- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
11-07-2016 04:17 AM
Hello!
Could you please expalin what's the default traffic policy when new authentication agent/AD DC info is unavailable for some reason.
Does the user-based rules get automatically turned off or someting?
Does the traffic which gets under user-based firewall rules get passed or dropped?
11-07-2016 04:56 AM - edited 11-07-2016 05:12 AM
No policies are not changing dynamically. It will use a cache, think it is 45 minutes then your policy wouldn't match and traffic will hit a default deny rule.
11-07-2016 04:56 AM - edited 11-07-2016 05:12 AM
No policies are not changing dynamically. It will use a cache, think it is 45 minutes then your policy wouldn't match and traffic will hit a default deny rule.
11-07-2016 05:26 AM
And what if some villain uses valid user IP to match cache value? 🙂
Is there some alert that authentication cache may be outdated?
11-07-2016 06:02 AM
He wouldn't be able to put a single packet on network cause of duplicate IP address 🙂
User-ID works on IP to user mapping table. This table is populated either through AD queries, reading AD logs, GP authentication or captive portals. Command "show user ip-user-mapping all" in CLI shows this table. This table is used when mapping users to IP addresses.
Each entry has a sort of time-to-live atribute called timeout. Losing connectivity with AD won't change this table. But eventually AD entries in this table will timeout and users won't be 'recognised' again. Which means rules with user restrictions won't match any more for these users.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!