Visibility-based Firewall Enforcement
Overview
Profiler provides visibility of the endpoints connected to the network. On Profiler, Profile Groups can be created from a single device attribute or from a combination of device attributes.
Devices that Profiler discovers and classifies with matching attributes belong to the configured groups. In some customer environments, such as manufacturing, these devices need to access applications and resources that are protected by a firewall.
In such scenarios, IPS allows the administrator to provision an Auth Table Mapping policy and a Resource Access policy, both configured using Profile Groups, for these devices. IPS provisions the device identity information to the firewall, and the administrator can then configure the firewall policy as required.
The provisioning of device information to the firewall works as follows:
- Profiler, configured on IPS, discovers the devices connected to the network.
- IPS receives the profiled device information, including the one or more Profile Groups each device belongs to, and uses it to provision the Auth Table Mapping to the firewall. The Auth Table Mapping policy defines Profile Group based access control for the resources protected by the firewall.
- The device identity details (user id: the MAC address of the device, the IP address, and the Profile Group membership) are provisioned to the firewall.
- When a device tries to access resources protected by the firewall, access is allowed or denied based on the device's Profile Group.
- Any change to a device's Profile Group membership is updated in the firewall, so enforcement follows the device's current classification.
- The SRX security policy matches on the role ID, not the role name. IPS therefore exports Profile Group IDs to the SRX rather than Profile Group names, which also means that renaming a group does not change the firewall policy it is bound to.
- Resource Access policies and IoT policies that are configured based on Profile Groups are exported to the firewall along with the group information.
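The following is an added, constructed model of the flow described above; it is not IPS, Profiler or SRX code and uses no vendor API. It shows how attribute rules place a device into Profile Groups, how the resulting identity (user id = MAC, IP, group ID) is provisioned to a firewall-side auth table, why the policy keys on the numeric group ID so that a rename is harmless, and why a membership update must replace the device's entries rather than append to them. The group IDs, attribute names, resource names and device records are all made-up sample data.

```python
"""Constructed model of Profile Group based firewall enforcement.

Illustrative only: this is not IPS, Profiler or SRX code and uses no vendor
API. Group IDs, attribute names, resources and devices are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProfileGroup:
    group_id: int      # stable ID; this is what is exported to the firewall
    name: str          # admin-visible name; may be renamed at any time
    match: dict        # attribute -> required value; all pairs must match


@dataclass
class Device:
    mac: str           # used as the user id in the firewall auth table
    ip: str
    attrs: dict        # attributes discovered and classified by Profiler


@dataclass(frozen=True)
class AuthEntry:
    user_id: str       # device MAC
    ip: str
    group_id: int      # no group name is stored on the firewall side


@dataclass(frozen=True)
class Rule:
    group_id: int      # source identity is a Profile Group ID, not a name
    dst: str           # protected resource (assumed hostname string)


def classify(device: Device, groups: list) -> set:
    """IDs of every group whose attribute rule the device satisfies."""
    return {g.group_id for g in groups
            if all(device.attrs.get(k) == v for k, v in g.match.items())}


class FirewallAuthTable:
    """Stand-in for the firewall-side auth table, keyed by device MAC."""

    def __init__(self) -> None:
        self.entries = {}

    def provision(self, device: Device, group_ids: set) -> None:
        # Replace, never append: a device that left a group must lose that
        # group's access, so stale entries are dropped on every update.
        self.entries[device.mac] = frozenset(
            AuthEntry(device.mac, device.ip, gid) for gid in group_ids)

    def groups_for_ip(self, ip: str) -> set:
        return {e.group_id for es in self.entries.values()
                for e in es if e.ip == ip}


def provision_all(devices: list, groups: list, table: FirewallAuthTable) -> None:
    """What IPS does on discovery and on every Profile Group change."""
    for d in devices:
        table.provision(d, classify(d, groups))


def is_allowed(table: FirewallAuthTable, policy: list, src_ip: str, dst: str) -> bool:
    """Default-deny: allow only if a rule names a group the source is in."""
    src_groups = table.groups_for_ip(src_ip)
    return any(r.dst == dst and r.group_id in src_groups for r in policy)


# Constructed sample data (not from any real deployment).
GROUPS = [
    ProfileGroup(101, "PLC-Controllers", {"category": "PLC", "vendor": "Acme"}),
    ProfileGroup(102, "Cameras", {"category": "IP Camera"}),
]
POLICY = [Rule(101, "scada-historian"), Rule(102, "nvr")]


def make_devices() -> list:
    return [
        Device("00:11:22:33:44:55", "10.0.1.10", {"category": "PLC", "vendor": "Acme"}),
        Device("00:11:22:33:44:66", "10.0.1.20", {"category": "IP Camera"}),
        Device("00:11:22:33:44:77", "10.0.1.30", {"category": "Printer"}),
    ]


def demo() -> dict:
    devices = make_devices()
    table = FirewallAuthTable()
    provision_all(devices, GROUPS, table)
    before = is_allowed(table, POLICY, "10.0.1.10", "scada-historian")

    # Renaming a group changes nothing on the firewall: the ID is unchanged.
    renamed = [ProfileGroup(101, "OT-Controllers", GROUPS[0].match), GROUPS[1]]
    provision_all(devices, renamed, table)
    after_rename = is_allowed(table, POLICY, "10.0.1.10", "scada-historian")

    # Re-profiling moves the PLC out of group 101; the update must revoke.
    devices[0].attrs["vendor"] = "Other"
    provision_all(devices, renamed, table)
    after_reprofile = is_allowed(table, POLICY, "10.0.1.10", "scada-historian")

    return {"before": before, "after_rename": after_rename,
            "after_reprofile": after_reprofile,
            "camera_to_nvr": is_allowed(table, POLICY, "10.0.1.20", "nvr"),
            "camera_to_historian": is_allowed(table, POLICY, "10.0.1.20", "scada-historian"),
            "unprofiled_printer": is_allowed(table, POLICY, "10.0.1.30", "nvr")}


if __name__ == "__main__":
    print(demo())
```

The two checks worth carrying over to a real deployment are visible in `demo()`: a rename leaves enforcement intact only because the firewall never sees the name, and a re-profiled device loses access only because `provision` overwrites its previous entries instead of adding to them.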