05-17-2018 03:06 AM
Hi
I want to enable the user-id feature in all security policies. But I have a question: from users to the Domain controller, should I not use the user-id feature, as the firewall does not know about the user-to-IP mapping until users have logged in to the domain controller?
Also, on which security rules should I not enable user-ID?
05-17-2018 12:30 PM
@faizankhurshid exactly, towards your domain controllers you shouldn't enforce User-ID. In addition, print servers, profile shares and other mapped network drives are also critical connections. It is possible to enable user-ID there, but you have to make sure that the User-IDs are almost instantly present on the firewalls, because otherwise it takes a lot longer for the users to log in, as Windows receives the information on what to do with the group policies and then tries to do this. And if the connection is not possible pretty fast, then Windows tries again and again and again - so in this case it could take a lot longer for the users to log in. So to enable it there, make sure that the log-read frequency of the domain controller logs is set to 1 second (the lowest possible value).
05-17-2018 08:32 AM
@faizankhurshid wrote: ...But I have a question: from users to the Domain controller, should I not use the user-id feature, as the firewall does not know about the user-to-IP mapping until users have logged in to the domain controller?
Can you clarify this?
For this:
"Also on which security rules, I should not enable user-ID?"
There's really no scenario where you wouldn't want it. It's always good to have that additional bit of granularity of access control.
That said, there might be scenarios where processes are executing the network access and thus no "logged in" user is actually executing the traffic. This would be a scenario where user-id controls will not work.
05-17-2018 08:51 AM
@Brandon_Wertz Thanks
For this: "But I have a question: from users to the Domain controller, should I not use the user-id feature, as the firewall does not know about the user-to-IP mapping until users have logged in to the domain controller?"
What I mean is, let's say users are in the trust zone and the domain controllers are in the server zone. I need to make a policy to allow users to communicate with the DC; in this policy, should I not use user-ID?
05-17-2018 09:43 AM
That would be one example: if the machine has reached the user-id age-out and you are restricting access to the domain controllers to 'known-users', for example, this would start denying the traffic.
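The age-out and pre-logon situation described in this thread, modelled as an added example (it is not code from the thread or from Palo Alto Networks): a toy IP-to-user mapping table with an assumed 45-minute age-out, and a first-match rulebase in which the users-to-DC rule either does or does not require a known user. The zone names, rule names and timeout are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

USERID_TIMEOUT = 45 * 60  # assumed age-out of an IP-to-user mapping, in seconds

@dataclass
class Rule:
    name: str
    to_zone: str
    source_user: Optional[str]  # None = any source user; "known-user" = mapping required
    action: str

# Constructed rulebases (first match wins). GOOD lets hosts reach the DC zone
# without a mapping; BAD gates the DC rule on a user the firewall cannot know yet.
GOOD_RULEBASE = [
    Rule("Allow-DC-Logon", "server", None, "allow"),
    Rule("Allow-Internet", "untrust", "known-user", "allow"),
    Rule("Deny-All", "*", None, "deny"),
]
BAD_RULEBASE = [Rule("Allow-DC-Logon", "server", "known-user", "allow")] + GOOD_RULEBASE[1:]

class UserIdTable:
    """IP -> (user, time learned), as populated from DC security-log events."""
    def __init__(self):
        self.mappings = {}

    def learn(self, ip, user, now):
        self.mappings[ip] = (user, now)

    def lookup(self, ip, now):
        entry = self.mappings.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen > USERID_TIMEOUT:  # aged out: the firewall forgets the user
            del self.mappings[ip]
            return None
        return user

def evaluate(rulebase, table, src_ip, to_zone, now):
    """Return (rule name, action) for the first rule the traffic matches."""
    user = table.lookup(src_ip, now)
    for rule in rulebase:
        if rule.to_zone not in ("*", to_zone):
            continue
        if rule.source_user == "known-user" and user is None:
            continue  # needs a mapping the firewall does not (yet) have
        return rule.name, rule.action
    return "implicit-deny", "deny"
```

With BAD_RULEBASE a freshly booted host can never reach the DC to produce the logon event that would create its mapping, which is the lockout the thread warns about; with GOOD_RULEBASE the DC path stays open while everything user-gated still depends on a live mapping.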
05-17-2018 11:34 AM - edited 05-17-2018 11:35 AM
@BPry So users to DC policies, I should not enable user-id?