https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911970#M1031294 <P>Have you deployed the Sourcefire User Agent and is it successfully discovering user-IP mapping and is that information reflected in your "Users" tab of the FirePOWER Manager?</P> Sat, 16 Apr 2016 13:07:06 GMT Marvin Rhoads 2016-04-16T13:07:06Z https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911965#M1031272 <P>Dears</P> <P>&nbsp;</P> <P>when i select users while creating a new policies I get the attached error.</P> <P>i have some queries for the access control policies</P> <P></P> <P>Rule 1: action: block , ,zone: inside to outside,,&nbsp; source :any destination: any url : high risk url&nbsp;&nbsp;</P> <P><SPAN style="color: #ff0000;">Result</SPAN> will be block for all users for high risk url</P> <P></P> <P>Rule 2:&nbsp; action allow,, zone: inside to outside, source : any destination: any ,, user : ADMINS url : all-allow ,,, application filter: allow all</P> <P><SPAN style="color: #ff0000;">Result</SPAN>:&nbsp; will be user Admin will be allowed all url but block bittorent application</P> <P></P> <P>Rule 3:&nbsp; action allow,, zone: inside to outside, source : any destination: any ,, user : USER-ALL url : specific url category application filter: bittorrent block</P> <P><SPAN style="color: #ff0000;">Result:</SPAN>&nbsp; will be user&nbsp; will be restricted to specific url and bittorent will be block</P> <P></P> <P>Thanks</P> Tue, 12 Mar 2019 12:58:22 GMT https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911965#M1031272 clark white 2019-03-12T12:58:22Z https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911966#M1031278 <P>So do you have an identity policy?</P> <P>Have you linked to your domain and are you getting user identity mapping via Sourcefire User Agent or ISE?</P> Wed, 13 Apr 2016 01:49:57 GMT https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911966#M1031278 Marvin Rhoads 2016-04-13T01:49:57Z https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911967#M1031281 <P>Dear Marvin,</P> <P>can you help me for access policies whether my thinking are correct???&nbsp; for identity policies i will come to you what is my exact query.</P> <P>thanks</P> Wed, 13 Apr 2016 17:08:39 GMT https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911967#M1031281 clark white 2016-04-13T17:08:39Z https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911968#M1031287 <P>Clark,</P> <P>The logic you present for your access control policy seems good.</P> Thu, 14 Apr 2016 01:05:42 GMT https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911968#M1031287 Marvin Rhoads 2016-04-14T01:05:42Z https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911969#M1031288 <P>Dear Marvin,</P> <P>I have created a identity policy with a rule in which I have a passive authentication&nbsp;and a realm which I configured but still I get&nbsp;the same&nbsp;" exclamation mark on the user while creating&nbsp;the access policies,</P> <P></P> <P>For&nbsp; below access control policies the internet was very slow for every webpage when I disable URL filtering allowing to all the browsing was fast,</P> <P>Rule 1: action: block , ,zone: inside to outside,,&nbsp; source :any destination: any url : high risk url&nbsp;&nbsp;</P> <P><SPAN style="color: #ff0000;">Result</SPAN> will be block for all users for high risk url</P> <P>Thanks</P> Sat, 16 Apr 2016 11:54:08 GMT https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911969#M1031288 clark white 2016-04-16T11:54:08Z https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911970#M1031294 <P>Have you deployed the Sourcefire User Agent and is it successfully discovering user-IP mapping and is that information reflected in your "Users" tab of the FirePOWER Manager?</P> Sat, 16 Apr 2016 13:07:06 GMT https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911970#M1031294 Marvin Rhoads 2016-04-16T13:07:06Z https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911971#M1031298 <P>Dear Marvin,</P> <P>the realm issue solved by changing the Base DN path once I changed the path the users were able to download.</P> <P>But for the Access Control policies, can u give a base idea how the access control policies are build ?? I want to keep Intrusion policy as a default becz I am controlling everything from firewall ijust wanted a malware, application, url , security intelligence, file filtering to be configured.</P> <P>Please correct me if I am wrong. Rule 3 will never match ,,, users will not match this rule becz this rule has to be splitted by 2 different rules&nbsp;application filter rule for all user &nbsp;and url filter separate rule for all user.</P> <P>Rule 3:&nbsp; action allow,, zone: inside to outside, source : any destination: any ,, user : USER-ALL url : specific url category application filter: bittorrent block</P> <P><SPAN style="color: #ff0000;">Result:</SPAN>&nbsp; no match and traffic will be send to default intrusion policy rule.</P> <P>Thanks</P> Mon, 18 Apr 2016 19:14:53 GMT https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911971#M1031298 clark white 2016-04-18T19:14:53Z https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911972#M1031304 <P>I din't really think of them as a whole set.</P> <P>You're right - you need to order them most specific to least specific and consider that the first match will end the rule processing.</P> Mon, 18 Apr 2016 19:51:43 GMT https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911972#M1031304 Marvin Rhoads 2016-04-18T19:51:43Z https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911973#M1031309 <P>Dear Marvin,</P> <P>I am confuse little to create access policies,below are my thought to create a policies by order ,so please correct me if i am doing wrong.</P> <OL> <LI>zone: inside to outside&nbsp; users: all ,,application: bittorrent&nbsp; block:all</LI> <LI>zone: inside to outside&nbsp; users: HOD ,,application: all&nbsp; allow :all</LI> <LI>zone: inside to outside&nbsp; users: managers &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; permit: all</LI> <LI>zone: inside to outside&nbsp; users: head of dep&nbsp;&nbsp;&nbsp; permit : youtube and other good website.</LI> <LI>zone: inside to outside&nbsp; users: all ,,application: instant mesagging,etc etc&nbsp; block:all</LI> <LI>zone: inside to outside&nbsp; users: all &nbsp;&nbsp; block : pornography,abortion,gambling</LI> <LI>zone: inside to outside&nbsp; users: all&nbsp;&nbsp;&nbsp; permit: categories ( which are not blocked in rule 4)</LI> <LI>zone: inside to other zones&nbsp; Network: source&nbsp; Internal Network &nbsp; destination other private networks for other companies on firewall users: any&nbsp; port: any &nbsp; block: permit</LI> <LI>zone: inside to outside&nbsp; Network: Internal Network&nbsp; users: non corporate users&nbsp;&nbsp; port: any &nbsp; block: all</LI> <LI>Default action: Intrusion policy.</LI> </OL> <P></P> <P>Thanks</P> <P></P> Mon, 25 Apr 2016 04:20:12 GMT https://community.cisco.com/t5/network-security/users-in-access-control-policies/m-p/2911973#M1031309 clark white 2016-04-25T04:20:12Z