Identity rules not matched with FireSight 5.4

jmilena
Level 1
Hello,
I have an ASA 5555X with FirePOWER services running version 5.4.0.3, and FireSight Management Center 5.4.1. Also, I have installed the SourceFire Agent 2.3 on a Windows 2008 R2 Server.
In the FireSight there are identity rules configured to allow the traffic to some sites from users that belong to some group of Active Directory. We have problems matching the correct identity rule when the sending user belongs to a child group of the AD group configured in the rule. Instead, if I move the user to the parent group (the group configured in the identity rule of FireSight), the traffic from the user matches the rule correctly.
In the FireSight User Guide, it appears the following:

User and Group Access Control Parameters

To perform user control, specify the groups you want to use as criteria in access control rules. Including a group automatically includes all of that group's members, including members of any sub-groups. However, if you want to use the sub-group in access control rules, you must explicitly include the sub-group. You can also exclude groups and individual users. Excluding a group excludes all the members of that group, even if the users are members of an included group.

As I understand from the documentation, when I configure an identity access rule and include a group of Active Directory in this rule, all the users that belong to a sub-group of the AD group configured in the rule are included, and the traffic from a user that belongs to the sub-group must match the rule.

Do you think this is correct? And maybe this behaviour could be some bug of FireSight or similar?

Thanks

Regards

Juan

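To check what the documented behaviour should produce before concluding it is a bug, the following added example (not Cisco code, and not from this thread) resolves nested Active Directory group membership the way the quoted User Guide describes it. The directory snapshot, user names and group names are constructed for the example; the `nested=False` mode models the direct-membership-only behaviour the post describes seeing.

```python
from collections import deque

# Constructed snapshot of a directory: each DN maps to the DNs in its memberOf
# attribute. All names here are invented for this example.
MEMBER_OF = {
    "CN=jdoe,OU=Users,DC=example,DC=local": [
        "CN=Web-Allowed-Child,OU=Groups,DC=example,DC=local",
    ],
    "CN=Web-Allowed-Child,OU=Groups,DC=example,DC=local": [
        "CN=Web-Allowed,OU=Groups,DC=example,DC=local",
    ],
    # Deliberate circular nesting (AD permits it) to show the walk terminates.
    "CN=Web-Allowed,OU=Groups,DC=example,DC=local": [
        "CN=Web-Allowed-Child,OU=Groups,DC=example,DC=local",
    ],
    "CN=asmith,OU=Users,DC=example,DC=local": [
        "CN=Web-Allowed,OU=Groups,DC=example,DC=local",
    ],
}


def effective_groups(dn, member_of=MEMBER_OF):
    """Return every group `dn` belongs to, following nested membership.

    Breadth-first walk over memberOf; `seen` guards against circular nesting.
    """
    seen, queue = set(), deque(member_of.get(dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, []))
    return seen


def matches_rule(user_dn, rule_group_dn, nested=True, member_of=MEMBER_OF):
    """Would `user_dn` match an identity rule that includes `rule_group_dn`?

    nested=True  : documented semantics, sub-group members are included.
    nested=False : direct membership only, the behaviour observed in the post.
    """
    if nested:
        return rule_group_dn in effective_groups(user_dn, member_of)
    return rule_group_dn in member_of.get(user_dn, [])


if __name__ == "__main__":
    user, parent = "CN=jdoe,OU=Users,DC=example,DC=local", "CN=Web-Allowed,OU=Groups,DC=example,DC=local"
    print("documented (nested):", matches_rule(user, parent))
    print("observed (direct only):", matches_rule(user, parent, nested=False))
```

Against a real directory the snapshot would be built from each object's memberOf attribute (for instance with ldapsearch) rather than the constructed dictionary above.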
2 Replies

alberx
Level 1
I understand the same as you if I only read the first sentence of the documentation: "To perform user control, specify the groups you want to use as criteria in access control rules. Including a group automatically includes all of that group's members, including members of any sub-groups." But reading the second one I would prefer to include the sub-groups in the rule: "However, if you want to use the sub-group in access control rules, you must explicitly include the sub-group."

jpederson1
Level 1

How far do your groups go? Ours go from CN - OU - OU - OU - DC,DC. If I am getting what you are saying, wouldn't ours be 3 groups deep?