SourceFire

S.ashok S
Level 1

Hi,

I have integrated the SourceFire module with our AD and am able to fetch details from AD, but whenever we create a rule in the access policy based on a user name from AD, the policy is not applied, while a policy based on source IP address works.

Whenever a user logs into the system as a domain user, SourceFire should receive that information from the SourceFire agent, but when we check Analysis -> Users -> User Activity in SourceFire, the entry is not shown.

Kindly help us to resolve the issue.

Thanks and regards,

Ashok

Accepted Solution

inlandprinting
Level 1

I had similar problems until just recently. The first part of the issue was that the domain controllers needed to be set up to log logon/logoff events. This is done through advanced audit policies, and I set mine up through a GPO that I applied to all DCs. The second problem I had seemed to be with the agent. I updated my agent to 2.3, dumped all the original configurations and re-added my domain controllers. This seemed to only work when I used the FQDN of the DCs, or localhost for the DC the agent was installed on. I used a domain admin service account for the polling.

Finished this last week and have been monitoring. I notice in FireSIGHT that all of my DCs are now reporting a last report time, and my user events list has grown significantly.
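The two fixes in the accepted solution (turn on Logon/Logoff auditing on every DC, then make sure the agent can actually poll the DC by FQDN) can be checked from the command line. The following PowerShell is an added example, not part of the original post or of Cisco's documentation. It assumes placeholder names (dc1.corp.example for the DC, CORP\svc-fsua for the polling account), and it assumes the Logon and Logoff subcategories are the ones the agent needs (the poster says "Logon/Logoff events" without naming subcategories). Steps 1 to 4 run elevated on a DC, or you replicate the same subcategories in a GPO linked to the Domain Controllers OU; step 5 runs on the host where the User Agent is installed. One caveat a practitioner would add: the thread also links to Cisco's minimum-permissions document, and a domain admin account for polling is more privilege than the agent needs for reading an event log, so verify the account's rights against that document rather than defaulting to domain admin.

```powershell
# Added example, not from the original thread. Placeholder names:
#   dc1.corp.example  - a domain controller
#   CORP\svc-fsua     - the service account the User Agent polls with

# 1. Enable the Logon/Logoff subcategories that produce 4624/4634 on the DC.
#    Assumption: these two subcategories are what the agent needs.
auditpol /set /subcategory:"Logon"  /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:enable

# 2. Advanced (subcategory) auditing is ignored if the legacy category policy is
#    allowed to override it. The GPO setting is "Audit: Force audit policy
#    subcategory settings (Windows Vista or later) to override audit policy
#    category settings"; it maps to the registry value checked here.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$v = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($v -eq 0) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is explicitly 0: legacy category auditing will override the subcategories set above.'
}

# 3. Show the effective policy so the change can be confirmed (or compared after gpupdate /force).
auditpol /get /category:"Logon/Logoff"

# 4. Confirm fresh 4624 events are actually being written on this DC.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-15) } -MaxEvents 5 |
    Select-Object -Property TimeCreated, Id, MachineName

# 5. From the User Agent host: prove the polling account can read the DC's
#    Security log over WMI, addressing the DC by FQDN as the accepted solution
#    recommends. If this fails, the agent will fail the same way.
$cred = Get-Credential -UserName 'CORP\svc-fsua' -Message 'User Agent polling account'
Get-WmiObject -ComputerName 'dc1.corp.example' -Credential $cred -Class Win32_NTLogEvent `
    -Filter "Logfile='Security' AND EventCode=4624" |
    Select-Object -First 3 -Property TimeGenerated, EventCode, ComputerName
```

Step 5 is the discriminating check: step 4 passing while step 5 fails means auditing is fine and the problem is name resolution, DCOM/WMI reachability, or the polling account's rights on the DC, which is the second half of the accepted solution.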


Aastha Bhardwaj
Cisco Employee

Hi,

Please check the basic configuration first. Refer to this link: http://www.cisco.com/c/dam/en/us/td/docs/security/firesight/user-agent/FireSIGHT-User-Agent-Configuration-Guide-v2-2.pdf

Also check whether you have granted the minimum permissions:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html

Also check in the AD Event Viewer whether you get the logon and logoff events, i.e. event ID 4624, for that IP and user. Check the corresponding logs on the User Agent.

Log in to the machine that is running the User Agent, go into the directory where the User Agent files are and run "Tools.exe". Then select the "User Map" tab and export all of the current user-to-IP mappings to a CSV. Then open the CSV and find out who is currently logged into the IPs.

If the User Agent has the correct mapping of IP to user, then the DC should also see the same.

Regards,

Aastha Bhardwaj

Rate if that helps!!!
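The check above asks you to look for 4624 events for a given IP and user on the DC and compare them with the User Agent's User Map export. Doing that by hand in Event Viewer is slow, so here is an added example (not from the thread, and not a Cisco tool) that builds the same IP-to-user view from the DC's own Security log. It parses the 4624 EventData fields by name and writes a CSV you can set beside the Tools.exe export. The filtering rules (drop machine accounts, anonymous/system logons, events without a source address, and service/batch logon types) are my assumptions about which logons represent a user on a host; the User Map CSV format is not on the page, so the comparison is left to the reader.

```powershell
# Added example, not from the original thread. Run on a domain controller
# (or add -ComputerName to Get-WinEvent). Output file name is a placeholder.
param(
    [int]$Hours = 1,
    [string]$OutFile = '.\dc-user-ip-map.csv'
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # 4624 stores its fields in EventData; read them by Name, not by position,
    # so the script does not break if the field order differs between OS versions.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType   = [int]$data.LogonType
        IpAddress   = $data.IpAddress
        Workstation = $data.WorkstationName
    }
}

# Assumption: only real users with a routable source address are useful for an
# IP-to-user map. Machine accounts end in '$'; '-' and loopback mean no source;
# logon types 4 (batch) and 5 (service) do not place a person on a host.
$usable = $rows | Where-Object {
    $_.User -notmatch '\$$' -and
    $_.User -notmatch 'ANONYMOUS LOGON|\\SYSTEM$' -and
    $_.IpAddress -and ($_.IpAddress -notin @('-', '::1', '127.0.0.1')) -and
    ($_.LogonType -in @(2, 3, 7, 10, 11))
}

# Keep the most recent user seen from each IP, which is what the agent's map holds.
$mapping = $usable | Group-Object IpAddress | ForEach-Object {
    $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
    [pscustomobject]@{
        IpAddress = $_.Name
        User      = $latest.User
        LogonType = $latest.LogonType
        LastSeen  = $latest.Time
    }
}

if (-not $mapping) {
    Write-Warning "No usable 4624 events in the last $Hours hour(s). Check the Logon/Logoff audit policy on this DC before blaming the agent."
}

$mapping | Sort-Object LastSeen -Descending | Format-Table -AutoSize
$mapping | Export-Csv -Path $OutFile -NoTypeInformation
```

If an IP shows up here but not in the Tools.exe User Map export, the DC is logging the event and the gap is between the agent and the DC; if it is missing here too, the DC is not auditing the logon and no amount of agent reconfiguration will surface it.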

Hi,

Thank you for your reply.

The Cisco TAC team has asked me to upgrade the FireSIGHT center as well as the SourceFire software to the latest version. Tomorrow we are going to upgrade. Will post the result.

Thanks and regards,

Ashok 

Hi,

Even after we upgraded to the latest version, the problem was not solved.

As said by Mr. inlandprinting in the above post, we enabled logging of logon/logoff events in AD and then it started working.

Thanks and regards,

Ashok


S.ashok S
Level 1

Hi,

The problem has come back again after we upgraded to version 6.0, which supports decryption of HTTPS traffic. Has anybody faced this issue in version 6.0? If yes, kindly help us to fix it.

Thanks and regards,

Ashok 
