https://community.cisco.com/t5/network-security/ftd-and-user-identity-based-rules-cda/m-p/3866370#M132503 Thank you for your input.<BR />I will check with my vendor for required quote and see if that reduces our OPEX. Sun, 02 Jun 2019 08:15:56 GMT NDP 2019-06-02T08:15:56Z https://community.cisco.com/t5/network-security/ftd-and-user-identity-based-rules-cda/m-p/3866138#M132501 <P>Need advise /guidance on CDA integration with FTD</P><P>&nbsp;</P><P>We have FTD devices as Internet perimeter Firewalls. As the enterprise network is for Service based company, We expect ramp-up and ramp-down of many projects every week and month. due to this dynamic change in head count, there is always requirement to edit firewall rules or create new rules to meet businness requirements.&nbsp;</P><P>&nbsp;</P><P>LAN network is not 802.1x based. We would like to go with user identity firewall rules instead of IP based rules on these NGFS -FTD boxes. so, We can add DLs as source group in Firewall rules and DL can be managed by project teams only.</P><P>&nbsp;</P><P>was going through couple of Cisco URLs and understood that Context Directory agent can fetch data from MS Active directory and help FTD to perform IP-User mapping.&nbsp;</P><P>&nbsp;</P><P>could someone advise me if this was successful integration. if Yes, I need help on pricing as well for CDA. so, We can explore if that reduces OPEX as well.</P><P>&nbsp;</P><P>thank you in advance</P> Sat, 01 Jun 2019 10:17:22 GMT https://community.cisco.com/t5/network-security/ftd-and-user-identity-based-rules-cda/m-p/3866138#M132501 NDP 2019-06-01T10:17:22Z https://community.cisco.com/t5/network-security/ftd-and-user-identity-based-rules-cda/m-p/3866196#M132502 <P>There are two parts to the answer to your question.</P> <P>1. You need to pull groups and group membership from AD. You do that via direct integration from Firepower Management Center.</P> <P>2. You need to map IP addresses to users. We do that via an identity source. External identity sources include:</P> <P>CDA is an old and no longer supported product. It is/was free.</P> <P>Cisco Firepower User Agent would be a current alternative. It is also free.</P> <P>The best and most supportable alternative would be to use ISE PIC (Passive Identity Collector). It is a licensed and paid product. Part number&nbsp;R-ISE-PIC-VM-K9= is the VM&lt;-based version and costs US$1250 (list price, not including maintenance).</P> Sat, 01 Jun 2019 14:43:58 GMT https://community.cisco.com/t5/network-security/ftd-and-user-identity-based-rules-cda/m-p/3866196#M132502 Marvin Rhoads 2019-06-01T14:43:58Z https://community.cisco.com/t5/network-security/ftd-and-user-identity-based-rules-cda/m-p/3866370#M132503 Thank you for your input.<BR />I will check with my vendor for required quote and see if that reduces our OPEX. Sun, 02 Jun 2019 08:15:56 GMT https://community.cisco.com/t5/network-security/ftd-and-user-identity-based-rules-cda/m-p/3866370#M132503 NDP 2019-06-02T08:15:56Z