Collect User Statistics; Examples For The Identity Firewall - Cisco ASA Series Configuration Manual

Firewall cli, asa services module, and the adaptive security virtual appliance

Chapter 5
Identity Firewall

Collect User Statistics

To activate the collection of user statistics by the Modular Policy Framework and match lookup actions
for the Identity Firewall, perform the following steps:
Procedure
Step 1
Activate the collection of user statistics by the Modular Policy Framework and match lookup actions
for the Identity Firewall.
user-statistics [accounting | scanning]
Example:
hostname(config)# class-map c-identity-example-1
hostname(config-cmap)# match access-list identity-example-1
hostname(config-cmap)# exit
hostname(config)# policy-map p-identity-example-1
hostname(config-pmap)# class c-identity-example-1
hostname(config-pmap)# user-statistics accounting
hostname(config-pmap)# exit
hostname(config)# service-policy p-identity-example-1 interface outside
The accounting keyword specifies that the ASA collect the sent packet count, sent drop count, and
received packet count. The scanning keyword specifies that the ASA collect only the sent drop count.
When you configure a policy map to collect user statistics, the ASA collects detailed statistics for
selected users. When you specify the user-statistics command without the accounting or scanning
keywords, the ASA collects both accounting and scanning statistics.
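The following check is an added example and is not part of the Cisco guide: it reads an ASA running configuration and reports, for each policy-map class that enables user-statistics, which counters the keyword selects and where the policy is applied. The sample configuration, the names c-scan, p-unbound and c-plain, and the one-space-per-level indentation are assumptions made for illustration.

```python
import re

# Counters collected per keyword, as described in the section above.
COUNTERS = {
    "accounting": {"sent packets", "sent drops", "received packets"},
    "scanning": {"sent drops"},
}
COUNTERS["both"] = COUNTERS["accounting"] | COUNTERS["scanning"]

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
class-map c-identity-example-1
 match access-list identity-example-1
policy-map p-identity-example-1
 class c-identity-example-1
  user-statistics accounting
 class c-scan
  user-statistics scanning
 class c-plain
  inspect icmp
policy-map p-unbound
 class c-plain
  user-statistics
service-policy p-identity-example-1 interface outside
"""

def audit_user_statistics(config):
    """Map (policy, class) -> mode, counters and bindings for classes with user-statistics."""
    found, bindings = {}, {}
    policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command closes any open policy-map
            policy = cls = None
        if m := re.fullmatch(r"policy-map (\S+)", line):
            policy = m.group(1)
        elif policy and (m := re.fullmatch(r"class (\S+)", line)):
            cls = m.group(1)
        elif policy and cls and (m := re.fullmatch(r"user-statistics(?: (accounting|scanning))?", line)):
            mode = m.group(1) or "both"  # no keyword: accounting and scanning together
            found[(policy, cls)] = {"mode": mode, "counters": COUNTERS[mode], "applied_to": []}
        elif m := re.fullmatch(r"service-policy (\S+) (global|interface \S+)", line):
            bindings.setdefault(m.group(1), []).append(m.group(2))
    for (pol, _), entry in found.items():
        entry["applied_to"] = bindings.get(pol, [])  # empty list: policy is never applied
    return found
```

An entry whose applied_to list is empty, such as p-unbound in the sample, marks a policy map that enables user-statistics but is not bound by any service-policy command, so it collects nothing.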

Examples for the Identity Firewall

This section provides the following examples for the Identity Firewall: AAA Rule and Access Rule Example 1, AAA Rule and Access Rule Example 2, and VPN Filter Example.

AAA Rule and Access Rule Example 1
This example shows a typical cut-through proxy configuration to allow a user to log in through the ASA.
In this example, the following conditions apply:
The ASA IP address is 172.1.1.118.
The Active Directory domain controller has the IP address 71.1.2.93.
The end-user client has the IP address 172.1.1.118 and uses HTTPS to log in through a web portal.
The user is authenticated by the Active Directory domain controller via LDAP.
The ASA uses the inside interface to connect to the Active Directory domain controller on the corporate network.
Cisco ASA Series Firewall CLI Configuration Guide