When using downloadable ACLs it is my understanding that you specify a source address of "any" to represent the IP of the host authenticating to the FW. Is this true?
Assuming this is true, what would happen if you specified a host address in the downloadable ACL as opposed to using "any"? Would it then enforce that ACL? So I could maybe authenticate to the firewall as "BackupAdmin" and have it download an ACL which allows Server A to connect to the backup server? Even if I was authenticating from say, my workstation?