KB ID 0001179
Problem
FirePOWER Management Center, will give you a wealth of information on traffic/threats etc. Usually it will tell you what IP the offenders are on, but if you want to know what a USER is doing, then that means you have to look though logs see who had what IP, at what time etc.
So you can install the FirePOWER User Agent on a machine, (this can be a client machine, though I usually put it on a member server). You then tell the the user agent to monitor your active directory server(s) and it keeps a record of which user is where, which it reports back to the FMC for its dashboards and logs.
Note: This is for Version 6.0.0
You will need to create a user in your domain to query AD with, (just a member of domain users is fine). I typically use svc_firepower as the username.
Solution
Your first challenge is to find the software, you would think it would be with the firewalls or the appliance but no!
In the FMC > System > Integration >Identity Sources > User Agent > New Agent > Supply the IP of the server that you are going to install the agent on > OK > Save.
On the DOMAIN CONTROLLER(S) that you will point the agent at, make sure WMI is open on the firewall
On the DOMAIN CONTROLLER(S) that you will point the agent at, run wmimgmt.msc > WMI Control Local > Properties > Security > Root > cimv2 > Security.
Grant your firepower user Remote Enable > Apply > OK.
On the DOMAIN CONTROLLER(S) that you will point the agent at, run comexp.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.
Grant your FirePOWER account the Remote Launch and Remote Activation permissions > Apply > OK.
On the Default Domain Controllers Group Policy > Computer configuration >Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage Auditing and security log >Add in your FirePOWER user.
Note: Allow time for the policy to apply, (or run ‘gpupdate /force‘, or simply force the policy from the GPMC.msc console, (if your domain is 2012)).
On the server/machine that you want to install the agent on, run setup.exe (1), if you run setup.msi (2) then only the agent is installed and it will error if you try and launch it.
Open the agent and add in your domain controllers.
Note: Sometimes, you may have the following problem;
FirePOWER Agent – Real-Time Status ‘Unavailable’
Then add in the FMC Management details, go and have a coffee, and check everything has gone green.
Note: If managing FirePOWER ‘on-board’, (i.e. though the ASDM.) Enter the IP address of the SFR module instead!)
Finally ensure in the FirePOWER Management Center > Policies > Network Discovery > Users > Ensure all the methods are selected.
Then on the ‘Networks’ tab > Ensure that your rule has ‘Users’ selected.
Related Articles, References, Credits, or External Links
Original article written 27/04/16
Hi, what can i do, if i Configure everything like you say, but at the Agent, the status of the firepower Management Centers stay at “pending” and I never get a “Last Reported” date???
I try and try, but it never report something… 🙁
I assume all the machines firewalls are off and the machine with the agent on can ping the DC?
Pete
Bah! I’ve having this exact same issue to. Windows Server 2012 R2, windows firewall is off. I get all green on both Active Directory and Firepower Management Center tabs. However, Last Reported is constantly blank, and no users are showing up in management center.
I’m assuming everything can ping each other, are you using LDAP or LDAPS?
Pete
Hi Pete,
On the DOMAIN CONTROLLER(S) that you will point the agent at, run compmgmt.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.
Should this be comexp.msc instead of compmgmt.msc?
Yes – Was having a coffee deficiency that day! Like this morning up till 02:45 taking to TAC – Bah!!!!
Updated Cheers Steve!!
Back on this page again 🙂 I can never find this bloody download!
🙂
Great article. Run into the following Problem which could be solved with a registry hack:
https://supportforums.cisco.com/discussion/13073621/firesightuser-agent-error-2201-report-login-information-ip-ip-failed-after-time
Might save the honored reader some coffee-hours…
Cheers – for the feedback!
P
Is this still valid for FMC 6.2? The last User Agent update is from August 2015!!!!
Absolutely version 2.2 I believe, did one last week!
Do we have to connect the agent to all domain controllers or only the ones running certain roles?
All of them, In a multi master roll any one can process a logon request 🙂
pete
Thank you so much for such a detailed well organized and written article .
Hi Pete,
Awesome article! Can you have more than one User Agent installed on 2 different servers for HA?
Thanks
I’ve never deployed it that way but I don’t see why not, they would both have to look at ALL the DC’s though 🙂
Pete
What route is everyone planning since SFUA is going bye bye?
I suspect Cisco will want you to use ISE 🙁
What about Configuring a realm? I’m getting stuck on that. It can not connect to the AD. I must be having issues with the Base DN and Group DN I am guessing. I performed a DSquery -name FMCUseragent* and it gives me the infor, but no matter no arrangement in Base DN or Group DN, it can’t connect to the AD and download a user list.
You mean like THIS?
Pete
In 6.6.1 there is a note that ‘Support for Cisco Firepower User Agent is deprecated and will be removed in a future release’ do you happen to know if we will only be able to use ISE in the future?
I honestly don’t know, but I’ll throw it open for comment…..