14-21
FireSIGHT System User Guide
 
Chapter 14      Understanding and Writing Access Control Rules
  Working with Different Types of Conditions
The list updates to display your entry. See 
 for more information.
Step 7 Save or continue editing the rule.
You must apply the access control policy for your changes to take effect; see 
.
Adding User Conditions
License: Control
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
You can configure access control rules to match traffic for users and user groups retrieved from a 
Microsoft Active Directory Server.
Before you can write access control rules with user conditions, you must configure a connection between 
the Defense Center and at least one of your organization’s Microsoft Active Directory servers. This 
configuration, called an authentication object, contains connection settings and authentication filter 
settings for the server. It also specifies the users and groups you can use in user conditions. For more 
information, see 
In addition, you must install User Agents. The agents monitor users when they authenticate against 
Active Directory credentials, and send records of those logins to the Defense Center. These records 
associate users with IP addresses, which is what allows access control rules with user conditions to 
trigger. For more information, see 
Keep in mind that if you specify a group in an access control rule, that automatically includes all of the 
group’s members, including members of any sub-groups, with the exception of individually excluded 
users and members of excluded sub-groups.
Before the system can handle traffic (and generate associated events) using an access control rule with 
a user group condition, at least one user from that group must be detected in your network traffic. This 
initial connection is handled by the access control policy default action, not the access control rule it 
matches.
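The two behaviours described above (a group condition expands to the group's members and its sub-groups' members, minus individually excluded users and excluded sub-groups; and a rule with a user condition can only match once a User Agent login record has tied the source IP address to a user, so the first connection falls to the policy default action) can be modelled in a few lines. The following is an added illustration, not code from the FireSIGHT System or from Cisco; the group names, user names, IP addresses and the `Rule`, `UserMap` and `evaluate` names are constructed for the example and do not correspond to any product API.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed directory snapshot (hypothetical groups and users).
# Each group lists its direct members and its direct sub-groups.
GROUPS: Dict[str, Dict[str, Set[str]]] = {
    "Engineering": {"members": {"alice", "bob"}, "subgroups": {"Contractors"}},
    "Contractors": {"members": {"carol", "dave"}, "subgroups": {"Interns"}},
    "Interns": {"members": {"erin"}, "subgroups": set()},
}


def effective_members(group: str,
                      groups: Dict[str, Dict[str, Set[str]]],
                      excluded_users: FrozenSet[str] = frozenset(),
                      excluded_groups: FrozenSet[str] = frozenset()) -> Set[str]:
    """Expand a group condition into the set of users it covers.

    Walks sub-groups transitively, skips any excluded sub-group (and everything
    beneath it), and finally drops individually excluded users. A 'seen' set
    guards against cyclic group nesting.
    """
    users: Set[str] = set()
    seen: Set[str] = set()
    stack: List[str] = [group]
    while stack:
        name = stack.pop()
        if name in seen or name in excluded_groups:
            continue
        seen.add(name)
        entry = groups.get(name, {"members": set(), "subgroups": set()})
        users |= entry["members"]
        stack.extend(entry["subgroups"])
    return users - set(excluded_users)


@dataclass(frozen=True)
class Rule:
    """A simplified access control rule with a single user-group condition."""
    name: str
    action: str            # e.g. "Block" or "Allow"
    group: str
    excluded_users: FrozenSet[str] = frozenset()
    excluded_groups: FrozenSet[str] = frozenset()


class UserMap:
    """IP-to-user associations, as a User Agent would report them from logins."""

    def __init__(self) -> None:
        self.ip_to_user: Dict[str, str] = {}

    def record_login(self, user: str, ip: str) -> None:
        # A newer login from the same address replaces the earlier mapping.
        self.ip_to_user[ip] = user

    def user_for(self, ip: str) -> Optional[str]:
        return self.ip_to_user.get(ip)


def evaluate(src_ip: str, rules: List[Rule], usermap: UserMap,
             groups: Dict[str, Dict[str, Set[str]]],
             default_action: str = "Allow") -> Tuple[str, Optional[str]]:
    """Return (action, matching rule name) for a connection from src_ip.

    With no user mapped to the address, no user condition can match, so the
    connection is handled by the policy default action (rule name None).
    """
    user = usermap.user_for(src_ip)
    if user is None:
        return default_action, None
    for rule in rules:  # rules are evaluated in order; first match wins
        if user in effective_members(rule.group, groups,
                                     rule.excluded_users, rule.excluded_groups):
            return rule.action, rule.name
    return default_action, None


if __name__ == "__main__":
    policy = [Rule("block-contractors", "Block", "Contractors",
                   excluded_groups=frozenset({"Interns"}))]
    umap = UserMap()
    print(evaluate("10.0.0.5", policy, umap, GROUPS))   # no mapping yet: default action
    umap.record_login("carol", "10.0.0.5")
    print(evaluate("10.0.0.5", policy, umap, GROUPS))   # carol is a Contractor: rule fires
    umap.record_login("erin", "10.0.0.6")
    print(evaluate("10.0.0.6", policy, umap, GROUPS))   # erin is in the excluded Interns sub-group
```

The `evaluate` function makes the ordering point concrete: the same source address produces the default action before the login record arrives and the rule's action afterwards, which is why the first connection from a not-yet-seen group member is logged against the default action rather than the rule.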
Caution
If you configure user awareness parameters that include a very large number of user groups, or if you 
have a very large number of users mapped to hosts on your network, the system may drop user mappings 
based on groups, due to memory limitations. As a result, access control rules based on user groups may 
not fire as expected.
The following procedure explains how to add user conditions while adding or editing an access control 
rule. See 
information.
To add user conditions to an access control rule:
Access: Admin/Access Admin/Network Admin
Step 1 Select the Users tab on the rule Edit page.
The Users page appears.