Configuring ACLs for Deep Packet Inspection

Branch Gateways support AppRF, HPE Aruba Networking's custom-built layer 7 firewall capability. It consists of an onboard Deep Packet Inspection (DPI) service that lets you create firewall policies based on application types and application categories, rather than on layer 3 or layer 4 fields alone.

You can configure ACLs (Access Control Lists) to restrict user access to an application or application category. You can also define per-application traffic-shaping policies, such as bandwidth control and QoS (Quality of Service), for client roles. For example, you can block bandwidth-monopolizing applications on a guest role within an enterprise.

Creating ACLs for Application Access Control

To create ACL rules for Deep Packet Inspection on Branch Gateways, complete the following procedure:

  1. To configure a Branch Gateway group or a Branch Gateway, complete either one of these steps:
    • To select a gateway group:

      1. In the Classic Central app, set the filter to a group that contains at least one Branch Gateway.

        The dashboard context for a group is displayed.

      2. Under Manage, click Devices > Gateways.

        A list of gateways is displayed in the List view.

      3. Click Config.

        The configuration page is displayed for the selected group.

    • To select a gateway:

      1. In the Classic Central app, set the filter to Global or a group that contains at least one Branch Gateway.

      2. Under Manage, click Devices > Gateways.

        A list of gateways is displayed in the List view.

      3. Click a gateway under Device Name.

        The dashboard context for the gateway is displayed.

      4. Under Manage, click Device.

        The gateway device configuration page is displayed.

  2. If you are in Basic Mode, click Advanced Mode to access the advanced configuration.
  3. Click Security > Policies.
  4. Click the icon in the Policies table to create a new policy.

    The Add policy pop-up window is displayed.

  5. From the Policy type drop-down list, select the type of policy. For example: Session, Ethertype, MAC, Route, Extended, or Standard.
  6. Enter the policy name in the Policy name field.
  7. Click Save.
  8. From the list of policies, select the policy you just created.

    The Policy > <policy name> Rules table is displayed.

  9. Click the icon on the Policy > <policy name> Rules table.

    The <policy name> > New forwarding Rule table is displayed.

  10. Select one of the following options from the Service/app drop-down list:
    • Application—To allow or deny access to a specific application.
    • App Category—To allow or deny access to a specific application category.
  11. Select an application from the Application drop-down list.
  12. Specify an action.
  13. Click Save Settings.

Configuration Example

This example shows a DPI rule along with a layer 3 or layer 4 rule with forwarding action in the same ACL. Both ACL policies can be applied to a single user role.
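As an added illustration, not taken from the original page, the following gateway CLI fragment expresses the same combination: one session ACL that holds an application (DPI) rule, an application-category rule, and two layer 3/4 forwarding rules, bound to a single user role. The ACL name, role name, and application names are assumptions; the application and category names must match entries in the gateway's DPI application library, and the Policy type "Session" in the GUI corresponds to `ip access-list session` here.

```text
ip access-list session guest-dpi-acl
  user any app youtube deny
  user any appcategory peer-to-peer deny
  user any svc-http permit
  user any svc-https permit
  any any any deny
!
user-role guest
  access-list session guest-dpi-acl
!
```

Rules are evaluated top down, so the explicit deny rules for the application and category must precede the permit rules for HTTP and HTTPS; otherwise web-based applications would be allowed by the layer 4 rule before the DPI rule is reached.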

The following animation shows you how to configure ACLs for Deep Packet Inspection.