We are starting to deploy UserID based policies across our enterprise.
I'd like to know what is the best practice when dealing with rule policies that cross multiple zones/firewalls that are in different locations?
Does the user portion of the rule only need to be as close to the client then go to network rules in between the firewalls and resource or can userID go through the entire network path from client/user to resource?
Currently user-id information is only locally known on each firewall where the connections to AD are configured. And the firewalls do not communicate with each other.
Thus any firewall along the path of a client communication using user-id will need to have the appropriate rules and AD connections in place to enforce policy.
Depending on how the traffic goes and how many firewalls you cross, you might be able to organize the most specific rules at either a central point or at a point closest to the users. Then apply more general policies at the other points in the path.
But the basic premise is that the traffic will be evaluated based on local PAN knowledge at each firewall crossing. So you need ot consider what that PAN knows about user-id when setting up the rule base.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!