01-19-2015 07:26 PM - edited 03-11-2019 10:22 PM
Hi,
I recently set up a lab for ASA with FirePower integrated with a Microsoft AD deployment,
but I am wondering whether FirePower must install an agent on the AD server?
I installed the agent on the AD server and set up the LDAP connection on the FireSIGHT VDC server,
then it could fetch the AD forest, and the dashboard for source/destination user could display all the user information,
but I tried removing the agent and stopping the service on AD, and the FireSIGHT VDC can still set up the LDAP connection,
so I am wondering whether FirePower must install an agent on the AD server.
If not, is there any difference between installing and not installing it?
Please help, thanks!
01-19-2015 08:07 PM
Are you asking about the Sourcefire User Agent (SFUA)?
Defense Center / FireSIGHT Management Center (old and new names) use that to get user identity for reporting. Even if the SFUA is uninstalled, it will still have the historical record.
01-19-2015 08:24 PM
Thanks Marvin Rhoads,
I see...
So if I want to deploy a POC environment and need to show LDAP user information on the dashboard,
then I must install SFUA on the AD server?
01-20-2015 12:42 PM
SFUA must be installed on a machine in your environment. It doesn't need to be on the domain controller itself, but it will use a username with credentials that can query the DC's Security logs for logon/logoff events etc.
It uses WMI, and there are detailed instructions in the SFUA User Guide. Regarding the privileges needed by the SFUA user in AD, see the more explicit tips here:
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html
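The reply above describes what the User Agent actually depends on: an account that can reach a domain controller over WMI and read logon/logoff events from its Security log. The script below is an added example, not part of this thread and not Cisco's SFUA code or its tools.exe utility. It performs the same two checks from the host the agent runs on, so a defender can tell whether the problem is WMI reachability, the account's rights, or simply no logon events being audited. The DC name, the time window and the account are assumptions; the InsertionStrings indices follow the standard layout of events 4624 and 4634.

```powershell
# Added example (not from the thread, not Cisco's SFUA code): verify that the
# account the User Agent runs with can query a domain controller's Security log
# over WMI for logon (4624) and logoff (4634) events.
param(
    [string]$DC = "dc01.example.local",   # assumed DC hostname; use "localhost" when run on the DC itself
    [int]$Minutes = 15                     # assumed look-back window
)

# Get-WmiObject refuses explicit credentials for a local connection, so only
# pass -Credential when targeting a remote DC (the "use localhost on the DC" point).
$wmi = @{ ComputerName = $DC; ErrorAction = 'Stop' }
if ($DC -notin @('localhost', '.', $env:COMPUTERNAME)) {
    $wmi.Credential = Get-Credential -Message "Account the User Agent runs with"
}

# 1. Basic WMI reachability (DCOM/RPC: TCP 135 plus the dynamic RPC range).
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem @wmi
    Write-Host ("WMI OK: {0} ({1})" -f $os.CSName, $os.Caption)
} catch {
    Write-Host ("WMI connection failed: {0}" -f $_.Exception.Message)
    return
}

# 2. Read recent logon/logoff events from the Security log. WQL compares
#    TimeGenerated against a DMTF-formatted timestamp.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-$Minutes))
$query = "SELECT EventCode, TimeGenerated, InsertionStrings FROM Win32_NTLogEvent " +
         "WHERE Logfile='Security' AND (EventCode=4624 OR EventCode=4634) " +
         "AND TimeGenerated >= '$since'"
try {
    $events = Get-WmiObject -Query $query @wmi
} catch {
    # Typical cause: the account lacks Event Log Readers membership or
    # Remote Enable / Enable Account on the root\cimv2 WMI namespace.
    Write-Host ("Security log query failed: {0}" -f $_.Exception.Message)
    return
}

if (-not $events) {
    Write-Host "Connected, but no 4624/4634 events in the last $Minutes minutes; check the DC's audit policy (Audit Logon / Logoff)."
    return
}

# 3. Summarise what the agent would see. For 4624, InsertionStrings[5] is the
#    target account and [18] the source IP; for 4634, [1] is the target account.
$events | Sort-Object TimeGenerated | ForEach-Object {
    $t = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
    if ($_.EventCode -eq 4624) {
        "{0:u} LOGON  user={1} ip={2}" -f $t, $_.InsertionStrings[5], $_.InsertionStrings[18]
    } else {
        "{0:u} LOGOFF user={1}" -f $t, $_.InsertionStrings[1]
    }
}
```

Run it as the agent's service account from the member server that hosts the agent. If step 1 fails, the issue is network or DCOM reachability to the DC; if step 2 fails, it is the account's WMI or event-log rights; if both succeed but no events are returned, the DC is not auditing logons, and the agent would have nothing to report either way.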
01-21-2015 08:43 AM
Thanks Marvin,
If I want to configure the ASA SFR module in monitor-only mode,
and I only need to collect user access information on the FireSIGHT dashboard,
with no user access control, must I still install the agent to connect to the domain controller?
Or can FireSIGHT collect user access information agentlessly?
01-21-2015 11:22 AM
Without an SFUA, the system will give its best guess based on observed traffic.
The SFUA will be able to query the domain controller(s) via WMI and thus correlate logon/logoff events that are only available via that method.
01-22-2015 04:03 AM
Thanks Marvin,
Can I use a member of the Domain Admins group for the connection between the domain controller and the agent instead of configuring WMI?
01-22-2015 06:43 AM
SFUA is required for accurate user information. It needs to use WMI and does not have the option of using other methods.
Please see the SFUA documentation for details.
https://support.sourcefire.com/sections/10/sub_sections/46
01-26-2015 11:21 PM
Thanks Marvin,
I installed the agent on a host and configured the DC's IP and AD settings. Now I can see the status is 'available' and the polling log for AD keeps updating, but I see the "last reported" columns in the AD and Sourcefire DC tabs are empty; no user logon/logoff events appear on FireSIGHT, and it also doesn't show user IDs and IP addresses.
I have made sure the network discovery and LDAP agent and connection settings are configured, but I still can't see the user information on FireSIGHT... Please help me...
05-19-2015 12:08 AM
Hi CHANG,
I am facing the same issue as you were facing.
"I installed the agent on a host and configured the DC's IP and AD settings. Now I can see the status is 'available' and the polling log for AD keeps updating, but I see the "last reported" columns in the AD and Sourcefire DC tabs are empty; no user logon/logoff events appear on FireSIGHT, and it also doesn't show user IDs and IP addresses."
Was your case resolved? If so, please do share the solution.
08-26-2016 07:16 AM
Same problem over here... ;-)
08-26-2016 08:09 PM
There is a 'tools.exe' (recalling from memory) utility for troubleshooting in the SFUA installation directory.
Run it as administrator and go through the testing options it provides.
You might also check the (not quite the same, but almost) guide that's provided with ISE 2.1 for querying AD.
Reference: http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01101.html?bookSearch=true#concept_8CFD8CF4072E4C7BBD01CED44D8FBC54
08-29-2016 07:49 AM
Hi, yes, I know the test tool...
I tried it...
Here is what I did: I tried a service account with the following rights:
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html
It doesn't work, so I took an account (Domain Admin, Enterprise Admin, Schema Admin), and now the test tool says yes, it works. But the agent doesn't map users and doesn't report to my Firepower:
I set the identity source:
I ran tests, and they're communicating.
The
netstat -tan | grep 330
doesn't show me the full column, but it seems to be OK.
But:
DC is Available, Real-time Status Available, sometimes Management Center is Available, now it's Pending
(when I restart the server with the User Agent, sometimes everything is Unknown...)
and it never reports to Firepower...
I don't really understand: the tool says we get a connection, but nothing is reported? Ah, I have a realm, and there the "user download" works really well... Meanwhile I'm really at a loss; I don't really know what's wrong with the User Agent...
08-29-2016 07:58 AM
The issue is most often with the connection to AD and the ability to retrieve messages from it.
Which version of the User Agent are you using? I have seen fewer issues when running the latest release (currently version 2.3).
Are you running it on the DC itself or from another host? If you are on the DC, you need to use localhost as the target rather than the IP address.
08-30-2016 02:36 AM
I use version 2.3.10 of the User Agent, and it's not on a DC, just a member server; when I read about the SQL Compact installation, I did not want it on a DC...
First I thought the antivirus was the problem, but on a member server without antivirus I got similar problems, and I excluded the User Agent's path from scanning.