Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1097
Views
0
Helpful
5
Replies

ASA5516-X: Usefulness of the AgentService.exe process

jds5
Level 1
Level 1

‎10-11-2021 05:01 AM

 

Hello,

 

One of our servers has this executable:
\Cisco Systems, Inc\Cisco Firepower User Agent for Active Directory\AgentService.exe

-What is the use of this process?
-Why does it do exec RPC on remote machines?
-If we remove it what is the impact on our firepower?

 

Plateforme ASA5516-X

ASA Version 9.8(4)22  

 

Thank you,

 

BR,

José

0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-11-2021 06:13 AM

Firepower User Agent is a program that runs on a computer in your domain and synchronizes AD logon and logoff events on configured DCs to a local SQL Express database which is in turn synchronized up the the configured FMC.

It serves to inform FMC of username - IP address mapping for use in both event analysis and policies.

0 Helpful

jds5
Level 1
Level 1

‎10-11-2021 07:32 AM

Thank you for these precisions.


Is it true that this agent is no longer being maintained?
What will be the solution to replace it

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to jds5

‎10-11-2021 01:07 PM

Yes- User Agent is deprecated.

Firepower 6.7 will not allow you to add User Agent as an identity source.

7.0 will not allow you to upgrade from an earlier version until you remove it.

The replacement is Cisco ISE (or the stripped down ISE-PIC if you only need ISE for Identity). If you have a hardware FMC, you are eligible for a free ISE-PIC license. Otherwise you have to purchase it if you want to continue using identity integration with your FMC.

0 Helpful

jds5
Level 1
Level 1

‎10-21-2021 08:51 AM

 

After the audit of our network, we notice that the machine on which the AgentService.exe process is installed launches RPC executions on all the machines in our domain.
Is this normal behavior?

How to allow only one connection between the firepower and our AD?
What will be the impact if we remove the user agent?

 

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to jds5

‎10-21-2021 08:33 PM

The host running the Cisco Firepower User Agent should only be accessing the configured domain controllers from which it retrieves logon/logoff events in order to gather a mapping of usernames to IP addresses. It writes them to a local SQL Express database which is in turn synced with the configured FMC(s).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card