
Introduction to Identity Awareness

In This Section:

Access Role Objects

Identity Sources

Comparison of Acquisition Sources

Deployment

Identity Awareness Default Ports

Traditionally, firewalls use IP addresses to monitor traffic and are unaware of the user and computer identities behind those IP addresses. Identity Awareness removes this anonymity because it maps IP addresses to user and computer identities. This lets you enforce access and audit data based on identity.

Identity Awareness is an easy-to-deploy and scalable solution. It is applicable to both Active Directory and non-Active Directory based networks, and to both employees and guest users.

Identity Awareness uses the Source and Destination IP addresses of network traffic to identify users and computers. You can use these elements as matching criteria in the Source and Destination fields of your policy rules:

Identity Awareness lets you define policy rules for specified users, who send traffic from specified computers or from any computer. Likewise, you can create policy rules for any user on specified computers.

You can see the logs based on user and computer name, and not just IP addresses, in the SmartConsole > Logs & Monitor > Logs tab. You can see events in the Logs & Monitor Access Control views.

Identity Awareness gets identities from the configured identity sources. You must enable these identity sources in the Identity Awareness Gateway object > Identity Awareness page, and install the Access Policy:

| Identity Source | Description |
| --- | --- |
| Browser-Based Authentication | Identities are acquired through an authentication web portal on the Identity Awareness Gateway (Captive Portal), or through Transparent Kerberos Authentication. |
| Active Directory Query (AD Query) | Identities are acquired seamlessly from Microsoft Active Directory. This is a clientless identity acquisition tool. |
| Identity Agents | Identities are acquired using agents that are installed on the user endpoint computers. |
| Terminal Servers | Identities are acquired using agents that are installed on a Windows-based application server that hosts Terminal Servers, Citrix XenApp, or Citrix XenDesktop services. These agents are used to identify individual user traffic coming from Terminal Servers. |
| RADIUS Accounting | Identities are acquired using RADIUS Accounting directly from a RADIUS accounting client. |
| Identity Collector | Identities are acquired using agents that are installed on Microsoft Active Directory Domain Controllers, Cisco Identity Services Engine (ISE) Servers, or NetIQ eDirectory Servers. |
| Identity Web API | Gives you a flexible method for creating identities. |
| Remote Access | Identities are acquired for Mobile Access clients and IPsec VPN clients configured to work in Office Mode, when they connect to the Security Gateway. |

Identity Awareness Security Gateways can share the identity information that they acquire with other Identity Awareness Security Gateways. This way, users that need to pass through many Security Gateways are only identified once. See Advanced Identity Awareness Deployment for more information.

Access Role Objects

In SmartConsole, you can create Access Role objects to define users, computers and network locations as one object.

You can use Access Role objects as a source or a destination parameter in a rule.

Access Role objects can include one or more of these objects:

For example, this rule allows file sharing over FTP between the IT department and Sales department Access Roles:

| Name | Source | Destination | VPN | Services & Applications | Action |
| --- | --- | --- | --- | --- | --- |
| IT and Sales File Sharing | IT_dept | Sales_dept | *Any | ftp | accept |
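The following Python model is an added example, not Check Point code, that illustrates both the identity-based matching described earlier (rules for specified users from specified or any computers) and the IT/Sales FTP rule above. It assumes a simplified Access Role semantics in which an empty criterion means "any" and every non-empty criterion (users, computers, networks) must match; the identity session table, user names, computer names and IP addresses are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed identity session table mapping an IP address to the (user, computer)
# pair that an identity source (AD Query, Identity Agent, ...) reported for it.
# Every name and address here is invented for this example.
IDENTITY_SESSIONS: Dict[str, Tuple[str, str]] = {
    "10.1.1.10": ("alice", "it-ws01"),
    "10.2.2.20": ("bob", "sales-lt07"),
    "10.3.3.30": ("carol", "guest-laptop"),
    "192.168.5.5": ("alice", "home-pc"),   # same user, outside the IT network
}


@dataclass
class AccessRole:
    """Simplified Access Role: users, computers and network locations in one
    object. An empty criterion means 'any'; all non-empty criteria must match
    (an assumption of this model, not a statement about the product)."""
    name: str
    users: Set[str] = field(default_factory=set)
    computers: Set[str] = field(default_factory=set)
    networks: List[IPv4Network] = field(default_factory=list)

    def matches(self, ip: str) -> bool:
        # An IP with no identity session yields (None, None) and therefore fails
        # any role that requires a user or a computer.
        user, computer = IDENTITY_SESSIONS.get(ip, (None, None))
        if self.users and user not in self.users:
            return False
        if self.computers and computer not in self.computers:
            return False
        if self.networks and not any(ip_address(ip) in net for net in self.networks):
            return False
        return True


@dataclass
class Rule:
    name: str
    source: AccessRole
    destination: AccessRole
    service: str   # "Any" matches every service
    action: str    # "accept" or "drop"


def evaluate(rulebase: List[Rule], src_ip: str, dst_ip: str, service: str) -> dict:
    """First matching rule wins; traffic matching no rule is dropped by an
    implicit cleanup rule. The log record carries identities, not only IPs."""
    src_user, src_computer = IDENTITY_SESSIONS.get(src_ip, ("unknown", "unknown"))
    dst_user, dst_computer = IDENTITY_SESSIONS.get(dst_ip, ("unknown", "unknown"))
    log = {
        "src": f"{src_user}@{src_computer} ({src_ip})",
        "dst": f"{dst_user}@{dst_computer} ({dst_ip})",
        "service": service,
    }
    for rule in rulebase:
        if (rule.source.matches(src_ip)
                and rule.destination.matches(dst_ip)
                and rule.service in ("Any", service)):
            log.update(rule=rule.name, action=rule.action)
            return log
    log.update(rule="Cleanup", action="drop")
    return log


# Access Roles for the rule in the table: IT staff on the IT network, and the
# Sales department's computers (constructed definitions).
IT_DEPT = AccessRole("IT_dept", users={"alice"}, networks=[ip_network("10.1.0.0/16")])
SALES_DEPT = AccessRole("Sales_dept", computers={"sales-lt07"})

RULEBASE = [Rule("IT and Sales File Sharing", IT_DEPT, SALES_DEPT, "ftp", "accept")]

if __name__ == "__main__":
    samples = [
        ("10.1.1.10", "10.2.2.20", "ftp"),    # alice from IT network -> accept
        ("192.168.5.5", "10.2.2.20", "ftp"),  # alice outside IT network -> drop
        ("10.3.3.30", "10.2.2.20", "ftp"),    # carol is not in IT_dept -> drop
        ("10.1.1.10", "10.2.2.20", "http"),   # wrong service -> drop
    ]
    for src, dst, svc in samples:
        print(evaluate(RULEBASE, src, dst, svc))
```

The log record is the point a practitioner should take from the model: the decision is keyed on who and which computer is behind each address, and the record names them, so a review of the logs does not have to correlate IPs with DHCP leases after the fact.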