Is there any way, or has anyone had any luck coming up with a working solution with the current version of FTD for dynamic access policies on VPN Anyconnect clients using FTD firewalls? Can you use a DACL with ISE or a RADIUS server? Can you use LDAP group membership to determine which ACL will apply to you? FTD is being sold as a drop-in ASA replacement, but as a field engineer who implements these I am not seeing a workable workaround for this that can keep a single URL and determine the access list by user name as you could with a DAP. If anyone has a suggestion for a method to work around this using FTD, it would be appreciated. It's a critical function of remote access. Thanks!
I am assisting with managing a Prime Infrastructure 3.2 deployment. It has more than 2000 devices under its umbrella. All the basic stuff such as config archive, image management, and health monitoring is working fine.
What I would like to be able to do is drill down and see detailed statistics of interface utilization over time?
I see the performance dashboard and interface utilization, but it seems to not give any useful data. I have messed with traffic statistics data retention times under system admin, and tried to set a dashlet to view detailed utilization stats, but it seems to always return blank info on ports I know are busy. What I would like to be able to do is set up a custom view that shows me a specific interface, or a group of them, with detailed TX/RX utilization on a port for a day, a week, a month, etc., such as free MRTG would do.
I would also like to do the same thing with NetFlow data showing detailed app statistics, conversation info, the things that NetFlow reports on (not just "Top N apps", etc. - DETAILS PER LINK!!!!).
Is Prime the wrong tool to use to get this data? Should I tell them to get SolarWinds, PRTG, StatSeeker, Scrutinizer, etc., all that sort of stuff? Is this something Prime is even useful for? It seems extremely obtuse the way you have to get any useful info from Prime. Am I just using it wrong? If you read the docs it says that stuff is there. The "dashlets" show some stuff, but it's tedious to drill down to specific ports through the GUI and then not see any useful data when you finally get there. Please don't just say "RTFM" because I have been. If you can give me some advice, suggestions, etc. beyond "look at this URL", please help me decide whether I should even keep using this or recommend another/best network management/monitoring platform to get the info I want to see.
Is it possible to install a self-signed certificate from an ISE PSN node to a client PC running Anyconnect so things like VPN, NAM, and most importantly the ISE Posture Assessment module will trust it without clicking 'Connect Anyway'? I have tried to install the certificate in the local store from the ISE Admin GUI, but it's still prompting for trust. Is there a surefire way to install and automatically trust the self-signed certificate from ISE PSN nodes on local PCs so they don't need to click 'Connect Anyway' every time their client connects to the LAN and is checked for posture compliance? I understand already that we can buy a signed certificate, but this is a Proof-of-Concept deployment and the certs aren't going to be available for a while. For testing with end-users we'd like to not require them to click 'Connect Anyway' 3 times every time they connect to the LAN. Thanks!
I have a client with an ASA multi-context firewall running with Firepower 6.1 in it. They have limited bandwidth for Firepower on it with multiple 10 gig lines, so they are restricting which traffic gets redirected to the Sourcefire module for filtering. They are trying to keep those ACLs as simple as possible, and are seeing results they aren't totally happy with. The question is:
If you redirect specific traffic to the sourcefire based on an ACL associated with a service-policy per-interface, do those ACLs need to be bidirectional? What they are seeing for example is Inside-DMZ not getting redirected but the return traffic from DMZ-Inside on the same TCP session is getting redirected. Is that redirection bidirectional per-interface? Do they need an ACL that would say
permit Inside to Servers
permit Servers to Inside
on the same ACL if that policy was a class-map SFR for service-policy on the interface Inside?
Right now they just have "Inside to Servers" and are still seeing redirects from "Servers to Inside", reportedly on the same interface. I know it's easy to test, but I wanted to ask the forum if that is the correct config method: to use a bidirectional ACL on a specific interface policy for redirection to the SFR module?