
Configuring Integrated User Firewall on NFX Devices


In a typical scenario for the integrated user firewall feature, domain users want to access the Internet through an NFX device. The device reads and analyzes the event logs of the domain controllers configured in the domain, and in this way it detects the domain users who have authenticated to an Active Directory domain controller. The Active Directory domain generates an authentication table, which serves as the Active Directory authentication source for the integrated user firewall. The device uses this information to enforce policy and so achieve user-based or group-based access control.

Note

When a new user is created in Active Directory (AD), the user is added to the global security group that serves as the Primary Group, which by default is Domain Users. The Primary Group is less specific than other groups created in AD because every user belongs to it, and it can become very large.

You cannot use the Primary Group in integrated user firewall configurations, whether by its default name of Domain Users or by any other name you have given it.

To establish a Windows Active Directory domain and to configure another security policy:

  1. Configure the LDAP base distinguished name.
  2. Configure a domain name, the username and password of the domain, and the name and IP address of the domain controller in the domain.
  3. Configure a second policy to enable a specific user.
    Note

    When you specify a source identity in a policies statement, prepend the domain name and a backslash to the group name or username. Enclose the combination in quotation marks.

  4. Set the Active Directory authentication table as the authentication source for integrated user firewall information retrieval and specify the sequence in which user information tables are checked.
    Note

    You must set the Active Directory authentication table as the authentication source for integrated user firewall information retrieval and specify the sequence in which user information tables are checked using the command set security user-identification authentication-source active-directory-authentication-table priority value.

    The default value of this option is 125. The default priority for all the authentication sources is as follows:

    • Local authentication: 100

    • Integrated user firewall: 125

    • User role firewall: 150

    The priority field determines the position of the Active Directory authentication table in the sequence in which the supported authentication tables are searched to retrieve a user role. The sources listed above are the only ones currently supported. You can enter any value from 0 through 65,535. The default priority of the Active Directory authentication table is 125, so even if you do not specify a priority value, the Active Directory authentication table is searched at sequence position 125 (integrated user firewall).

    For more details, see Active Directory Authentication Tables and active-directory-authentication-table.
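The following configuration carries steps 1 through 4 above through to a complete, committable set of statements. It is an added example, not configuration taken from this page or from Juniper's own example documentation. The domain name example.com, the domain account administrator, the domain controller name ad1 and its address 192.0.2.10, the LDAP base DC=example,DC=com, the security zones trust and untrust, the policy name allow-domain-user and the group name engineering are all placeholder values; the statement hierarchy follows the services user-identification active-directory-access and security user-identification paths that the commands on this page reference.

```junos
# Step 1: LDAP base distinguished name used for user-to-group mapping.
# (DC=example,DC=com is a placeholder base DN.)
set services user-identification active-directory-access domain example.com user-group-mapping ldap base DC=example,DC=com

# Step 2: domain name, the account used to read the domain controller event
# log, and the domain controller name and address (all placeholder values).
# Replace <domain-account-password> with the real credential at commit time;
# do not store it in a shared or versioned configuration fragment.
set services user-identification active-directory-access domain example.com user administrator
set services user-identification active-directory-access domain example.com user password <domain-account-password>
set services user-identification active-directory-access domain example.com domain-controller ad1 address 192.0.2.10

# Step 3: a policy that matches a specific user. The source identity is the
# domain name, a backslash, and the username, enclosed in quotation marks.
# A group name ("example.com\engineering") may be used in the same way, but
# the Primary Group (Domain Users by default) may not.
set security policies from-zone trust to-zone untrust policy allow-domain-user match source-address any
set security policies from-zone trust to-zone untrust policy allow-domain-user match destination-address any
set security policies from-zone trust to-zone untrust policy allow-domain-user match application any
set security policies from-zone trust to-zone untrust policy allow-domain-user match source-identity "example.com\administrator"
set security policies from-zone trust to-zone untrust policy allow-domain-user then permit

# Step 4: make the Active Directory authentication table an authentication
# source and set its search position. 125 is the default (integrated user
# firewall); local authentication (100) is searched before it and user role
# firewall (150) after it unless these values are changed.
set security user-identification authentication-source active-directory-authentication-table priority 125
```

After committing, the show services user-identification active-directory-access commands listed in the verification procedure below confirm that the domain controller is connected, that the LDAP server is returning group mappings, and that the authentication table holds IP-to-user entries; a policy whose source-identity string is missing the domain prefix or the quotation marks will commit but never match, so check the table entries before concluding that the policy itself is wrong.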

To verify that the configuration is working properly:

  1. Verify that at least one domain controller is configured and connected by entering the show services user-identification active-directory-access domain-controller status command.

  2. Verify that the LDAP server is providing user-to-group mapping information by entering the show services user-identification active-directory-access user-group-mapping status command.

  3. Verify the authentication table entries by entering the show services user-identification active-directory-access active-directory-authentication-table all command. The IP addresses, usernames, and groups are displayed for each domain.

  4. Verify IP-to-user mapping by entering the show services user-identification active-directory-access statistics ip-user-mapping command. The counts of the queries and failed queries are displayed.

  5. Verify that IP probes are occurring by entering the show services user-identification active-directory-access statistics ip-user-probe command.

  6. Verify that user-to-group mappings are being queried by entering the show services user-identification active-directory-access statistics user-group-mapping command.