Eric_Speake
Contributor

Identity awareness for users with credentials


In our retail stores we have users that need access to specific sites that we allow with a source of any. On that blade we have not enabled identity awareness. We have some users that need access to sites used by an HR group we have. To allow just that group on the one rule I have to enable identity awareness. Will that affect the other rules that have any as the source? These rules are on the application layer of the policy.

Thanks,

Eric Speake

1 Solution

Accepted Solutions
Dor_Marcovitch
Advisor

When using IA with rules, think about the access roles as any other object you can put on the source of the rule.

As long as you won't block anyone they won't be blocked.

The access role is only there to translate user identity data from multiple sources into "ip" addresses.

Remember that the fw is still a fw, so when a packet goes by it does not know if it's user x or user y. It relies on logs it collects from the domain controller, for example, to understand that user x logs into a machine that has the IP 1.1.1.1, and when it tries to match a packet with an IP that has a user mapped to it, it will check the access roles also.


2 Replies
Gaurav_Pandya
Advisor

Hi Eric,

There will not be any impact but make sure that specific rules should be on top.

0 Kudos
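The behaviour described in the replies above, as an added example that is not part of the original posts and is not Check Point code: a simplified first-match rule base in which an access role is just another source object, resolved through an IP-to-user mapping. The rule names, sites, IPs and groups are all constructed for illustration.

```python
# Simplified model of first-match rule evaluation with an access role as a
# rule source. All names, IPs, sites and rules are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

ANY = None  # source "Any": matches every packet, no identity lookup involved

@dataclass(frozen=True)
class AccessRole:
    name: str
    groups: frozenset  # directory groups that belong to this role

@dataclass(frozen=True)
class Rule:
    name: str
    source: Optional[AccessRole]  # ANY or an access role
    site: str                     # "*" means any destination site
    action: str

# Identity table: what the gateway learned from its identity sources
# (e.g. domain controller logon events): source IP -> groups of the user.
IDENTITIES = {
    "10.1.1.20": frozenset({"HR"}),
    "10.1.1.30": frozenset({"Cashiers"}),
}

HR_ROLE = AccessRole("HR_Users", frozenset({"HR"}))

RULES = [
    Rule("hr-portal", HR_ROLE, "hr.example.com", "accept"),      # specific rule on top
    Rule("store-sites", ANY, "inventory.example.com", "accept"),  # source Any
    Rule("cleanup", ANY, "*", "drop"),
]

def source_matches(rule, src_ip, identities):
    """Any matches everything; an access role matches only mapped IPs."""
    if rule.source is ANY:
        return True
    groups = identities.get(src_ip, frozenset())
    return bool(groups & rule.source.groups)

def evaluate(src_ip, site, rules=RULES, identities=IDENTITIES):
    """Return (rule name, action) of the first rule that matches the packet."""
    for rule in rules:
        if rule.site in ("*", site) and source_matches(rule, src_ip, identities):
            return rule.name, rule.action
    return "implicit", "drop"
```

An IP with no identity mapping still matches the source-Any rule, while the HR rule only matches IPs whose mapped user is in the role; placing a broad Any rule above the HR rule would make the access role irrelevant for that site.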