Cisco FirePOWER User Agent – Use With the FirePOWER Management Console


KB ID 0001179 Dtd 27/04/16

Problem

FirePOWER Management Center will give you a wealth of information on traffic, threats etc. Usually it will tell you what IP the offenders are on, but if you want to know what a USER is doing, that means you have to look through logs to see who had what IP, at what time etc.

So you can install the FirePOWER User Agent on a machine, (this can be a client machine, though I usually put it on a member server). You then tell the user agent to monitor your Active Directory server(s) and it keeps a record of which user is where, which it reports back to the FMC for its dashboards and logs.

Note: This is for Version 6.0.0

You will need to create a user in your domain to query AD with, (just a member of domain users is fine). I typically use svc_firepower as the username.

Solution

Your first challenge is to find the software, you would think it would be with the firewalls or the appliance but no!

FMC AD Agent

In the FMC > System > Integration > Identity Sources > User Agent > New Agent > Supply the IP of the server that you are going to install the agent on > OK > Save.

FMC User agent register

On the DOMAIN CONTROLLER(S) that you will point the agent at, make sure WMI is open on the firewall.

Allow WMI on Server Firewall

On the DOMAIN CONTROLLER(S) that you will point the agent at, run wmimgmt.msc > WMI Control Local > Properties > Security > Root > cimv2 > Security.

Firepower Agent rights

Grant your firepower user Remote Execute > Apply > OK.

firepower agent rights

On the DOMAIN CONTROLLER(S) that you will point the agent at, run comexp.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.

COM Security FirePOWER

Grant your FirePOWER account the Remote Launch and Remote Activation permissions > Apply > OK.

COM Rights FirePOWER AD User

On the Default Domain Controllers Group Policy > Computer configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage Auditing and security log > Add in your FirePOWER user.

Note: Allow time for the policy to apply, (or run ‘gpupdate /force’, or simply force the policy from the GPMC.msc console, (if your domain is 2012)).

manage audit and security log

On the server/machine that you want to install the agent on, run setup.exe (1); if you run setup.msi (2) then only the agent is installed and it will error when you try to launch it.

FirePOWER user Agent

Open the agent and add in your domain controllers.

FirePOWER Monitor AD

Then add in the FMC Management details, go and have a coffee, and check everything has gone green.

Add FMC to FirePOWER User Agent
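Before waiting on the agent to go green, it is worth proving the rights above actually work. The following is an added example, not from the article or Cisco: run it on the machine that will host the User Agent and it checks, as the service account, that each domain controller answers ping, accepts a remote WMI query against root\cimv2 (which exercises the firewall, DCOM and namespace rights) and lets the account read the Security log, which is what "Manage auditing and security log" grants. The DC names and the account name are assumptions.

```powershell
# Added example (not from the article). Run on the machine that will host the
# FirePOWER User Agent. Assumed values: two DCs and a LAB\svc_firepower account.
$DomainControllers = @('DC01', 'DC02')        # assumed DC hostnames
$AgentAccount      = 'LAB\svc_firepower'       # assumed agent account (member of Domain Users)
$Cred = Get-Credential -UserName $AgentAccount -Message 'Password for the agent account'

foreach ($dc in $DomainControllers) {
    Write-Host "== $dc =="

    # 1. Basic reachability: the first thing to rule out when the FMC status sits at "pending".
    if (-not (Test-Connection -ComputerName $dc -Count 1 -Quiet)) {
        Write-Warning "  $dc does not answer ping; check routing and firewalls first."
        continue
    }

    # 2. DCOM + WMI: a remote query against root\cimv2 as the agent account.
    #    A failure here usually means the WMI firewall group is still closed on the DC,
    #    or the Remote Launch/Activation or cimv2 namespace rights from the article are missing.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -Namespace 'root\cimv2' `
                            -ComputerName $dc -Credential $Cred -ErrorAction Stop
        Write-Host "  WMI OK: $($os.Caption)"
    } catch {
        Write-Warning "  WMI query failed: $($_.Exception.Message)"
        continue
    }

    # 3. Security log access: the agent maps users to IPs from logon events on the DC,
    #    so the account must be able to read the Security log remotely. Reading it over
    #    WMI needs the 'Manage auditing and security log' right set in the GPO step.
    #    EventCode 4624 is a successful logon.
    try {
        $ev = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $dc -Credential $Cred `
                            -Filter "Logfile='Security' AND EventCode=4624" -ErrorAction Stop |
              Select-Object -First 1
        if ($ev) { Write-Host "  Security log OK: last 4624 at $($ev.TimeGenerated)" }
        else     { Write-Warning "  Security log readable but no 4624 events found; check audit policy." }
    } catch {
        Write-Warning "  Security log read failed: $($_.Exception.Message)"
    }
}
```

If step 3 fails but step 2 passes, the GPO right has not applied yet on that DC; rerun after the gpupdate from the note above.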


Related Articles, References, Credits, or External Links

NA

Author: PeteLong


4 Comments

  1. Hi, what can I do if I configure everything like you say, but at the Agent the status of the FirePOWER Management Centers stays at “pending” and I never get a “Last Reported” date???

    I try and try, but it never reports anything… 🙁

    • I assume all the machines' firewalls are off and the machine with the agent on can ping the DC?

      Pete

  2. Hi Pete,

    On the DOMAIN CONTROLLER(S) that you will point the agent at, run compmgmt.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.

    Should this be comexp.msc instead of compmgmt.msc?

    • Yes – Was having a coffee deficiency that day! Like this morning up till 02:45 talking to TAC – Bah!!!!
      Updated Cheers Steve!!

