Firewall Device Identity Policy
The company is instituting a BYOD pilot project. It is going to let employees' personal devices connect through a wireless network. Most devices will be allowed access only to the Internet, but some will have access to the internal LAN.
• The wireless interface the users will be connecting on is “WiFi”.
• The source address has been defined as the DHCP scope assigned to the wireless network, "Internal_wireless".
• The internal network is on the interface designated as "LAN".
• There is no need to NAT the traffic.
• The AntiVirus Profile to be used is “Internal-AV”, already defined.
• The Application Profile to be used is “Internal-AC”, already defined.
• The IPS Profile to be used is “Internal-IPS”, already defined.
• The Device group for this policy is “IT_Personnel_phones”.
• The IT team is a trusted group that will be accessing practically everything, so the schedule will be the predefined "always" and the service will be the predefined "ALL".
• While the IT team is trusted, the company would like to verify that their devices are compliant with the endpoint profile, so the compliance check must be enabled on the policy.
Go to Policy > Policy > Policy.
Create a new policy.
Fill out the fields with the following information:
| Field | Value |
|---|---|
| Policy Type | Firewall |
| Policy Subtype | Device Identity |
| Incoming Interface | wifi |
| Source Address | all |
| Outgoing Interface | port9 |
| Enable NAT | not enabled |
| Customize Authentication Messages | (optional) |
| Add tag | (optional) |
| Comments | (optional) |
In the Configure Authentication Rules section, create a new authentication rule by filling out the fields with the following information:
| Field | Value |
|---|---|
| Destination Address | Internal_Network |
| Device | IT_Personnel_Phones |
| Compliant with Endpoint Profile | enable |
| Schedule | always |
| Service | ALL |
| Action | (automatically assigned value of "ACCEPT") |
| Log Allowed Traffic | (optional) |
| Traffic Shaping | (optional) |
In the Security Profile Section:
Enable and select the security profiles as follows:
| Security Profiles | Status | Profile Name |
|---|---|---|
| AntiVirus | ON | Internal-AV |
| Web Filter | OFF | (option should be greyed out) |
| Application Control | ON | Internal-AC |
| IPS | ON | Internal-IPS |
| Email Filter | OFF | (option should be greyed out) |
| DLP Sensor | OFF | (option should be greyed out) |
| VoIP | OFF | (option should be greyed out) |
| ICAP | OFF | (option should be greyed out) |
Select OK.
Enter the following CLI commands (the outer policy entry needs its own closing next/end after the identity-based-policy sub-table is closed):
config firewall policy
    edit 0
        set srcintf "wifi"
        set dstintf "LAN"
        set srcaddr "Internal_wireless"
        set action accept
        set identity-based enable
        set identity-from device
        config identity-based-policy
            edit 1
                set schedule always
                set utm-status enable
                set dstaddr Internal_Network
                set service ALL
                set devices IT_Personnel_phones
                set endpoint-compliance enable
                set av-profile Internal-AV
                set ips-sensor Internal-IPS
                set application-list Internal-AC
            next
        end
    next
end
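The requirement list at the top of this page can be checked mechanically before a policy is pushed to a device. The following is an added example and not Fortinet code: it parses the config/edit/set/next/end grammar used in the CLI block above into nested dictionaries, rejects a block whose next/end closers do not balance, and then audits every entry under "config firewall policy" against the values the requirements demand (interfaces, source address, no NAT, device group, endpoint compliance, schedule, service, and the three security profiles). The sample configuration is constructed from the CLI block on this page; the parser is deliberately minimal and assumes only that grammar.

```python
"""Audit a FortiOS-style policy block against the BYOD requirements above.
Added example, not Fortinet code: it parses only the config/edit/set/next/end
grammar shown on this page; expected values come from the requirement list."""
from __future__ import annotations
import shlex

# Constructed input: the page's CLI block, with the outer entry's closing next/end.
SAMPLE_CONFIG = """\
config firewall policy
  edit 0
    set srcintf "wifi"
    set dstintf "LAN"
    set srcaddr "Internal_wireless"
    set action accept
    set identity-based enable
    set identity-from device
    config identity-based-policy
      edit 1
        set schedule always
        set utm-status enable
        set dstaddr Internal_Network
        set service ALL
        set devices IT_Personnel_phones
        set endpoint-compliance enable
        set av-profile Internal-AV
        set ips-sensor Internal-IPS
        set application-list Internal-AC
      next
    end
  next
end
"""

# Values the requirement list demands on the policy entry and on its rule.
POLICY_EXPECT = {"srcintf": "wifi", "dstintf": "LAN", "srcaddr": "Internal_wireless",
                 "action": "accept", "identity-based": "enable", "identity-from": "device"}
RULE_EXPECT = {"dstaddr": "Internal_Network", "devices": "IT_Personnel_phones",
               "endpoint-compliance": "enable", "schedule": "always", "service": "ALL",
               "utm-status": "enable", "av-profile": "Internal-AV",
               "ips-sensor": "Internal-IPS", "application-list": "Internal-AC"}

def parse_config(text: str) -> dict:
    """Nested dicts: table -> entry id -> {setting: [values] or subtable}.
    Raises ValueError on a mismatched or unterminated block (a missing next/end)."""
    root: dict = {}
    stack: list[tuple[dict, str]] = [(root, "entry")]  # (container, kind)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        current = stack[-1][0]
        if kw == "config":
            stack.append((current.setdefault(" ".join(args), {}), "table"))
        elif kw == "edit":
            stack.append((current.setdefault(args[0], {}), "entry"))
        elif kw == "set":
            current[args[0]] = args[1:]
        elif kw in ("next", "end"):
            if len(stack) == 1 or stack[-1][1] != ("entry" if kw == "next" else "table"):
                raise ValueError(f"unexpected {kw!r}: {line}")
            stack.pop()
        else:
            raise ValueError(f"unknown keyword: {line}")
    if len(stack) != 1:
        raise ValueError("unterminated block: missing 'next' or 'end'")
    return root

def is_well_formed(text: str) -> bool:
    """True when every config/edit is closed by a matching end/next."""
    try:
        parse_config(text)
        return True
    except ValueError:
        return False

def check_policy(pol: dict) -> list[str]:
    """Findings for one policy entry; an empty list means it meets the spec."""
    findings = [f"{k}: expected {v!r}, got {pol.get(k, [])!r}"
                for k, v in POLICY_EXPECT.items() if v not in pol.get(k, [])]
    if "enable" in pol.get("nat", []):  # requirement: no NAT on this policy
        findings.append("nat: must not be enabled")
    rules = pol.get("identity-based-policy")
    if not isinstance(rules, dict) or not rules:
        findings.append("identity-based-policy: no authentication rule defined")
        rules = {}
    for rid, rule in rules.items():
        findings += [f"rule {rid} {k}: expected {v!r}, got {rule.get(k, [])!r}"
                     for k, v in RULE_EXPECT.items() if v not in rule.get(k, [])]
    return findings

def audit(config_text: str) -> list[str]:
    """Audit every entry under 'config firewall policy' and return all findings."""
    policies = parse_config(config_text).get("firewall policy") or {}
    if not policies:
        return ["no 'config firewall policy' block found"]
    return [f"policy {pid}: {f}" for pid, pol in policies.items() for f in check_policy(pol)]

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or ["policy matches the requirements"])
```

Run the file to audit the embedded sample; feed it the output of a device's own configuration export to audit a real policy. Membership tests (`v not in pol.get(k, [])`) rather than equality are used so that multi-valued settings such as several source addresses or device groups still pass when the required value is among them.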