Server Support	115
Authentication Survivability	115
RADIUS Server Authentication with VSA	118
List of Supported VSA	118
Management Authentication Settings	120
Captive Portal	121
Internal Captive Portal	121
Configuring Internal Captive Portal Authentication when Adding a Guest Network	122
Configuring Internal Captive Portal Authentication when Editing a Guest Network	123
Configuring Internal Captive Portal with External RADIUS Server Authenticatio...	124
Customizing a Splash Page	125
Disabling Captive Portal Authentication	126
External Captive Portal	127
Configuring External Captive Portal Authentication when Adding a Guest Network	127
Configuring External Captive Portal Authentication when Editing a Guest Network	129
External Captive Portal Authentication using ClearPass Guest	131
Creating a Web Login page in the ClearPass Guest	131
Configuring the RADIUS Server in Instant	131
WISPr Authentication	132
Configuring WISPr Authentication	132
MAC Authentication	133
Configuring MAC Authentication	134
Walled Garden Access	134
Creating a Walled Garden Access	134
MAC + 802.1X Authentication	136
Configuring MAC + 802.1X Authentication	136
MAC + Captive Portal Authentication	137
Configuring MAC + Captive Portal Authentication	137
Wired Authentication on a W-IAP	138
Certificates	138
Loading Certificates using Dell W-Series Instant UI	139
Loading Certificates using Dell PowerConnect W-AirWave	140
Encryption	143
Encryption Types Supported in Dell W-Instant	143
WEP	143
TKIP	143
AES	143
Encryption Recommendations	143
Understanding WPA and WPA2	144
Recommended Authentication and Encryption Combinations	144
Role Derivation	145
User Roles	145
Creating a New User Role	145
Creating Role Assignment Rules	147
MAC-Address Attribute	147
DHCP Option and DHCP Fingerprinting	148
802.1X-Authentication-Type	148
User VLAN Derivation	149
User VLAN Derivation	149
Vendor Specific Attributes (VSA)	149
VLAN Derivation Rule	150
Configuring VLAN Derivation Rules on a W-IAP	150
User Role	151
Configuring a User Role	151
SSID Profile	152
Configuring VLAN Derivation Rules Using an SSID Profile	153
Instant Firewall	155
Service Options	156
Destination Options	158
Examples for Access Rules	158
Allow TCP Service to a Particular Network	158
Allow POP3 Service to a Particular Server	159
Deny FTP Service except to a Particular Server	160
Deny bootp Service except to a Particular Network	161
Content Filtering	163
Enabling Content Filtering	163
Enterprise Domains	164
OS Fingerprinting	167
Adaptive Radio Management	169
ARM Features	169
Channel or Power Assignment	169
Voice Aware Scanning	169
Load Aware Scanning	169
Band Steering Mode	169
Airtime Fairness Mode	170
Airtime Fairness Modes	170
Access Point Control	171
Customize Valid Channels	171
Min Transmit Power	171
Max Transmit Power	171
Client Aware	171
Scanning	171
Wide Channel Bands	171
Monitoring the Network with ARM	172
ARM Metrics	172
Configuring Administrator Assigned Radio Settings for W-IAP	172
Configuring Radio Profiles in Instant	173
Intrusion Detection System	177
Rogue AP Detection and Classification	177
Wireless Intrusion Protection (WIP)	177
Containment Methods	181
SNMP	183
SNMP Parameters for W-IAP	183
SNMP Traps	185
Ethernet Downlink	187
Ethernet Downlink Overview	187
Ethernet Downlink Profile Parameters	187
Assigning a Profile to the Ethernet Port	190
Hierarchical Deployment	193
Deployment	193
Uplink Configuration	195
Uplink Interface Configuration	195
Ethernet Uplink	195
3G/4G Uplink	196
Types of Modems	196
Provisioning 3G/4G Uplink Manually	198
Provisioning 3G Uplink Automatically	199
Provisioning a 3G/4G Switch Network	199
Wi-Fi Uplink	200
Provisioning Wi-Fi Uplink	200
Provisioning 3G/4G and Wi-Fi Uplink with Factory Setting	200
Uplink Management	201
Enforce Uplink	201
Uplink Preemption	201
Uplink Switchover	201
Uplink Switching Based on VPN Status	201
Uplink Switching Based on Internet Connectivity Status	202
PPPoE	202
Configuring PPPoE	202
Dell PowerConnect W-AirWave Integration and Management	205
Dell PowerConnect W-AirWave Features	205
Image Management	205
W-IAP and Client Monitoring	205
Template-based Configuration	205
Trending Reports	206
Intrusion Detection System	206
Wireless Intrusion Detection System (WIDS) Event Reporting to Dell PowerConne...	206
RF Visualization Support for Dell W-Instant	207
Configuring Dell PowerConnect W-AirWave	207
Creating your Organization String	207
About Shared Key	208
Entering the Organization String and AMP Information into the W-IAP	208
Dell PowerConnect W-AirWave Discovery through DHCP Option	208
Standard DHCP option 60 and 43 on Windows Server 2008	208
Alternate Method for Defining Vendor-Specific DHCP Options	212
AirGroup	215
Introducing AirGroup	215
What is Bonjour and Zero Configuration Networking?	215
WLANs and Bonjour	216
AirGroup Solution	216
AirGroup Features	217
Dell PowerConnect W-ClearPass Policy Manager and ClearPass Guest Features	217
AirGroup Architecture	217
How Does AirGroup Work?	218
Use Case: Higher Education Wireless LAN	219
The AirGroup Solution Components	219
Configuring AirGroup on W-Instant	220
Using the Dell W-Series Instant UI	220
Enabling or Disabling AirGroup	220
Disallow Role	221
Disallow VLAN	222
Configuring AirGroup-CPPM Interface in W-Instant	223
Creating a RADIUS Server	223
Assign a Server to AirGroup	224
Configure CPPM to Enforce Registration	225
Change of Authorization (CoA)	225
AirGroup Monitoring	226
Troubleshooting and Log Messages	226
Monitoring	229
Virtual Controller View	229
Monitoring Link	230
Info	230
RF Dashboard	230
Usage Trends	230
Client Alerts Link	232
IDS Link	232
Network View	232
Info	233
Usage Trends	233
Dell W-Instant Access Point View	235
Info	235
RF Dashboard	235
Overview	236
Client View	243
Info	244
RF Dashboard	244
RF Trends	244
Mobility Trail	247
Alert Types and Management	249
Alert Types	249
Policy Enforcement Firewall	251
Authentication Servers	251
Users for Internal Server	251
Roles	252
Extended Voice and Video Functionalities	253
QoS for Microsoft Office OCS and Apple Facetime	253
Microsoft OCS	254
Apple Facetime	254
Client Blacklisting	255
Types of Client Blacklisting	256
Manual Blacklisting	256
Adding a Client to the Manual Blacklist	256
Dynamic Blacklisting	257
Authentication Failure Blacklisting	257
Session Firewall Based Blacklisting	257
PEF Settings	258
Firewall ALG Configuration	258
Firewall-based Logging	259
VPN Configuration	261
VPN Configuration	261
Fast Failover	262
Routing Profile Configuration	262
DHCP Server Configuration	263
NAT DHCP Configuration	264
Distributed L2 DHCP Configuration	265
Distributed L3 DHCP Configuration	266
Centralized L2 DHCP Configuration	267
User Database	269
Adding a User	269
Editing User Settings	270
Deleting a User	270
Regulatory Domain	271
Country Codes List	271
Controller Configuration for VPN	277
Whitelist DB Configuration	277
VPN Local Pool Configuration	277
W-IAP VPN Profile Configuration	278
Dell PowerConnect W-ClearPass Configuration for AirGroup	279
Dell PowerConnect W-ClearPass Setup	279
Testing	283
Troubleshooting	283
IAP-VPN	285
Licensing Requirements	285
VPN Configuration	286
Creating a W-IAP Whitelist	286
Controller Whitelist DB	286
External Whitelist DB	286
VPN Local Pool Configuration	287
VPN Profile Configuration	287
Radius Proxy for VPN Connected IAPs	287
Viewing Branch Status	288
Example	288
Troubleshooting	289
Viewing Logs	289
Support Commands	289
Abbreviations	295

Match case Limit results 1 per page

Dell PowerConnect W-Series Instant Access Point

6.2.0.0-3.2.0.0

User Guide

155

Instant Firewall

Chapter 14

Instant Firewall

A firewall is a system designed to prevent unauthorized Internet users from accessing a private

network connected to the Internet. It defines access rules and monitors all data entering or leaving

the network and blocks data that does not satisfy the specified security policies.

Dell W-Instant implements a W-Instant Firewall feature that uses a simplified firewall policy

language. An administrator can define the firewall policies on an SSID or wireless LAN such as the

Guest network or an Employee network. At the end of the authentication process, these policies

are uniformly applied to users connected to that network. The W-Instant Firewall gives you the

flexibility to limit packets or bandwidth available to a particular class of users. Instant Firewall

manages packets according to the first rule the packet matches.

In the

Networks

tab, click the

New

link. The

New WLAN

window appears.

Navigate to

Access

tab to specify the access rules for the network.

Slide to

Network-based

using the scroll bar and click

New

to add a new rule.

The New Rule window consists of the following options:

Rule type—

Select the rule type (Access control, VLAN assignment) from the drop-down list.

NOTE: This release of W-Instant supports configuration of up to 64 access control rules.

Action—

Select

Allow

Deny

, or

Destination-NAT

from the drop-down list to allow or deny

traffic with the specified service type and destination.

Log—

Select this check box if you want a log entry to be created when this rule is triggered.

Instant firewall supports firewall based logging function. Firewall logs on W-IAP are generated

as syslog messages.

Blacklist—

Select this check box if you want the client to be blacklisted when this rule is

triggered. The blacklisting lasts for the duration specified as

Auth failure blacklist

time on the

Blacklisting tab of the

PEF

window. See

"Client Blacklisting" on page 255

for more

information.

Classify media

— Select this check box if you want to prioritize video and voice traffic. When

enabled, deep packet inspection is performed on all non-NATed traffic, and the traffic is

marked as follows:

Video: Priority 5 (Critical)

Voice: Priority 6 (Internetwork Control)

Disable scanning

— Select this check box if you want ARM scanning to be paused when this

rule is triggered, to optimize performance.

NOTE: This feature only takes effect if ARM scanning is enabled, from the ARM tab of the RF

dialog.