AMP Identity Persistence

ITandCoffee
Level 1

Hi all,

A couple of quick questions regarding identity persistence. When a computer is re-imaged and is not yet joined to our domain, will AMP still identify it using the MAC address and UUID to reinstall the endpoint connector? What about for remote computers that are not on our internal network, but running a VPN? What if their VPN is disabled and they are simply connected to the internet?

Thanks! 

5 Replies

jesutorr@cisco.com
Cisco Employee

Hi,

Thanks for contacting Cisco Community. My name is Uriel Torres from the Advanced Threat Solutions team. You can configure identity persistence as follows:

  • By policy across policy
  • By MAC across policy
  • By policy across business
  • By MAC across business

I always recommend using:

  • By policy across the business
  • By MAC across business

For the first question, if you install AMP on a machine without the domain and with the following configuration:

Hostname: Machine1

MAC Address: 0e:12:5a:d7:15:11

Identity persistence configuration: Identity persistence by hostname across the business.

Connector UUID: fac4e17e-bf66-4786-94ed-e63ed61033a6

Then if you add the following domain: example.com

You will have the following hostname: Machine1.example.com

With this configuration, the information will be the following:

Hostname: Machine1.example.com

MAC Address: 0e:12:5a:d7:15:11

Identity persistence configuration: Identity persistence by hostname across business.

Connector UUID: e0857bde-2ce0-4ebd-8eb7-b32b52979c27

As you can see, the UUID changes because the hostname has been changed. At this moment you will have 2 different machines registered on the cloud. If we look for a pattern, the only concept that is the same is the MAC address; for this situation it will be better to have "Identity Persistence By MAC across business".

With the same example of Machine 1, after adding the domain to the hostname, even if the UUID changes, the computer won't be duplicated because the MAC address will be the same.

**********

About the second inquiry, you can install the AMP connector with a simple internet connection.

Best regards,

Thanks for the information Uriel! How does the console find PCs? For example, if a computer is re-imaged and first connects to a network that is not part of our domain, will the console reinstall the endpoint connector? I would imagine not (I would think the machine would need to be connected to our internal network), but I'm just trying to gain a better understanding of how identity persistence works or how/where it scans for PCs.

Thanks again!

Hello @ITandCoffee ,

After the feature is enabled in the UI, you can choose how a system is identified again after re-imaging.

Here is some more info on how the settings work (copied from the AMP help):

  • None: Connector logs are not synchronized with new Connector installs under any circumstance.
  • By MAC Address across Business: New Connectors look for the most recent Connector that has the same MAC address to synchronize with across all policies in the business that have Identity Synchronization set to a value other than None.
  • By MAC Address across Policy: New Connectors look for the most recent Connector that has the same MAC address to synchronize with within the same policy.
  • By Host name across Business: New Connectors look for the most recent Connector that has the same host name to synchronize with across all policies in the business that have Identity Synchronization set to a value other than None.
  • By Host name across Policy: New Connectors look for the most recent Connector that has the same hostname to synchronize with within the same policy.

 

Hope this gives you some better understanding into the feature.

Cheers,

Thorsten
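
A simplified model of the matching rules in the help text above, run against the Machine1 example from earlier in the thread. This is an added example, not part of any post and not Cisco's code; the `Console` and `Record` classes, the policy name `Workstations` and the install counter are assumptions made for illustration.

```python
from dataclasses import dataclass
# Identity Synchronization settings quoted from the AMP help: (match key, scope).
MODES = {
    "None": None,
    "By MAC Address across Business": ("mac", "business"),
    "By MAC Address across Policy": ("mac", "policy"),
    "By Host name across Business": ("hostname", "business"),
    "By Host name across Policy": ("hostname", "policy"),
}

@dataclass
class Record:  # hypothetical stand-in for one computer entry in the console
    record_id: int
    hostname: str
    mac: str
    policy: str
    last_install: int  # constructed counter, higher = more recent

class Console:  # toy model; policy_modes maps a policy name to a MODES key
    def __init__(self, policy_modes):
        self.policy_modes, self.records, self.installs = policy_modes, [], 0

    def _match(self, hostname, mac, policy):
        mode = MODES[self.policy_modes[policy]]
        if mode is None:
            return None  # "None": never synchronize with an earlier install
        key, scope = mode
        wanted = mac if key == "mac" else hostname
        hits = [r for r in self.records if getattr(r, key) == wanted and (
            r.policy == policy if scope == "policy"
            else MODES[self.policy_modes[r.policy]] is not None)]
        return max(hits, key=lambda r: r.last_install, default=None)

    def install(self, hostname, mac, policy):
        self.installs += 1
        rec = self._match(hostname, mac, policy)
        if rec is None:  # nothing to synchronize with: a new computer entry
            rec = Record(len(self.records) + 1, hostname, mac, policy, 0)
            self.records.append(rec)
        rec.hostname, rec.mac, rec.policy = hostname, mac, policy
        rec.last_install = self.installs
        return rec.record_id

def machine1_demo(mode):
    """Machine1 from the thread: same MAC, hostname gains the domain suffix."""
    c = Console({"Workstations": mode})
    c.install("Machine1", "0e:12:5a:d7:15:11", "Workstations")
    c.install("Machine1.example.com", "0e:12:5a:d7:15:11", "Workstations")
    return len(c.records)
```

`machine1_demo` returns the number of computer entries after both installs: 2 for the host name setting (the duplicate described earlier in the thread) and 1 when matching by MAC address.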

Hello,

To jump on this thread, I am having a similar issue but do not see the "Identity Persistence" option in the policy area, nor do I see an option to enable/disable it. Where can I check to see what identity persistence settings I have, and where can I go to change them?

Hello @TylerFromPIH,

This feature is not enabled by default. You have to open a TAC case to enable the feature.

Greetings,

Thorsten