Chapter 13
Managing Identity-Aware Firewall Policies
User Guide for Cisco Security Manager 4.4, OL-28826-01, page 13-1
Identity-aware firewall policies allow you to control traffic based on user identity or a host’s
fully-qualified domain name. For example, you can selectively allow a specific type of traffic for one
user group while disallowing it for another user group, instead of allowing or disallowing all of that
traffic. With fully-qualified domain names, you could disallow HTTP access to a specific server while
allowing HTTP traffic to all other servers.
Identity awareness is integrated into several existing firewall rules; there is no unique identity-aware
firewall policy. This chapter explains identity-aware firewall policies and how to implement them in the
various policies that support identity awareness.
This chapter contains the following topics:
Overview of Identity-Aware Firewall Policies, page 13-1
Configuring Identity-Aware Firewall Policies, page 13-7
Monitoring Identity Firewall Policies, page 13-27

Overview of Identity-Aware Firewall Policies

In traditional firewall policies, decisions are made based on source and destination IP addresses, ports,
and services. The Identity Firewall in the ASA provides more granular control based on either or both
of the following:
User identity—You can configure access rules and security policies based on user names and user
group names rather than through source IP addresses alone. The ASA applies the security policies
based on an association of IP addresses to Windows Active Directory login information and reports
events based on the mapped user names instead of network IP addresses.
The Identity Firewall integrates with Microsoft Active Directory in conjunction with an external
Active Directory (AD) agent that provides the actual identity mapping. The ASA uses Windows
Active Directory as the source to retrieve the current user identity information for specific IP
addresses and allows transparent authentication for Active Directory users. For information on
setting up and configuring the AD agent, see Installation and Setup Guide for the Active Directory
Agent on Cisco.com at
http://www.cisco.com/en/US/products/ps6120/prod_installation_guides_list.html.
FQDN network objects—You can use a host’s fully-qualified domain name (FQDN) in a rule instead
of its IP address. Thus, if the host’s address changes (for example, because it acquires the address
through DHCP), the rule will still apply.
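As an added illustration (not code from the guide or from Cisco), the following Python model shows the evaluation the overview describes: the firewall consults the IP-to-user mapping supplied by the AD agent and the current DNS answer for an FQDN network object, so a rule keyed on group and FQDN keeps matching after a user or server changes address, and the logged event names the user rather than the IP. User names, group names, addresses and the hostname are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src_group: Optional[str] = None  # AD group the source user must belong to (None = any user)
    dst_fqdn: Optional[str] = None   # FQDN network object for the destination (None = any host)
    service: str = "tcp/80"
@dataclass
class IdentityFirewall:
    rules: List[Rule]
    ip_to_user: Dict[str, str] = field(default_factory=dict)        # fed by the AD agent
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)  # AD group membership
    fqdn_cache: Dict[str, Set[str]] = field(default_factory=dict)   # current DNS answers per FQDN object
    def learn_user(self, ip: str, user: str) -> None:
        # AD agent reports a new IP-to-user association; the user's previous address is forgotten.
        self.ip_to_user = {k: v for k, v in self.ip_to_user.items() if v != user}
        self.ip_to_user[ip] = user
    def resolve_fqdn(self, fqdn: str, ips: List[str]) -> None:
        # DNS answer refreshed, so the FQDN object follows the host's current address.
        self.fqdn_cache[fqdn] = set(ips)
    def evaluate(self, src_ip: str, dst_ip: str, service: str) -> Tuple[str, Optional[str]]:
        """First matching rule wins, implicit deny. Returns (action, mapped user for the event log)."""
        user = self.ip_to_user.get(src_ip)
        groups = self.user_groups.get(user, set())
        for r in self.rules:
            if (r.service != service
                    or (r.src_group is not None and r.src_group not in groups)
                    or (r.dst_fqdn is not None and dst_ip not in self.fqdn_cache.get(r.dst_fqdn, set()))):
                continue
            return r.action, user
        return "deny", user

def demo():
    # Constructed scenario: only Engineering may reach the intranet server over HTTP; HTTP elsewhere is open.
    fw = IdentityFirewall(
        rules=[Rule("permit", src_group="Engineering", dst_fqdn="intranet.example.com"),
               Rule("deny", dst_fqdn="intranet.example.com"), Rule("permit")],
        user_groups={"EXAMPLE\\alice": {"Engineering"}, "EXAMPLE\\bob": {"Contractors"}})
    fw.learn_user("10.1.1.20", "EXAMPLE\\alice")
    fw.learn_user("10.1.1.21", "EXAMPLE\\bob")
    fw.resolve_fqdn("intranet.example.com", ["192.0.2.10"])
    before = (fw.evaluate("10.1.1.20", "192.0.2.10", "tcp/80"),
              fw.evaluate("10.1.1.21", "192.0.2.10", "tcp/80"))
    fw.resolve_fqdn("intranet.example.com", ["192.0.2.77"])  # server received a new DHCP lease
    fw.learn_user("10.1.1.99", "EXAMPLE\\alice")              # alice logged in from another host
    after = (fw.evaluate("10.1.1.99", "192.0.2.77", "tcp/80"),
             fw.evaluate("10.1.1.20", "192.0.2.77", "tcp/80"))  # old address no longer maps to alice
    return before, after
```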