topic Re: ASDM access-list in Network Security

ASDM access-list

adamgibs7 — Fri, 21 Feb 2020 15:44:53 GMT

Dears,

I have been seeing the user option in ASDM gui as per the attached , how I can utilize that, for example it will act as a source and destination with a particular user grant him access or else block him, do we have any single sign on option like fortigate so that users are authenticated while windows login.

thanks

Re: ASDM access-list

Rob Ingram — Wed, 09 May 2018 14:39:49 GMT

Hi,

I think this is exactly what you are looking for, this uses the ASA AD Agent, however I don't think the AD agent is supported any longer. You could achieve the same result by integrating with ISE, sending trustsec tags from ISE to ASA using SXP and then create a rule from source TrustSec SGT.

HTH

Re: ASDM access-list

adamgibs7 — Fri, 11 May 2018 07:30:54 GMT

Dear RJI

thanks for the reply,

If anybody don't have ISE then will it work with CDA.??

Thanks

Re: ASDM access-list

Florin Barhala — Fri, 11 May 2018 08:15:34 GMT

As mentioned CDA is phased out. Would you really aim to work with an obsolete software that basically controls your network access and your business flow?
Do you already have it bought (CDA)?

How many users you have behind this firewall: 100+, 500+?

Re: ASDM access-list

adamgibs7 — Fri, 11 May 2018 12:41:31 GMT

from the links provided what I understand is AD user agent is different than the context directory Agent, and context directory agent are still supported please correct me if I m wrong.

Re: ASDM access-list

adamgibs7 — Tue, 15 May 2018 19:20:29 GMT

Dears

Any update experts, the thoughts are correct ??? the CDA is just updated in 2017

Re: ASDM access-list

Rob Ingram — Tue, 15 May 2018 19:38:24 GMT

Hi,

I can't find much information regarding this, but I did find this post which indicates CDA is dead and potentially ISE PIC will replace it. So CDA might not officially be EOL but it may well be soon.

Re: ASDM access-list

adamgibs7 — Sat, 19 May 2018 14:16:44 GMT

thanks for the reply,

so what I understand is ISE-PIC is different software than a cisco ISE ??

As instructed the replacement is trust sec does ISE supports trust sec with fortigate devices if they are been deployed as a datacenter firewalls.

thanks

Re: ASDM access-list

adamgibs7 — Tue, 22 May 2018 19:29:35 GMT

Dears,

please correct me if im wrong. also please answer the below query.

thanks

Re: ASDM access-list

Rob Ingram — Tue, 22 May 2018 21:28:37 GMT

This document describes the difference between ISE and ISE-PIC, it's basically a cut down version of ISE. Refer to the document as it clearly list what functionality is or is not supported in PIC.

No I do not believe you can use pxgrid with fortinet.

Re: ASDM access-list

adamgibs7 — Wed, 23 May 2018 19:42:25 GMT

thanks RJI, +5 to you.

fortigate firewall has FSSO in build on the OS of the fortigate, we don't have to install a ISE-PIC stuff, cisco has made very complicate things for the very simple feature, In fortigate when we create a access-list we see the object group, services, and users as well. it is very simple to configure access policies with users in fortigate firewall.

Thanks