Firewall Threat Defense dynamic access policies
A Secure Firewall Threat Defense dynamic access policy is a collection of access control attributes that
- addresses issues of multiple group memberships and endpoint security in VPN environments,
- grants access to particular users for particular sessions according to defined policies, and
- adapts to dynamic environments with multiple variables affecting each VPN connection.
Dynamic access policy operation
VPN gateways operate in dynamic environments in which multiple variables can affect each VPN connection: intranet configurations that change frequently, the various roles each user inhabits within an organization, and login attempts from remote access sites with different configurations and levels of security. Authorizing users is therefore much more complicated in a VPN environment than in a network with a static configuration.
You can create a dynamic access policy by setting a collection of access control attributes that you associate with a specific user tunnel or session. The Firewall Threat Defense device generates a DAP during user authentication by selecting one or more DAP records and aggregating their attributes. It selects those records based on the endpoint security information of the remote device and the AAA authorization information for the authenticated user, and then applies the resulting DAP to the user tunnel or session.
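The selection-and-aggregation step described above is easier to reason about with a small model. The following Python is an added illustration, not Cisco code and not the device's actual DAP engine: the record structure, the "higher priority first" ordering, the rule that a terminate action from any matched record wins, the union of network ACLs, and the fallback to a default record when nothing matches are all simplifying assumptions chosen for the example. The session data (a user who belongs to two groups, plus an endpoint posture flag) is constructed sample input that shows how multiple group memberships and endpoint security both feed into the result.

```python
"""Illustrative model of dynamic access policy (DAP) record selection.

Assumptions (not the Cisco implementation): a record matches only when all of
its AAA and endpoint criteria match; matched records are aggregated in
descending priority; any "terminate" action ends the session; network ACLs
are unioned; a default record applies when no other record matches.
"""
from dataclasses import dataclass, field


@dataclass
class DapRecord:
    name: str
    priority: int = 0                                     # higher is applied first (assumption)
    aaa_match: dict = field(default_factory=dict)         # e.g. {"memberOf": "engineering"}
    endpoint_match: dict = field(default_factory=dict)    # e.g. {"av_running": True}
    action: str = "continue"                              # "continue" or "terminate"
    network_acls: list = field(default_factory=list)
    banner: str = ""


def record_matches(record, aaa, endpoint):
    """True when every AAA and endpoint criterion of the record is satisfied.

    A multi-valued AAA attribute (such as group membership) satisfies a
    criterion if any of the session's values equals the wanted value, which is
    how a user in several groups can match several records at once.
    """
    for key, want in record.aaa_match.items():
        have = aaa.get(key)
        values = have if isinstance(have, (list, tuple, set)) else [have]
        if want not in values:
            return False
    for key, want in record.endpoint_match.items():
        if endpoint.get(key) != want:
            return False
    return True


def build_dap(records, aaa, endpoint, default):
    """Select matching records and aggregate them into one policy for the session."""
    matched = sorted(
        (r for r in records if record_matches(r, aaa, endpoint)),
        key=lambda r: -r.priority,
    )
    if not matched:
        matched = [default]                               # fallback record (assumption)
    names = [r.name for r in matched]
    if any(r.action == "terminate" for r in matched):
        return {"action": "terminate", "records": names, "network_acls": [], "banner": ""}
    acls = []
    for r in matched:                                     # union of ACLs, priority order kept
        for acl in r.network_acls:
            if acl not in acls:
                acls.append(acl)
    banner = " ".join(r.banner for r in matched if r.banner)
    return {"action": "continue", "records": names, "network_acls": acls, "banner": banner}


# Constructed DAP records for the example.
RECORDS = [
    DapRecord("engineering-full", priority=20,
              aaa_match={"memberOf": "engineering"},
              endpoint_match={"av_running": True},
              network_acls=["eng-internal"], banner="Engineering access"),
    DapRecord("contractor-limited", priority=10,
              aaa_match={"memberOf": "contractors"},
              network_acls=["contractor-restricted"], banner="Contractor access"),
    DapRecord("block-without-av", priority=30,
              endpoint_match={"av_running": False},
              action="terminate"),
]
DEFAULT = DapRecord("default-policy", network_acls=["default-deny"])


def example(av_running=True, groups=("engineering", "contractors")):
    """Constructed session: a user in several groups, with a given endpoint posture."""
    aaa = {"username": "alice", "memberOf": list(groups)}
    endpoint = {"av_running": av_running}
    return build_dap(RECORDS, aaa, endpoint, DEFAULT)


if __name__ == "__main__":
    print(example())                                   # both group records aggregated
    print(example(av_running=False))                   # terminated by the posture record
    print(example(groups=("guests",)))                 # nothing matched, default applied
```

Running the three calls in the block shows the three outcomes the section describes: a compliant endpoint for a user in two groups gets the union of both groups' ACLs, a non-compliant endpoint is terminated regardless of group membership, and a user matching no record falls back to the default policy.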