How to apply the best practices firewall policy to WiNG APs and controllers from CLI?


Information

 
Title
How to apply the best practices firewall policy to WiNG APs and controllers from CLI?
Objective
To apply and use the best practice firewall policy setting on WiNG devices.
Environment
  • All Summit WM3000 Series Controllers
  • ExtremeWiNG Controllers
  • WirelessWiNG Controllers
  • ExtremeWiNG Access Points
  • WirelessWiNG Access Points
  • WiNG v5.X Software
Procedure
  1. Copy the following best practices firewall policy settings:
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
dhcp-offer-convert
no stateful-packet-inspection-l2
  2. Log into the AP or controller via SSH (Secure Shell) or the console port (baud rate 19200 or 115200) and run the following commands:
>en
#config t
#firewall-policy <firewall-policy-name>    (if no new policy was created, the policy name is: default)
  3. Right-click on the command line to paste the firewall policy settings copied in step 1; they are executed automatically as they are pasted:
#(right click here to load policy settings. Those will be automatically executed)
#no ip dos smurf
#no ip dos twinge
#no ip dos invalid-protocol
#no ip dos router-advt
#no ip dos router-solicit
#no ip dos option-route
#no ip dos ascend
#no ip dos chargen
#no ip dos fraggle
#no ip dos snork
#no ip dos ftp-bounce
#no ip dos tcp-intercept
#no ip dos broadcast-multicast-icmp
#no ip dos land
#no ip dos tcp-xmas-scan
#no ip dos tcp-null-scan
#no ip dos winnuke
#no ip dos tcp-fin-scan
#no ip dos udp-short-hdr
#no ip dos tcp-post-syn
#no ip dos tcphdrfrag
#no ip dos ip-ttl-zero
#no ip dos ipspoof
#no ip dos tcp-bad-sequence
#no ip dos tcp-sequence-past-window
#no ip-mac conflict
#no ip-mac routing conflict
#dhcp-offer-convert
#no stateful-packet-inspection-l2
  4. Save and check your config:
#com wr
#show context
#show run

Alternative method:
  1. Log into the device via SSH and copy the startup-config to your computer:
>en
#copy startup-config tftp://<tftp-server-IP-address>/startup-config
  2. Open the text file
  3. Scroll down to the firewall policy and replace the existing settings with the ones listed in step 1 of the procedure above
  4. Copy the startup-config file back to the device:
>en
#copy tftp://<tftp-server-ip-address>/startup-config startup-config
  5. Reboot the device. DO NOT save the running config if prompted
  6. The firewall policy in the startup-config should look like this:
!
firewall-policy default
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
dhcp-offer-convert
no stateful-packet-inspection-l2
!
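Whichever method is used, the last step is to confirm that the firewall policy actually in the device configuration matches the list from step 1 line for line. The following script is an added example for this article, not code from Extreme Networks or the WiNG software: it parses an exported startup-config (the text retrieved with the copy command above, or the output of show run saved to a file), extracts every firewall-policy block, and reports which best-practice lines are missing and which lines are present that are not part of the list. The sample startup-config embedded in it is constructed for the demonstration, and the second policy name (guest-fw) is made up.

```python
"""Verify the firewall-policy block of a WiNG startup-config against the
best-practice settings listed in this article.

Added example for this article, not code from Extreme Networks or WiNG.
Assumes the exported startup-config is plain text in which each block starts
with a 'firewall-policy <name>' line and ends at the next '!' separator, as
in the sample block shown in the article.
"""
from typing import Dict, List, Optional, Tuple

# The best-practice settings, copied from step 1 of the procedure.
BEST_PRACTICE_POLICY: List[str] = """\
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
dhcp-offer-convert
no stateful-packet-inspection-l2
""".splitlines()


def extract_firewall_policies(config_text: str) -> Dict[str, List[str]]:
    """Return {policy_name: [setting lines]} for every firewall-policy block."""
    policies: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("firewall-policy "):
            current = line.split(None, 1)[1]
            policies[current] = []
        elif current is not None and (line == "!" or not line):
            current = None  # the '!' separator (or a blank line) closes the block
        elif current is not None:
            policies[current].append(line)
    return policies


def diff_policy(actual: List[str],
                expected: List[str] = BEST_PRACTICE_POLICY) -> Tuple[List[str], List[str]]:
    """Return (missing, unexpected) settings; the order of lines is irrelevant."""
    actual_set, expected_set = set(actual), set(expected)
    missing = [line for line in expected if line not in actual_set]
    unexpected = [line for line in actual if line not in expected_set]
    return missing, unexpected


def check_startup_config(config_text: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Diff every firewall-policy block in the config against the best practice."""
    return {name: diff_policy(lines)
            for name, lines in extract_firewall_policies(config_text).items()}


# Constructed sample export: 'default' lacks one line, and 'guest-fw' (a made-up
# policy name) carries a placeholder line that is not in the best-practice set.
SAMPLE_STARTUP_CONFIG = "\n".join(
    ["!", "firewall-policy default"]
    + [line for line in BEST_PRACTICE_POLICY if line != "no ip dos smurf"]
    + ["!", "firewall-policy guest-fw", "no ip dos smurf",
       "constructed-extra-setting", "!"]
) + "\n"

if __name__ == "__main__":
    for name, (missing, unexpected) in check_startup_config(SAMPLE_STARTUP_CONFIG).items():
        status = "OK" if not (missing or unexpected) else "MISMATCH"
        print(f"firewall-policy {name}: {status}")
        for line in missing:
            print(f"  missing:    {line}")
        for line in unexpected:
            print(f"  unexpected: {line}")
```

To check a real export, read the file into a string and pass it to check_startup_config; an empty result for the policy that the device profile actually uses means the policy matches step 1 exactly, while any entry under missing points at a line that was not applied (for example because the paste in step 3 was cut short).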
Additional notes
Please contact our Global Technical Assistance Center (GTAC) if further assistance is required.
