For the past 2 weeks I've been using the FirePOWER Management Center (VMware) with my ASA5516-X. I have configured the DC to do network discovery on my network and I'm very surprised by the presumed Operating Systems in my network. It thinks the Windows 10 devices are running Windows 7 (Vista, 7, Server 2008, Phone 7.5, Phone 8.0, 8), and with our Windows Server 2012 R2 servers it's showing the same.
The reason I am surprised by this result is that when I go to Analysis -> Hosts -> Discovery Events and look at the Description column of the discovery events where the devices are discovered, it shows the following:
Windows 10 discovery -> OS Microsoft Windows 10 NULL device is
Windows Server 2012r2 discovery -> OS Microsoft Windows 8, Server 2012 NULL Device is
Am I missing something here? Why is the FirePOWER Management Center showing old Operating Systems in the host profiles while the Discovery Events are clearly showing the right Operating Systems?
Did you figure this out? I have the same question and I am a Google ninja but see nothing on why my 2012 servers are showing as Windows 7. We are on 126.96.36.199-1023 btw.
Nope, I haven't received a response yet. Let's just assume the guys at Cisco are on vacation, because otherwise Cisco can learn a lot from Microsoft, where you receive a response within 3 days from an MVP on their TechNet forum. I chose Cisco because of their large community, or at least that's what I thought, but I've posted 2 discussions (incl. this one) in this forum in the last 30 days and never received any responses.
Cisco Support Community is a community that relies primarily on your fellow Cisco users to answer questions. While some Cisco staff contribute, it is not a formal support arrangement with associated service levels.
If you have a specific problem requiring Cisco support, you can open a TAC case and receive support according to the coverage you have purchased.
That said, with FirePOWER events and data it can be tricky to work out why a given host appears a certain way in your FMC, since there are so many variables involved. Host OS identification is primarily a passive activity, in that FMC most often derives its conclusion from traffic passing through the registered sensor according to the policies that are set. If you find OS identification to be wrong, there are several remedies.
The most specific is to go into the host profile and edit the Operating System. That addresses a one-time or occasional manual correction. It's obviously not very scalable.
More generally, if passive identification is not meeting your need you can create a correlation policy and use nmap as the remediation. You can also set nmap to run on a periodic basis against certain hosts or subnets and thus better inform FMC via the results of active scans rather than the default passive method it uses.
The FirePOWER Management Center Configuration Guide has a whole chapter on nmap scanning.
I had a feeling you were going to say that about this forum. From now on I'll create a TAC ticket for every question I have. The drawback is that the only person who receives the answer is me, and then it's up to me whether I want to share it with the rest of the world.
Coming back to the subject. Naturally I also did an nmap scan, but the result was even worse than the passive scan. Probably because nmap version 6.01 is being used, which was released in June 2012, when Windows 10 and Server 2012 R2 were not even released yet. I will drop this question with the TAC support team and I will get back when I have an answer.
Ah I hadn't realized the nmap distribution is so out of date. I wonder if one could slip in the current nmap until Cisco updates the included version? I'll keep this in mind and bring it up with the Cisco folks I talk to and see if I can shed any light on this.
Perhaps we will see nmap updated with FirePOWER 6.1 (due out any day now). The Linux kernel for the latest FMC (188.8.131.52) is similarly a bit older, currently running 3.10.53 from 2014.
I did check a FirePOWER deployment and see some OSes identified as Windows 10, although I'm sure there are more than what have been identified.
re the forum...
I'm sure there are some very good MVPs on MS but I've also seen a bunch giving canned answers over and over.
I have to admit I'm a Cisco fanboy but then I've been a customer for over 20 years and a partner for the past 5+. They are by no means perfect; but I've dealt with most of the major networking vendors in my career and each has its strengths and weaknesses.
All in all I think Cisco comes out on top. They do have room for improvement, and I engage with them throughout the year to point out those areas in very blunt terms.
At the same time, I've been active in CSC almost since it began in 2000 and am proud of what we've accomplished as a community.
It looks like even the brand new FirePOWER Management Center 6.1 still has the old nmap.
I'll pass this shortcoming on to the Cisco SEs for what it's worth.
root@sfvdc:/var/sf/nmap/bin# nmap -V
Nmap version 6.01 ( http://nmap.org )
Compiled with: nmap-liblua-5.1.3 openssl-1.0.2g.6.0.4 libpcre-7.6 nmap-libpcap-1.2.1 nmap-libdnet-1.12 ipv6
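Two things tell you whether a bundled nmap can identify an OS generation at all: the version it reports via `nmap -V` (as posted above for the 6.01 build) and whether its nmap-os-db fingerprint database carries any Class lines for that generation. The following Python script is an added example, not code from this thread, from Cisco or from the nmap project. It embeds a constructed `nmap -V` sample modelled on the output above and a constructed nmap-os-db excerpt (deliberately containing Windows 10 but not Windows Server 2012, so both outcomes of the check are visible). The path /var/sf/nmap/share/nmap/nmap-os-db, the 7.00 version threshold and the audit/report names are assumptions of this example, not facts from the page.

```python
"""Audit a bundled nmap: does its version / OS fingerprint DB know the OS families you need?"""
import re
import subprocess
import sys
from collections import Counter

# Constructed sample of `nmap -V` output, modelled on the output posted in the thread.
SAMPLE_NMAP_V = """Nmap version 6.01 ( http://nmap.org )
Compiled with: nmap-liblua-5.1.3 openssl-1.0.2g.6.0.4 libpcre-7.6 nmap-libpcap-1.2.1 nmap-libdnet-1.12 ipv6
"""

# Constructed excerpt in nmap-os-db format. Real entries carry many more probe
# lines (SEQ, OPS, WIN, ...); only the Class lines matter for this check.
SAMPLE_OS_DB = """# Nmap OS fingerprint database (constructed excerpt)
Fingerprint Microsoft Windows 7 SP1
Class Microsoft | Windows | 7 | general purpose
CPE cpe:/o:microsoft:windows_7::sp1

Fingerprint Microsoft Windows Server 2008 R2
Class Microsoft | Windows | 2008 | general purpose
CPE cpe:/o:microsoft:windows_server_2008:r2

Fingerprint Microsoft Windows 10 1607
Class Microsoft | Windows | 10 | general purpose
CPE cpe:/o:microsoft:windows_10

Fingerprint Linux 3.10 - 4.1
Class Linux | Linux | 3.X | general purpose
Class Linux | Linux | 4.X | general purpose
CPE cpe:/o:linux:linux_kernel:3
"""

# Assumed threshold: the oldest nmap release you are willing to trust for the
# OS generations of interest. Nothing in the thread pins this number; adjust it.
MIN_VERSION = (7, 0)

# Assumed location of the fingerprint DB under the FMC prefix seen in the thread.
DEFAULT_DB_PATH = "/var/sf/nmap/share/nmap/nmap-os-db"

VERSION_RE = re.compile(r"^Nmap version (\d+)\.(\d+)", re.MULTILINE)
CLASS_RE = re.compile(r"^Class\s+(.+)$", re.MULTILINE)


def parse_nmap_version(text):
    """Return (major, minor) parsed from `nmap -V` output, or None if not found.

    '6.01' becomes (6, 1) and '7.80' becomes (7, 80): nmap's minor is two digits.
    """
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def os_classes(db_text):
    """Count Class lines by (vendor, family, generation).

    A Class line reads 'Class Vendor | Family | Generation | Type'; an empty
    generation field is kept as '' rather than dropped.
    """
    counts = Counter()
    for m in CLASS_RE.finditer(db_text):
        fields = [f.strip() for f in m.group(1).split("|")]
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess
        counts[(fields[0], fields[1], fields[2])] += 1
    return counts


def audit(nmap_v_text, db_text, wanted):
    """Report the version and which wanted (vendor, family, generation) triples are absent."""
    version = parse_nmap_version(nmap_v_text)
    classes = os_classes(db_text)
    return {
        "version": version,
        "version_too_old": version is None or version < MIN_VERSION,
        "missing": [w for w in wanted if classes[w] == 0],
        "fingerprints_by_family": dict(classes),
    }


def main(argv):
    """Run on the constructed samples, or on a real DB path plus the local `nmap -V`."""
    wanted = [("Microsoft", "Windows", "10"), ("Microsoft", "Windows", "2012")]
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            db_text = fh.read()
        try:
            nmap_v = subprocess.run(["nmap", "-V"], capture_output=True, text=True).stdout
        except OSError:
            nmap_v = ""  # nmap not on PATH: version check will report too old / unknown
    else:
        db_text, nmap_v = SAMPLE_OS_DB, SAMPLE_NMAP_V
    report = audit(nmap_v, db_text, wanted)
    print("nmap version:", report["version"], "(too old)" if report["version_too_old"] else "")
    for w in report["missing"]:
        print("no fingerprints for", " ".join(w))
    return 1 if report["missing"] or report["version_too_old"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed case, or as `python3 nmap_db_check.py /var/sf/nmap/share/nmap/nmap-os-db` on the FMC itself (path assumed, see above). A non-zero exit is a cheap gate to put in front of periodic nmap remediation: if the bundled fingerprint database has no Class lines for the generations you expect on the network, an active scan cannot correct the passive guess and the VDB, not nmap, is the place to look.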
The following is the reaction from Cisco on 11-21-2016:
I have received a response from Engineering and it looks like the issue is that we need to add OS mapping for these Operating Systems which are not being identified correctly. There is no workaround for this issue at this time but a bug has been created to address this behavior and this should be resolved within the next few VDB releases.
The following bug ticket covers this case, but it is not publicly viewable:
Thanks for the update. Unfortunately even FMC 6.2 with the latest VDB 279 still doesn't update nmap:
admin@sfvdc:/var/sf/nmap/bin$ nmap -V
Nmap version 6.01 ( http://nmap.org )
Compiled with: nmap-liblua-5.1.3 openssl-1.0.2i.6.0.265 libpcre-7.6 nmap-libpcap-1.2.1 nmap-libdnet-1.12 ipv6
On 06-APR-2017 Cisco released VDB version 280 for the FirePOWER Management Center. This version finally supports Windows 10 and Windows Server 2012 R2, so this issue is solved.
Thanks for the update.
Interestingly, nmap is the same version as I had posted earlier.
However the VDB release notes do indeed show that Windows 10 is among the updates under the "Operating System and Hardware Fingerprint Details"
That's a very obscure update - you only see those notes when looking at the downloads page and examining the list in detail.
Are you seeing your Windows 10 endpoints correctly profiled now?
Most of our hosts are correctly identified as Windows 10 now, but not all of them. I have to monitor it for a while before I can draw any solid conclusions about this update.