Welcome to Cisco Firewalls Community

Beginner

FirePower ASA user to IP mapping

Hello

Is there a way to see user to IP address mapping, and users' AD group membership, on the FirePower system? I have some problems with user identification and want to check whether correct information is propagated to the FirePower system. Also, should I look for this information on FirePower Management Center or on the SFR module installed on the ASA?

Information like this can be easily collected and checked on competitor devices, but I can't find any documentation on how to do this on a Cisco firewall.

4 REPLIES 4
Beginner

Re: FirePower ASA user to IP mapping

Refer to this section of the guide (this is 5.4 but similar in later releases; can pull guide for whatever version you are on)

ASA FirePOWER Module User Guide for the ASA5506-X, ASA5506H-X, ASA5506W-X, ASA5508-X, and ASA5516-X, Version 5.4.1 - Con…

Beginner

Re: FirePower ASA user to IP mapping

To answer my own question:

It looks like there is no way to see user to IP mapping on FPMC and/or the SFR module with just one command. You have to use a Perl script to do that?!

Beginner

Re: FirePower ASA user to IP mapping

Hrvoje,

Actually, it depends on what you're specifically trying to solve for.

Firepower and FPMC arrive at a "user to IP mapping" in one of a myriad of ways: either passively, by looking at network traffic such as IMAP, SMTP, HTTP, etc., or actively (authoritative), by looking at SFUA data, or AD Connector, or via ISE.

How are you gathering user data in your installation? Authoritatively or passively?

If you're asking "Can I go into the UI and click a single button to view 'ALL USER to ALL IP' mapping?", the answer is "no". You can get there via some scripting, or you can get there with something like Splunk, where you can do an eStreamer connection to parse out events and connections and then write a simple search rule to give you just "user and src IP".

By its very nature, this IP to user mapping is dynamic and subject to change, so there's no "static page" to go and view this data.

If you're trying to validate that "Betty" is using "172.16.56.7", this is much easier to do...

You can go into network discovery and find the host profile for the IP in question that you're attempting to validate, and if user data has been discovered for that IP, you will see the most current / highest trustworthy user(s) listed in the "current user" field.
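The kind of scripting this reply points to, as an added example that is not part of the thread and not Cisco's tooling: it reduces a stream of user events to one current user per source IP, preferring authoritative sources over passive ones and then the most recent sighting. The key=value line layout, the field names (`ts`, `src_ip`, `user`, `source`) and the sample events are constructed assumptions, not the real eStreamer output format.

```python
from datetime import datetime

# Constructed sample events. The key=value layout and the field names
# (ts, src_ip, user, source) are assumptions, not real eStreamer output.
SAMPLE_EVENTS = """\
ts=2020-01-10T09:00:00 src_ip=172.16.56.7 user=betty source=HTTP
ts=2020-01-10T09:05:00 src_ip=172.16.56.7 user=betty.k source=AD
ts=2020-01-10T09:30:00 src_ip=172.16.56.7 user=guest source=IMAP
ts=2020-01-10T09:10:00 src_ip=172.16.56.9 user=alan source=SMTP
ts=2020-01-10T09:40:00 src_ip=172.16.56.9 user=carol source=SMTP
ts=2020-01-10T09:45:00 src_ip=172.16.56.12 source=HTTP
not a key=value line
"""

# Sources treated as authoritative, following the post's passive/active split.
AUTHORITATIVE = {"AD", "ISE", "SFUA"}
REQUIRED = {"ts", "src_ip", "user", "source"}


def parse_event(line):
    """Return a dict for a usable event, or None if it carries no user data."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not REQUIRED <= fields.keys():
        return None
    try:
        fields["ts"] = datetime.fromisoformat(fields["ts"])
    except ValueError:
        return None
    return fields


def current_users(lines):
    """Map each source IP to its most trustworthy, then most recent, user."""
    best = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        auth = ev["source"].upper() in AUTHORITATIVE
        rank = (auth, ev["ts"])  # authoritative beats passive, then newest wins
        if ev["src_ip"] not in best or rank > best[ev["src_ip"]]["rank"]:
            best[ev["src_ip"]] = {"user": ev["user"], "source": ev["source"],
                                  "authoritative": auth, "rank": rank}
    return best


if __name__ == "__main__":
    for ip, info in sorted(current_users(SAMPLE_EVENTS.splitlines()).items()):
        kind = "authoritative" if info["authoritative"] else "passive"
        print(f"{ip:15} {info['user']:10} {info['source']:5} {kind}")
```

In the sample, 172.16.56.7 resolves to the AD-sourced user even though a passive IMAP sighting is newer, which is the case to check when identity-based rules match the wrong user.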

Beginner

Re: FirePower ASA user to IP mapping

Leciscokid,

I tried to parse logs using eStreamer and eNcore, but it didn't work. Do you know if there's any other way to integrate FirePower and Splunk?