To gain insight into user behavior, you need to configure an identity policy
to ensure that the user associated with a connection is identified.
By enabling the identity policy, you can collect information about who is
using the network, and what resources they are using. This information is
available in the User monitoring dashboard. User information is also available
for connection events shown in Event Viewer.
Users are authenticated only when they use a web browser for HTTP connections.
If a user fails to authenticate, the user is not prevented from making web
connections. This just means that you do not have user identity information for
the connections. If you want, you can create an access control rule to drop
traffic from users who fail authentication.
- Select Policies in the main menu, then open the identity policy. The identity
policy is initially disabled. The identity policy uses your Active Directory
server to authenticate users and associate them with the IP address of the
workstation they are using. Subsequently, the system identifies traffic for
that IP address as being the user's traffic. Because the mapping is by IP
address, all traffic from that address is attributed to that user, including
traffic from anyone else sharing the address.
- Click Enable Identity Policy. This action opens the Identity Policy
Configuration dialog box.
- Click in Realm Server to open the drop-down list, then select Create New
Identity Realm. If you have already created your realm server object, simply
select it and skip the steps for configuring the server.
- Fill in the following fields, then click OK.
Name—A name for the directory realm.
Type—The type of directory server. Active Directory is the only supported
type, and you cannot change this field.
Directory Username, Directory Password—The distinguished username and password
for a user with appropriate rights to the user information you want to
retrieve. For example, Administrator@example.com.
The system generates ldap-login-dn and ldap-login-password from this
information. For example, Administrator@example.com is translated as
cn=administrator,cn=users,dc=example,dc=com. Note that cn=users is always part
of this translation, so you must configure the user you specify here under the
common name "users" folder. If you do not specify a user account with
administrator privileges that is defined under the users folder, the system
cannot log into the directory server and download user information.
Base DN—The directory tree for searching or querying
user and group information, that is, the common parent for users and groups.
For example, dc=example,dc=com. For information on finding the base DN, see
Determining the Directory Base DN.
AD Primary Domain—The fully qualified Active Directory domain name that the
device should join. For example, example.com.
Hostname/IP Address—The hostname or IP address of the directory server. If you
use an encrypted connection to the server, you must enter the fully-qualified
domain name, not the IP address.
Port—The port number used for communications with the server. The default is
389. Use port 636 if you select LDAPS as the encryption method.
Encryption—To use an encrypted connection for downloading user and group
information, select the desired method, STARTTLS or LDAPS. The default is None,
which means that the directory credentials and the user and group information
are sent in clear text.
STARTTLS negotiates the encryption method, and uses the strongest method
supported by the directory server. Use port 389. This option is not supported
if you use the realm for remote access VPN.
LDAPS requires LDAP over SSL/TLS. Use port 636.
Trusted CA Certificate—If you select an encryption method, upload a Certificate
Authority (CA) certificate to enable a trusted connection between the system
and the directory server. If you are using a certificate to authenticate, the
name of the server in the certificate must match the server Hostname/IP
Address. For example, if you use 10.10.10.250 as the IP address but
ad.example.com in the certificate, the connection fails.
For example, an unencrypted connection to the ad.example.com server would use
the following values: the primary domain is example.com, the directory username
is Administrator@ad.example.com, and all user and group information is under
the Distinguished Name (DN) ou=user,dc=example,dc=com.
- In the Identity Policy Configuration dialog box, Realm Server list, select
the realm server you just created.
- In the Identity Policy Configuration dialog box, configure the Active
Authentication captive portal settings. If an identity rule requires active
authentication for a user, the user is redirected to the captive portal port on
the interface through which they are connected and then they are prompted to
authenticate.
Server Certificate—Select the internal certificate to present to users during
active authentication. You can select the predefined self-signed
DefaultInternalCertificate, or you can click Create New Internal Certificate
and upload a certificate that your browsers already trust. Users will have to
accept the certificate if you do not upload a certificate that their browsers
already trust. Training users to click through that warning also makes a
spoofed portal harder for them to recognize, so a certificate from a CA your
browsers trust is the better choice.
Port—The captive portal port. The default is 885 (TCP). If you configure a
different port, it must be in the range 1025-65535.
The Identity Policy Configuration dialog box should now show the realm server
and the captive portal settings you selected.
- Now create a rule to require active authentication. Click the Create Identity
Rule button, or the add (+) button.
- Fill in the identity rule properties. If you want to require everyone to
authenticate, you could use the following properties.
Name—Anything you choose.
User Authentication—Active should already be selected; keep it.
Type—HTTP Negotiate. This allows the browser and directory server to negotiate
the strongest authentication protocol, in order, NTLM, then HTTP basic.
For the HTTP Basic, HTTP Response Page, and NTLM authentication methods, the
user is redirected to the captive portal using the IP address of the interface.
However, for HTTP Negotiate, the user is redirected using the fully-qualified
DNS name firewall-hostname.AD-domain-name. If you want to use HTTP Negotiate,
you must also update your DNS server to map this name to the IP addresses of
all inside interfaces where you are requiring active authentication. Otherwise,
the redirection cannot complete, and users cannot authenticate. If you cannot,
or do not want to, update the DNS server, select one of the other
authentication methods.
Source/Destination—Leave all fields at their default values. You can constrain
the policy as you see fit to a more limited set of traffic. However, active
authentication will only be attempted for HTTP traffic, so it does not matter
that non-HTTP traffic matches the source/destination criteria. For more details
about identity policy properties, see Configure Identity Rules.
- Click OK to add the rule.
If you look in the upper right of the window, you can see that the Deploy icon
button now has a dot, which indicates that there are undeployed changes. Making
changes in the user interface is not sufficient for getting the changes
configured on the device; you must deploy changes. Thus, you can make a set of
related changes before you deploy them, so that you do not face the potential
problems of having a partially-configured set of changes running on the
device. You will deploy changes in a later step.
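As an added example (not Cisco or FDM code), the following Python script checks a realm definition and an active-authentication rule against the rules stated in the steps above: the ldap-login-dn translation with its fixed cn=users container, the port each encryption choice expects, the FQDN and CA-certificate requirements for encrypted connections, the certificate-name match, the captive portal port range, and the DNS prerequisite for HTTP Negotiate. The dictionary keys, helper names, sample realms, DNS table and interface addresses are all constructed for the example, and lower-casing of the account name in the DN is assumed from the page's single example.

```python
"""Offline lint for the identity-policy settings described above: the realm
(directory) fields and the active-authentication rule. Added example, not
Cisco/FDM code; it encodes the rules stated in the text. Realm keys mirror the
dialog fields; cert_subject, for_ra_vpn, dns and inside_ips are my own."""
import ipaddress
import re

EXPECTED_PORT = {"None": 389, "STARTTLS": 389, "LDAPS": 636}  # per the Port/Encryption fields
CAPTIVE_PORT_DEFAULT = 885


def domain_to_base_dn(domain):
    """example.com -> dc=example,dc=com"""
    return ",".join(f"dc={p.lower()}" for p in domain.strip(".").split("."))


def upn_to_login_dn(upn):
    """The ldap-login-dn translation: Administrator@example.com ->
    cn=administrator,cn=users,dc=example,dc=com. cn=users is always inserted,
    so the account must live in that container. Lower-casing the account name
    follows the page's example (assumption)."""
    m = re.fullmatch(r"([^@\s]+)@([A-Za-z0-9.-]+)", upn)
    if not m:
        raise ValueError(f"not user@domain: {upn!r}")
    user, domain = m.groups()
    return f"cn={user.lower()},cn=users,{domain_to_base_dn(domain)}"


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_realm(realm):
    """Return problem codes for a realm definition (empty list = OK)."""
    problems = []
    enc, host = realm["encryption"], realm["hostname"]
    if realm["port"] != EXPECTED_PORT[enc]:
        problems.append("port-mismatch")           # e.g. LDAPS on 389
    if enc == "None":
        problems.append("cleartext")               # bind credentials and directory data exposed
    else:
        if is_ip_literal(host):
            problems.append("fqdn-required")       # encrypted connection needs the FQDN
        if not realm.get("trusted_ca"):
            problems.append("ca-missing")
        if realm.get("cert_subject") and realm["cert_subject"].lower() != host.lower():
            problems.append("cert-name-mismatch")  # 10.10.10.250 vs ad.example.com fails
    if enc == "STARTTLS" and realm.get("for_ra_vpn"):
        problems.append("starttls-ravpn")          # STARTTLS unsupported for RA VPN realms
    return problems


def check_active_auth(auth_type, portal_port, firewall_hostname, ad_domain, dns, inside_ips):
    """Return problem codes for an active-authentication rule. dns maps a name to
    the set of addresses it resolves to; inside_ips are the interfaces where
    active authentication is required."""
    problems = []
    if portal_port != CAPTIVE_PORT_DEFAULT and not 1025 <= portal_port <= 65535:
        problems.append("portal-port-out-of-range")
    if auth_type == "HTTP Negotiate":
        # The redirect goes to firewall-hostname.AD-domain, not the interface IP,
        # so every inside interface address must be in that name's DNS records.
        fqdn = f"{firewall_hostname}.{ad_domain}"
        missing = set(inside_ips) - dns.get(fqdn, set())
        if missing:
            problems.append("negotiate-dns-missing:" + ",".join(sorted(missing)))
    return problems


# Constructed data: the page's unencrypted realm, a deliberately broken LDAPS
# realm, its corrected form, and a DNS table covering only one inside interface.
PAGE_REALM = {"hostname": "ad.example.com", "port": 389, "encryption": "None",
              "username": "Administrator@ad.example.com",
              "base_dn": "ou=user,dc=example,dc=com", "primary_domain": "example.com"}
BROKEN_LDAPS = {"hostname": "10.10.10.250", "port": 389, "encryption": "LDAPS",
                "username": "Administrator@example.com", "base_dn": "dc=example,dc=com",
                "primary_domain": "example.com", "trusted_ca": None,
                "cert_subject": "ad.example.com"}
FIXED_LDAPS = dict(BROKEN_LDAPS, hostname="ad.example.com", port=636, trusted_ca="ca.pem")
DNS = {"ftd1.example.com": {"192.168.1.1"}}
INSIDE_IPS = ["192.168.1.1", "192.168.2.1"]


def lint_examples():
    """Run every check over the constructed data and return the findings."""
    return {
        "login_dn": upn_to_login_dn(PAGE_REALM["username"]),
        "page_realm": check_realm(PAGE_REALM),
        "broken_ldaps": check_realm(BROKEN_LDAPS),
        "fixed_ldaps": check_realm(FIXED_LDAPS),
        "negotiate": check_active_auth("HTTP Negotiate", 885, "ftd1", "example.com", DNS, INSIDE_IPS),
        "basic": check_active_auth("HTTP Basic", 885, "ftd1", "example.com", DNS, INSIDE_IPS),
    }


if __name__ == "__main__":
    for name, result in lint_examples().items():
        print(f"{name}: {result or 'ok'}")
```

Running it flags the page's unencrypted realm only for clear text, flags the broken LDAPS realm for every mistake the field descriptions warn about (wrong port, IP literal instead of FQDN, no CA certificate, certificate name not matching the Hostname/IP Address field), and reports the inside interface address that the HTTP Negotiate redirect name does not resolve to; the HTTP Basic rule needs no DNS entry because it redirects to the interface IP.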
Change the action on the Inside_Outside_Rule access control rule to Allow. The
Inside_Outside_Rule access rule is created as a trust rule. However, trusted
traffic is not inspected, so the system cannot learn about some of the
characteristics of trusted traffic, such as application, when the traffic
matching criteria does not include application or other conditions besides
zone, IP address, and port. If you change the rule to allow rather than trust
traffic, the system fully inspects the traffic. Also consider changing the
Inside_Inside_Rule from Trust to Allow. This rule covers traffic going between
the inside interfaces.
- Select Policies in the main menu, then click Access Control.
- Hover over the Actions cell on the right side of the Inside_Outside_Rule row
to expose the edit and delete icons, and click the edit icon to open the rule.
- Select Allow for the Action.
- Click OK to save the change.