Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
261
Views
0
Helpful
2
Replies

Identity rules not matched with FireSight 5.4

jmilena
Level 1
Level 1

‎06-02-2016 12:58 AM - edited ‎03-10-2019 11:49 PM

Hello,
I've a ASA 5555X with FirePower services running 5.4.0.3 version, and FireSight Management Center 5.4.1. Aso, I have installed the SourceFire Agent 2.3 in a Windows 2008 R2 Server.
In the FireSight there are identity rules configured to allow the traffic to some sites from users that belongs to some group of Active Diectory. We have problems to match the correct identity rule when the sending user belongs to a child group of the AD group configured in the rule. Instead of that, if I move the user to the parent group (the group configured in the identity rule of Firesight), the traffic from the user matches the rule correctly.
In the FireSight User Guide, it appears the following:

User and Group Access Control Parameters

To perform user control, specify the groups you want to use as criteria in access control rules.

Including a group automatically includes all of that group’s members, including members of any

sub-groups. However, if you want to use the sub-group in access control rules, you must explicitly

include the sub-group. You can also exclude groups and individual users. Excluding a group

excludes all the members of that group, even if the users are members of an included group.

As I understand from the documentation, when I configure an identity access rule and include a group of Active Directory in this rule, all the users that belongs to a sub-group of the AD Group configured in the rule are inlcuded, and the traffic from an user that belongs to the sub-group must match the rule.

Do you think this is correct ?  And maybe this behaviour could be some bug of FireSight or similar ?

Thanks

Regards

Juan

Labels:
0 Helpful
2 Replies 2

alberx
Level 1
Level 1

‎06-02-2016 02:45 AM

I understand the same as you if I only read the first frase of the documentation: To perform user control, specify the groups you want to use as criteria in access control rules. Including a group automatically includes all of that group’s members, including members of any sub-groups. But reading the second one I would prefer to include the sub-groups to the rule: However, if you want to use the sub-group in access control rules, you must explicitly include the sub-group.
0 Helpful

jpederson1
Level 1
Level 1

‎06-06-2016 12:42 PM

How far does your groups go?  Our go from CN - OU - OU - OU - DC,DC.  If I am getting what you are saying wouldn't ours be 3 groups deep?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents