Showing results for 
Search instead for 
Did you mean: 

Firepower 6.3.x Passive Identity policy load on nodes and best practice

Hi Everyone,


I tested successfully in a Lab to have Passive Identity information shared via PxGrid between ISE 2.6 and FMC 6.3.


What I would like to know is the following


1) load that Identity policy can have on a Firepower node (for both ASA+FirePOWER and FTD) and if fine tuning of rules in Identity policy is a must to avoid an impact on the nodes and FMC

2) While configuring a realm on FMC, is there any difference if all security groups are added rather than just adding the ones that will be used for any access rule? is the impact going to be on the FMC or on the Firepower nodes?

3) In case of limiting the number of groups downloaded from the realm configuration, is that going to impact the "visibility" of the passive authentication or just the option to use the SGs in access rules? (practically, if I don't have a SG imported in the realm configuration, can I still see in FMC when a user from that SG is making traffic or that user will not be detected ?)


Any other suggestion are welcome in case anyone already implemented a scenario like this.


Thanks Everyone