Information mismatch between ASA And Firepower

Hello, 

 

I have a customer that has ASA with firepower services. 

In the summary board of FMC he sees in the "Top Web App Seen" less traffic than he sees in ASA.

Also, in the Analysis->Users the users shown are fewer than the actual users in the network. 

 

I looked, and there is no connection to the AD, but there is CDA. In the CDA the users are shown correctly.

 

Any hint what might be wrong?

 

Thanks and regards, 

Konstantinos


alex_dufresne

The Firepower Services Module and the ASA are two completely separate entities. So, the identity awareness that you would get from the ASA CDA's Active Directory information is not replicated to the Firepower.

 

Also, by "there is no connection to the AD", what do you mean?

 

On the Firepower side, you can configure user awareness either through pxGrid integration (ISE), the AD connector (agent on the DC monitoring WMI events) or through Web redirection with active login. 

 

On the ASA side, you should be getting that user information from monitoring AD events with CDA.

 

If one entity has the AD monitoring, but not the other, then what information you get will differ quite a bit.

 

See here for the Firepower configuration and here for the CDA configuration.

Hello @alex_dufresne , 

 

Thank you for the information. 

 

OK, I am not familiar with CDA. Your info helped me. I have some questions though.

 

"The Firepower Services Module and the ASA are two completely separated entities. So, the identity awareness that you would get from the ASA CDA's Active Directory information is not replicated to the Firepower."

"Also, by "there is no connection to the AD", what do you mean?"

 

When I browse Realms in FMC I do not see any connection to the AD. Why do I see user information in the FMC?

 

The thing is that the customer compared the graphs from FMC to those from ASA and he sees a difference in the total number of MBytes.

 

I am trying to see what information I should seek to figure out if this is an issue.

 

Regards, 

Konstantinos

Firepower gets its user information from passive traffic analysis. For example, unsecured FTP connections or explicit AD user authentication via an unencrypted intranet page. VPN users should also be in your user list. 

 

I have pointed out which parts need to be configured on the Firepower side (pxGrid, if you have ISE, or AD connector if you don't). The AD connector needs to be installed on a domain controller and tracks logins from WMI events. See the FMC deployment guide for more information on how to get this up and running: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63.html --> Under the "Discovery and Identity" section.

 

As for CDA, I have never configured it, so I can't really help out any more than that.

 

Finally, let me reiterate that seeing different user data in Firepower than in the ASA is not alarming at all. If you want to use either one to monitor your users in your network, you'll have to configure either the Firepower Network Discovery part or the ASA CDA part. Decide on which implementation is more appropriate for your customer, while considering that Firepower is Cisco's future. 

 

Best of luck to you in your project! ;)

Thank you adufresneb,
Your answers helped me put it together.

Regards,
Konstantinos