Group-based Active Directory rule problems
09-23-2021 02:35 PM
Hello ALL,
I hope they’re okay!
We have 2 Firepower 4110 in version 6.6.1.
We need to create rules based on Active Directory groups.
Unfortunately the configuration is not working, the created rule is being ignored (please see in the pictures).
We are using the latest version of User Agent v2.4.0 build 1, with Service Status "Running". And integration with the services working well.
In FMC the Download of AD groups occurs correctly, without failures.
Any suggestions on how I can make the rules work based on AD groups?
Best regards.
Labels: Integrations
09-24-2021 01:36 AM - edited 09-24-2021 01:37 AM
Hi @fongaratto,
If you take a closer look, you'll notice that your group download is not done:
I don't know which group is this and if relevant, but I would make sure it is not group I need.
In your rule that you expect to be matched, you have many conditions - src and dst zones, src and dst networks, users and dst ports. In order for this rule to be matched, all conditions must be satisfied (there is a logical AND operator between). Are there any Identity based rules in your policy that do work?
BR,
Milos
09-24-2021 05:35 AM
Hello Milos, you are always very fast and with great answers
I hadn’t noticed that, thank you very much for the tip.
Do you know what an example of an Identity rule would look like with suitable conditions to calculate?
Thanks.
09-25-2021 12:34 PM
Hi @fongaratto,
Your rule can be perfectly valid too, you just need to make sure you are matching everything you need to match.
Since you are still troubleshooting if identity rules are working or not, I would start with something really simple like permit identity group to certain server, and I would place that rule somewhere on top, just to check if your identity based approach is working at all or not. If it is working, then you just need to make proper rules then. If not, you'll need to troubleshoot identity learning then.
There are a couple of things here to look for - if SFUA is integrated properly with AD (and all relevant DCs, as security events are local to each DC), if SFUA is integrated properly with FMC, and if you are learning identities.
BR,
Milos
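The two points Milos makes above (every condition in an access rule is ANDed, and a simple identity-only rule placed at the top is the quickest way to prove identity matching works at all) can be modelled in a few lines. The following is an added illustration written for this thread, not Cisco or Firepower code: the `Rule`/`Flow` structures, the group name `AD-Finance`, the zone names and the documentation-range addresses are all constructed. It evaluates a policy first-match style and, for troubleshooting, reports which conditions of a rule a given flow fails to satisfy, including the case where no user identity was learned for the source IP.

```python
"""Toy model of first-match access-control evaluation with ANDed conditions.
Added example for illustration; not vendor code. Rule fields are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int
    # AD groups learned for src_ip; None means no user-to-IP mapping was learned
    user_groups: Optional[frozenset] = None


@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "block"
    src_zones: frozenset = frozenset()   # empty collection = any
    dst_zones: frozenset = frozenset()
    src_nets: tuple = ()
    dst_nets: tuple = ()
    groups: frozenset = frozenset()
    dst_ports: frozenset = frozenset()


def _in_nets(ip, nets):
    return not nets or any(ip_address(ip) in ip_network(n) for n in nets)


def failed_conditions(rule, flow):
    """Return the names of the rule's conditions that the flow does NOT satisfy."""
    checks = {
        "src_zone": not rule.src_zones or flow.src_zone in rule.src_zones,
        "dst_zone": not rule.dst_zones or flow.dst_zone in rule.dst_zones,
        "src_net": _in_nets(flow.src_ip, rule.src_nets),
        "dst_net": _in_nets(flow.dst_ip, rule.dst_nets),
        # A group condition can only hold when an identity was learned for the source IP
        "user": not rule.groups
                or (flow.user_groups is not None and bool(rule.groups & flow.user_groups)),
        "dst_port": not rule.dst_ports or flow.dst_port in rule.dst_ports,
    }
    return [name for name, ok in checks.items() if not ok]


def evaluate(policy, flow, default_action="block"):
    """First rule whose conditions all hold wins; otherwise the policy default applies."""
    for rule in policy:
        if not failed_conditions(rule, flow):
            return rule.name, rule.action
    return "Default Action", default_action


# Constructed sample policy: one fully specified rule (like the one in the thread)
# and one deliberately minimal identity-only test rule.
FULL_RULE = Rule("Finance-to-ERP", "allow",
                 src_zones=frozenset({"inside"}), dst_zones=frozenset({"dmz"}),
                 src_nets=("10.1.0.0/16",), dst_nets=("192.0.2.10/32",),
                 groups=frozenset({"AD-Finance"}), dst_ports=frozenset({443}))
TEST_RULE = Rule("Test-Identity-Only", "allow",
                 dst_nets=("192.0.2.10/32",), groups=frozenset({"AD-Finance"}))


def demo():
    """Constructed flows: identity learned, identity missing, and wrong port."""
    known = Flow("inside", "dmz", "10.1.5.20", "192.0.2.10", 443, frozenset({"AD-Finance"}))
    unknown = Flow("inside", "dmz", "10.1.5.20", "192.0.2.10", 443, None)
    wrong_port = Flow("inside", "dmz", "10.1.5.20", "192.0.2.10", 8443, frozenset({"AD-Finance"}))
    return {
        "known": evaluate([FULL_RULE], known),
        "unknown": evaluate([FULL_RULE], unknown),
        "unknown_failed": failed_conditions(FULL_RULE, unknown),
        "wrong_port_failed": failed_conditions(FULL_RULE, wrong_port),
        "test_rule_on_top": evaluate([TEST_RULE, FULL_RULE], wrong_port),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the point of the advice: the fully specified rule is skipped both when the identity was never learned (`unknown_failed` is just `["user"]`) and when any single other condition misses, whereas the identity-only test rule at the top matches as soon as the group mapping exists, which isolates "is identity learning working" from "is my rule written correctly".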
09-29-2021 01:28 PM
Hello,
Can you explain to me the steps to check the groups?
I am trying in expert mode:
cd /var/tmp/user_download/5/invalid_groups
!
cd /var/tmp/user_download/5/action_queue.log
But returns a message that the directory does not exist.
All the best.
09-29-2021 11:20 PM
Hi @fongaratto,
Try checking on UA side. You have an option to show debug messages in Log, and then check log file. Try going through these troubleshooting steps, to see if they help.
BR,
Milos
