FMC and AD integration

Hi Experts,

We have an ASA with Sourcefire (6.4) running, and in the network I manage I see no AD agent configured (System -> Integration), but I do see usernames under User Activity. There are no realms or identity policies configured.

Under User Activity, usernames are mapped to IP addresses with Realm: Discovered Identities and Authentication Type: No Authentication.

We have Network Discovery set with Hosts and Users selected. Can someone please suggest how, without the AD agent or a realm configured, the FMC learns about the users?

Thanks in advance

Regards
Sri

Accepted Solution

Sourcefire User Agent will actively query your domain controller(s) to get the username-IP address mapping. Passive identity methods are dependent on unencrypted traffic passing through the firewall with the username revealed (and it only does it for a subset of applications).

If the Firepower device isn't getting the identity from either an active or passive method, it will give you the indication about "No authentication required". Basically saying it doesn't know the username and you haven't configured it to be a requirement.

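The passive method described in the accepted solution only works for the handful of protocols that carry the username unencrypted past the firewall. The following Python is an added illustration of that limit, not Cisco's or Firepower's code: it pulls usernames out of constructed FTP, POP3, IMAP and HTTP Basic payloads, leaves a TLS flow and a malformed Basic header unattributed, and reports those initiators as "No Authentication Required". The protocol subset, the Flow record and the sample flows are assumptions made for the example.

```python
"""Passive user-to-IP attribution from cleartext protocol payloads.

Added illustration, not Cisco/Firepower code. A passive identity source
can only name a host when an unencrypted protocol carries the username in
the clear; the protocol subset, the Flow record and the sample flows below
are assumptions made for this example.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str      # initiator (the host we want to attribute)
    dst_ip: str
    dst_port: int
    payload: bytes   # client-to-server bytes as seen on the wire


# Cleartext login exchanges a passive observer can read (assumed subset).
_FTP_POP3_USER = re.compile(rb"^USER (?P<user>[^\r\n]{1,64})\r\n", re.M)
_IMAP_LOGIN = re.compile(rb'^\S+ LOGIN "?(?P<user>[^\s"]{1,64})"? ', re.M)
_HTTP_BASIC = re.compile(rb"^Authorization: Basic (?P<b64>[A-Za-z0-9+/=]+)\r\n", re.M)


def extract_username(flow: Flow) -> Optional[Tuple[str, str]]:
    """Return (protocol, username) if the payload exposes one, else None."""
    if flow.dst_port in (21, 110):
        m = _FTP_POP3_USER.search(flow.payload)
        if m is None:
            return None
        proto = "ftp" if flow.dst_port == 21 else "pop3"
        return proto, m["user"].decode("ascii", "replace")
    if flow.dst_port == 143:
        m = _IMAP_LOGIN.search(flow.payload)
        return ("imap", m["user"].decode("ascii", "replace")) if m else None
    if flow.dst_port == 80:
        m = _HTTP_BASIC.search(flow.payload)
        if m is None:
            return None
        try:
            creds = base64.b64decode(m["b64"], validate=True)
        except ValueError:          # binascii.Error is a ValueError
            return None
        user, sep, _password = creds.partition(b":")
        if not sep or not user:     # RFC 7617 requires "user:password"
            return None
        return "http-basic", user.decode("utf-8", "replace")
    # TLS, Kerberos, NTLM-sealed SMB, RDP, ...: nothing readable here.
    return None


class PassiveIdentityMap:
    """IP -> (username, protocol) learned only from observed traffic."""

    NO_IDENTITY = "No Authentication Required"

    def __init__(self) -> None:
        self.by_ip: Dict[str, Tuple[str, str]] = {}

    def observe(self, flow: Flow) -> bool:
        """Record a mapping if this flow reveals one; True when it did."""
        hit = extract_username(flow)
        if hit is None:
            return False
        proto, user = hit
        self.by_ip[flow.src_ip] = (user, proto)   # last cleartext login wins
        return True

    def initiator_user(self, ip: str) -> str:
        """What a connection event would show in its Initiator User column."""
        entry = self.by_ip.get(ip)
        return entry[0] if entry else self.NO_IDENTITY


def learn(flows: Iterable[Flow]) -> PassiveIdentityMap:
    table = PassiveIdentityMap()
    for flow in flows:
        table.observe(flow)
    return table


# Constructed sample traffic for the example (not captured data).
SAMPLE_FLOWS = [
    Flow("10.0.0.11", "10.0.0.5", 21, b"USER alice\r\nPASS hunter2\r\n"),
    Flow("10.0.0.12", "10.0.0.6", 80,
         b"GET / HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
         + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    Flow("10.0.0.13", "10.0.0.7", 143, b'a001 LOGIN "carol" "pw"\r\n'),
    # TLS ClientHello: the username travels inside the encrypted session.
    Flow("10.0.0.14", "10.0.0.8", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    # Basic header that decodes but lacks the user:password form.
    Flow("10.0.0.15", "10.0.0.6", 80, b"GET / HTTP/1.1\r\nAuthorization: Basic Ym9i\r\n\r\n"),
]

if __name__ == "__main__":
    table = learn(SAMPLE_FLOWS)
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src_ip:<10} -> {table.initiator_user(flow.src_ip)}")
```

Only the three hosts that logged in over a cleartext protocol get a name; the TLS client and the malformed header stay at "No Authentication Required". That is the practical reason a network where logons are all Kerberos or TLS shows mostly unattributed hosts until an active source such as the User Agent is added.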

5 Replies

Marvin Rhoads (Hall of Fame)

It can discover username-IP address mapping via passive inspection of any unencrypted traffic flowing through the appliance.

Hi Marvin,

Thanks for the reply.

Yeah, user-IP mapping is learnt by Network Discovery. Since this is a passive one, how different is this from gaining the same info from the Sourcefire agent?

And in Connections -> Events -> Table View, the Initiator User shows: No authentication required.

Could you please assist with what this means?


Hi Marvin,

Thanks a lot for the info. It's very informative and helpful.

One final question. We're running an ASA with Sourcefire, and I noticed there are some policies configured under Access Control Policies (ACP).

1. Since we already have firewall policies in the ASA, I'm not sure why we configure an ACP in Sourcefire with the action 'Allow'?

2. Is there any default-deny or implicit deny for the ACP policies, similar to typical firewall rules?

As far as access control policies used for Firepower service modules go, we typically use them to enhance the ASA Layer 4 policies with the Layer 7 IPS capabilities of Firepower: Intrusion Prevention using the Snort engine, Security Intelligence enforcement (blocking known bad sites and addresses), URL Filtering, Malware protection, Geolocation blocking and such.

There's no implicit deny, but there is a default action, which we most often set to a Balanced Security and Connectivity intrusion policy.
