How to configure the dynamic firewall
This topic helps you understand the concepts and options to configure the dynamic firewall discussed in About the dynamic firewall.
Summary
The dynamic firewall integrates an identity source (such as Cisco ISE) with Cisco Identity Intelligence, which provides user trust information to the Secure Firewall Management Center.
- Configure Cisco Identity Intelligence to collect user trust information.
- Configure a supported Secure Firewall Management Center identity source.
- Configure a supported identity realm.
- Enable the dynamic attributes connector.
- Configure the dynamic firewall.
Workflow
The following procedure provides a high-level overview of how to configure the dynamic firewall.
- As a Duo user with the Owner role, provision a Cisco Identity Intelligence tenant. You can provision a tenant from Duo Advantage as discussed in Provision Your Cisco Identity Intelligence Tenant.
- In Cisco Identity Intelligence, create an API integration and use the information to set up the dynamic firewall. We use Cisco Identity Intelligence to find user and device risk information in your network. For more information about Cisco Identity Intelligence, see How-to Guides. For more information about this task, see Get required information for Identity Intelligence.
- (Microsoft Azure AD realm only.) In Identity Intelligence, create a Microsoft Entra ID integration. For more information, see Microsoft Entra ID (Azure AD) Data Integration.
- Create an identity source. (If you already have an identity source, continue with the next step.) You can do this in any of the following ways:
  - The Configure Dynamic Firewall dialog box displays Configure links to start setting up your identity source.
  - Click System.
- Create an identity realm. We support the following realms:
  - Create an LDAP Realm or an Active Directory Realm and Realm Directory. Only Microsoft AD is supported; LDAP realms are not supported.
  - Create an Azure AD (SAML) Realm for Passive Authentication.
- Enable the dynamic attributes connector. The dynamic attributes connector is required to use the dynamic firewall. It enables your identity source to integrate with Identity Intelligence to provide enhanced insights into user activity. See Enable the Dynamic Attributes Connector.
- Create the dynamic firewall instance. (If you already have a dynamic firewall instance, continue with the next step.) Click and click Configure Dynamic Firewall. See Create a dynamic firewall instance.
- Associate your identity source with Cisco Identity Intelligence. See Associate an identity source with Identity Intelligence.
- View system-defined filters. We create dynamic attributes filters for the following:
  - Untrusted device
  - Trusted device
  - Untrusted user
  - Questionable user
- View system-defined access control rules. We create an access control policy named Dynamic Firewall Policy (or similar) with the following rules:
  - Block an untrusted user from any source network to any destination network.
  - Monitor a questionable user from any source network to any destination network.
  - Block an untrusted device from any source network to any destination network.
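As an added illustration (not Cisco's code or configuration), the following Python model evaluates a sample connection against the four system-defined filters and the three rules listed above, in order. It assumes trust levels represented as plain strings, a default action of Allow (the page does not state one), and the management center's Monitor semantics, where a Monitor rule logs the match and evaluation continues to the next rule.

```python
from dataclasses import dataclass

# Constructed trust levels standing in for the user and device trust that
# Identity Intelligence feeds into the dynamic attributes connector.
TRUSTED, QUESTIONABLE, UNTRUSTED = "trusted", "questionable", "untrusted"


@dataclass
class Connection:
    """One flow as seen by access control (constructed sample record)."""
    user: str
    user_trust: str
    device_trust: str


# The four system-defined dynamic attributes filters, as predicates.
FILTERS = {
    "Untrusted device": lambda c: c.device_trust == UNTRUSTED,
    "Trusted device": lambda c: c.device_trust == TRUSTED,
    "Untrusted user": lambda c: c.user_trust == UNTRUSTED,
    "Questionable user": lambda c: c.user_trust == QUESTIONABLE,
}

# Dynamic Firewall Policy rules in evaluation order: (rule, filter, action).
# Source and destination networks are "any", so only the filter decides a match.
RULES = [
    ("Block untrusted user", "Untrusted user", "BLOCK"),
    ("Monitor questionable user", "Questionable user", "MONITOR"),
    ("Block untrusted device", "Untrusted device", "BLOCK"),
]

# Assumption: the page does not state the policy's default action.
DEFAULT_ACTION = "ALLOW"


def evaluate(conn: Connection) -> tuple[str, list[str]]:
    """Return (final action, names of Monitor rules that logged the flow).

    Management center semantics: a Monitor rule logs the match and
    evaluation continues; a Block rule is terminal.
    """
    monitored: list[str] = []
    for rule, filter_name, action in RULES:
        if not FILTERS[filter_name](conn):
            continue
        if action == "MONITOR":
            monitored.append(rule)
            continue
        return action, monitored
    return DEFAULT_ACTION, monitored
```

Note that a questionable user on an untrusted device is both logged by the Monitor rule and blocked by the third rule, which is the behaviour to expect in connection events.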