Visibility based Firewall Enforcement
Overview
Profiler provides visibility into the endpoints connected to the network. On Profiler, Profile groups can be created using a single device attribute or a combination of device attributes.
Devices that Profiler discovers and classifies with matching attributes belong to the configured groups. In some customer environments, such as manufacturing, these devices must be able to access applications and resources protected by a firewall.
In such scenarios, Ivanti Policy Secure allows the administrator to provision an Auth Table Mapping policy and a Resource Access policy configured using Profile groups for these devices. Ivanti Policy Secure provisions the device identity information to the firewall, and the administrator can then configure firewall policy based on the requirement.
The provisioning of device information to the firewall works as follows:
- Profiler configured on Ivanti Policy Secure discovers the devices connected to the network.
- Ivanti Policy Secure receives the profiled device information for devices that belong to one or more Profile groups, and uses it to provision Auth Table Mapping entries to the firewall. The Auth Table Mapping policy defines Profile Group based access control to firewall-protected resources.
- Device identity details (user ID: the MAC address of the device, the IP address, and the Profile Group name) are provisioned to the firewall. Because the MAC address is the user ID the firewall acts on, the mapping is only as trustworthy as Profiler's classification of that endpoint; a MAC address is a device attribute reported by the endpoint, not an authenticated credential.
- When a device tries to access resources protected by the firewall, access is allowed or denied based on the device's Profile Group.
- Any change to a device's Profile Group information is updated on the firewall.
- Resource Access policies and IoT policies configured based on Profile groups are exported to the firewall along with the group information.
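The following is an added example, not Ivanti Policy Secure code and not any firewall vendor's API, that models the provisioning flow above: Profiler snapshots are turned into identity records (user ID = MAC address, IP address, Profile Group names), only devices in groups referenced by policy are provisioned, and a group change, an IP change, or a device disappearing from Profiler produces the update or delete the firewall needs. The group names, snapshot contents, and the function and class names are constructed for illustration.

```python
"""Model of the Profiler-to-firewall identity provisioning flow.

Constructed illustration, not Ivanti Policy Secure code: the record layout
(user id = MAC, IP, profile group names) follows the page; the group names,
sample snapshots, and all class/function names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: only Profile groups referenced by an Auth Table Mapping policy
# are provisioned to the firewall. These names are made up.
POLICY_GROUPS = {"PLC-Controllers", "IP-Cameras"}


@dataclass(frozen=True)
class DeviceIdentity:
    """The identity tuple pushed to the firewall; the MAC is the 'user'."""
    user_id: str             # MAC address in canonical form
    ip: str
    groups: Tuple[str, ...]  # matching Profile group names, sorted


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-1A-..' and '001A..' compare equal."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def to_identity(mac: str, ip: str, groups: List[str]) -> Optional[DeviceIdentity]:
    """Build the identity record, or None if no policy-referenced group matches."""
    matched = tuple(sorted(g for g in groups if g in POLICY_GROUPS))
    if not matched:
        return None
    return DeviceIdentity(normalize_mac(mac), ip, matched)


def reconcile(table: Dict[str, DeviceIdentity], profiled: List[dict]) -> List[tuple]:
    """Bring the firewall identity table in line with a Profiler snapshot.

    Mutates `table` and returns the operations a connector would push, as
    ('add' | 'update' | 'delete', DeviceIdentity). A device whose Profile
    group or IP changed gets an update; one no longer profiled, or no longer
    in a policy group, is deleted so a stale mapping cannot keep granting access.
    """
    ops: List[tuple] = []
    seen = set()
    for d in profiled:
        ident = to_identity(d["mac"], d["ip"], d["groups"])
        if ident is None:
            continue
        seen.add(ident.user_id)
        current = table.get(ident.user_id)
        if current is None:
            table[ident.user_id] = ident
            ops.append(("add", ident))
        elif current != ident:
            table[ident.user_id] = ident
            ops.append(("update", ident))
    for mac in list(table):
        if mac not in seen:
            ops.append(("delete", table.pop(mac)))
    return ops


# Constructed sample Profiler snapshots (not real data).
SNAPSHOT_1 = [
    {"mac": "00-1A-2B-3C-4D-5E", "ip": "10.1.5.20", "groups": ["PLC-Controllers"]},
    {"mac": "00:1a:2b:3c:4d:5f", "ip": "10.1.5.21", "groups": ["IP-Cameras"]},
    {"mac": "001A2B3C4D60", "ip": "10.1.5.22", "groups": ["Printers"]},  # no policy group
]
# Later: first device re-classified into another group, second changes IP.
SNAPSHOT_2 = [
    {"mac": "00-1A-2B-3C-4D-5E", "ip": "10.1.5.20", "groups": ["IP-Cameras"]},
    {"mac": "00:1a:2b:3c:4d:5f", "ip": "10.1.5.99", "groups": ["IP-Cameras"]},
]
# Later still: the second device is no longer seen by Profiler.
SNAPSHOT_3 = [
    {"mac": "00-1A-2B-3C-4D-5E", "ip": "10.1.5.20", "groups": ["IP-Cameras"]},
]


def run_demo():
    """Apply the three snapshots in order; returns each step's ops and the final table."""
    table: Dict[str, DeviceIdentity] = {}
    first = reconcile(table, SNAPSHOT_1)
    second = reconcile(table, SNAPSHOT_2)
    third = reconcile(table, SNAPSHOT_3)
    return first, second, third, table


if __name__ == "__main__":
    for step in run_demo()[:3]:
        for op, ident in step:
            print(op, ident.user_id, ident.ip, ident.groups)
```

The delete pass is the part worth copying: if the connector only ever adds and updates, a device that drops out of a Profile group keeps whatever access its last mapping granted until someone notices.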