03-17-2023 11:22 AM
Can someone explain the difference between the User Traffic Profile & Firewall Profile and why there are overlapping ACLs and Rate Limiting?
I have been troubleshooting an issue for my WLAN where a user-role mapping was causing clients to be dropped into a traffic policy, but because they were also being dropped into a firewall policy it was incredibly difficult to troubleshoot due to the disparate ACLs. It seems like the two policies are mostly redundant, as they work in the same manner, but both are required to be selected when configuring a user role policy.
03-19-2023 10:21 PM
A User Traffic Profile (UTP) can be created to block or limit user traffic based on a number of factors, including source and destination IP address, port, protocol, etc. Additionally, a UTP can be created to shape traffic according to a configurable application control policy.
A User Traffic Profile includes the features below:
- Firewall rules
- Rate limiting
- Application Visibility and Control
- URL filtering
L3 Access Control only includes L3 rules for access control on the SSID; it can be mapped to the SSID under the Firewall option.
Changes made under L3 Access Control will not have any impact on the User Traffic Profile.
However, the best way is to create an L3 firewall profile under the Firewall option of the SSID; it will update the L3 Access Control, and the other rate limiting, application policy, URL filtering and device policy can be applied all together.
Note: for the ACL rules in the UTP profile, only upstream rules are supported.
However, on the Firewall L3 ACL, rules in both directions (Inbound, Outbound and Dual) can be applied.
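As an added illustration (this is not code from the thread, from Ruckus or from SmartZone): a small Python model of one client sitting behind a UTP-style ACL that only ever evaluates upstream traffic and a firewall L3 ACL that evaluates both directions. First-match rule evaluation, the per-ACL default action, the "a deny in any applicable ACL wins" composition, and the mapping of Inbound/Outbound onto client-relative upstream/downstream are all assumptions of the model rather than documented controller behaviour, and the sample rules and packets are constructed. What it demonstrates is the troubleshooting question from the original post: for a given flow, which of the two independently evaluated policies is the one that actually drops it, and why a return-path (downstream) packet can only ever be dropped by the L3 ACL.

```python
"""Toy model of a client under two independently evaluated ACLs.

Added illustration, not Ruckus/SmartZone code. Assumptions (not from the
thread): first-match rule evaluation, a per-ACL default action, and a
"deny in any applicable ACL wins" composition. Directions are client-relative:
UPSTREAM is client -> network, DOWNSTREAM is network -> client.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

UPSTREAM = "upstream"
DOWNSTREAM = "downstream"
DUAL = "dual"


@dataclass(frozen=True)
class Packet:
    direction: str   # UPSTREAM or DOWNSTREAM
    remote: str      # IP address of the non-client endpoint
    proto: str       # "tcp", "udp", "icmp"
    port: int        # remote-side port (dst port upstream, src port downstream)


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str          # UPSTREAM, DOWNSTREAM or DUAL
    remote_net: str         # remote side as a CIDR
    proto: str = "any"
    port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.direction != DUAL and self.direction != pkt.direction:
            return False
        if ip_address(pkt.remote) not in ip_network(self.remote_net):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.port is not None and self.port != pkt.port:
            return False
        return True


@dataclass
class Acl:
    name: str
    rules: list
    default: str           # action when no rule matches
    directions: frozenset  # directions this ACL evaluates at all

    def verdict(self, pkt: Packet) -> Optional[str]:
        """'allow'/'deny' for packets this ACL sees; None where it does not apply."""
        if pkt.direction not in self.directions:
            return None
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


def decide(pkt: Packet, acls: list) -> tuple:
    """Return (verdict, name of the ACL that denied, or None). Any deny wins."""
    for acl in acls:
        if acl.verdict(pkt) == "deny":
            return "deny", acl.name
    return "allow", None


# Constructed policies mirroring the thread: the UTP ACL holds upstream rules
# only, the firewall L3 ACL can hold rules in both directions.
UTP_ACL = Acl(
    name="UTP",
    rules=[Rule("allow", UPSTREAM, "10.0.0.0/8", "tcp", 443)],
    default="deny",
    directions=frozenset({UPSTREAM}),
)
L3_ACL = Acl(
    name="L3-firewall",
    rules=[Rule("allow", DUAL, "10.10.0.0/16", "tcp", 443)],
    default="deny",
    directions=frozenset({UPSTREAM, DOWNSTREAM}),
)
POLICY = [UTP_ACL, L3_ACL]


def explain(pkt: Packet) -> str:
    """One-line troubleshooting summary: which ACL, if any, dropped the packet."""
    verdict, by = decide(pkt, POLICY)
    per_acl = ", ".join(f"{a.name}={a.verdict(pkt) or 'n/a'}" for a in POLICY)
    tail = f"dropped by {by}" if by else "passed"
    return f"{pkt.direction} {pkt.proto}/{pkt.remote}:{pkt.port}: {tail} [{per_acl}]"


if __name__ == "__main__":
    samples = [                                    # constructed sample flows
        Packet(UPSTREAM, "10.10.1.1", "tcp", 443),  # allowed by both ACLs
        Packet(UPSTREAM, "10.20.5.5", "tcp", 443),  # UTP allows, L3 ACL denies
        Packet(DOWNSTREAM, "10.20.5.5", "tcp", 443),  # only the L3 ACL sees it
        Packet(UPSTREAM, "10.10.1.1", "udp", 53),   # UTP denies before L3 is consulted
    ]
    for p in samples:
        print(explain(p))
```

The per-ACL column in the output is the part worth keeping in a real troubleshooting script: when two policies overlap, the useful question is not "is the flow blocked" but "which policy blocked it", and the n/a entry for downstream packets makes it visible that the UTP never had a say over the return path.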
03-19-2023 10:27 PM
Hi @garrett_collier
There are some more limitations for the UTP role policies; below are the details for your reference.
Limitations Applying Role Policies to Users:
User Traffic Profiles are configured with various policies, such as rate limiting, so when a profile is applied to a WLAN, the policies in the profile are applied to all the UEs in the WLAN. The policies can also be applied to a user role in a WLAN, but not all the policies defined in the profile are applied to the role.
If a role-based VLAN policy is defined in the profile, it cannot be applied to the WLAN if it is authenticated based on an L7 method (WebAuth or Hotspot/WISPr). This is because when a VLAN is applied on a per-role basis for an L7 authentication method, the user receives an IP address via DHCP before the UE is authenticated. This happens at layer 3 or 4, and you cannot authenticate the UE and assign a role to it until layer 7 is reached. This results in a mismatch between the VLAN IDs set within the roles and could possibly lead to service disruptions.