Cisco FirePOWER User Agent – Use With the FirePOWER Management Console

KB ID 0001179 

Problem

FirePOWER Management Center will give you a wealth of information on traffic, threats, etc. Usually it will tell you what IP the offenders are on, but if you want to know what a USER is doing, you have to look through logs to see who had which IP at what time, and so on.

So you can install the FirePOWER User Agent on a machine (this can be a client machine, though I usually put it on a member server). You then tell the user agent to monitor your Active Directory server(s), and it keeps a record of which user is where, which it reports back to the FMC for its dashboards and logs.

Note: This is for Version 6.0.0

You will need to create a user in your domain to query AD with (a member of Domain Users is fine). I typically use svc_firepower as the username.

Solution

Your first challenge is to find the software; you would think it would be with the firewalls or the appliance, but no!

In the FMC > System > Integration > Identity Sources > User Agent > New Agent > Supply the IP of the server that you are going to install the agent on > OK > Save.

On the DOMAIN CONTROLLER(S) that you will point the agent at, make sure WMI is allowed through the Windows firewall.

On the DOMAIN CONTROLLER(S) that you will point the agent at, run wmimgmt.msc > WMI Control Local > Properties > Security > Root > cimv2 > Security.

Grant your firepower user Remote Enable > Apply > OK.

On the DOMAIN CONTROLLER(S) that you will point the agent at, run comexp.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.

Grant your FirePOWER account the Remote Launch and Remote Activation permissions > Apply > OK.

On the Default Domain Controllers Group Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage auditing and security log > Add in your FirePOWER user.

Note: Allow time for the policy to apply (or run ‘gpupdate /force’, or simply force the policy from the GPMC.msc console if your domain is 2012).
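The four domain controller prerequisites above (WMI firewall rules, Remote Enable on root\cimv2, DCOM remote launch/activation limits, and the ‘Manage auditing and security log’ right) are all set through GUI dialogs, which makes it easy to miss one when you have several DCs. The following read-only PowerShell script is an added example, not from the original article or from Cisco; it checks each prerequisite for the service account on the DC it is run on (elevated) and prints OK/FAIL per item. The account name svc_firepower is an assumption taken from the naming used above, and the checks look for rights granted directly to that account, not via group membership.

```powershell
<#
  Added example (not the article's or Cisco's code): verify, without changing anything,
  that this domain controller meets the FirePOWER User Agent prerequisites for the
  service account. Run in an elevated PowerShell session on the DC.
#>
param(
    # Assumption: the article's naming convention; change to your own service account.
    [string]$Account = "$env:USERDOMAIN\svc_firepower"
)

# Every store checked below records trustees by SID, so resolve the account once.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Documented access-mask bits behind the checkboxes in the GUI dialogs.
$WBEM_REMOTE_ACCESS         = 0x20   # wmimgmt.msc: "Remote Enable"
$COM_RIGHTS_EXECUTE_REMOTE  = 0x4    # comexp.msc Edit Limits: "Remote Launch"
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10   # comexp.msc Edit Limits: "Remote Activation"

function Test-WmiFirewallRules {
    # The built-in inbound WMI rule group (WMI-In, DCOM-In, ASync-In) must be enabled.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' `
                   -Direction Inbound -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) { return $false }
    @($rules | Where-Object { $_.Enabled -eq 'True' }).Count -eq $rules.Count
}

function Test-WmiNamespaceRemoteEnable {
    # Read the DACL of root\cimv2 and look for an allow ACE for our SID with Remote Enable set.
    $result = Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($result.ReturnValue)" }
    $match = $result.Descriptor.DACL | Where-Object {
        $_.AceType -eq 0 -and $_.Trustee.SIDString -eq $sid -and
        (($_.AccessMask -band $WBEM_REMOTE_ACCESS) -eq $WBEM_REMOTE_ACCESS)
    }
    [bool]$match
}

function Test-DcomRemoteLimits {
    # "Edit Limits" writes a self-relative security descriptor to this registry value.
    # If the value is absent only the built-in defaults apply, which do not include our account.
    $bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction Stop).MachineLaunchRestriction
    if (-not $bytes) { return $false }
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    $need = $COM_RIGHTS_EXECUTE_REMOTE -bor $COM_RIGHTS_ACTIVATE_REMOTE
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $sid -and
            (($ace.AccessMask -band $need) -eq $need)) { return $true }
    }
    return $false
}

function Test-ManageAuditingRight {
    # "Manage auditing and security log" is SeSecurityPrivilege. Export the effective local
    # security policy (which reflects the applied GPO) and look for the account's SID.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    # Entries look like "*S-1-5-32-544,*S-1-5-21-...": strip the leading asterisk from each.
    $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    $holders -contains $sid
}

$results = [ordered]@{
    'WMI inbound firewall rules enabled'                = Test-WmiFirewallRules
    "root\cimv2 Remote Enable for $Account"             = Test-WmiNamespaceRemoteEnable
    "DCOM Remote Launch/Activation for $Account"        = Test-DcomRemoteLimits
    "Manage auditing and security log for $Account"     = Test-ManageAuditingRight
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key
}
```

A FAIL on the last line immediately after editing the GPO usually just means the policy has not applied yet; re-run after ‘gpupdate /force’. Because the checks compare SIDs rather than display names, a renamed account is still found, but a right granted through a group (for example Distributed COM Users) shows as FAIL here even though it would work.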

On the server/machine that you want to install the agent on, run setup.exe (1); if you run setup.msi (2) then only the agent is installed and it will error when you try to launch it.

Open the agent and add in your domain controllers.

Note: Sometimes, you may have the following problem;

FirePOWER Agent – Real-Time Status ‘Unavailable’

Then add in the FMC Management details, go and have a coffee, and check everything has gone green.

Note: If managing FirePOWER ‘on-board’ (i.e. through the ASDM), enter the IP address of the SFR module instead!

Finally, in the FirePOWER Management Center > Policies > Network Discovery > Users > Ensure all the methods are selected.

Then on the ‘Networks’ tab > Ensure that your rule has ‘Users’ selected.

Related Articles, References, Credits, or External Links

Original article written  27/04/16

23 thoughts on “Cisco FirePOWER User Agent – Use With the FirePOWER Management Console”

  1. Hi, what can I do if I configure everything like you say, but at the Agent, the status of the FirePOWER Management Centers stays at “pending” and I never get a “Last Reported” date???

    I try and try, but it never reports anything… 🙁

    • I assume all the machines firewalls are off and the machine with the agent on can ping the DC?

      Pete

      • Bah! I’m having this exact same issue too. Windows Server 2012 R2, Windows Firewall is off. I get all green on both Active Directory and FirePOWER Management Center tabs. However, Last Reported is constantly blank, and no users are showing up in Management Center.

  2. Hi Pete,

    On the DOMAIN CONTROLLER(S) that you will point the agent at, run compmgmt.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.

    Should this be comexp.msc instead of compmgmt.msc?

  3. Do we have to connect the agent to all domain controllers or only the ones running certain roles?

  4. Hi Pete,

    Awesome article! Can you have more than one User Agent installed on 2 different servers for HA?

    Thanks

    • I’ve never deployed it that way but I don’t see why not; they would both have to look at ALL the DCs though 🙂

      Pete

  5. What about configuring a realm? I’m getting stuck on that. It cannot connect to the AD. I must be having issues with the Base DN and Group DN, I am guessing. I performed a DSquery -name FMCUseragent* and it gives me the info, but no matter what arrangement in Base DN or Group DN, it can’t connect to the AD and download a user list.

  6. In 6.6.1 there is a note that ‘Support for Cisco Firepower User Agent is deprecated and will be removed in a future release’. Do you happen to know if we will only be able to use ISE in the future?
