firewall

firewall

allow-tri-session

amsdu

app-perf-monitoring

attack-rate

arp <1-16384> {blacklist/denylist|drop}

cp <1-16384>

grat-arp <1-16384> {blacklist/denylist|drop}

ping <1-16384>

session <1-16384>

tcp-syn <1-16384>

bwcontracts-subnet-broadcast

cp-bandwidth-contract

debug-route

deny-inter-user-bridging

deny-inter-user-traffic

deny-needfrag-df-gre-xmit-icmp

deny-needfrag-df-gre

deny-needfrag-df-ipsec

deny-needfrag-gre-xmit-icmp

deny-needfrag-gre

deny-source-routing

dhcp-perf monitoring

disable-ftp-server

disable-tftp-server

dpi

drop-ip-fragments

drop-ipv4-options

enable-bridging

enable-gre-inner-pkt-frag

enable-per-packet-logging

enable-port-packet-drop-logging

enable-stateful-icmp

enforce-tcp-handshake

enforce-tcp-sequence

gre-call-id-processing

imm-fb

ip-classification

ipsec-mark-mgmt-frames

jumbo

local-valid-users

log-icmp-error

macast-red maxp-inv <maxp-inv> min-th <minimum-threshold> max-th <maximum threshold>

optimize-dad-frames

prevent-dhcp-exhaustion

prohibit-arp-spoofing

prohibit-ip-spoofing

prohibit-ip-spoofing-all

prohibit-rst-replay

prohibit-rc-update

public-access

session-idle-timeout <seconds>

session-spread

session-tunnel-fib

shape-mcast

stall-crash

track-spoof

voip-qos-trusted

voip-wmm-content-enforcement

web-cc

web-cc-cache-miss-drop

wireless-bridge-aging

Description

This command configures global firewall options on the managed device.

Parameter

Description

allow-tri-session

Allows a three-way session when performing destination NAT. This option should be enabled when the managed device is not the default gateway for wireless clients and the default gateway is behind the managed device. This option is typically used for captive portal configuration.

Default: Disabled

amsdu

Aggregated Medium Access Control Service Data Units (AMSDU) packets are dropped if this option is enabled.

Default: Disabled

app-perf-monitoring

Enables app performance monitoring. This parameter is used to measure the time taken for an application to respond.

attack-rate

arp <1-16384> {blacklist/denylist|drop}

cp <1-16384>

grat-arp <1-16384> {blacklist/denylist|drop}

ping <1-16384>

session <1-16384>

tcp-syn <1-16384>

Sets rates which, if exceeded, can indicate a denial of service attack.

  • arp: Monitor/police ARP attack (non Gratuitous ARP).

    Default: 100

  • cp: Monitor/police control processor attack.

  • grat-arp: Monitor/police Gratuitous ARP attack.

    Default: 50

  • ping: Monitor ping attack.

  • session: Monitor IP session attack.

  • tcp-syn: Monitor TCP SYN attack.

Range: 1-16384 is the number of requests per 30 seconds.

bwcontracts-subnet-broadcast

Applies bandwidth contracts to local subnet broadcast traffic.

cp-bandwidth-contract

Configures bandwidth contract traffic rate limits, in packets per second, to prevent denial of service attacks.

debug-route

Enable route or route-cache specific IP tracing in datapath.

disable

Disables route or route-cache debugging in the datapath.

ipv4 <ipv4-addr>

Specify IPv4 route or route-cache address.

ipv6 <ipv6-addr>

Specify IPv6 route or route-cache address.

deny-inter-user-bridging

Prevents the forwarding of Layer 2 traffic between wired or wireless users. You can configure user role policies that prevent Layer 3 traffic between users or networks, but this does not block Layer 2 traffic. This option can be used to prevent traffic such as AppleTalk or IPX from being forwarded. If enabled, all non-IP traffic to an untrusted port or tunnel is also blocked.

Default: Disabled

deny-inter-user-traffic

Denies downstream traffic between users in a wireless network (untrusted users) by disallowing Layer 2 and Layer 3 traffic. This parameter does not depend on the deny-inter-user-bridging parameter being enabled or disabled.

Default: Disabled

deny-needfrag-df-gre-xmit-icmp

Drops IP packets with DF bit set when packet length is greater than GRE tunnel MTU and an ICMP error message is sent.

Default: Disabled

deny-needfrag-df-gre

Drops IP packets with DF bit set when packet length is greater than GRE tunnel MTU and an ICMP error message is not sent.

Default: Disabled

deny-needfrag-df-ipsec

Drops IP packets with DF bit set when packet length is greater than IPsec tunnel MTU and an ICMP error message is sent.

Default: Enabled

deny-needfrag-gre-xmit-icmp

Drops IP packets when packet length is greater than GRE tunnel MTU and an ICMP error message is sent.

Default: Disabled

deny-needfrag-gre

Drops IP packets when packet length is greater than GRE tunnel MTU and an ICMP error message is not sent.

Default: Disabled

deny-source-routing

Disallows forwarding of IP frames that have the source routing option set.

Default: Disabled

dhcp-perf monitoring

Enables DHCP performance monitoring. This parameter is used to measure the time taken for a DHCP exchange.

Default: Disabled

disable-ftp-server

Disables the FTP server on the managed device. Enabling this option prevents FTP transfers.

Enabling this option could cause APs to not boot up. You should not enable this option unless instructed to do so by an HPE Aruba Networking representative.

Default: Disabled

disable-tftp-server

Disables the TFTP server.

dpi

Enables DPI.

Default: Disabled

drop-ip-fragments

When enabled, all IP fragments are dropped. You should not enable this option unless instructed to do so by an HPE Aruba Networking representative.

Default: Disabled

drop-ipv4-options

Drops IPv4 packets when the IPv4 packet header length is greater than 20 bytes (that is, when the header carries IP options). Applicable to controllers only.

Default: Disabled

no-drop-ipv4-options

Permits local and remote IPv4 packets that carry IP options.

Default: Enabled

enable-bridging

Enables bridging when the managed device is in factory default.

Default: Disabled

enable-gre-inner-pkt-frag

Enables fragmenting inner IP frames when packet length is greater than GRE tunnel MTU.

Default: Disabled

enable-per-packet-logging

Enables logging of every packet if logging is enabled for the corresponding session rule. Normally, one event is logged per session. If you enable this option, each packet in the session is logged. You should not enable this option unless instructed to do so by an HPE Aruba Networking representative, as doing so may create unnecessary overhead on the managed device.

Default: Disabled

enable-port-packet-drop-logging

Enables port packet logging. If enabled, the dropped frames are logged.

Default: Disabled

enable-stateful-icmp

Enables stateful ICMP processing. This parameter creates sessions for ICMP errors and denies unidirectional replies.

Default: Disabled

enforce-tcp-handshake

Prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network as enabling this option will cause mobility to fail. You can enable this option if there are no mobile clients on the network.

Default: Disabled

enforce-tcp-sequence

Enforces the TCP sequence numbers for all packets.

Default: Disabled

gre-call-id-processing

Creates a unique state for each PPTP tunnel. Do not enable this option unless instructed to do so by a technical support representative.

Default: Disabled

imm-fb

Immediately free buffers on managed device. Do not enable this option unless instructed to do so by a technical support representative.

Default: Disabled

ip-classification

Enables IP reputation / geolocation classification.

ipsec-mark-mgmt-frames

This parameter marks management frames.

jumbo

Enables jumbo frames processing.

Default: Disabled

local-valid-users

Adds only IP addresses, which belong to a local subnet, to the user-table.

Default: Disabled

log-icmp-error

Logs received ICMP errors. You should not enable this option unless instructed to do so by a customer support representative.

Default: Disabled

macast-red

Configures multicast random early drop (RED) parameters.

Default: Disabled

maxp-inv <maxp-inv>

Inverse mark probability instance.

Range: 1-255

min-th <minimum threshold>

Configures minimum threshold.

Range: 1-99

max-th <maximum threshold>

Configures maximum threshold.

Range: 1-99

optimize-dad-frames

Reduce flooding of IPv4 Gratuitous ARPs/IPv6 Duplicate Address Detection frames onto wireless clients.

Default: Enabled

prevent-dhcp-exhaustion

Enables a check of the DHCP client hardware address against the packet source MAC address. This command compares the frame's source MAC with the DHCPv4 client hardware address (chaddr) and drops the packet if they do not match. Enabling this feature prevents a client from submitting multiple DHCP requests with different hardware addresses, thereby preventing DHCP pool depletion.

Default: Disabled
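The check described above, written out as an added Python illustration (not AOS code): it parses constructed DHCPv4 request frames, compares the BOOTP chaddr with the Ethernet source MAC, and counts how many requests from a single station would reach the DHCP server with and without the check. The frame builder, function names and MAC values are all constructed for this example.

```python
import struct

ETHERTYPE_IPV4, IPPROTO_UDP, DHCP_SERVER_PORT, BOOTREQUEST = 0x0800, 17, 67, 1


def build_dhcp_discover(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP/BOOTP frame for testing (not captured traffic)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    # BOOTP: op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, then 24 bytes of
    # xid/secs/flags/ciaddr/yiaddr/siaddr/giaddr, chaddr padded to 16 bytes,
    # sname (64) + file (128) zeroed, then the DHCP magic cookie.
    bootp = (struct.pack("!BBBB", BOOTREQUEST, 1, 6, 0) + b"\x00" * 24
             + chaddr.ljust(16, b"\x00") + b"\x00" * 192 + b"\x63\x82\x53\x63")
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp), 0, 0, 64,
                     IPPROTO_UDP, 0, b"\x00" * 4, b"\xff" * 4)
    return eth + ip + udp + bootp


def dhcp_exhaustion_verdict(frame: bytes) -> str:
    """Mirror the prevent-dhcp-exhaustion check: 'drop' when a DHCPv4 request's
    chaddr differs from the frame's source MAC, 'forward' when they match,
    'not-dhcp' for any frame the check does not apply to."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return "not-dhcp"
    src_mac = frame[6:12]
    ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length in bytes
    if frame[14 + 9] != IPPROTO_UDP:
        return "not-dhcp"
    udp = 14 + ihl
    dst_port = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    bootp = udp + 8
    if dst_port != DHCP_SERVER_PORT or len(frame) < bootp + 44:
        return "not-dhcp"
    op, htype, hlen = frame[bootp], frame[bootp + 1], frame[bootp + 2]
    if op != BOOTREQUEST or htype != 1 or hlen != 6:
        return "not-dhcp"
    chaddr = frame[bootp + 28:bootp + 34]           # first 6 bytes of the 16-byte chaddr
    return "forward" if chaddr == src_mac else "drop"


def simulate_pool_pressure(station_mac: bytes, spoofed_count: int) -> dict:
    """One station sends requests claiming many different chaddr values plus one
    honest request; count what reaches the server with the check on versus off."""
    frames = [build_dhcp_discover(station_mac, bytes([0x02, 0, 0, 0, 0, i]))
              for i in range(1, spoofed_count + 1)]
    frames.append(build_dhcp_discover(station_mac, station_mac))   # legitimate request
    verdicts = [dhcp_exhaustion_verdict(f) for f in frames]
    return {"without_check": len(frames), "with_check": verdicts.count("forward"),
            "dropped": verdicts.count("drop")}
```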

prohibit-arp-spoofing

Detects and prohibits ARP spoofing. When this option is enabled, possible ARP spoofing attacks are logged and an SNMP trap is sent.

Default: Disabled

prohibit-ip-spoofing

Detects IP spoofing (where an intruder sends messages using the IP address of a trusted client). When this option is enabled, source and destination IP and MAC addresses are checked; possible IP spoofing attacks are logged and an SNMP trap is sent.

Default: Enabled in IPv4, disabled in IPv6

prohibit-ip-spoofing-all

Detects ARP spoofing, where an intruder sends ARP frames using the IP and MAC addresses of a known user. When this option is enabled, an additional check against the user's route cache entry is performed. If no route cache entry is found, or one is found but its MAC address does not match the sender MAC in the ARP frame, the frame is marked as spoofed. The IP spoofing attacks are logged and an SNMP trap is sent. If the Prohibit IP Spoofing option is enabled, the controller denies all traffic from a client using an IP address that is already used by another client with an entry in the user table. This option does not allow multiple MAC addresses to use the same IP address.

Default: Disabled
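The two checks described above (the route-cache comparison behind prohibit-ip-spoofing-all and the user-table ownership test behind prohibit-ip-spoofing), written as an added Python illustration rather than AOS code. The frame builder, the dict-based route cache and user table, and all addresses are constructed for this example; a real device also logs the event and sends an SNMP trap, which is reduced here to the returned verdict.

```python
import ipaddress
import struct

ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2


def build_arp(src_mac: bytes, sender_mac: bytes, sender_ip: str,
              target_ip: str, op: int = ARP_REPLY) -> bytes:
    """Constructed Ethernet + ARP frame (not captured traffic)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 Ethernet, ptype=IPv4, hlen=6, plen=4, oper; then sha, spa, tha, tpa
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sender_mac
           + ipaddress.IPv4Address(sender_ip).packed + b"\x00" * 6
           + ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def arp_spoof_verdict(frame: bytes, route_cache: dict) -> str:
    """Mirror prohibit-ip-spoofing-all: the ARP sender IP is looked up in the
    user's route cache (constructed here as {ip_str: mac_bytes}); a missing entry
    or a MAC that differs from the ARP sender MAC marks the frame as 'spoof'."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return "not-arp"
    arp = frame[14:]
    sender_mac = arp[8:14]
    sender_ip = str(ipaddress.IPv4Address(arp[14:18]))
    cached_mac = route_cache.get(sender_ip)
    if cached_mac is None or cached_mac != sender_mac:
        return "spoof"          # device would log this and send an SNMP trap
    return "ok"


def ip_spoof_verdict(src_mac: bytes, src_ip: str, user_table: dict) -> str:
    """Mirror prohibit-ip-spoofing: deny traffic whose source IP already belongs
    to a different client's MAC in the user table ({ip_str: mac_bytes})."""
    owner = user_table.get(src_ip)
    if owner is not None and owner != src_mac:
        return "deny"
    return "allow"
```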

prohibit-rc-update

This option prohibits route-cache update on user add.

Default: Disabled

prohibit-rst-replay

Closes a TCP connection in both directions if a TCP RST is received from either direction. You should not enable this option unless instructed to do so by an HPE Aruba Networking representative.

Default: Disabled

session-idle-timeout

Time, in seconds, that a non-TCP session can be idle before it is removed from the session table. You should not modify this option unless instructed to do so by an HPE Aruba Networking representative.

Range: 16-300

Default: 16

session-spread

Enables the counter CPU to perform encryption. Applicable to 7200 Series controllers only.

Default: Disabled

session-tunnel-fib

Enable session tunnel-based forwarding.

NOTE: Best practice is to enable this parameter only during a maintenance window or off-peak production hours. On the M3, this parameter only enables tunnel-based forwarding, as session-based forwarding does not apply to this platform.

shape-mcast

Enables multicast optimization and provides excellent streaming quality regardless of the amount of VLANs or IP IGMP groups that are used.

Default: Disabled

stall-crash

Triggers a datapath crash on stall detection. Applies to the 7200 Series managed device only.

Default: Enabled

track-spoof

If enabled, detects spoof in datapath.

Default: Disabled

voip-qos-trusted

Prioritizes the RTP traffic based on the DSCP value set by the end user device.

NOTE: On enabling, all UCC-based ALGs will be disabled.

Default: Disabled

voip-wmm-voip-content-enforcement

If traffic to or from the user is inconsistent with the associated QoS policy for voice, the traffic is reclassified to best effort and the datapath counters are incremented.

This parameter requires the PEFNG license.

Default: Disabled

web-cc

Enables web content classification for all HTTP traffic. Once enabled, AOS enforces ACLs and bandwidth policies associated with web content categories or reputation levels.

NOTE: On enabling web-cc, web-cc feature usage information is sent to HPE Aruba Networking every 7 days.

Default: Disabled

web-cc-cache-miss-drop

Issue this command to allow the managed device to drop any packets that do not match any web content category or reputation levels in the managed device's internal web content cache.

Default: Disabled

wireless-bridge-aging

Issue this command to prevent the aging out of wireless clients associated with an AP.

Default: Enabled

Example

The following command disallows forwarding of non-IP frames between users:

(host)[/md] (config) #firewall deny-inter-user-bridging

Related Commands

Command

Description

firewall cp

Creates whitelist/allowlist session ACLs.

firewall cp-bandwidth-contract

Configures bandwidth contract traffic rate limits, in packets per second, to prevent denial of service attacks.

show firewall

Displays a list of global firewall policies.

Command History

Release

Description

AOS 8.13.0.0

The drop-ipv4-options and no drop-ipv4-options parameters were introduced.

AOS 8.11.0.0

Default rate added for attack-rate arp parameter.

AOS 8.6.017 and 8.7.1.9

The deny-needfrag-df-ipsec parameter was introduced.

AOS 8.6.0.9

The prohibit-rc-update parameter was added.

AOS 8.9.0.0

All instances of blacklist have been replaced with denylist.

AOS 8.8.0.0

The session-spread and prohibit-ip-spoofing-all parameters were added.

AOS 8.7.0.0

The following parameters were introduced:

  • enable-gre-inner-pkt-frag
  • deny-needfrag-df-gre-xmit-icmp
  • deny-needfrag-df-gre
  • deny-needfrag-gre-xmit-icmp
  • deny-needfrag-gre

AOS 8.4.0.0

The voip-qos-trusted parameter was added.

AOS 8.2.0.0

The wireless-bridge-aging parameter was added.

AOS 8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

Base operating system, except the voip-wmm-voip-content-enforcement parameter, which requires the PEFNG license.

Config mode on Mobility Conductor.