Cisco ASA Series CLI Configuration Manual page 901

Software version 9.0 for the services module

Chapter 1
Configuring the Identity Firewall
! Apply VPN-Filter with bypassing access-list check enabled
sysopt connection permit-vpn
access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
access-list v2 extended deny ip user LOCAL\user1 any 10.0.0.0 255.255.255.0
username user1 password QkBIIYVi6IFLEsYv encrypted privilege 0
username user1 attributes
 ! Per user VPN-filter control
 vpn-group-policy group1
 vpn-filter value v2
username idfw password eEm2dmjMaopcGozT encrypted
username idfw attributes
 vpn-group-policy testgroup
 vpn-filter value v1

sysopt connection permit-vpn
access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
access-list v1 extended deny ip user LOCAL\user1 any 10.0.0.0 255.255.255.0
group-policy group1 internal
group-policy group1 attributes
 ! Per group VPN-filter control
 vpn-filter value v1
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

Collecting User Statistics
To activate the collection of user statistics by the Modular Policy Framework and match lookup actions for the Identity Firewall, enter the following command:

Command
user-statistics [accounting | scanning]

Purpose
Activates the collection of user statistics by the Modular Policy Framework and matches lookup actions for the Identity Firewall.
The accounting keyword specifies that the ASA collect the sent packet count, sent drop count, and received packet count. The scanning keyword specifies that the ASA collect only the sent drop count.
When you configure a policy map to collect user statistics, the ASA collects detailed statistics for selected users. When you specify the user-statistics command without the accounting or scanning keywords, the ASA collects both accounting and scanning statistics.

Example:
hostname(config)# class-map c-identity-example-1
hostname(config-cmap)# match access-list identity-example-1
hostname(config-cmap)# exit
hostname(config)# policy-map p-identity-example-1
hostname(config-pmap)# class c-identity-example-1
hostname(config-pmap)# user-statistics accounting
hostname(config-pmap)# exit
hostname(config)# service-policy p-identity-example-1 interface outside

Monitoring the Identity Firewall
This section contains the following topics:
Monitoring AD Agents, page 1-22
Monitoring Groups, page 1-22
Monitoring Memory Usage for the Identity Firewall, page 1-22
Monitoring Users for the Identity Firewall, page 1-23
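
An added example, not part of the Cisco guide: a short Python audit for the VPN-filter configuration shown at the top of this page. It reads running-config text and reports, per local user, which vpn-filter ACL applies, flagging users that have none while sysopt connection permit-vpn bypasses interface ACLs. The sample configuration and the user guest are constructed; the script assumes sub-mode commands are indented as in show running-config output, that permit-vpn is on unless its no form appears, and that a per-user vpn-filter overrides the group policy's.

```python
import re

# Constructed sample config, modeled on the commands shown on this page.
SAMPLE_CONFIG = r"""
sysopt connection permit-vpn
access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
access-list v2 extended deny ip user LOCAL\user1 any 10.0.0.0 255.255.255.0
group-policy group1 internal
group-policy group1 attributes
 vpn-filter value v1
username user1 password PLACEHOLDER encrypted privilege 0
username user1 attributes
 vpn-group-policy group1
 vpn-filter value v2
username idfw password PLACEHOLDER encrypted
username idfw attributes
 vpn-group-policy group1
username guest password PLACEHOLDER encrypted
username guest attributes
 vpn-tunnel-protocol ssl-client
"""

def audit_vpn_filters(config):
    """Return (bypass_enabled, {user: findings}) for running-config text."""
    acls, users, groups = {}, {}, {}
    bypass, scope = True, None  # assumption: permit-vpn is on unless negated
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            scope = None  # an unindented line leaves the attributes sub-mode
        if line == "no sysopt connection permit-vpn":
            bypass = False
        elif m := re.match(r"access-list (\S+) extended (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"(username|group-policy) (\S+) attributes$", line):
            table = users if m.group(1) == "username" else groups
            scope = table.setdefault(m.group(2), {})
        elif m := re.match(r"username (\S+) ", line):
            users.setdefault(m.group(1), {})
        elif scope is not None and (m := re.match(r"vpn-(filter value|group-policy) (\S+)", line)):
            scope["filter" if m.group(1) == "filter value" else "group"] = m.group(2)
    report = {}
    for name, attrs in users.items():
        # Assumption: a per-user vpn-filter overrides the group policy's filter.
        acl = attrs.get("filter") or groups.get(attrs.get("group"), {}).get("filter")
        # Bypass on: interface ACLs skip VPN traffic, so no filter means no ACL.
        report[name] = {"acl": acl, "entries": acls.get(acl, []),
                        "unfiltered": bypass and acl is None}
    return bypass, report
```

Calling audit_vpn_filters(SAMPLE_CONFIG) shows user1 governed by v2, idfw inheriting v1 from group1, and guest with no filter at all.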
Cisco ASA Series CLI Configuration Guide
Monitoring the Identity Firewall
1-21
