Cisco Bug: CSCvi15830 - wrong configurations on Threat Defense device when network group object is used on identity policy

Last Modified

May 21, 2019

Products (32)

  • Cisco Firepower Management Center
  • Cisco Firepower Management Center 2500
  • Cisco FirePOWER Appliance 8260
  • Cisco FirePOWER Appliance 8360
  • Cisco FirePOWER Appliance 8120
  • Cisco FirePOWER Appliance 7050
  • Cisco FirePOWER Appliance 8140
  • Cisco FirePOWER Appliance 8350
  • Cisco AMP 7150
  • Cisco FirePOWER Appliance 8130

Known Affected Releases

6.2.0 6.2.0.3 6.2.1 6.2.2 6.2.3 6.3.0

Description (partial)

Symptom:
The destination network configuration for identity rules is incorrect and mirrors the source networks instead.

Managed device settings show the same network on the source and destination:

root@FTD:/var/sf/detection_engines/be1ab262-17b6-11e8-b7be-1fc669acdbad# cat idenity.rules
global_settings
{
    auth_port 885;
}
identity_rules
{
    1
    {
        rule_id 1;
        realm_id 2;
        captive_portal_fallback 0;
        action ad_agent;
        src_ip 1.1.1.0/24;
        dst_ip 1.1.1.0/24;
    }
    2
    {
        rule_id 2;
        action no_auth;
    }

Conditions:
1) Configure a network group object, and add networks to it directly using the Add button (don't use one of the preconfigured objects).

2) Configure an identity policy rule, and use the network group object which we configured in the first step as a source network.  Use any other group or combination of groups in the destination network (this issue will not occur if you only use literals, network objects, or none ("any") in destination network).

3) Add the identity policy to the access control policy, and deploy the policy to managed devices.
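As an added check, not part of the bug page or of any Cisco tooling, the parser below reads a dump in the identity.rules format quoted above and lists the rules whose dst_ip merely mirrors src_ip, which is the symptom described. The sample dump is constructed, and the reading of the format (a key followed by a brace opens a block, a key followed by a value ending in a semicolon sets an attribute) is an assumption drawn from the excerpt.

```python
import re

# Constructed sample in the identity.rules format quoted in the bug (assumption:
# 'key { ... }' opens a block and 'key value;' sets an attribute).
SAMPLE_RULES = """global_settings
{
    auth_port 885;
}
identity_rules
{
    1
    {
        rule_id 1;
        realm_id 2;
        action ad_agent;
        src_ip 1.1.1.0/24;
        dst_ip 1.1.1.0/24;
    }
    2
    {
        rule_id 2;
        action no_auth;
    }
}
"""

def parse_blocks(text):
    """Parse the brace-delimited dump into nested dicts; a truncated dump
    (unclosed blocks, as in the bug's excerpt) is tolerated."""
    tokens = iter(re.findall(r"[{}]|[^\s{}]+", text))
    root = {}
    stack = [root]
    for tok in tokens:
        if tok == "}":
            if len(stack) > 1:          # ignore a stray closing brace
                stack.pop()
            continue
        nxt = next(tokens, "")
        if nxt == "{":                  # block: key followed by '{'
            stack[-1][tok] = child = {}
            stack.append(child)
        else:                           # attribute: key value;
            stack[-1][tok] = nxt.rstrip(";")
    return root

def mirrored_rules(text):
    """rule_ids whose dst_ip equals src_ip, the symptom reported in CSCvi15830."""
    rules = parse_blocks(text).get("identity_rules", {})
    return [r.get("rule_id") for r in rules.values()
            if isinstance(r, dict) and "src_ip" in r and r["src_ip"] == r.get("dst_ip")]
```

A hit is only a hint: a rule that legitimately uses the same network on both sides matches too, so compare the listed rule_ids against the identity policy as shown in Firepower Management Center.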