Solved: Cisco FTD : URL filtering based on MS AD groups

Franck Network · ‎12-30-2022

Hi,

I need to set up an URL filtering policy based on AD groups. Most users will have URL restrisction while a specific AD group will have full access.

I have 2 cisco FTD managed by an FMC.

Is it possible to set up this rules without ISE ? Is it still possible to use TS agent user ?

I can already retrieve users and AD groups from the server...

Thanks for your help.

Franck

Rob Ingram · ‎12-30-2022

Hi @Franck Network the firepower user agent has been depreciated since version FMC 6.7.

You'd need to use ISE/ISE-PIC to send the IP/user bindings to the FMC.

View solution in original post

Rob Ingram · ‎12-30-2022

Hi @Franck Network the firepower user agent has been depreciated since version FMC 6.7.

You'd need to use ISE/ISE-PIC to send the IP/user bindings to the FMC.

Franck Network · ‎01-02-2023

Thanks Rob !

Very heavy solution ! For 2 FTD, I need 2 more devices (FMC, ISE).

Regards,

FJ

Rob Ingram · ‎01-02-2023

@Franck Network if you don't already have ISE, then consider ISE-PIC which is similar to User Agent in that it also uses WMI to gather login events from AD. ISE-PIC costs less than ISE, with limited features but provides the functionality you require.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/215887-firepower-user-identity-migrating-from.html