


Cisco Defense Orchestrator

How to Implement a Firepower Identity Policy

If you want to manage identity policies for your Firepower Threat Defense (FTD) device using Cisco Defense Orchestrator (CDO) you need to create identity sources first. You can configure the remaining settings using Defense Orchestrator.

When configured correctly, you will be able to see usernames in the monitoring dashboards and events in FDM. You will also be able to use user identity as a traffic-matching criterion in access control and SSL decryption rules.

Note: At this time, CDO cannot configure some of the components needed to implement identity policies, such as remote access VPN and Cisco Identity Services Engine. These components must be configured in FDM, the local manager of the FTD device. Some of the steps in the procedure below therefore direct you to FDM to configure those identity components.


The following procedure provides an overview of what you must configure to get identity policies to work:

  1. Create the AD identity realm. Whether you collect user identity actively or passively, you need to configure the Active Directory (AD) server that has the user identity information. See Create and Edit a Firepower Threat Defense Active Directory Realm Object for more information.
  2. If you want to use passive authentication identity rules, configure the passive identity sources using FDM.

You can configure any of the following, based on the services you are implementing in the device and the services available to you in your network.

  • Remote access VPN—If you intend to support remote access VPN connections to the device, user logins can provide the identity based on the AD server or on local users (those defined within FDM). For information on configuring remote access VPN, see Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager > Virtual Private Networks > Remote Access > Configuring Remote Access VPNs.
  • Cisco Identity Services Engine (ISE) or Cisco Identity Services Engine Passive Identity Connector (ISE PIC)—If you use these products, you can configure the device as a pxGrid subscriber, and obtain user identity from ISE. See Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager > Reusable Objects > Identity Sources > Configure Identity Services Engine for instructions.
  3. Using Defense Orchestrator, enable the identity policy and configure passive or active authentication. See Configure Identity Policy Settings for more information.
  4. Using Defense Orchestrator, configure the identity policy default action. See Configure Identity Policy Default Action. If your intention is to use passive authentication only, you can set the default action to passive authentication and there is no need to create specific rules.
  5. Using Defense Orchestrator, configure identity rules. See Configuring Identity Rules. Create rules that will collect passive or active user identities from the relevant networks.
  6. (Optional) For any rule that you created, you can select it and add a comment about it in the Add Comments field. To learn more about rule comments, see Adding Comments to Rules in FTD Policies and Rulesets.
  7. Review and deploy the changes you made now, or wait and deploy multiple changes at once.