05-25-2017 06:06 PM - edited 03-12-2019 06:24 AM
Hi,
Need some advice on FireSIGHT User Agent. I have a FireSIGHT Management Center managing a number of ASAs with Firepower services and integrated with a global AD.
1. How many FireSIGHT User Agents shall I deploy?
2. Do FireSIGHT reports get the information from the AD Event Viewer database?
3. With different DHCP servers in each location, will this affect the reports and network control? For example, sites shall not have overlapping IP networks, etc.
Or is it okay to have overlapping IP networks, since firewall rules/filtering etc. are implemented in the individual ASAs?
Thank you
Meng
05-26-2017 01:42 AM
Overlapping subnets will be a problem since the User Agents all report back to FMC. The FMC would not know that address a is user a for one ASA but user b for a different ASA.
Generally the rule of thumb is that you need a user agent querying at least every domain controller that processes user logons. (It queries the Event Logs via WMI.)
A given agent can query up to 5 servers. Reference:
http://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/23/config-guide/Firepower-User-Agent-Configuration-Guide-v2-3/Intro.html#50942
...so plan your deployment accordingly.
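A planning check for the two constraints in the answer above, added here as an example and not part of the original post or any Cisco tooling: it flags subnets that overlap between sites (which would make IP-to-user mappings ambiguous at the FMC) and groups domain controllers into agents of at most five servers. The site names, subnets and DC names are constructed sample data, and it assumes any agent can reach any DC.

```python
import ipaddress
from itertools import combinations

MAX_SERVERS_PER_AGENT = 5  # per-agent limit stated in the answer above

# Constructed sample inventory: hypothetical sites, subnets and DC names.
SITES = {
    "site-a": {"subnets": ["10.10.0.0/16"], "dcs": ["dc-a1", "dc-a2"]},
    "site-b": {"subnets": ["10.20.0.0/16", "192.168.50.0/24"], "dcs": ["dc-b1"]},
    "site-c": {"subnets": ["10.10.128.0/17"], "dcs": ["dc-c1", "dc-c2", "dc-c3"]},
}


def find_overlaps(sites):
    """Return (site, subnet, site, subnet) for subnets that overlap across sites."""
    nets = [
        (name, ipaddress.ip_network(subnet))
        for name, data in sorted(sites.items())
        for subnet in data["subnets"]
    ]
    return [
        (s1, str(n1), s2, str(n2))
        for (s1, n1), (s2, n2) in combinations(nets, 2)
        if s1 != s2 and n1.overlaps(n2)  # same-site overlaps are not the FMC problem
    ]


def plan_agents(sites, per_agent=MAX_SERVERS_PER_AGENT):
    """Split every logon-processing DC into groups of at most per_agent servers."""
    dcs = sorted(dc for data in sites.values() for dc in data["dcs"])
    return [dcs[i:i + per_agent] for i in range(0, len(dcs), per_agent)]


if __name__ == "__main__":
    for s1, n1, s2, n2 in find_overlaps(SITES):
        print(f"OVERLAP: {s1} {n1} <-> {s2} {n2} (user mapping ambiguous at FMC)")
    for idx, group in enumerate(plan_agents(SITES), start=1):
        print(f"agent-{idx}: {', '.join(group)}")
```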