06-01-2019 03:17 AM
Need advice/guidance on CDA integration with FTD
We have FTD devices as Internet perimeter firewalls. As the enterprise network is for a service-based company, we expect ramp-up and ramp-down of many projects every week and month. Due to this dynamic change in head count, there is always a requirement to edit firewall rules or create new rules to meet business requirements.
The LAN network is not 802.1X based. We would like to go with user identity firewall rules instead of IP-based rules on these NGFW FTD boxes, so we can add DLs as the source group in firewall rules and the DL can be managed by project teams only.
I was going through a couple of Cisco URLs and understood that Context Directory Agent can fetch data from MS Active Directory and help FTD perform IP-user mapping.
Could someone advise me if this was a successful integration? If yes, I need help on pricing as well for CDA, so we can explore whether that reduces OPEX as well.
Thank you in advance.
06-01-2019 07:43 AM
There are two parts to the answer to your question.
1. You need to pull groups and group membership from AD. You do that via direct integration from Firepower Management Center.
2. You need to map IP addresses to users. We do that via an identity source. External identity sources include:
CDA is an old and no longer supported product. It is/was free.
Cisco Firepower User Agent would be a current alternative. It is also free.
The best and most supportable alternative would be to use ISE PIC (Passive Identity Collector). It is a licensed and paid product. Part number R-ISE-PIC-VM-K9= is the VM-based version and costs US$1250 (list price, not including maintenance).
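The two parts of the answer above can be seen working together in a small model of what a passive identity source (CDA, User Agent or ISE-PIC) hands the firewall: a user-to-group table as the FMC realm sync returns it, plus an IP-to-user table learned from domain-controller logon events. This is an added example written for this page, not Cisco code and not the FTD's real policy engine. The group table, the logon events (a stripped-down "timestamp user ip" form of what a Windows 4624 event carries), the one-hour mapping TTL and the rule tuples are all constructed assumptions. The point worth seeing is the caveat that matters on a non-802.1X LAN: the mapping is last-logon-wins per IP, so a second user logging on from the same address silently replaces the first, and the `conflicts` list is where such overlaps surface.

```python
"""Toy passive-identity firewall evaluation (added example, not Cisco code).

  Part 1: user -> AD group membership (what FMC pulls from the AD realm)
  Part 2: ip   -> user mapping learned from DC logon events
          (what CDA / Firepower User Agent / ISE-PIC supply)
All data below is constructed; nothing comes from a real directory or firewall.
"""
from datetime import datetime, timedelta

# Part 1: constructed group membership. "DL-ProjectX" is the project
# distribution list the poster wants to use as a rule's source group.
GROUPS = {
    "alice": {"Domain Users", "DL-ProjectX"},
    "bob": {"Domain Users", "DL-ProjectY"},
    "svc-backup": {"Domain Users"},
}

# Part 2: constructed domain-controller logon events, "timestamp user ip".
LOGON_EVENTS = [
    "2019-06-01T08:00:00 alice 10.1.1.10",
    "2019-06-01T08:05:00 bob 10.1.1.20",
    "2019-06-01T08:30:00 bob 10.1.1.10",        # second user behind alice's IP
    "2019-06-01T10:00:00 svc-backup 10.1.1.10",  # service account logon, same host
]

# Assumed access-control rules: (source AD group, allowed destination).
RULES = [("DL-ProjectX", "203.0.113.10:443")]

MAPPING_TTL = timedelta(hours=1)  # assumed: learned mappings expire after 1h


def at(hhmm):
    """Helper: a timestamp on the sample day, e.g. at("08:10")."""
    return datetime.fromisoformat("2019-06-01T" + hhmm + ":00")


def parse_event(line):
    ts, user, ip = line.split()
    return datetime.fromisoformat(ts), user, ip


class IdentityMap:
    """ip -> (user, learned_at). Last logon wins; entries expire after ttl."""

    def __init__(self, ttl=MAPPING_TTL):
        self.ttl = ttl
        self._map = {}
        self.conflicts = []  # (ip, previous_user, new_user) overwrites within ttl

    def learn(self, ts, user, ip):
        prev = self._map.get(ip)
        if prev and prev[0] != user and ts - prev[1] < self.ttl:
            # Two different users seen on one IP inside the TTL: the firewall
            # will now attribute this IP's traffic to the newer user only.
            self.conflicts.append((ip, prev[0], user))
        self._map[ip] = (user, ts)

    def lookup(self, ip, now):
        entry = self._map.get(ip)
        if entry is None or now - entry[1] > self.ttl:
            return None  # unknown or stale: treat as no identity
        return entry[0]


def build_map(events, now, ttl=MAPPING_TTL):
    """Replay only the events that have happened by `now`."""
    imap = IdentityMap(ttl)
    for line in events:
        ts, user, ip = parse_event(line)
        if ts <= now:
            imap.learn(ts, user, ip)
    return imap


def decide(src_ip, dst, now, events=LOGON_EVENTS, rules=RULES):
    """Return ("allow"|"deny", resolved_user). Unmapped IPs match no
    group-based rule, so they fall through to deny."""
    user = build_map(events, now).lookup(src_ip, now)
    groups = GROUPS.get(user, set())
    for source_group, allowed_dst in rules:
        if source_group in groups and dst == allowed_dst:
            return "allow", user
    return "deny", user


if __name__ == "__main__":
    for t in ("08:10", "08:35", "10:30", "12:00"):
        print(t, decide("10.1.1.10", "203.0.113.10:443", at(t)))
    print("conflicts:", build_map(LOGON_EVENTS, at("11:00")).conflicts)
```

Running it shows alice allowed at 08:10, the same IP denied from 08:30 onward once bob and then the backup service account log on from it, and denied again at 12:00 when the last mapping has aged out. Whatever product supplies the mapping, a shared workstation, a terminal server or NAT in front of the firewall produces exactly this overwrite, so rules keyed on a project DL should be paired with monitoring of those conflicts rather than trusted as a substitute for 802.1X.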
06-02-2019 01:15 AM