Wireless Controller
nmichael
Staff
Article Id 194348
Description

How are the QoS/firewall rules processed on the controller, and how can the processing order be verified?


Scope

KB ARTICLE TYPE: Troubleshooting, configuration

RELATED PRODUCTS: MC1500, MC1550, MC3000, MC3200, MC4100, MC4200

RELATED SOFTWARE VERSIONS: 5.x

KEYWORDS: QoS, firewall, rules


Solution
On the Meru controller, QoS rules are processed in the order in which they were created, not in numeric rule ID order.

During rule lookup the protocol is matched first (which is why it is crucial to always have the match check box selected for the protocol field). The source, source port, destination and destination port are then compared only for those fields whose match check box is selected; a field whose box is not selected does not constrain the match.

Lookup stops at the first rule whose protocol matches and whose checked source and destination fields match the flow. Later rules are not consulted, even if one of them is more specific.

For example (the rule table is illustrated in the original article): three QoS rules exist between the subnets 172.16.10.x and 172.18.166.y, covering the ICMP and TCP protocols.

A ping from 172.18.x.x succeeds because it hits rule 13, the only rule with an ICMP match.

For TCP traffic, however, there are two rules: rule 9, which drops all TCP traffic from 172.18.x.x to 172.16.x.x, and rule 15, a more specific rule that forwards HTTPS traffic between two particular hosts in those same subnets.

When the client 172.18.166.12 initiates HTTPS traffic, it is dropped by rule 9: that rule comes first in the lookup, its protocol (TCP) matches, and the destination is a host in the subnet the rule names. Once that match is found, no further lookup is performed, so all TCP traffic between the subnets, including the HTTPS that rule 15 was meant to permit, is dropped.

The same can be verified from the firewall logs on the controller; each entry records the flow, the rule ID that matched and the action taken:

default# show syslog-file firewall

6       info     ALR       05/23/2013 06:33:26       Network Traffic, Flow of Traffic MAC: 00:1f:3c:d1:36:8c->MAC: 00:90:0b:1b:02:69 src_ip:172.18.166.12->dst_ip:172.16.10.60:[dst_port:443], rule id: 9, action: Drop. AP MAC Address : 00:0c:e6:0a:54:73


7       info     ALR       05/23/2013 06:49:38       Network Traffic, Flow of Traffic MAC: 00:1f:3c:d1:36:8c->MAC: 00:90:0b:1b:02:69 src_ip:172.18.166.12->dst_ip:172.16.10.60:[dst_port:0], rule id: 13, action: Forward. AP MAC Address : 00:0c:e6:0a:54:73


To get HTTPS traffic working between the subnets, the TCP rules have to be reordered so that the specific HTTPS rule (rule 15) is evaluated before the broad TCP drop rule (rule 9). After the reorder, the firewall log shows the same HTTPS flow forwarded by rule 15:

default# show syslog-file firewall

17       info     ALR      05/23/2013 07:55:03       Network Traffic, Flow of Traffic MAC: 00:1f:3c:d1:36:8c->MAC: 00:90:0b:1b:02:69 src_ip:172.18.166.12->dst_ip:172.16.10.60:[dst_port:443], rule id: 15, action: Forward. AP MAC Address : 00:0c:e6:0a:64:ad

NOTE: If the appropriate match check boxes are not selected, the matching results are ambiguous. In particular, a rule whose protocol field is not marked for matching is no longer restricted to that protocol and can match traffic the rule was never intended to cover.
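The first-match behaviour described above, and the log check used to verify it, as an added example (not code from the article or the controller): a small simulation of the creation-order lookup with the article's rules 9, 13 and 15, plus a parser for the `show syslog-file firewall` lines so the logged rule ID and action can be compared with what the lookup predicts. The `Rule` model, its field names, the /16 subnet widths and the simulation itself are assumptions made for illustration, not the controller's schema.

```python
"""Simulate the controller's first-match QoS/firewall rule lookup and parse
'show syslog-file firewall' output to confirm which rule a flow hit.
Added example: the Rule model and field names are assumptions, not the
controller's schema; the rules mirror the article's rules 9, 13 and 15."""
import dataclasses
import ipaddress
import re
from typing import List, Optional


@dataclasses.dataclass
class Rule:
    rule_id: int
    action: str                       # "Forward" or "Drop"
    proto: str                        # "tcp", "icmp", ...
    match_proto: bool = True          # the 'match' check box beside the protocol field
    src: Optional[str] = None         # CIDR; a field with its box unchecked matches anything
    match_src: bool = False
    dst: Optional[str] = None
    match_dst: bool = False
    dst_port: Optional[int] = None
    match_dst_port: bool = False


def _net_ok(cidr: Optional[str], ip: str, checked: bool) -> bool:
    if not checked or cidr is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def lookup(rules: List[Rule], proto: str, src: str, dst: str, dst_port: int = 0) -> Optional[Rule]:
    """Walk rules in list (creation) order, never by rule_id. Protocol is tested
    first; the first rule whose checked fields all match ends the lookup."""
    for r in rules:
        if r.match_proto and r.proto != proto:
            continue
        if (_net_ok(r.src, src, r.match_src) and _net_ok(r.dst, dst, r.match_dst)
                and (not r.match_dst_port or r.dst_port == dst_port)):
            return r
    return None


# Rule set from the article. Subnet widths (/16) are an assumption: the text
# only says 172.18.x.x -> 172.16.x.x.
RULE_9 = Rule(9, "Drop", "tcp", src="172.18.0.0/16", match_src=True,
              dst="172.16.0.0/16", match_dst=True)
RULE_13 = Rule(13, "Forward", "icmp", src="172.18.0.0/16", match_src=True,
               dst="172.16.0.0/16", match_dst=True)
RULE_15 = Rule(15, "Forward", "tcp", src="172.18.166.12/32", match_src=True,
               dst="172.16.10.60/32", match_dst=True, dst_port=443, match_dst_port=True)

ORIGINAL_ORDER = [RULE_9, RULE_13, RULE_15]   # creation order: broad TCP drop first
REORDERED = [RULE_15, RULE_9, RULE_13]        # specific HTTPS permit created before the drop
# Rule 9 with its protocol match box cleared: it now matches any protocol (the NOTE case).
UNCHECKED_PROTO_ORDER = [dataclasses.replace(RULE_9, match_proto=False), RULE_13, RULE_15]

# Log lines copied from the article's 'show syslog-file firewall' output.
DROP_LINE = ("6 info ALR 05/23/2013 06:33:26 Network Traffic, Flow of Traffic "
             "MAC: 00:1f:3c:d1:36:8c->MAC: 00:90:0b:1b:02:69 src_ip:172.18.166.12->"
             "dst_ip:172.16.10.60:[dst_port:443], rule id: 9, action: Drop. "
             "AP MAC Address : 00:0c:e6:0a:54:73")
FORWARD_LINE = ("17 info ALR 05/23/2013 07:55:03 Network Traffic, Flow of Traffic "
                "MAC: 00:1f:3c:d1:36:8c->MAC: 00:90:0b:1b:02:69 src_ip:172.18.166.12->"
                "dst_ip:172.16.10.60:[dst_port:443], rule id: 15, action: Forward. "
                "AP MAC Address : 00:0c:e6:0a:64:ad")

LOG_RE = re.compile(r"src_ip:(?P<src>[\d.]+)->dst_ip:(?P<dst>[\d.]+):\[dst_port:(?P<port>\d+)\],"
                    r"\s*rule id:\s*(?P<rule>\d+),\s*action:\s*(?P<action>\w+)")


def parse_firewall_log(line: str) -> Optional[dict]:
    """Pull the flow tuple, rule id and action out of one firewall log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "dst_port": int(m["port"]),
            "rule_id": int(m["rule"]), "action": m["action"]}


def expected_vs_logged(rules: List[Rule], line: str, proto: str) -> bool:
    """True when the rule the controller logged is the rule the simulated
    first-match walk predicts for that flow under the given rule order."""
    entry = parse_firewall_log(line)
    if entry is None:
        return False
    hit = lookup(rules, proto, entry["src"], entry["dst"], entry["dst_port"])
    return hit is not None and (hit.rule_id, hit.action) == (entry["rule_id"], entry["action"])


if __name__ == "__main__":
    flow = ("172.18.166.12", "172.16.10.60")
    for label, rules in (("original order", ORIGINAL_ORDER), ("reordered", REORDERED)):
        hit = lookup(rules, "tcp", *flow, 443)
        print(f"{label}: HTTPS hits rule {hit.rule_id} -> {hit.action}")
    print("drop line agrees with original order:", expected_vs_logged(ORIGINAL_ORDER, DROP_LINE, "tcp"))
    print("forward line agrees with reordered:", expected_vs_logged(REORDERED, FORWARD_LINE, "tcp"))
    print("ping with rule 9 protocol unchecked hits rule",
          lookup(UNCHECKED_PROTO_ORDER, "icmp", *flow).rule_id)
```

Running the script reproduces the article's two log entries (rule 9 drops the HTTPS flow in the original order, rule 15 forwards it once it precedes rule 9) and shows why the NOTE matters: with the protocol box cleared on rule 9, the ICMP ping that should reach rule 13 is swallowed by rule 9 instead. `expected_vs_logged` is the check a practitioner would script when reading `show syslog-file firewall`: if the logged rule ID is not the one the creation order predicts, the rule set on the controller is not the one you think it is.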

