is there a way to see user to IP address mapping, and users AD group membership on FirePower system. I have some problems with user identification and want to check whether correct information is propageted to the FirePower system. Also, should I look for this information on FirePower Management Center or on SFR module installed on the ASA.
Information like these could be easily collected and checked on competitor devices but I can't find any documentation how to do this on Cisco firewall.
Refer to this section of the guide (this is 5.4 but similar in later releases; can pull guide for whatever version you are on)
to answer my own question..
it looks like there is no way to see user to IP mapping on FPMC and/or SFR module with just one command. You have to use Perl script to that?!
Actually It depends on what you're specifically trying to solve for.
Firepower and FPMC arrive at a "user to IP Mapping" in one of a myriad of ways. Either passively by looking at network traffic such as IMAP, SMTP, HTTP, etc.
Or actively (authoritative) by looking at SFUA data, or AD Connector, or via ISE.
How are you gathering user Data in your installation ? Authoritatively or Passively ?
If you're asking "Can I go into the UI and click a single button to view "ALL USER to ALL IP" mapping, the answer is "no". You can get there via some scripting, or you can get there with something like Splunk, where you can do an eStream connection to parse out events and connections and then write a simple search rule to give you just "user and src IP"
By their very nature, this IP to User mapping is dynamic and subject to change so there's no "static page" to go and view this data.
If you're trying to validate that "Betty" is using "172.16.56.7", this is much easier to do....
You can go into network discovery, and find the host profile for the IP in question, that you're attempting to validate, and if User data has been discovered for that IP, you will see the most current / highest trustworthy User(s) listed in the "current user" field.
I tried to parse logs using eStreamer and eNcore, but it didn't work. Do you know if there's any another way to integrate FirePower and Splunk?