What is required for Application Recognition to work when the APs are behind a firewall?

Summary

This article explains what network changes are required for application visibility to work when the APs are behind a firewall.

Question

What changes are required on the firewall for the application visibility feature to work when the APs are behind it?

Customer Environment

Ruckus controller managed wireless network.

Root Cause

The firewall has FTP and other ports blocked, which can cause the application visibility feature to fail. Having the ALG (Application Layer Gateway) feature enabled can also cause this.

Resolution

The application visibility feature lets the admin see which applications and websites are used most on the wireless network, and who is using them. This feature needs to be enabled at the SSID level.

Once enabled, APs send the client traffic details to the controller every 5 minutes. The controller accumulates this information from all APs and presents it in a pie-chart format.

APs use the FTP port to send this data to the controller, so the admin has to open TCP port 21 and ports above 1024, as mentioned in the controller's user guide.

Some firewalls also have an Application Layer Gateway (ALG) feature enabled, which lets them monitor the traffic and dynamically open/close the corresponding ports as required. This has the potential to block the AP traffic corresponding to application recognition. If your firewall has this feature enabled by default, please disable it.
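
As an added example (not from this article or the controller's user guide), the Python script below audits a first-match firewall rule list for the AP-to-controller flows named above, TCP 21 and TCP ports above 1024, and flags allow rules that are wider than that path. The rule format, the addresses (documentation ranges) and all names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values (documentation address ranges), not taken from the article.
AP_NET = ipaddress.ip_network("192.0.2.0/24")
CONTROLLER = ipaddress.ip_network("198.51.100.10/32")
REQUIRED_PORTS = [21] + list(range(1025, 65536))  # TCP 21 and ports above 1024

@dataclass
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    lo: int       # first TCP destination port
    hi: int       # last TCP destination port (inclusive)

    def __post_init__(self):
        self.src_net = ipaddress.ip_network(self.src)
        self.dst_net = ipaddress.ip_network(self.dst)

def verdict(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if src in r.src_net and dst in r.dst_net and r.lo <= port <= r.hi:
            return r.action
    return "deny"

def audit(rules, ap_ip):
    """Return (blocked required ports, allow rules wider than AP -> controller)."""
    src = ipaddress.ip_address(ap_ip)
    dst = CONTROLLER.network_address
    blocked = [p for p in REQUIRED_PORTS if verdict(rules, src, dst, p) != "allow"]
    too_wide = [r for r in rules
                if r.action == "allow" and r.hi > 1024
                and not (r.src_net.subnet_of(AP_NET) and r.dst_net.subnet_of(CONTROLLER))]
    return blocked, too_wide

# Constructed rule sets for illustration.
ONLY_FTP_CONTROL = [Rule("allow", "192.0.2.0/24", "198.51.100.10/32", 21, 21)]
ANY_TO_ANY = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0", 1, 65535)]
SCOPED = [Rule("allow", "192.0.2.0/24", "198.51.100.10/32", 21, 21),
          Rule("allow", "192.0.2.0/24", "198.51.100.10/32", 1025, 65535)]

if __name__ == "__main__":
    for name, rules in (("only-21", ONLY_FTP_CONTROL), ("any-any", ANY_TO_ANY), ("scoped", SCOPED)):
        blocked, too_wide = audit(rules, "192.0.2.50")
        print(name, "blocked ports:", len(blocked), "over-broad rules:", len(too_wide))
```

With only TCP 21 allowed, every port above 1024 is reported as blocked, which is the state left once nothing opens ports dynamically. The scoped rule set passes both checks because it limits the high-port allowance to the AP subnet and the controller address.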

Article Number:
000004963

Updated:
August 17, 2020 10:01 AM

Tags:
Configuration, ZoneDirector
