User-ID based policies exclusion


L3 Networker

Hi

 

I want to enable User-ID features in all security policies. But I have a question: from users to the domain controller, should I not use the User-ID feature, as the firewall does not know about the user-IP mapping until users log in to the domain controller?

Also, on which security rules should I not enable User-ID?


5 REPLIES 5

L6 Presenter

@faizankhurshid wrote:

...But I have a question, from users to Domain controller, I should not use user-id feature? as firewall does not know about user-ip mapping until users are login to domain controller?


 

Can you clarify this?

 

 

For this:

 

"Also on which security rules, I should not enable user-ID?"

 

There's really no scenario where you wouldn't want it.  It's always good to have that additional bit of granularity of access control. 

 

That said, there might be scenarios where processes are executing the network access and thus no "logged in" user is actually executing the traffic.  This would be a scenario where User-ID controls will not work.

@Brandon_Wertz Thanks

 

For this: "But I have a question, from users to Domain controller, I should not use user-id feature? as firewall does not know about user-ip mapping until users are login to domain controller?"

What I mean is, let's say users are in the trust zone and the domain controllers are in the server zone. I need to make a policy to allow users to communicate with the DC; in this policy, should I not use User-ID?

@faizankhurshid,

That would be one example; as if the machine has reached user-id age-out and you are restricting access to the domain controllers as 'known-users' for example, this would start denying the traffic. 

@BPry  So users to DC policies, I should not enable user-id?

@faizankhurshid exactly, towards your domain controllers you shouldn't enforce User-ID. In addition, print servers, profile shares and other mapped network drives are also critical connections. It is possible to enable User-ID there, but you have to make sure that the User-IDs are almost instantly present on the firewalls, because otherwise it takes a lot longer for the users to log in, as Windows receives the information on what to do with the group policies and then it tries to do this. And if the connection is not possible pretty fast, then Windows tries again and again and again - so in this case it could take a lot longer for the users to log in. So to enable it there, make sure that the log-read frequency of the domain controller logs is set to 1 second (the lowest possible value).
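The ordering problem discussed in this thread, as an added example that is not from any poster and is not PAN-OS code: a small first-match policy model in which the firewall only learns an IP-to-user mapping at its next read of the DC logon log. The rule names, the client address, the timings and the 2700-second mapping timeout are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    dst: str            # destination group: "dc" or "fileshare"
    source_user: str    # "any" or "known-user"

class Firewall:
    def __init__(self, rules, log_read_interval, mapping_timeout=2700):
        self.rules = rules
        self.interval = log_read_interval   # seconds between reads of the DC log
        self.timeout = mapping_timeout      # seconds before a mapping ages out
        self.logons = []                    # (time, ip, user) events on the DC

    def dc_logon(self, t, ip, user):
        self.logons.append((t, ip, user))

    def user_at(self, t, ip):
        """User mapped to ip at time t; None if not yet learned or aged out."""
        found = None
        for when, lip, user in self.logons:
            # An event is learned at the first log read at or after it was written.
            learned = math.ceil(when / self.interval) * self.interval
            if lip == ip and learned <= t < learned + self.timeout:
                found = user
        return found

    def evaluate(self, t, ip, dst):
        """First matching rule allows; traffic matching no rule is denied."""
        user = self.user_at(t, ip)
        for r in self.rules:
            if r.dst == dst and (r.source_user == "any" or user is not None):
                return "allow", r.name
        return "deny", "default-deny"

def login_timeline(dc_rule_user, log_read_interval):
    """Replay one workstation logon and report the verdict at each step."""
    fw = Firewall([Rule("users-to-dc", "dc", dc_rule_user),
                   Rule("users-to-fileshare", "fileshare", "known-user")],
                  log_read_interval)
    ip = "10.1.1.50"                                  # constructed client address
    out = {"dc@0s": fw.evaluate(0, ip, "dc")[0]}
    if out["dc@0s"] == "allow":                       # DC logs a logon only if reached
        fw.dc_logon(0.5, ip, "corp\\alice")
    out["share@2s"] = fw.evaluate(2, ip, "fileshare")[0]    # GPO / profile phase
    out["share@40s"] = fw.evaluate(40, ip, "fileshare")[0]
    return out

if __name__ == "__main__":
    for user, interval in (("known-user", 1), ("any", 1), ("any", 30)):
        print(user, interval, login_timeline(user, interval))
```

With `known-user` on the DC rule the logon never reaches the DC, so no mapping is ever created; with `any` on the DC rule, the share access two seconds into the login succeeds only when the log is read every second.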
