User Guide for Cisco Security Manager 4.4 (OL-28826-01), page 13-23
Chapter 13 Managing Identity-Aware Firewall Policies
Configuring Identity-Aware Firewall Policies
• Access Rules—Select Firewall > Access Rules and see Configuring Access Rules, page 16-7.
• Inspection Rules—Select Firewall > Inspection Rules and see Configuring Inspection Rules, page 17-5.
• Policies that use extended ACL policy objects—Several firewall policies use extended ACL policy objects to define traffic matching criteria instead of incorporating a rule table directly in the policy. You can configure extended ACL policy objects to include FQDN objects or user specifications (see Creating Extended Access Control List Objects, page 6-50). You can then use these identity-based extended ACL objects in the following policies:
  – Botnet Traffic Filter Rules—Select Firewall > Botnet Traffic Filter Rules and see Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 19-6. You can use identity-based ACLs as traffic classification for Enable and Drop rules.
  – IPS, QoS, and Connection Rules (service policy rules)—Select Platform > Service Policy Rules > IPS, QoS, and Connection Rules and see IPS, QoS, and Connection Rules Page, page 56-5.
    Traffic match criteria in this policy are based on extended ACL policy objects that are incorporated into traffic flow policy objects. To incorporate identity-based traffic classification, you must select one of the options for specifying an ACL in the traffic flow object. You can use identity-based ACLs for all service types. For more information, see Configuring Traffic Flow Objects, page 56-16.
    One of the services available in this policy, User Statistics, is specifically designed to collect accounting information for identity-based firewall users. See Collecting User Statistics, page 13-25.
  – VPN filter in remote access group policies—The VPN filter ACL is applied to VPN traffic. You can configure a VPN filter on the Connection Settings page in an ASA Group Policy object, which you then use in a remote access connection policy. See ASA Group Policies Connection Settings, page 33-22, and Filtering VPN Traffic with Identity-Based Rules, page 13-26.
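As an added illustration (not taken from this guide), the following ASA CLI fragment shows the shape of what the policies above describe: an extended ACL built from an FQDN network object and user/user-group specifications, that ACL attached as a VPN filter in a group policy, and the same ACL used as the match criterion of a service-policy class that collects user statistics. All object, ACL, domain, user, group and interface names are hypothetical, and it is an assumption here that the Security Manager policies described above correspond to this style of ASA configuration; the identity firewall itself (AD agent and user-identity settings) is assumed to be configured already.

```cisco
! Hypothetical names throughout: EXAMPLE domain, jdoe user, Finance group,
! INTRANET-WEB object, ID-ACL, SALES-GP, ID-CLASS.

! FQDN network object; the ASA resolves the name through its configured DNS server.
object network INTRANET-WEB
 fqdn intranet.example.com

! Identity-based extended ACL. The user and user-group keywords carry the
! identity criteria in front of the normal source/destination fields.
! Note the single backslash for a user and the double backslash for a group.
access-list ID-ACL extended permit tcp user EXAMPLE\jdoe any object INTRANET-WEB eq 443
access-list ID-ACL extended permit tcp user-group EXAMPLE\\Finance any object INTRANET-WEB eq 443
access-list ID-ACL extended deny ip any any

! VPN filter: the identity-based ACL applied to remote-access VPN traffic
! through a group policy (Security Manager: ASA Group Policy > Connection Settings).
group-policy SALES-GP attributes
 vpn-filter value ID-ACL

! Service policy: a class that matches the identity-based ACL, with the
! User Statistics service collecting accounting data for identity-firewall users
! (Security Manager: Platform > Service Policy Rules > IPS, QoS, and Connection Rules).
class-map ID-CLASS
 match access-list ID-ACL
policy-map global_policy
 class ID-CLASS
  user-statistics accounting
```

The deny at the end of ID-ACL matters when the ACL is used as a VPN filter: a VPN filter only passes traffic the ACL explicitly permits, so an identity-only ACL with no catch-all rule still behaves as a default deny for everyone who does not match a user or user-group line.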
Policies That Do Not Allow Identity-Based Rules or Objects
There are several types of policy in which you can specify network/host objects or extended ACL objects, but which do not allow FQDN network/host objects, ACLs that use those objects, or identity user group objects. Examples of policies where you cannot use these types of objects include:
• Routing policies, including route maps.
• Network address translation (NAT).
• WCCP (Web Cache Communication Protocol).
• Crypto maps in VPN configurations.
• Dynamic access policies in remote access VPN configurations.
Configuring Cut-Through Proxy
When you use identity-aware firewall policies, user-to-IP address mappings are obtained from various sources, primarily from the AD agent in the network. Although the mappings are refreshed regularly, there are cases where a firewall rule blocks a legitimate user because the user-to-IP address mapping is out of date.
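As an added example (not from this guide), this is the ASA-side shape of a cut-through proxy rule that addresses the stale-mapping problem just described: connections matching the ACL are challenged for credentials at the firewall itself, so the user can re-authenticate directly instead of waiting for the AD agent's mapping to catch up. The ACL name, interface name, AAA server group and listener port are hypothetical, the AAA server group is assumed to exist already, and it is an assumption that the Security Manager cut-through proxy policy corresponds to this configuration.

```cisco
! Hypothetical names: AUTH-ACL, inside interface, AD-SERVERS AAA group, port 8888.

! Traffic that must authenticate before it is allowed through
! (here, all inside-to-outside HTTP and HTTPS).
access-list AUTH-ACL extended permit tcp any any eq 80
access-list AUTH-ACL extended permit tcp any any eq 443

! Cut-through proxy: connections matching AUTH-ACL on the inside interface
! are authenticated against the AD-SERVERS group before being permitted.
aaa authentication match AUTH-ACL inside AD-SERVERS

! Redirect intercepted browsers to the ASA's own authentication listener,
! so HTTPS sessions can be challenged without breaking the TLS connection.
aaa authentication listener http inside port 8888 redirect
```

Keep AUTH-ACL narrow: every matching connection from an unauthenticated host is interrupted by a login prompt, so match only the protocols a user can actually answer a challenge on (HTTP, HTTPS, Telnet, FTP) rather than all IP traffic.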