Solved: ASA user filtering with external service

Julie_grst · ‎11-03-2020

Hello,

A client of mine is asking me a tricky question. On ASA, is it possible to do some flow filtering based on user groups, with user information located in a Microsoft Graph? In other word, can ASA trigger an API call to an external service to do some user filtering in flow policy?

Thank you advance for your help!

Mohammed al Baqari · ‎11-03-2020

Hi,

Not out of the box to make ASA do this. However, you can write your own
script and make it running on a separate server (or maybe guestshell if you
have IOS-XE). This script can read data from MS Graph and parse it. Then
same data can connect to ASA API to allow rules or create objects, etc.

***** please remember to rate useful posts

View solution in original post

balaji.bandi · ‎11-03-2020

Not sure if the below URL help, we need more example what exactly you looking to filter based domain or content?

what ASA version?

https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/filter.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Julie_grst · ‎11-04-2020

Hello,

I checked the URL you sent, but I didn't find anything related to my issue. Actually we want to filter traffic based on users and groups, with user information located in a Microsoft Graph.

I don't know their ASA version, for now it's only a theoretical question

Thank you for your answer!

Mohammed al Baqari · ‎11-03-2020

Hi,

Not out of the box to make ASA do this. However, you can write your own
script and make it running on a separate server (or maybe guestshell if you
have IOS-XE). This script can read data from MS Graph and parse it. Then
same data can connect to ASA API to allow rules or create objects, etc.

***** please remember to rate useful posts

Julie_grst · ‎11-04-2020

Hello Mohammed,

Thank you very much for your answer, that's exactly the kind of thing we were looking for