Can't deny application services access

  • 1
  • Question
  • Updated 5 years ago
  • Answered
QoS Policies: HMOL will only let me permit application services I add to Classifier Maps, not deny them. How do I fix this, or am I in the wrong place to try to restrict applications?

Nathan Russell

  • 1 Post
  • 0 Reply Likes

Posted 5 years ago

  • 1

Brian Powers, Champ

  • 396 Posts
  • 92 Reply Likes
So I believe the QoS policies are to shape (prioritize) the traffic. I typically blocked services and applications via the Firewall policy in the User Profiles.

I can't explain why you can deny network services but not application services, however.

(From the help file)
Action: Choose Permit to pass the traffic through devices. Choose Deny to block it.

The permit and deny actions in a QoS policy enable devices to enforce a simple stateless firewall policy that inspects packets individually, not within the context of an ongoing session. For example, a stateless firewall configured with a policy that permits outgoing requests does not associate the corresponding incoming responses as being related to the permitted outgoing requests. You must configure a separate policy permitting the return traffic. On the other hand, a stateful firewall maintains a table internally so that it can associate related outgoing and incoming traffic as part of the same session. A stateful firewall with a policy permitting outgoing traffic also permits the corresponding incoming traffic.

Because the firewall policy that you can configure for user profiles or on an Aerohive router is stateful and provides more complete coverage, a good strategy is to choose Permit here within the context of the classifier map and set your firewall policy rules at the user profile level or network (router) level.

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
I have checked the classifier maps until 6.1r1 and it definitely allows you to permit or deny traffic but, since QoS is about prioritising traffic not denying it, I would not use classifier maps to deny traffic.

The place to deny traffic is in your firewall settings, although there is an issue with the firewall that using classifier maps may resolve. When you create a firewall policy you will see that you cannot have more than 64 rules in a policy. To get around this you may be able to use the classifier maps to deny traffic types that you want denied for ALL users and utilise the firewall policies to just deny traffic specific to that user profile. If your firewall policies are not reaching 64 rules, then I would just use the firewall policies to permit/deny traffic and the classifier map for prioritisation.

The online help describes the feature as:

The permit and deny actions in a QoS policy enable devices to enforce a simple stateless firewall policy that inspects packets individually, not within the context of an ongoing session. For example, a stateless firewall configured with a policy that permits outgoing requests does not associate the corresponding incoming responses as being related to the permitted outgoing requests. You must configure a separate policy permitting the return traffic. On the other hand, a stateful firewall maintains a table internally so that it can associate related outgoing and incoming traffic as part of the same session. A stateful firewall with a policy permitting outgoing traffic also permits the corresponding incoming traffic.

Because the firewall policy that you can configure for user profiles or on an Aerohive router is stateful and provides more complete coverage, a good strategy is to choose Permit here within the context of the classifier map and set your firewall policy rules at the user profile level or network (router) level.

This is a feature I would definitely test in a lab before rolling it out to a production network.
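The help-file text quoted in both answers above contrasts a stateless per-packet filter (the classifier-map permit/deny) with a stateful firewall (the user-profile or router firewall policy). The following Python model is an added illustration and is not code from this thread or from Aerohive: every address, port and rule in it is constructed. It shows why a single "permit outgoing" rule drops the reply packets under stateless evaluation while a stateful engine admits them, and it also models the split Crowdie suggests, with global denies in the stateless classifier stage and per-profile rules in the stateful firewall stage.

```python
"""Toy model of two enforcement points: a stateless per-packet filter and a
stateful firewall that remembers permitted sessions. Constructed example only;
it does not reproduce HiveOS/HiveManager internals."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):
        # The 5-tuple a reply to this packet would carry.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port
    proto: Optional[str] = None  # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.proto is None or self.proto == pkt.proto))


def first_match(rules, pkt: Packet, default: str) -> str:
    """First-match rule evaluation; 'default' applies when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


class StatelessFilter:
    """Judges every packet on its own; keeps no memory of earlier packets."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        return first_match(self.rules, pkt, default="deny")


class StatefulFilter:
    """Records each permitted flow so the matching return traffic is admitted
    without a separate rule (the help file's session table)."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.reverse_flow() in self.sessions:
            return "permit"          # reply belonging to an established session
        action = first_match(self.rules, pkt, default="deny")
        if action == "permit":
            self.sessions.add(pkt.flow())
        return action


class TwoStageEnforcer:
    """Crowdie's split: global denies in the stateless classifier stage,
    per-profile rules in the stateful firewall. A classifier deny wins before
    the stateful engine sees the packet; anything else falls through."""
    def __init__(self, classifier_rules, profile_rules):
        self.classifier_rules = list(classifier_rules)
        self.firewall = StatefulFilter(profile_rules)

    def decide(self, pkt: Packet) -> str:
        if first_match(self.classifier_rules, pkt, default="permit") == "deny":
            return "deny"
        return self.firewall.decide(pkt)


def demo() -> dict:
    # Constructed traffic: an HTTPS request from a client in 10.0.0.0/24 to a
    # TEST-NET-3 address, and the server's reply on the reversed 5-tuple.
    request = Packet("10.0.0.5", 51000, "203.0.113.10", 443)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000)
    policy = [Rule("permit", src_net="10.0.0.0/24", dport=443, proto="tcp")]

    stateless = StatelessFilter(policy)
    stateful = StatefulFilter(policy)
    two_stage = TwoStageEnforcer(
        classifier_rules=[Rule("deny", dport=23, proto="tcp")],   # global deny
        profile_rules=[Rule("permit", src_net="10.0.0.0/24")],    # per-profile
    )
    telnet = Packet("10.0.0.5", 52000, "203.0.113.10", 23)
    return {
        "stateless": (stateless.decide(request), stateless.decide(reply)),
        "stateful": (stateful.decide(request), stateful.decide(reply)),
        "two_stage": (two_stage.decide(telnet),
                      two_stage.decide(request), two_stage.decide(reply)),
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(f"{name}: {decisions}")
```

Running `demo()` gives `stateless: ('permit', 'deny')`: the outgoing request matches the permit rule, but the reply comes from outside 10.0.0.0/24 on a different port and matches nothing, so it is dropped, exactly the gap the help file warns about. The stateful filter returns `('permit', 'permit')` because the reply's reversed 5-tuple is in its session table. The two-stage enforcer denies the constructed telnet packet at the classifier stage and passes both HTTPS packets through to the stateful firewall, which is the division of labour Crowdie describes for staying under the 64-rule limit.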

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
I may be wrong about this, but I believe the "deny" option in the classifier map is a really old legacy feature that pre-dates Aerohive's stateful firewall policies. All subsequent enhancements to firewalling capabilities, including Layer 7/Application traffic control, are built upon the stateful firewall engine.

Aerohive did not deprecate the deny feature in classifier maps, but I don't expect it would block application traffic.