Identity Source: Remote Access VPN

The following topics discuss how to perform user awareness and user control with Remote Access VPN:

Remote access VPN identity sources

A remote access VPN identity source authenticates a user before establishing a secure remote connection to the network. It requires the user to provide credentials through a client to verify the identity.

Identity source configuration

Secure Client is the only client supported on endpoint devices for remote VPN connectivity to Firewall Threat Defense devices.

When you set up a secure VPN gateway as discussed in Create a New Remote Access VPN Policy, you can set up an identity policy for those users and associate the identity policy with an access control policy, provided your users are in an Active Directory repository.


Note


If you use remote access VPN with User Identity and RADIUS as the identity source, you must configure the realm (Objects > Object Management > AAA Server > RADIUS Server Group).


The login information provided by a remote user is validated by an LDAP or AD realm or a RADIUS server group. These entities are integrated with the Secure Firewall Threat Defense secure gateway.


Note


If users authenticate with remote access VPN using Active Directory as the authentication source, users must log in using their username; the format domain\username or username@domain fails. (Active Directory refers to this username as the logon name or sometimes as sAMAccountName.) For more information, see User Naming Attributes on MSDN.

If you use RADIUS to authenticate, users can log in with any of the preceding formats.
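The login-name rule in the note above, as an added example (not Cisco code): a small classifier for the three forms a user might type, which tells you whether the Active Directory realm (bare logon name only) or a RADIUS server group (any form) will accept it. The helper names and the "AD"/"RADIUS" labels are this example's own.

```python
# Added example, not part of the product documentation.
# Forms the note describes:
#   down-level  domain\user        -> fails against an AD realm, accepted by RADIUS
#   UPN         user@domain        -> fails against an AD realm, accepted by RADIUS
#   bare        user (sAMAccountName) -> accepted by both
import re

_DOWN_LEVEL = re.compile(r"^(?P<domain>[^\\@/\s]+)\\(?P<user>[^\\@/\s]+)$")
_UPN = re.compile(r"^(?P<user>[^\\@/\s]+)@(?P<domain>[^\\@/\s]+)$")
_BARE = re.compile(r"^[^\\@/\s]+$")


def parse_login(login: str):
    """Return (form, user, domain); form is 'down-level', 'upn', 'bare' or 'invalid'."""
    login = login.strip()
    if m := _DOWN_LEVEL.match(login):
        return "down-level", m["user"], m["domain"]
    if m := _UPN.match(login):
        return "upn", m["user"], m["domain"]
    if _BARE.match(login):
        return "bare", login, None
    # Mixed or malformed input such as 'dom\user@dom' matches none of the forms.
    return "invalid", None, None


def accepted_by(source: str, login: str) -> bool:
    """AD realm: bare logon name only. RADIUS server group: any of the three forms."""
    form, _, _ = parse_login(login)
    if form == "invalid":
        return False
    if source == "AD":
        return form == "bare"
    return source == "RADIUS"


def logon_name_hint(login: str):
    """For an AD-authenticated user, the bare logon name to type instead (None if fine)."""
    form, user, _ = parse_login(login)
    return None if form in ("bare", "invalid") else user
```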


Once authenticated through a VPN connection, the remote user takes on a VPN identity. This VPN identity is used by identity policies on the Secure Firewall Threat Defense secure gateway to recognize and filter network traffic belonging to that remote user.

Identity policies are associated with access control policies, which determine who has access to network resources. This is how a remote user is blocked from, or allowed, access to your network resources.

Configure RA VPN for user control

Configure RA VPN for user control to manage remote access VPN connections and apply identity-based policies to control user access and traffic filtering.

Remote access VPN user control allows you to implement identity-based policies that manage and monitor VPN user connections, providing enhanced security and access control for your network environment.

Before you begin

Follow these steps to configure RA VPN for user control:

Procedure


Step 1

Log in to the Firewall Management Center.

Step 2

Click Devices > VPN > Remote Access.

Step 3

See Create a New Remote Access VPN Policy.


What to do next

Troubleshooting guidelines for remote access VPN identity source

For other related troubleshooting information, see Troubleshoot realms and user downloads and Troubleshoot user control.

If you experience issues with Remote Access VPN, check the connection between your Firewall Management Center and a managed device. If the connection fails, all Remote Access VPN logins reported by the device cannot be identified during the downtime, unless the users were previously seen and downloaded to the Firewall Management Center.

The unidentified users are logged as Unknown users on the Firewall Management Center. After the downtime, the Unknown users are reidentified and processed according to the rules in your identity policy.

The host name of the managed device must be less than 15 characters for Kerberos authentication to succeed.

Active FTP sessions are displayed as the Unknown user in events. This is normal because, in active FTP, the server (not the client) initiates the connection and the FTP server should not have an associated user name. For more information about active FTP, see RFC 95
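The two expected causes of Unknown-user events described above, turned into a triage helper as an added example (not Cisco code): an Unknown user is expected while the device could not reach the Firewall Management Center, and for active FTP data connections the server opens from TCP port 20. The event fields and the sample records are constructed for this example.

```python
# Added example, not part of the product documentation.
from dataclasses import dataclass
from datetime import datetime

FTP_DATA_PORT = 20  # active-mode FTP: the server initiates the data connection from port 20


@dataclass(frozen=True)
class ConnEvent:          # constructed event shape; field names are assumed
    ts: datetime
    user: str
    initiator_ip: str
    initiator_port: int
    responder_port: int
    app: str


def is_active_ftp(e: ConnEvent) -> bool:
    """Active FTP data session: initiator is the FTP server, so no user is associated."""
    return e.app == "FTP-Data" and e.initiator_port == FTP_DATA_PORT


def in_downtime(e: ConnEvent, windows) -> bool:
    """True if the event fell inside a known FMC-to-device connectivity outage."""
    return any(start <= e.ts <= end for start, end in windows)


def triage_unknown(events, downtime_windows):
    """Bucket Unknown-user events: expected (active FTP / outage) or worth a closer look."""
    buckets = {"expected_ftp": [], "expected_downtime": [], "investigate": []}
    for e in events:
        if e.user != "Unknown":
            continue
        if is_active_ftp(e):
            buckets["expected_ftp"].append(e)
        elif in_downtime(e, downtime_windows):
            buckets["expected_downtime"].append(e)
        else:
            buckets["investigate"].append(e)
    return buckets


# Constructed sample: one known outage window and four connection events.
DOWNTIME = [(datetime(2024, 5, 1, 9, 0), datetime(2024, 5, 1, 9, 30))]
SAMPLE_EVENTS = [
    ConnEvent(datetime(2024, 5, 1, 8, 50), "jdoe", "10.1.1.5", 51000, 443, "HTTPS"),
    ConnEvent(datetime(2024, 5, 1, 9, 10), "Unknown", "10.1.1.6", 51001, 443, "HTTPS"),
    ConnEvent(datetime(2024, 5, 1, 10, 0), "Unknown", "192.0.2.10", 20, 51002, "FTP-Data"),
    ConnEvent(datetime(2024, 5, 1, 10, 5), "Unknown", "10.1.1.7", 51003, 22, "SSH"),
]


def summarize(events=SAMPLE_EVENTS, windows=DOWNTIME):
    """Counts per bucket; the SSH event at 10:05 is the only one left to investigate."""
    return {k: len(v) for k, v in triage_unknown(events, windows).items()}
```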

Not Observing Correct Settings for VPN Statistics

This task ensures that managed devices receive the correct health policy settings after modifying VPN statistics configurations.

This task discusses steps you must take after either enabling or disabling the VPN Statistics setting in a health policy. Failure to perform this task means managed devices have a health policy with incorrect settings.

Procedure


Step 1

Log in to the Secure Firewall Management Center if you haven't already done so.

Step 2

Click System (system gear icon) > Health > Policy.

Step 3

Under Firewall Threat Defense Health Policies, click Edit (edit icon) next to a policy to edit.

The VPN statistics settings in the health policy configuration interface display various metrics and options for monitoring VPN performance and health.

Step 4

On the Health Modules tab page, scroll down to locate VPN Statistics.

Step 5

Verify the VPN statistics setting is correct or change it if necessary.

Step 6

If you changed the setting, click Save, then click Cancel to return to the health policy.

Step 7

Under Firewall Threat Defense Health Policies, click Deploy health policy (deploy icon) to apply the policy.

Step 8

In the Policy Assignments & Deploy dialog box, move the devices to which to deploy the health policy to the Selected Devices field.

Deploy health policies to the Selected Devices list. Use the arrow buttons to move devices between Available and Selected Devices lists.

Step 9

Click Apply.

A message is displayed when the health policy is deployed.

Step 10

After the health policy has finished deploying, click Policies > Access Control heading > Access Control to edit an access control policy.

Step 11

Click Edit (edit icon) next to a policy to edit.

Step 12

Make a minor change to the policy, such as changing its name.

Step 13

Save the access control policy.

Step 14

Deploy configuration changes; see Deploy Configuration Changes.


History for RA VPN

This reference provides the version history and introduction details for Remote Access VPN (RA VPN) feature support across Firewall Management Center and Firewall Threat Defense versions.

Feature: Remote Access VPN

Minimum Firewall Management Center: 6.2.1

Minimum Firewall Threat Defense: Any

Details: Feature introduced. RA VPN allows individual users to connect to a private business network from a remote location using a laptop or desktop computer connected to the internet, or an Android or Apple iOS mobile device. Remote users transfer data securely and confidentially using encryption techniques crucial for data being transferred over shared mediums and the Internet.