https://community.cisco.com/t5/network-security/firepower-awareness-user-appl/m-p/4012057#M922735 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/169403">@cadet</a>&nbsp;If the proxy follows the conventional method of including the X-Forwarded-For (XFF) or similar field in the packets, Firepower can extract and display that information. It's a non-displayed by default so you would have to enable it in your Connection events table viewer.</P> <P>The option for it is under Policies &gt; Intrusion &gt; Network Analysis Policy</P> Wed, 15 Jan 2020 19:02:57 GMT Marvin Rhoads 2020-01-15T19:02:57Z https://community.cisco.com/t5/network-security/firepower-awareness-user-appl/m-p/3990659#M922730 <P>Hello!</P><P>&nbsp;</P><P><SPAN>"Cisco <STRONG>Firepower</STRONG> provides full contextual threat analysis and protection, <STRONG>with awareness into users, user history on every machine, mobile devices, client-side applications, operating systems, virtual machine-to-machine communications, vulnerabilities, threats, and URLs.</STRONG>" -&nbsp;<A href="https://www.cisco.com/c/m/en_us/products/security/firewalls/competitive-comparison.html#~competitive=0" target="_blank" rel="noopener">https://www.cisco.com/c/m/en_us/products/security/firewalls/competitive-comparison.html#~competitive=0</A></SPAN></P><P>&nbsp;</P><P>What products do customers need to offer to implement the "User, network, and endpoint awareness" features?</P><P>It seems to me that in addition to <STRONG>Firepower</STRONG> + <STRONG>FMC</STRONG>, <STRONG>Network Visibility module for Anyconnect</STRONG>&nbsp; is also needed?&nbsp;</P><P><STRONG>Or please explain how Firepower, which is located on the external edge of the network, receives information about "a user working on a workstation + client-side applications" in the local network behind a proxy server ?</STRONG></P><P>Thanks!</P><P>&nbsp;</P> Fri, 21 Feb 2020 17:43:56 GMT https://community.cisco.com/t5/network-security/firepower-awareness-user-appl/m-p/3990659#M922730 cadet 2020-02-21T17:43:56Z https://community.cisco.com/t5/network-security/firepower-awareness-user-appl/m-p/3990702#M922731 <P>If Firepower is only sitting on the network edge then you might not see intra-network visibility. It can be architected instead to also cover "east-west" traffic and provide the visibility mentioned in the data sheet without any additional products.</P> <P>If you don't put it into the east-west path then other products such as Stealthwatch can provide this sort of visibility. It can ingest Netflow records from many locations, including the Anyconnect Network Visibility module. Generally though it suffices to gather flow records from the network equipment.</P> Thu, 28 Nov 2019 11:49:18 GMT https://community.cisco.com/t5/network-security/firepower-awareness-user-appl/m-p/3990702#M922731 Marvin Rhoads 2019-11-28T11:49:18Z https://community.cisco.com/t5/network-security/firepower-awareness-user-appl/m-p/3990751#M922732 <P>Thanks, Marvin!&nbsp;</P><P>&nbsp;</P><P>As I understand, is the <STRONG>same situation with the "Network file trajectory"&nbsp;</STRONG>?</P><P><SPAN>"Cisco maps how <STRONG>hosts transfer files, including malware files, across your network</STRONG>. It can see if a file transfer was blocked or the file was quarantined. This provides a means to scope, provide outbreak controls, and identify patient zero." -&nbsp;<A href="https://www.cisco.com/c/m/en_us/products/security/firewalls/competitive-comparison.html#~competitive=0" target="_blank">https://www.cisco.com/c/m/en_us/products/security/firewalls/competitive-comparison.html#~competitive=0</A></SPAN></P><P>&nbsp;</P><P>If <SPAN>we don't put Firepower&nbsp; into the east-west path of the traffic than we can not see <STRONG>file trajectory&nbsp;</STRONG><STRONG>across customer network without additional&nbsp;products&nbsp;such as, for example, AMP for Endpoint ?</STRONG></SPAN></P><P>&nbsp;</P><P>So, in design (case 1 in attach)&nbsp;<SPAN><STRONG>without&nbsp; AMP for Endpoint do I not see&nbsp;file trajectory between host B and C ?</STRONG></SPAN></P><P>Or do I need <STRONG>additional Firepower between&nbsp;host B and C</STRONG> (case 2 in attach) or&nbsp;<STRONG>AMP for Endpoint on both hosts ?</STRONG></P><P>&nbsp;</P><P><STRONG>Could you correct me if I am wrong?</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 28 Nov 2019 13:13:10 GMT https://community.cisco.com/t5/network-security/firepower-awareness-user-appl/m-p/3990751#M922732 cadet 2019-11-28T13:13:10Z https://community.cisco.com/t5/network-security/firepower-awareness-user-appl/m-p/3991379#M922733 <P>In the hypothetical use case #2&nbsp;you describe, Malware traffic that was exclusively between B and C would never transit the firewall so of course the firewall would have to way to detect or provide insight into that particular flow.</P> <P>However in the real world, the malware would often be making calls to the Internet. In that case Firepower would see those calls from both B and C and thus be able to report that the same malware was seen on two hosts.</P> <P>See this example:</P> <P><A href="https://popravak.wordpress.com/2015/07/11/sourcefire-file-policies-aka-advanced-malware-protection/" target="_blank">https://popravak.wordpress.com/2015/07/11/sourcefire-file-policies-aka-advanced-malware-protection/</A></P> Sat, 30 Nov 2019 05:50:49 GMT https://community.cisco.com/t5/network-security/firepower-awareness-user-appl/m-p/3991379#M922733 Marvin Rhoads 2019-11-30T05:50:49Z https://community.cisco.com/t5/network-security/firepower-awareness-user-appl/m-p/4011800#M922734 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046">@Marvin Rhoads</a>&nbsp;wrote:<BR /><P>However in the real world, the malware would often be making calls to the Internet. In that case Firepower would see those calls from both B and C and thus be able to report that the same malware was seen on two hosts.</P><P>&nbsp;</P><HR /></BLOCKQUOTE><P>Hi!</P><P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046">@Marvin Rhoads</a>, Thanks!&nbsp;I missed your answer.</P><P>I agree with you. But also in <STRONG>real-world scenarios</STRONG>, the customer often uses a <STRONG>proxy server</STRONG> that <STRONG>hides the IP addresses of users</STRONG> when they access to the Internet. And again we come back to a solution that r<STRONG>equires additional software (for example, AMP for Endpoint on hosts)&nbsp;</STRONG>for&nbsp;<STRONG>Network file trajectory&nbsp;</STRONG>functionality.</P><P>&nbsp;</P><P>Could you correct me if I am wrong?</P> Wed, 15 Jan 2020 12:33:51 GMT https://community.cisco.com/t5/network-security/firepower-awareness-user-appl/m-p/4011800#M922734 cadet 2020-01-15T12:33:51Z https://community.cisco.com/t5/network-security/firepower-awareness-user-appl/m-p/4012057#M922735 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/169403">@cadet</a>&nbsp;If the proxy follows the conventional method of including the X-Forwarded-For (XFF) or similar field in the packets, Firepower can extract and display that information. It's a non-displayed by default so you would have to enable it in your Connection events table viewer.</P> <P>The option for it is under Policies &gt; Intrusion &gt; Network Analysis Policy</P> Wed, 15 Jan 2020 19:02:57 GMT https://community.cisco.com/t5/network-security/firepower-awareness-user-appl/m-p/4012057#M922735 Marvin Rhoads 2020-01-15T19:02:57Z