01-17-2020 08:41 AM - edited 02-21-2020 09:50 AM
Hello,
Solved! Go to Solution.
01-20-2020 05:36 PM
Hi,
Can you test by removing the user group from policy ? How this test user is connected, through domain-PC with wired Network or wireless from Domain-PC/other device ?
I suspect User AD agent is not getting authentication logs for this user. I find usually it happens when user is not using domain-PC and wired-network with readability to AD. If policy 7 works without user then this might be the case. Can you update the policy without the user and test with user using domain-provided PC with wired network ?
01-19-2020 06:31 PM
Hi,
Can you please share snapshot from your access control policy ?
01-20-2020 09:10 AM
01-20-2020 01:54 PM
Hi,
You have configured policy 8 & 9 for URL Blocking. For Policy 8, i can see you define source-network. Everything else looks fine but can you confirm user belongs to source network defined in the snapshot ?
For Policy 9, i dont think it is going to work unless you configure SSL decryption.
01-20-2020 02:36 PM
if i could get Policy 7 working i would be happy. I am a member of the telecomms group in active directory and my IP is in the 10.230.1.64 range. But it is not blocking me when i try to login to a server on the 192.168.12.0 network. Its not showing anything in the logs. I am not too sure what i am missing from my setup
01-20-2020 05:36 PM
Hi,
Can you test by removing the user group from policy ? How this test user is connected, through domain-PC with wired Network or wireless from Domain-PC/other device ?
I suspect User AD agent is not getting authentication logs for this user. I find usually it happens when user is not using domain-PC and wired-network with readability to AD. If policy 7 works without user then this might be the case. Can you update the policy without the user and test with user using domain-provided PC with wired network ?
01-21-2020 10:04 AM
Hi,
the user group is from the policy and its connected through a domain-PC with wired Network
for now i am happy that the FTD can block access to http and tcp/3389 if required (i tested it ok)
i just need to get the AD Realm bit working with the correct downloaded users/groups and retest
i'll leave https traffic for now - i wont be using SSL encryption for another 3-6 months
thanks for you advice
Much appreciated
01-21-2020 12:18 PM
Glad to hear that it worked out for you. Good luck for rest of the tests. Reach out to community if you face further issue :)
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: