
FirePower ASA user to IP mapping

Hrvoje Samec
Level 1

Hello

Is there a way to see the user-to-IP address mapping and users' AD group membership on the FirePower system? I have some problems with user identification and want to check whether the correct information is propagated to the FirePower system. Also, should I look for this information on the FirePower Management Center or on the SFR module installed on the ASA?

Information like this could be easily collected and checked on competitor devices, but I can't find any documentation on how to do this on a Cisco firewall.

4 Replies

cshackel77
Level 1

Refer to this section of the guide (this is 5.4, but it is similar in later releases; you can pull the guide for whatever version you are on):

ASA FirePOWER Module User Guide for the ASA5506-X, ASA5506H-X, ASA5506W-X, ASA5508-X, and ASA5516-X, Version 5.4.1 - Con…

To answer my own question...

It looks like there is no way to see the user-to-IP mapping on the FMC and/or the SFR module with just one command. You have to use a Perl script to do that?!

Hrvoje,

Actually, it depends on what you're specifically trying to solve for.

Firepower and FPMC arrive at a "user to IP Mapping" in one of a myriad of ways. Either passively by looking at network traffic such as IMAP, SMTP, HTTP, etc.

Or actively (authoritative) by looking at SFUA data, or AD Connector, or via ISE.

How are you gathering user data in your installation? Authoritatively or passively?

If you're asking "Can I go into the UI and click a single button to view 'ALL USERS to ALL IPs' mapping?", the answer is "no". You can get there via some scripting, or you can get there with something like Splunk, where you can do an eStreamer connection to parse out events and connections and then write a simple search rule to give you just "user and src IP".

By their very nature, this IP to User mapping is dynamic and subject to change so there's no "static page" to go and view this data.

If you're trying to validate that "Betty" is using "172.16.56.7", this is much easier to do....

You can go into network discovery and find the host profile for the IP in question that you're attempting to validate. If user data has been discovered for that IP, you will see the most current / most trustworthy user(s) listed in the "current user" field. (Screenshot attached: host-profile.jpg)
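An added example of the "scripting" route mentioned above (not code from this thread or from Cisco): it reads exported identity events, keeps only the newest user seen per IP because the mapping is dynamic, and answers the "is Betty on 172.16.56.7" question. The key=value record format and the field names are assumptions, and the sample events are constructed.

```python
# Added example, not from the thread or from Cisco: build a user-to-IP table
# from exported identity events (e.g. an eStreamer/eNcore export), keeping only
# the most recent user per IP, since the mapping changes over time.
# The record format and field names are assumptions made for illustration.
from datetime import datetime, timezone

# Constructed sample records in key=value form (not real eNcore output).
# Note the last line is older than the "carol" record but appears later in
# the file: ordering by timestamp, not file order, matters.
SAMPLE_EVENTS = """\
ts=2024-03-01T08:00:00Z user=betty src_ip=172.16.56.7 source=AD-agent
ts=2024-03-01T08:05:00Z user=bob src_ip=172.16.56.9 source=passive-http
ts=2024-03-01T09:30:00Z user=carol src_ip=172.16.56.7 source=ISE
ts=2024-03-01T09:10:00Z user=betty src_ip=172.16.56.7 source=passive-smtp
"""


def parse_events(text):
    """Parse key=value records into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        ts = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
        fields["ts"] = ts.replace(tzinfo=timezone.utc)
        events.append(fields)
    return events


def current_user_map(events):
    """Return {ip: (user, source, ts)} holding the newest event per IP."""
    latest = {}
    for ev in events:
        ip = ev["src_ip"]
        if ip not in latest or ev["ts"] > latest[ip]["ts"]:
            latest[ip] = ev
    return {ip: (ev["user"], ev["source"], ev["ts"]) for ip, ev in latest.items()}


def validate(mapping, user, ip):
    """True if `user` is the most recent user seen on `ip`."""
    entry = mapping.get(ip)
    return entry is not None and entry[0] == user


if __name__ == "__main__":
    table = current_user_map(parse_events(SAMPLE_EVENTS))
    for ip, (user, source, ts) in sorted(table.items()):
        print(f"{ip:15} {user:8} via {source:13} at {ts.isoformat()}")
```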

Leciscokid,

I tried to parse logs using eStreamer and eNcore, but it didn't work. Do you know if there's any other way to integrate FirePower and Splunk?
