Cisco Firepower Threat Defense User to IP Mapping?

Hello, 

I would like to know how user-to-IP mapping works in Cisco Firepower appliances 9300 and 4100.

Below are my questions:

1. Maximum number of AD servers supported in FTD?

2. Can we integrate existing syslog with FTD for identity-based policy?

3. Can we integrate Citrix XenApp with FTD for identity-based policy?

4. Can we integrate a third-party authorization server with FTD for identity-based policy?

5. Can access be allowed/denied based on the device that the user used for a previous login?

6. Identity firewall solution for non-domain devices, including personal mobile devices?

7. Maximum user-to-IP mappings supported on the FTD 9300 appliance?

8. Maximum user groups supported on the FTD 9300 appliance?

9. How many IP addresses can a user identity be mapped against?

10. Can the timer be set per server (different for AD and syslog)?

11. In case of fail-over to the standby device, is user-IP and user-group database synchronisation achieved, including other run-time information?

12. Can segregation be performed based on access from domain and non-domain devices (i.e. differential user access levels for domain and non-domain devices)?

13. Capability to extend the user identification policies to personal mobile devices?

14. If a single user logs in through multiple devices (including domain, non-domain and mobile), how will the identity FW react to this?

15. Support for client IP probing and configurability of the probe timing?

16. Integration with McAfee SIEM, any open-source SIEM, Nessus vulnerability scanner?

Thanks

Shubham

Accepted Solution

From what you were saying I would think you are working for an integrator, so I would guess your local Cisco SE should be able to help you out with this if anything is unclear.

I will try to answer some of your questions, but some of them are about hard limits which are mostly not documented, and you will need Cisco to provide more detailed information and proper guidelines.

1. Maximum number of AD servers supported in FTD?

If you are using the User Agent, each User Agent can poll a maximum of 5 AD servers for login events. If you need to scale this out further you will need additional agents. Source: CSCvb26089

2. Can we integrate existing syslog with FTD for identity-based policy?

What do you mean by integration? Parsing a random syslog stream for identity mappings? If yes, no, that is not supported.

3. Can we integrate Citrix XenApp with FTD for identity-based policy?

Yes. You can use the Terminal Server Agent starting with version 6.2. This works by assigning each user on the terminal server a unique source port range, so a user can be mapped to <ipaddress>:<source-port-range>.

4. Can we integrate a third-party authorization server with FTD for identity-based policy?

If you are using Active Authentication (Captive Portal) you can use Kerberos to authenticate.

5. Can access be allowed/denied based on the device that the user used for a previous login?

That sounds like a very weird requirement. If I understand this correctly you want to know if we can block/permit traffic for IP addresses which a user has had before. No.

6. Identity firewall solution for non-domain devices, including personal mobile devices?

Captive Portal, but to be honest ISE integration is the way to go for this. Guest access via WLAN controller to get identity into ISE and publish to FMC via pxGrid (alternative to User Agent; Cisco ISE required!)

7. Maximum user-to-IP mappings supported on the FTD 9300 appliance?

I am not aware of any hard limits. If you have a large-scale deployment you should definitely reach out to Cisco for guidance. Believe me, you will do it either way if you encounter issues later on. I have pushed around 4k mappings to an SM-24 module so far without issues.

8. Maximum user groups supported on the FTD 9300 appliance?

I am not aware of any hard limits. If you have a large-scale deployment you should definitely reach out to Cisco for guidance. I have had no issues with testing of 4k groups and 12k users, but don't do this in production. Keep in mind that AD will only report a max of 1500 users in one group due to a flag set on the Windows server. If you need to increase this value a config change on the Windows side is required. Details: CSCva06227

9. How many IP addresses can a user identity be mapped against?

I am not aware of any hard limits. If you have a large-scale deployment you should definitely reach out to Cisco for guidance.

10. Can the timer be set per server (different for AD and syslog)?

Since you can't provide identity integration with syslog there are no different timers. You may set the global timeout for identity mappings to expire after a period of time.

11. In case of fail-over to the standby device, is user-IP and user-group database synchronisation achieved, including other run-time information?

User-to-IP mappings are always synced to both firewalls from FMC, so you should not have any state-related issues with user identity. If you want to know which feature is synced to which degree you might want to check out the FMC 6.2 config guide for further information.

12. Can segregation be performed based on access from domain and non-domain devices (i.e. differential user access levels for domain and non-domain devices)?

Yes. One rule using an identity group and one rule without an identity group. :)

13. Capability to extend the user identification policies to personal mobile devices?

If your mobile device can trigger a logon event in AD, that's possible. ISE would be another option.

14. If a single user logs in through multiple devices (including domain, non-domain and mobile), how will the identity FW react to this?

There is only a difference between passive and active authentication. As a general rule of thumb the same user can log in to multiple devices (1:n relation between user and device) and policy can be enforced for each device without issues. Multiple users to one IP address is only supported using the Terminal Server Agent.

15. Support for client IP probing and configurability of the probe timing?

FMC can probe clients to fill its host profiles, but what exactly do you mean by probing, and for what information?

16. Integration with McAfee SIEM, any open-source SIEM, Nessus vulnerability scanner?

You can always push your events using either eStreamer or syslog to your logging server. Logpoint & Splunk integration is working out of the box. (Logpoint due to a recent project, so not sure if it's publicly available yet.)

After going through all of this I have to say this sounds like a list from a bidding. If that's indeed the case please engage Cisco presales support for partners, who will be happy to help you out.
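The mapping behaviour described in answers 3, 10 and 14 (one user per IP for passive logins, a user holding several IPs, several users sharing a terminal-server IP split by source-port range, and a single global expiry timeout), as an added illustration that is neither from the original post nor Cisco's code. Everything here is a constructed, hypothetical model with made-up users and addresses.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Mapping:
    user: str
    ip: str
    learned_at: float                               # epoch seconds the mapping was learned
    port_range: Optional[Tuple[int, int]] = None    # set only for Terminal Server Agent entries

class IdentityTable:  # constructed model, not Cisco's implementation
    def __init__(self, timeout_s: float):
        self.timeout_s = timeout_s                  # global mapping timeout (answer 10)
        self.mappings: List[Mapping] = []

    def learn(self, m: Mapping) -> None:
        # Passive login: one user per IP, so a new login replaces the old user on that IP.
        # A user may still hold several IPs (1:n user-to-device, answer 14).
        if m.port_range is None:
            self.mappings = [x for x in self.mappings if not (x.ip == m.ip and x.port_range is None)]
        self.mappings.append(m)

    def resolve(self, ip: str, src_port: int, now: float) -> Optional[str]:
        # Drop expired entries, then match by IP; a shared terminal-server IP also needs the port.
        self.mappings = [x for x in self.mappings if now - x.learned_at < self.timeout_s]
        for x in self.mappings:
            if x.ip != ip:
                continue
            if x.port_range is None:
                return x.user
            lo, hi = x.port_range
            if lo <= src_port <= hi:
                return x.user
        return None                                 # unknown user: identity rules will not match

def demo() -> dict:
    t = IdentityTable(timeout_s=3600)
    t.learn(Mapping("alice", "10.1.1.10", 0))                           # workstation login
    t.learn(Mapping("alice", "10.1.1.11", 0))                           # same user, second device
    t.learn(Mapping("bob", "10.1.2.5", 0, port_range=(10000, 10999)))   # terminal server, TSA ranges
    t.learn(Mapping("carol", "10.1.2.5", 0, port_range=(11000, 11999)))
    return {
        "alice_dev1": t.resolve("10.1.1.10", 50000, now=10),
        "alice_dev2": t.resolve("10.1.1.11", 50001, now=10),
        "ts_bob": t.resolve("10.1.2.5", 10500, now=10),
        "ts_carol": t.resolve("10.1.2.5", 11500, now=10),
        "ts_unknown_port": t.resolve("10.1.2.5", 20000, now=10),
        "alice_expired": t.resolve("10.1.1.10", 50000, now=4000),       # past the 3600 s timeout
    }
```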

9 Replies

Marvin Rhoads
Hall of Fame

Such a long list of questions would benefit better from a conversation with your preferred partner or Cisco Systems Engineer (SE).

Hi,

Actually, we are deploying Cisco Firepower appliances on a customer site.

The customer wants to know details about Cisco Firepower identity sources and how they work, to compare with other firewalls.

I need this information urgently, so that I can discuss it with them to finalise the proposal.

I am not able to discuss this with a Cisco partner or engineer. If I get half the information, that will be beneficial for me as well.

How can I find out about this?

Thanks


"this sounds like a list from a bidding"

That's why I declined to reply in detail. I don't complete other partners' bid responses or students' homework.

Thanks kaisero.

Ciao,

Regarding integration between ISE and FMC, is it possible to see the information about a guest username in the FMC events log?

I did it today and I used both SGT and endpoint information, but I've not seen any usernames in the events log.

Thanks

Hello kaisero,

Thanks a lot for your answers. It helps me a lot.

I have further queries about Cisco Firepower Threat Defense, related to AMP and other features.

Below are my questions.

1. Applications running in the network on non-standard ports?

2. Content updates on the FTD platform without disrupting traffic inspection?

3. Integration of selective forwarding of firewall logs with existing SIEM?

4. Ability to block known bad files such as .scr, .hlp, .lnk, .js, .hta, MS+Macro, etc. without the need of sandbox analysis (performance part, as we cannot test performance)?

5. Integration with VMware vCenter for mapping guest VM hosts directly into DAG to ease the policy framework even when guest VMs have moved to another ESXi host?

6. Creating schedule-based application & URL-filtering rules?

7. Integration with proxy server & using XFF headers for identity of users behind the proxy?

8. Test malware samples targeted for Mac OS & Android APK files?

9. Integration of 3rd-party threat intelligence feeds?

10. Integration of firewall with existing firewall policy management tools for rule base management?

11. Block unknown URLs to prevent call-backs to newly generated URLs by malware?

12. Detect and block TCP port scan, UDP port scan and host sweep, and block the IP address of the attacker for a specified time duration traversing the firewall?

13. 2-factor authentication pop-up for specific critical applications and with pre-defined timers for re-auth of each application?

14. DNS sinkhole to identify the actual infected host on the network trying to request a bad URL?

15. Test and validate the ability to inspect the transfer of suspicious files over SSL (SSL decryption), block known files and analyze the behavior of unknown files when they run?

16. Test and validate defense against attacks over Facebook file transfers (file transfer methods over applications like Google, Facebook, etc.; file transfers over port 80)?

17. Credential theft prevention?

It would be great if you could help me!

Thanks

Shubham

Please contact Cisco to support you with answering those questions if you don't want to research...

Personally I don't mind helping even with partner inquiries, but you only copy-paste the questions your customer wants answered... Research all the questions yourself using the online resources, then post again to verify if you are mistaken somewhere. ;)

Hello,

I have done various research on the above questions, but I did not get answers for them.

There are various questions I have; for some I found answers, but the above questions are not getting anywhere.

Thanks
