cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Register for SecureX webinars to learn about our newest integrations and features.

1779
Views
0
Helpful
5
Replies
fongaratto
Beginner

Group-based Active Directory rule problems

Hello ALL,


I hope they’re okay!

We have 2 Firepower 4110 in version 6.6.1.

We need to create rules based on Active Directory groups.

Unfortunately the configuration is not working, the created rule is being ignored (please see in the pictures).

We are using the latest version of User Agent v2.4.0 build 1, with Service Status "Running". And integration with the services working well.

In FMC the Download of AD groups occurs correctly, without failures.

Any suggestions on how I can make the rules work based on AD groups?

 

Best regards.

5 REPLIES 5
Milos_Jovanovic
VIP Collaborator

Hi @fongaratto,

If you take a closer look, you'll notice that your group download is not done:

Capture.PNG

I don't know which group is this and if relevant, but I would make sure it is not group I need.

In your rule that you expect to be matched, you have many conditions - src and dst zones, src and dst networks, users and dst ports. In order for this rule to be mathced, all conditions must be satisfied (there is a logical AND operator between). Are there any Identity based rules in your policy that do work?

BR,

Milos

 

 

 

Hello Milos, you are always very fast and with great answers

 

I hadn’t noticed that, thank you very much for the tip.

 

Do you know what an example of an Identity rule would look like with suitable conditions to calculate?

 

Thanks.

Hi @fongaratto,

Your rule can be perfectly valid too, you just need to make sure you are matching everything you need to match.

Since you are still troubleshooting if identity rules are working or not, I would start with something really simple like permit identity group to certain server, and I would place that rule somewhere on top, just to check if your identity based approach is working at all or not. If it is working, then you just need to make proper rules then. If not, you'll need to troubleshoot identity learning then.

There are couple things here to look for - if SFUA is integrated properly with AD (and all relevant DCs, as security events are local to each DC), and if SFUA is integrated properly with FMC and if you are learning identities.

BR,

Milos

Hello,

 

Can you explain to me the steps to check the groups?

 

I am trying in expert mode:

 

cd /var/tmp/user_download/5/invalid_groups

!

cd /var/tmp/user_download/5/action_queue.log

 

But returns a message that the directory does not exist.

 

All the best.

Hi @fongaratto,

Try checking on UA side. You have an option to show debug messages in Log, and then check log file. Try going through these troubleshooting steps, to see if they help.

BR,

Milos

Create
Recognize Your Peers
Content for Community-Ad
Additional Cisco Threat Response Resources


August's Community Spotlight Awards