Troubleshoot User Access with CDO

Consider the case of users being denied access to a resource that they should have access to. Here is an approach you can take to diagnose and remediate that problem.

Procedure


Step 1

Users inform your security team that their access to a resource is blocked. Determine how that resource is typically reached. What is its IP address? Do you reach it on a specific port? What protocol is used to send information to the resource?

Step 2

From the Inventory page, click the Devices tab.

Step 3

Click the FTD tab and select the ASA and run packet tracer. See ASA Packet Tracer for more instructions.

Step 4

Examine the packet trace table for rules that may have denied access to the resource.

Step 5

After identifying the rule denying access, create a change request label in CDO and enable it. See Change Request Management. This will help you identify, in the Change Log, the policy changes you made to allow access to the resource.

Step 6

Edit the rule from CDO to correct the behavior. Your ASA is now out of sync with CDO.

Step 7

Deploy the changes to the ASA from the Inventory page. CDO traces packets through the configuration saved on the ASA, not a configuration staged on CDO. Be aware that you will also be deploying any other configuration changes staged on CDO to your ASA.

Step 8

Re-run packet tracer to determine if the policy change provides the desired results. Confirm that your users now have access to the resource.

Step 9

Assuming your users now have access, clear the change request label in CDO. This prevents unrelated activity from being associated with this fix.
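The following is an added example, not part of the Cisco CDO documentation above. It shows the three mechanical pieces of this procedure in code: building the ASA packet-tracer command from the 5-tuple gathered in Step 1, parsing packet-tracer output to find the phase (and access-list line) that dropped the packet in Step 4, and checking the final action of a re-run in Step 8. The two trace texts are constructed sample output in the standard ASA packet-tracer phase format; the interface names, addresses and ACL names in them are assumptions, not values from the page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: packet-tracer output BEFORE the fix (access denied by ACL).
TRACE_BEFORE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny tcp any host 203.0.113.5 eq 443
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: packet-tracer output AFTER the corrected rule is deployed.
TRACE_AFTER = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit tcp 10.1.1.0 255.255.255.0 host 203.0.113.5 eq 443
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: allow
"""


def packet_tracer_command(ingress_if: str, proto: str, src_ip: str,
                          src_port: int, dst_ip: str, dst_port: int) -> str:
    """Build the ASA CLI line for a TCP/UDP trace from the Step 1 answers:
    packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport>"""
    proto = proto.lower()
    if proto not in ("tcp", "udp"):  # ICMP uses type/code instead of ports
        raise ValueError(f"unsupported protocol for this helper: {proto}")
    return f"packet-tracer input {ingress_if} {proto} {src_ip} {src_port} {dst_ip} {dst_port}"


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"


def parse_phases(output: str) -> List[Phase]:
    """Split packet-tracer output into its numbered phases."""
    phases: List[Phase] = []
    current: Optional[Phase] = None
    in_config = False
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            in_config = False
            continue
        if current is None:
            continue
        if line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            value = line.split(":", 1)[1].strip()
            if value:
                current.result = value
            else:
                current = None  # a bare "Result:" begins the final summary block
        elif line.startswith("Config:"):
            in_config = True
        elif line.startswith("Additional Information:"):
            in_config = False
        elif in_config and line:
            current.config.append(line)
    return phases


def final_action(output: str) -> Optional[str]:
    """Return the overall verdict ("allow" or "drop") from the summary block."""
    m = re.search(r"^Action:\s*(\w+)", output, re.MULTILINE)
    return m.group(1).lower() if m else None


def find_denying_rule(output: str) -> Optional[dict]:
    """Step 4: locate the first phase that dropped the packet and the access-list
    lines it matched, so you know which rule to label and edit (Steps 5 and 6)."""
    drop = re.search(r"^Drop-reason:\s*(.+)$", output, re.MULTILINE)
    for p in parse_phases(output):
        if p.result.upper() == "DROP":
            return {
                "phase": p.number,
                "type": p.type,
                "rules": [c for c in p.config if c.startswith("access-list")],
                "drop_reason": drop.group(1).strip() if drop else None,
            }
    return None


if __name__ == "__main__":
    print(packet_tracer_command("inside", "tcp", "10.1.1.10", 12345, "203.0.113.5", 443))
    print("before:", find_denying_rule(TRACE_BEFORE))
    print("after :", final_action(TRACE_AFTER), find_denying_rule(TRACE_AFTER))
```

Because CDO traces against the configuration saved on the ASA (Step 7), running this parser over a trace captured before deployment will still report the old deny rule; only the post-deployment re-run in Step 8 should return no denying phase and a final action of allow.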

Note

If the change you made doesn't fix the problem or creates new problems and you want to return to your previous configuration, you can restore the ASA configuration. See Restoring ASA Configurations.