KB ID 0001179 Dtd 14/08/17
FirePOWER Management Center will give you a wealth of information on traffic, threats, etc. Usually it will tell you what IP the offenders are on, but if you want to know what a USER is doing, that means you have to look through logs to see who had what IP at what time, etc.
So you can install the FirePOWER User Agent on a machine (this can be a client machine, though I usually put it on a member server). You then tell the user agent to monitor your Active Directory server(s), and it keeps a record of which user is where, which it reports back to the FMC for its dashboards and logs.
Note: This is for Version 6.0.0
You will need to create a user in your domain to query AD with (just a member of Domain Users is fine). I typically use svc_firepower as the username.
Your first challenge is to find the software; you would think it would be with the firewalls or the appliance, but no!
In the FMC > System > Integration > Identity Sources > User Agent > New Agent > Supply the IP of the server that you are going to install the agent on > OK > Save.
On the DOMAIN CONTROLLER(S) that you will point the agent at, make sure WMI is open on the firewall
On the DOMAIN CONTROLLER(S) that you will point the agent at, run wmimgmt.msc > WMI Control Local > Properties > Security > Root > cimv2 > Security.
Grant your FirePOWER user Remote Enable > Apply > OK.
On the DOMAIN CONTROLLER(S) that you will point the agent at, run comexp.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.
Grant your FirePOWER account the Remote Launch and Remote Activation permissions > Apply > OK.
On the Default Domain Controllers Group Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage auditing and security log > Add in your FirePOWER user.
Note: Allow time for the policy to apply, or run ‘gpupdate /force’, or simply force the policy from the GPMC.msc console (if your domain is 2012).
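Before installing the agent, it is worth checking from the agent host that the three DC-side changes above (WMI through the firewall, Remote Enable on cimv2 plus the DCOM limits, and the ‘Manage auditing and security log’ right) actually work for the service account, because the agent's “everything has gone green” check gives little detail when one of them is missing. The following Windows PowerShell 5.1 script is an added example, not part of the original article or of Cisco's tooling; the DC names, the domain name and the account name are placeholders, and the assumption that the agent reads logon events (ID 4624) from the Security log over WMI is mine, not stated on this page. Each step fails in a way that maps back to one of the configuration steps above.

```powershell
# Added verification script (not from the original article). Run on the server
# that will host the FirePOWER User Agent, as any admin, before installing it.
# Placeholders: DC names, domain and account are assumptions for this example.
$DomainControllers = @('dc01.example.local', 'dc02.example.local')   # placeholder DC names
$Account           = 'EXAMPLE\svc_firepower'                          # the AD user created for the agent
$Cred              = Get-Credential -UserName $Account -Message 'Password for the FirePOWER agent account'

foreach ($dc in $DomainControllers) {
    Write-Host "==> $dc"

    # 1. RPC endpoint mapper (TCP 135) must be reachable; WMI/DCOM rides on it.
    #    A failure here usually means WMI is not open on the DC's firewall.
    $rpc = Test-NetConnection -ComputerName $dc -Port 135 -WarningAction SilentlyContinue
    if (-not $rpc.TcpTestSucceeded) {
        Write-Warning "TCP 135 closed on $dc - check the WMI firewall rule on the DC"
        continue
    }

    # 2. Plain remote WMI query in root\cimv2 as the service account.
    #    'Access denied' here points at Remote Enable on cimv2 (wmimgmt.msc) or the
    #    DCOM Remote Launch / Remote Activation limits (comexp.msc).
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $dc -Credential $Cred -ErrorAction Stop
        Write-Host "   WMI OK          : $($os.Caption)"
    } catch {
        Write-Warning "   WMI failed on ${dc}: $($_.Exception.Message)"
        continue
    }

    # 3. Read one logon event (ID 4624) from the Security log as the service account.
    #    This only works once 'Manage auditing and security log' has applied via GPO;
    #    if step 2 passed but this fails, the policy has not reached the DC yet.
    try {
        $evt = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $dc -Credential $Cred `
                -Filter "Logfile='Security' AND EventCode=4624" -ErrorAction Stop |
               Select-Object -First 1
        if ($evt) {
            Write-Host "   Security log OK : last 4624 at $($evt.ConvertToDateTime($evt.TimeGenerated))"
        } else {
            Write-Warning "   Security log readable on $dc but no 4624 events returned"
        }
    } catch {
        Write-Warning "   Security log read failed on ${dc}: $($_.Exception.Message)"
    }
}
```

The script deliberately uses Get-WmiObject rather than Get-CimInstance because the former goes over DCOM, which is the same transport the User Agent uses; a passing Get-CimInstance over WinRM would not prove the DCOM permissions are right. The Win32_NTLogEvent query can take a while on a busy DC, so Select-Object -First 1 stops the pipeline after the first hit.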
On the server/machine that you want to install the agent on, run setup.exe (1); if you run setup.msi (2), only the agent is installed and it will error if you try to launch it.
Open the agent and add in your domain controllers.
Note: Sometimes, you may have the following problem;
Then add in the FMC Management details, go and have a coffee, and check everything has gone green.
Note: If managing FirePOWER ‘on-board’ (i.e. through the ASDM), enter the IP address of the SFR module instead!
Finally, in the FirePOWER Management Center > Policies > Network Discovery > Users, ensure all the methods are selected.
Then on the ‘Networks’ tab, ensure that your rule has ‘Users’ selected.
Related Articles, References, Credits, or External Links
Original article written 27/04/16