User Profile Firewall settings not applying

  • Question
  • Updated 2 years ago
Hi All,

I cloned the Default "Guest-Internet-access-only" policy and changed a couple of settings as below. The Facebook deny is there to test that the firewall is being applied to my SSID.

On the user profile itself, I have the following set:

Whilst the default action is set to Deny, I cannot access the Internet on my Guest SSID. 

If I change it to permit I can access the Internet, but I can also get to Facebook, so I suspect that this means that the SSID has not applied the Firewall policy at all, seeing as it's ignoring my explicit deny to Facebook.

Background Info:
  • The AP itself is connected via a trunk port that is trunking 2 VLANs. One for Management (10), one for a guest SSID (20). Neither of these is the Native VLAN (1).
  • VLAN 10 has a Layer 3 Interface on my core switch, and from the AP I can ping the VLAN interface on the core.
  • VLAN 20 does not have a Layer 3 interface at all. Ultimately, its default gateway is on an Interface on my firewall so I can use a different Internet connection for the Guest SSID and have my Guest network in a completely different zone. (I will have a Prod SSID later that uses our main Internet connection from a different zone)
  • The AP is set as a DHCP server handing addresses to VLAN 20 (guest SSID), and I successfully get an address.
  • I have ensured that I can access the Internet from a wired connection in VLAN 20 and this works fine.
  • CWP is enabled on the Guest SSID as user acceptance policy, and I successfully see it when joining the network initially.

  1. Am I missing something here?
  2. Am I correct in assuming that the Firewall is never being applied given I can still hit Facebook?
  3. Am I correct in thinking that if you set the default action to Deny, and your SSID knows nothing about the Firewall, then you can't access anything, let alone the Internet?
  4. Would it also be safe to say that if you set the Default action to Permit, then it ignores the firewall regardless, so you should never have the Default action set to permit?

I thought all that was required was to trunk the necessary VLANs to the AP, set the same VLANs up on the AP and then apply the firewall policy to the User Profile associated with the SSID, but I can't seem to get the firewall to do anything.

Any help would be greatly appreciated.

Stephen Venville

Posted 2 years ago

Stephen Venville

OK, so after a bit more testing, I believe I am getting the firewall policy as I cannot ping between devices on the guest SSID when I set the from policy, and I can if I remove it.

However, I still cannot block Facebook, or YouTube etc.

Has anyone had any issues blocking sites on a From policy, or would I be best moving these things to a To policy? Seems most examples of blocking such things are added to a From policy as far as I've seen.