13-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Configuring Identity-Aware Firewall Policies

Configuring the Firewall to Provide Identity-Aware Services

To provide identity-aware firewall services to your network, you need to configure several policies to
enable the firewall to process user-based or fully-qualified domain name (FQDN)-based rules. The ASA
depends on other servers in your network to provide the user, user group, and FQDN name resolution
services required to implement your identity-aware policies.
The required configuration depends on which aspects of identity awareness you will use:
• User and user group resolution—To use identity user group objects in your firewall rules, you must
configure several objects and policies to identify the Active Directory servers that will supply user
and user group information.
• FQDN resolution—To use FQDN network/host objects in your firewall rules, you must configure
DNS servers to resolve FQDNs to IP addresses.
This procedure explains the overall process for implementing identity-aware policies.
Before You Begin
Your network must meet the requirements explained in Requirements for Identity-Aware Firewall
Policies, page 13-3. The following procedure assumes that you are already using Active Directory (AD),
that you have installed and configured the AD agents, and that these services are working correctly.
Step 1 Enable AD user and user group resolution.
a. Create the policy objects needed to identify the AD servers and agents and configure the NetBIOS
domain for the server groups. For detailed information, see Identifying Active Directory Servers and
Agents, page 13-8.
b. If you want non-default settings, change the identity options. Use these options to enable the
NetBIOS logout probe and to configure various timers and error handling. For detailed information,
see Configuring Identity Options, page 13-15.
c. If you want to create user groups defined on the ASA (in addition to AD-defined user groups), create
the required identity user group policy objects. See Creating Identity User Group Objects,
page 13-19.
Step 2 Enable FQDN network/host object resolution.
a. Configure DNS servers in the DefaultDNS group. DNS is required to resolve FQDNs to IP
addresses. For information on configuring DNS, see DNS Page, page 51-13.
b. Create FQDN network/host objects as described in Creating Networks/Hosts Objects, page 6-76.
Step 3 Configure firewall rules to use FQDN objects, usernames, user group names, or identity user group
objects. See Configuring Identity-Based Firewall Rules, page 13-21.
Step 4 Monitor the identity firewall system. See Monitoring Identity Firewall Policies, page 13-27.
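The steps above are described in Security Manager terms; the block below is an added example, written for this page and not taken from the guide or from Security Manager's generated configuration, showing the ASA CLI that the resulting deployment corresponds to. All names, addresses, the NetBIOS domain EXAMPLE, and the user and group names are placeholders, and Security Manager itself decides the exact commands it sends to the device.

```cisco
! Constructed example: ASA CLI equivalent of Steps 1-4 above.
! Server names, addresses, domain and credentials are placeholders.

! Step 1a: AD server group (LDAP) that supplies users and user groups
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-group-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft

! Step 1a: AD agent group (RADIUS transport) that reports user-to-IP mappings
aaa-server AD-AGENT protocol radius
 ad-agent-mode
aaa-server AD-AGENT (inside) host 10.0.0.11
 key <placeholder>
 user-identity

! Step 1a: bind the NetBIOS domain to the AD server group and name the agent group
user-identity domain EXAMPLE aaa-server AD-LDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server AD-AGENT

! Step 1b: non-default identity options (NetBIOS logout probe, timers, error handling)
user-identity logout-probe netbios local-system probe-time minutes 10 retry-interval seconds 10 retry-count 2 user-not-needed
user-identity inactive-user-timer minutes 60
user-identity poll-import-user-group-timer hours 8
user-identity action netbios-response-fail remove-user-ip
user-identity action ad-agent-down disable-user-identity-rule
user-identity enable

! Step 1c: an ASA-defined identity user group that mixes AD users and AD groups
object-group user CONTRACTORS
 user EXAMPLE\jdoe
 user-group EXAMPLE\\Contractors

! Step 2a: DNS servers in the DefaultDNS group, needed to resolve FQDN objects
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.0.53
 domain-name example.com

! Step 2b: an FQDN network/host object
object network INTRANET-PORTAL
 fqdn v4 portal.example.com

! Step 3: access rules keyed on an AD user group, the local identity group and the FQDN object
access-list INSIDE-IN extended permit tcp user-group EXAMPLE\\Finance any object INTRANET-PORTAL eq 443
access-list INSIDE-IN extended permit tcp object-group-user CONTRACTORS any object INTRANET-PORTAL eq 443
access-list INSIDE-IN extended deny ip any any
access-group INSIDE-IN in interface inside

! Step 4: verification commands to run after deployment
! show user-identity ad-agent        (agent reachability and status)
! show user-identity user all        (users and groups currently mapped to IP addresses)
! show dns                           (cached FQDN-to-IP resolutions for the FQDN objects)
```

Two points worth noticing when reading the rules: a user-based rule only matches traffic whose source IP the AD agent has mapped to a logged-in user, so the `ad-agent-down` action decides whether those rules fail open or closed when the agent is unreachable, and an FQDN object only matches the addresses the DefaultDNS group currently has cached, so a resolver outage silently shrinks the match set rather than producing an error.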
Configuring Identity-Aware Firewall Policies
Identity awareness is integrated into several existing firewall rules; there is no unique identity-aware
firewall policy. The topics in this section explain the various procedures for integrating identity
awareness into firewall policies.