PDF(1.1 MB) View with Adobe Reader on a variety of devices
ePub(1.2 MB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle)(890.9 KB) View on Kindle device or Kindle app on multiple devices
Updated:April 3, 2023
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to perform and configure Dynamic Access Policies on an Secure Firewall device based on the RAVPN client.
Cisco recommends that you have knowledge of these topics:
Register the Secure Firewall with FMC and have them synchronized and up to date with latest version of the configuration file.
Preconfigure Remote Access Virtual Private Network (RAVPN) policy on the Secure Firewall registered.
Download Hostscan package (.pkg) with its equivalent version of Anyconnect Security Mobility Client.
Basic konwledge on RAVPN solutions.
General concepts on DAP feature.
Secure Firewall Management Center administration and configuration knowledge.
The information in this document is based on these software and hardware versions:
FMC 7.0.0 version or later
Secure Firewall 7.0.0 version or later
MAC/Windows machine with Cisco Secure Client Anyconnect software 4.10 or later
Hostscan package 4.10 or later
Active Directory for AAA authentication.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
This documents describes a step by step guide on how to perform and configure Dynamic Access Policies on an Secure Firewall device based on RAVPN client machine attributes. HostScan is used to gather client information and DAP applies different policies to Mac OS and Windows users respectively.
RAVPN designs run in different and dynamic scenarios that can not be controlled by network administrators. Usually there are several connections that land on the same VPN Gateway which based on multiple variables (i.e username, organizaiton, hardware device, operative system and so on) can determine how each connection can be threated, some of them can require priviledged user roles, access to programs and applications, different IP Address assignment or subnet filter rules.
Dynamic access policies (DAP), is a new feature introduced in software release 7.0.0 of the Cisco Secure Firewall Threat Defense, that allows the network administrators to apply different policies to different users that run over these dynamic environments mentioned above, based on a collection of attributes from the RAVPN clients from Cisco Secure Client (Anyconnect) equivalent with one or multiple criteria (DAP criteria).
Anyconnect software provides the RAVPN client features and Posture module the ability to identify attributes like OS, anti-virus, anti-spyware and firewall software installed on the host and the HostScan application gathers this information .
1. Log in into FMC GUI with administrator credentials and from the home dashboard view click on Devices and select Dynamic Access Policy from the expanded menu.
2. From the Dynamic Access Policy view click on Create Dynamic Access Policy.
3. Specify a name for the DAP policy and selec t Create new next to the HostScan package dropdown menu (this action can open a new browser tab with the Object manager section).
Note:If a HostScan image has already been uploaded, select it from the dropdown menu, click on Save and skip to step 6.
4. In the Object tab view go to Add Secure Client File" to upload the HostScan package.
5. Specify the name of the file, click on Browse to upload the HostScan package (.pkg) from your local files and select HostScan package from the File type dropdown menu and then click on Save.
6. Go back to the Create Dynamic Access Policy tab from step 3.
Specify the name of the Dynamic Access Policy and this time you can see your new HostScan package on the dropdown menu and click on Save.
7. You can be redirected to the new DAP editor window, click on Create DAP Record to generate a new entry.
Note: In this example we can configure a DAP record to gather OS information from RAVPN Anyconnect client and allow the connection if host machine runs Mac OS.
8. Specify the name of the DAP record, check the Display User Message on Criterion Match and type a prompt message so that we let the user know that connection landed into a DAP based on the OS. Select Continue to allow connection under the Action field.
Note: You can either select Terminate or Quarantine as the action to apply based on your case.
Note: You can also apply a network ACL or Secure Client attributes as per your network requirements.
9. Go to Endpoint Criteria tab, select OS system and specify equals Mac OS X, leave Version dropdown empty as this example intention is to detect Mac OS regardless the version and click on Save.
Note: In this article EndpointCriteria attributes are used but you can use AAA Criteria for LDAP or RADIUS attributes match.
10. From the EndpointCriteria tab, you can see the new OS System criteria, followed by the Match criteria option.
Note: You can create multiple criteria entries and select MatchAll or Matchany as per your requirements.
11. Go to the right bottom of the page and click on Save.
11. New Mac OS DAP record can be display with its configuration parameters, confirm they are correct and click on CreateDAPRecord to create a new record for Windows OS detection.
Note: In this example the intention is to block Windows clients and allow only Mac OS for RAVPN connections.
12. Specify the name of the DAP Record, select Terminate under the Action field and type the warning message prompt to be sent to the user.
13. Go to EndpointCriteria tab and create a new equivalent criteria under OperativeSystem section, select Windows10 as the equivalent OS and click on Save then select MatchAny.
14. Go to the right bottom and click on Save.
15. On the DAP menu confirm there are two new entries with the new configuration.
16. Dynamic Access Policy has been created, in order to apply it to the RAVPN set up, go to Devices tab from FMC GUI and click on RemoteAccess.
17. Select your pre configured RAVPN policy and click on the edit butoon (pencil icon).
18. On the top right corner click on None next to the DynamicAccessPolicy text label.
19. On the Dynamic Access Policy window, select the DAP policy we just created and click OK.
20. On the top right corner confirm DAP is applied next to the Dynamic Access Policy text label and click on Save.
Deploy changes, click Deploy tab from FMC GUI, select the FTD Device and click Deploy button.
1. Go Command Line Interface (CLI) from the Secure Firewall, confirm HostScan configuration has been applied:
firepower# sh run webvpn
hostscan image disk0:/csm/hostscan_4.10.06083-k9.pkg
anyconnect image disk0:/csm/anyconnect-macos-4.10.04071-webdeploy-k9.pkg 1 regex "Mac OS"
firepower# sh run all dynamic-access-policy-record
user-message "nDID NOT MEET THE CRITERIA! TERMINATING"
dynamic-access-policy-record "MAC USER"
user-message "DAP-TEST MATCH!!!!MAC USER DETECTED"
dynamic-access-policy-record "WINDOWS USER"
user-message "WINDOWS DEVICE DETECTED!!TERMINATING CONNECTION!"
2. Confirm dap.xml file has been generated and stored in flash:
firepower# sh flash:
--#-- --length-- -----date/time------ path
76 4096 Feb 03 2023 19:01:10 log
222 1293 Feb 09 2023 17:32:16 dap.xml
This section provides the information you can use in order to troubleshoot and confirm how DAP process is performed and works as expected.
Note: On the Secure Firewall, you can set various debug levels; by default, level 1 is used. If you change the debug level, the verbosity of the debugs can increase. Do this with caution, especially in production environments.
Test with Mac OS.
Enable DAP debugs while user tries to connect from one Mac OS device.