What is the best practice firewall policy for WiNG devices and how to apply it?

Objective
To apply and use the best practice firewall policy settings on WiNG devices.
Environment
  • All Summit WM3000 Series Controllers
  • ExtremeWiNG Controllers
  • WirelessWiNG Controllers
  • ExtremeWiNG Access Points
  • WirelessWiNG Access Points
  • WiNG v5.X Software
Procedure
  1. Copy the following best practices firewall policy settings:
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
dhcp-offer-convert
no stateful-packet-inspection-l2
  2. Log in to the AP or controller via SSH (Secure Shell) or the console port (baud rate 19200 or 115200) and run the following commands (replace the policy name with your own if it is other than "default"):
>en
#config t
#firewall-policy default
  3. Right-click on the command line to paste the firewall policy settings copied in step 1:
#(right click here to load policy settings)
#no ip dos smurf
#no ip dos twinge
#no ip dos invalid-protocol
#no ip dos router-advt
#no ip dos router-solicit
#no ip dos option-route
#no ip dos ascend
#no ip dos chargen
#no ip dos fraggle
#no ip dos snork
#no ip dos ftp-bounce
#no ip dos tcp-intercept
#no ip dos broadcast-multicast-icmp
#no ip dos land
#no ip dos tcp-xmas-scan
#no ip dos tcp-null-scan
#no ip dos winnuke
#no ip dos tcp-fin-scan
#no ip dos udp-short-hdr
#no ip dos tcp-post-syn
#no ip dos tcphdrfrag
#no ip dos ip-ttl-zero
#no ip dos ipspoof
#no ip dos tcp-bad-sequence
#no ip dos tcp-sequence-past-window
#no ip-mac conflict
#no ip-mac routing conflict
#dhcp-offer-convert
#no stateful-packet-inspection-l2
  4. Save and check your config:
#com wr
#show context

Alternative method:
  1. Copy the startup-config onto your computer
  2. Open the text file
  3. Scroll down to the firewall policy and replace the existing settings with the ones listed in step one
  4. Reload the startup-config file
  5. Reboot the device. 
The firewall policy in the startup-config should look like this:
!
firewall-policy default
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
dhcp-offer-convert
no stateful-packet-inspection-l2
!
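To support the "Save and check your config" step offline, the following added example (not from the original article or from the vendor) parses saved `show context` or startup-config text and reports which of the article's 29 lines are missing from the named policy and which other lines the policy contains. It assumes the policy block ends at a line containing only `!`, as in the listing above; the function names and the sample text are constructed for illustration.

```python
# Added example: audit a saved WiNG config against the article's policy lines.
DOS_EVENTS = (
    "smurf twinge invalid-protocol router-advt router-solicit option-route "
    "ascend chargen fraggle snork ftp-bounce tcp-intercept "
    "broadcast-multicast-icmp land tcp-xmas-scan tcp-null-scan winnuke "
    "tcp-fin-scan udp-short-hdr tcp-post-syn tcphdrfrag ip-ttl-zero ipspoof "
    "tcp-bad-sequence tcp-sequence-past-window"
).split()
EXPECTED = [f"no ip dos {event}" for event in DOS_EVENTS] + [
    "no ip-mac conflict", "no ip-mac routing conflict",
    "dhcp-offer-convert", "no stateful-packet-inspection-l2",
]

def policy_block(config_text, name="default"):
    """Return the lines inside 'firewall-policy <name>', or None if absent."""
    lines, inside = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if inside:
            if line == "!":          # assumed block terminator, as in the listing
                return lines
            if line:
                lines.append(line)
        elif line.split() == ["firewall-policy", name]:
            inside = True
    return lines if inside else None

def audit(config_text, name="default"):
    """Return (missing, unexpected) relative to the article's settings."""
    block = policy_block(config_text, name)
    if block is None:
        raise ValueError(f"firewall-policy {name} not found")
    missing = [line for line in EXPECTED if line not in block]
    unexpected = [line for line in block if line not in EXPECTED]
    return missing, unexpected

# Constructed sample: the article's block with two lines left out, followed by
# an unrelated block (hypothetical name) that the parser must not read into.
SAMPLE = "\n".join(
    ["!", "firewall-policy default"]
    + [" " + l for l in EXPECTED if l not in ("no ip dos ipspoof", "dhcp-offer-convert")]
    + ["!", "hypothetical-block example", " no ip dos ipspoof", "!"]
)

if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE)
    print("missing:", missing)
    print("unexpected:", unexpected)
```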
Additional notes
Please contact our technical support team if further assistance is required. 