Understanding Communication Between IDP Series and IC Series Appliances
Figure 1 illustrates the communication between IDP Series and IC Series appliances.
Figure 1: Communication Among User-Role-Based Policy Components

We assume you have configured communication between the IC Series appliance and NSM, and between the IC Series appliance and the IDP Series appliance. The IC Series appliance sends user role information to NSM over the IC Series-to-NSM connection.
When an endpoint client authenticates to the network through the IC Series appliance, the IC Series appliance assigns a role to the authenticated user and sends session information to the IDP Series appliance. Session information includes the IP address, the username, and the roles to which the user is assigned.
If the user IP address changes, user role changes, or the session is deleted, the IC Series appliance sends updates, and the IDP Series appliance updates its session table.
You use NSM to configure policy rules that match user roles and then push the policy from NSM to the IDP appliance.
When the user traffic traverses a network segment where the IDP Series appliance is deployed, the IDP system inspects the session to see if there is a match. The IDP system looks up the IP address in the session table to see if the IP address is a match for any role. If any role matches, the IDP system uses the role and other matching criteria to attempt to match user-role-based rules. If no user-role-based rule matches, the IDP system attempts to match the IP address-based rules.
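The session-table maintenance and rule-matching order described above, modelled as an added example (not Juniper's code); the class and function names and the sample roles, IPs and rules are assumptions for illustration.

```python
# Added example (not Juniper's code): a model of the IDP session table and of the
# rule-matching order described above; class and function names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Session:
    """Session record sent by the IC Series appliance: IP, username, roles."""
    ip: str
    username: str
    roles: Set[str] = field(default_factory=set)

@dataclass
class Rule:
    """Policy rule pushed from NSM: role-based (roles set) or IP-based (src_ips set)."""
    name: str
    roles: Optional[Set[str]] = None
    src_ips: Optional[Set[str]] = None

class IdpSessionTable:
    """Session table keyed by IP address, kept in sync by IC Series updates."""
    def __init__(self) -> None:
        self.by_ip: Dict[str, Session] = {}

    def upsert(self, s: Session) -> None:
        """New session, IP change or role change: replace any entry for that user."""
        self.delete(s.username)
        self.by_ip[s.ip] = s

    def delete(self, username: str) -> None:
        """Session deleted on the IC Series: remove the user's entry."""
        for ip in [ip for ip, old in self.by_ip.items() if old.username == username]:
            del self.by_ip[ip]

    def roles_for(self, ip: str) -> Set[str]:
        s = self.by_ip.get(ip)
        return set(s.roles) if s else set()

def match_rule(table: IdpSessionTable, rules: List[Rule], src_ip: str) -> Optional[str]:
    """Roles come from the session table; role-based rules are tried before IP-based ones."""
    roles = table.roles_for(src_ip)
    if roles:  # IP is mapped to a role: attempt user-role-based rules first
        for r in rules:
            if r.roles is not None and r.roles & roles:
                return r.name
    for r in rules:  # fall back to IP address-based rules
        if r.src_ips is not None and src_ip in r.src_ips:
            return r.name
    return None
```

Note that a stale session entry (an IP change the IDP never received) would leave traffic from the old address matching the previous user's role rules, which is why the IC Series updates in the text matter.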
If you have enabled logging, the IDP Series appliance sends logs to both the IC Series appliance and NSM.

