Previously, the Secure Firewall Management Center collected information about users exclusively from the configured identity source, such as Microsoft Active Directory, the passive identity agent, Cisco Identity Services Engine (Cisco ISE), and so on. This information generally included user name, group, and IP address.

The dynamic firewall enables you to add user risk scores from Cisco Identity Intelligence to identity source-provided information so you can set policies based on always-current user posture and risk. We enable you to pair user identity with intelligence and use that information in reporting and access control policies.

To use the dynamic firewall, you must:

• Have an Identity Intelligence tenant

  See Duo Identity Security with Cisco Identity Intelligence.

• Enable the Dynamic Attributes Connector

• Set up an identity source:

  • Cisco Identity Services Engine (Cisco ISE)

  • pxGrid Cloud

    pxGrid Cloud combines identity and posture in the same feed

    More information: What is pxGrid?

  In addition to providing authentication information, Cisco ISE and pxGrid Cloud can provide the following:

  • SGT Exchange Protocol over TCP (SXP) binding and directory session information if desired. For more information, see the Cisco Identity Services Engine Administrator Guide

  • Posture and mobile device management compliance. For more information, see Compliance.

• Set up an identity realm:

  • Create an LDAP Realm or an Active Directory Realm and Realm Directory

  • Create an Azure AD (SAML) Realm for Passive Authentication

The identity source provides authentication information (login, logout) as well as posture. The identity source can also provide SXP binding and session directory information if desired.

The identity realm provides user, group, and IP address information.