Configure The User Identity Monitor - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 8
ASA and Cisco Cloud Web Security
hostname(config)# access-list SCANSAFE_HTTP extended deny tcp any4 object dmz_network eq 443
hostname(config)# access-list SCANSAFE_HTTPS extended permit tcp any4 any4 eq 443
hostname(config)# class-map cws_class1
hostname(config-cmap)# match access-list SCANSAFE_HTTP
hostname(config)# class-map cws_class2
hostname(config-cmap)# match access-list SCANSAFE_HTTPS
hostname(config)# policy-map cws_policy
hostname(config-pmap)# class cws_class1
hostname(config-pmap-c)# inspect scansafe cws_inspect_pmap1 fail-open
hostname(config-pmap)# class cws_class2
hostname(config-pmap-c)# inspect scansafe cws_inspect_pmap2 fail-open
hostname(config)# service-policy cws_policy inside

Configure the User Identity Monitor

When you use identity firewall, the ASA only downloads user identity information from the AD server
for users and groups included in active ACLs. The ACL must be used in a feature such as an access rule,
AAA rule, service policy rule, or other feature to be considered active.
For example, although you can configure your Cloud Web Security service policy rule to use an ACL
with users and groups, thus activating any relevant groups, it is not required. You could use an ACL based
entirely on IP addresses.
Because Cloud Web Security can base its ScanCenter policy on user identity, you might need to
download groups that are not part of an active ACL to get full identity firewall coverage for all your
users. The user identity monitor lets you download group information directly from the AD agent.
Note: The ASA can only monitor a maximum of 512 groups, including those configured for the user identity
monitor and those monitored through active ACLs.
Procedure

Step 1 Identify the groups that you want to use in ScanCenter policies that are not already used in active ACLs.
If necessary, create local user group objects.

Step 2 Download the group information from the AD agent.

user-identity monitor {user-group [domain-name\\]group-name | object-group-user object-group-name}

hostname(config)# user-identity monitor user-group CISCO\\Engineering

Where:
user-group—Specifies a group name defined in the AD server.
object-group-user—The name of a local object created by the object-group user command. This group can
include multiple groups.
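The 512-group cap above covers both the groups named in user-identity monitor commands and those referenced from active ACLs, so an audit has to add the two sets together. The following Python script is an added example, not part of the Cisco guide: it reads a constructed running-config excerpt, treats an ACL as active when an access-group or class-map match references it (an assumption that covers the two most common cases), expands object-group user definitions, and reports the distinct groups against the limit.

```python
import re

MAX_MONITORED_GROUPS = 512  # cap stated in the guide: monitor groups plus active-ACL groups combined

# Constructed running-config excerpt (not from the page). ACL UNUSED is never applied anywhere.
SAMPLE_CONFIG = r"""
object-group user ENG_AND_QA
 user-group CISCO\\Engineering
 user-group CISCO\\QA
access-list INSIDE_IN extended permit tcp user-group CISCO\\Sales any4 any4 eq 443
access-list INSIDE_IN extended permit tcp object-group-user ENG_AND_QA any4 any4 eq 80
access-list UNUSED extended permit tcp user-group CISCO\\Finance any4 any4 eq 443
access-group INSIDE_IN in interface inside
user-identity monitor user-group CISCO\\Engineering
user-identity monitor user-group CISCO\\Marketing
"""

def active_acl_names(config):
    # Assumption: an ACL is "active" when access-group applies it or a class-map matches on it
    return set(re.findall(r"^\s*(?:access-group|match access-list)\s+(\S+)", config, re.M))

def user_object_groups(config):
    # Expand each 'object-group user NAME' block into the AD groups it lists
    groups, current = {}, None
    for line in config.splitlines():
        head = re.match(r"object-group user (\S+)", line)
        member = re.match(r"\s+user-group (\S+)", line)
        if head:
            current = head.group(1)
            groups[current] = set()
        elif member and current:
            groups[current].add(member.group(1))
        elif not line.startswith(" "):
            current = None  # left the object-group block

    return groups

def monitored_groups(config):
    # Distinct AD groups the ASA will download identity information for
    active, objs = active_acl_names(config), user_object_groups(config)
    groups = set()
    for line in config.splitlines():
        mon = re.match(r"user-identity monitor (user-group|object-group-user) (\S+)", line)
        acl = re.match(r"access-list (\S+) ", line)
        if mon:
            kind, name = mon.groups()
            groups |= {name} if kind == "user-group" else objs.get(name, set())
        elif acl and acl.group(1) in active:
            groups |= set(re.findall(r"\buser-group (\S+)", line))
            for og in re.findall(r"\bobject-group-user (\S+)", line):
                groups |= objs.get(og, set())
    return groups

def within_limit(config):
    return len(monitored_groups(config)) <= MAX_MONITORED_GROUPS

if __name__ == "__main__":
    found = monitored_groups(SAMPLE_CONFIG)
    print(f"{len(found)} monitored groups (limit {MAX_MONITORED_GROUPS}): {sorted(found)}")
```

Groups referenced only from an ACL that no feature uses (CISCO\\Finance in the sample) are not counted, which matches the guide's statement that only active ACLs trigger a download.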
Configure Cisco Cloud Web Security
Cisco ASA Series Firewall CLI Configuration Guide
8-13
