Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
955
Views
0
Helpful
2
Replies

FTD and User identity based rules _CDA

Go to solution
NDP
Level 1
Level 1

‎06-01-2019 03:17 AM

Need advise /guidance on CDA integration with FTD

 

We have FTD devices as Internet perimeter Firewalls. As the enterprise network is for Service based company, We expect ramp-up and ramp-down of many projects every week and month. due to this dynamic change in head count, there is always requirement to edit firewall rules or create new rules to meet businness requirements. 

 

LAN network is not 802.1x based. We would like to go with user identity firewall rules instead of IP based rules on these NGFS -FTD boxes. so, We can add DLs as source group in Firewall rules and DL can be managed by project teams only.

 

was going through couple of Cisco URLs and understood that Context Directory agent can fetch data from MS Active directory and help FTD to perform IP-User mapping. 

 

could someone advise me if this was successful integration. if Yes, I need help on pricing as well for CDA. so, We can explore if that reduces OPEX as well.

 

thank you in advance

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-01-2019 07:43 AM

There are two parts to the answer to your question.

1. You need to pull groups and group membership from AD. You do that via direct integration from Firepower Management Center.

2. You need to map IP addresses to users. We do that via an identity source. External identity sources include:

CDA is an old and no longer supported product. It is/was free.

Cisco Firepower User Agent would be a current alternative. It is also free.

The best and most supportable alternative would be to use ISE PIC (Passive Identity Collector). It is a licensed and paid product. Part number R-ISE-PIC-VM-K9= is the VM<-based version and costs US$1250 (list price, not including maintenance).

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-01-2019 07:43 AM

There are two parts to the answer to your question.

1. You need to pull groups and group membership from AD. You do that via direct integration from Firepower Management Center.

2. You need to map IP addresses to users. We do that via an identity source. External identity sources include:

CDA is an old and no longer supported product. It is/was free.

Cisco Firepower User Agent would be a current alternative. It is also free.

The best and most supportable alternative would be to use ISE PIC (Passive Identity Collector). It is a licensed and paid product. Part number R-ISE-PIC-VM-K9= is the VM<-based version and costs US$1250 (list price, not including maintenance).

0 Helpful

Go to solution
NDP
Level 1
Level 1
In response to Marvin Rhoads

‎06-02-2019 01:15 AM

Thank you for your input.
I will check with my vendor for required quote and see if that reduces our OPEX.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card