Hello all,
Apologies if I placed this in the wrong forum - this is more of a FirePOWER general inquiry. I have implemented TAMC on an ASA 5506 and I'm managing FirePOWER services on the ASA itself via ASDM. I have the balanced IPS policy in place, as well as a couple of manual URL filtering rules and AMP running. While I can see that the system is doing its job for the most part, I find the reporting to be woefully inadequate. A couple of examples:
If I look at the Reporting dashboard - Network Overview, under applications I see the protocols using the most bandwidth. For instance, I see BitTorrent listed and I want more info, so I click on that link and am taken to the details, where I can see the list of users and their transactions and data usage (I do have LDAP AD integration and the agent installed on a machine on my network). But the vast majority of transactions fall under the user NotAvailable(0). Some of this I understand, as not everyone on my LAN is a domain member and thus not authenticating with AD credentials. Where I have a problem is that I can't see even rudimentary information concerning this traffic, such as the IP addresses of the offending hosts. Even when I do see a user associated with certain interesting traffic, I cannot identify the machine on the network that the user might be operating from. This leads me to the next example:
Apparently AMP is blocking some malicious traffic from a PC on my network, as it has identified a threat and states that it is outbound traffic ("MALWARE-CNC Win.Trojan.Gh0stRAT variant outbound connection"), but that seems to be as far as the reporting goes. I cannot determine, for instance, the source or destination hostname or IP address. This is obviously not very helpful information. I can see that there are threats on or to my network, but I'm flying blind when it comes to mitigating them.
So this brings me to my questions. What am I missing? I realize that the logging necessary, and thus the memory required to store detailed reports, is asking a lot of a 5506, and I assume that is the problem, but what are my options? I am aware of the separate VM-based Defense Center and/or FireSIGHT box and/or FirePOWER Management Center, but I must say the subject is incredibly murky. Even Cisco TAC seems confused by all the different terms, products, and options. I assume I would need to buy a license for it, which is no problem, but my Cisco partner/reseller tells me that Cisco is actually moving to in-box management even on the larger ASAs (I asked about the 5515/5516 specifically).
Will DC/FireSIGHT give me the intelligence/visibility I'm seeking, assuming it will not be discontinued shortly? Or is there an in-box tool that I have overlooked?
I really love the concept of FirePOWER on an ASA, and coupled with AMP for Endpoints, which I'm trying to learn more about, it seems to make for a very powerful solution. However, so far the reporting has been so lacking that I don't know if I should continue investing resources and time in the product.
Thanks for your time and any insight you may be able to provide.