Cisco FirePOWER User Agent – Use With the FirePOWER Management Console

KB ID 0001179 

Problem

FirePOWER Management Center will give you a wealth of information on traffic, threats etc. Usually it will tell you what IP the offenders are on, but if you want to know what a USER is doing, then you have to look through logs to see who had what IP, at what time etc.

So you can install the FirePOWER User Agent on a machine (this can be a client machine, though I usually put it on a member server). You then tell the user agent to monitor your Active Directory server(s) and it keeps a record of which user is where, which it reports back to the FMC for its dashboards and logs.

Note: This is for Version 6.0.0

You will need to create a user in your domain to query AD with (just a member of Domain Users is fine). I typically use svc_firepower as the username.

Solution

Your first challenge is to find the software, you would think it would be with the firewalls or the appliance but no!

FMC AD Agent

In the FMC > System > Integration > Identity Sources > User Agent > New Agent > Supply the IP of the server that you are going to install the agent on > OK > Save.

FMC User agent register

On the DOMAIN CONTROLLER(S) that you will point the agent at, make sure WMI is open on the Windows firewall.

Allow WMI on Server Firewall

On the DOMAIN CONTROLLER(S) that you will point the agent at, run wmimgmt.msc > WMI Control Local > Properties > Security > Root > cimv2 > Security.

Firepower Agent rights

Grant your firepower user Remote Enable > Apply > OK.

firepower agent rights

On the DOMAIN CONTROLLER(S) that you will point the agent at, run comexp.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.

COM Security FirePOWER

Grant your FirePOWER account the Remote Launch and Remote Activation permissions > Apply > OK.

COM Rights FirePOWER AD User

On the Default Domain Controllers Group Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage auditing and security log > Add in your FirePOWER user.

Note: Allow time for the policy to apply, or run ‘gpupdate /force’ on the domain controllers, or simply force the policy from the GPMC.msc console (if your domain is 2012).

manage audit and security log
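Before installing the agent it is worth confirming the domain controller prerequisites above actually took effect. The following is an added example, not part of the original article: run it in Windows PowerShell on the server that will host the User Agent. It checks, as the svc_firepower account, that DCOM/WMI on root\cimv2 is reachable and that the Security log (where the logon events the agent relies on live) can be read, which requires the ‘Manage auditing and security log’ right. The DC names and the EXAMPLE domain prefix are placeholders.

```powershell
# Added example (not from the original article): verify WMI access and Security log
# read access for the FirePOWER service account on each domain controller.
# Assumptions: DC names and the 'EXAMPLE\' domain prefix are placeholders.

$dcs  = @('DC01.example.local', 'DC02.example.local')   # placeholder DC names
$cred = Get-Credential -UserName 'EXAMPLE\svc_firepower' -Message 'Service account password'

foreach ($dc in $dcs) {
    try {
        # Basic DCOM + WMI reachability against root\cimv2, the namespace the
        # agent needs 'Remote Enable' on (wmimgmt.msc step above).
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $dc `
              -Credential $cred -ErrorAction Stop
        Write-Host ("{0}: WMI OK ({1})" -f $dc, $os.Caption)

        # The agent maps users to IPs from DC logon events (Security event ID 4624).
        # Reading the Security log remotely returns 'Access denied' until the
        # 'Manage auditing and security log' user right from the GPO has applied.
        $logon = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $dc -Credential $cred `
                 -Filter "Logfile='Security' AND EventCode=4624" -ErrorAction Stop |
                 Select-Object -First 1
        if ($logon) {
            $when = $logon.ConvertToDateTime($logon.TimeGenerated)
            Write-Host ("{0}: Security log OK, found a logon event at {1}" -f $dc, $when)
        } else {
            Write-Warning ("{0}: Security log readable but no 4624 events; check audit policy" -f $dc)
        }
    } catch {
        # Typical causes: WMI blocked by the firewall, missing Remote Enable / Remote Launch /
        # Remote Activation, or the user right not yet applied (wait, or gpupdate /force).
        Write-Warning ("{0}: FAILED - {1}" -f $dc, $_.Exception.Message)
    }
}
```

A warning on the second query alone almost always means the Group Policy user right has not applied yet; a failure on the first query points at the firewall or the WMI/COM permissions.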

On the server/machine that you want to install the agent on, run setup.exe (1). If you run setup.msi (2) then only the agent is installed, and it will error if you try to launch it.

FirePOWER user Agent

Open the agent and add in your domain controllers.

FirePOWER Monitor AD

Note: Sometimes, you may have the following problem;

FirePOWER Agent – Real-Time Status ‘Unavailable’

Then add in the FMC Management details, go and have a coffee, and check everything has gone green.

Note: If managing FirePOWER ‘on-board’ (i.e. through the ASDM), enter the IP address of the SFR module instead!

Add FMC to FirePOWER User Agent

Finally, in the FirePOWER Management Center > Policies > Network Discovery > Users, ensure all the methods are selected.

Then on the ‘Networks’ tab > Ensure that your rule has ‘Users’ selected.

Related Articles, References, Credits, or External Links

Original article written  27/04/16

Author: PeteLong


23 Comments

  1. Hi, what can i do, if i Configure everything like you say, but at the Agent, the status of the firepower Management Centers stay at “pending” and I never get a “Last Reported” date???

    I try and try, but it never reports anything… 🙁
    • I assume all the machines firewalls are off and the machine with the agent on can ping the DC?

      Pete
      • Bah! I’m having this exact same issue too. Windows Server 2012 R2, Windows firewall is off. I get all green on both Active Directory and Firepower Management Center tabs. However, Last Reported is constantly blank, and no users are showing up in Management Center.
        • I’m assuming everything can ping each other, are you using LDAP or LDAPS?

          Pete
  2. Hi Pete,

    On the DOMAIN CONTROLLER(S) that you will point the agent at, run compmgmt.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.

    Should this be comexp.msc instead of compmgmt.msc?
    • Yes – Was having a coffee deficiency that day! Like this morning, up till 02:45 talking to TAC – Bah!!!!
      Updated, cheers Steve!!
      • Back on this page again 🙂 I can never find this bloody download!
    • Cheers – for the feedback!

      P
  3. Is this still valid for FMC 6.2? The last User Agent update is from August 2015!!!!
    • Absolutely version 2.2 I believe, did one last week!
  4. Do we have to connect the agent to all domain controllers or only the ones running certain roles?
    • All of them, in a multi-master role any one can process a logon request 🙂

      pete
  5. Thank you so much for such a detailed, well organized and written article.
  6. Hi Pete,

    Awesome article! Can you have more than one User Agent installed on 2 different servers for HA?

    Thanks
    • I’ve never deployed it that way but I don’t see why not, they would both have to look at ALL the DC’s though 🙂

      Pete
  7. What route is everyone planning since SFUA is going bye bye?
    • I suspect Cisco will want you to use ISE 🙁
  8. What about configuring a realm? I’m getting stuck on that. It cannot connect to the AD. I must be having issues with the Base DN and Group DN I am guessing. I performed a DSquery -name FMCUseragent* and it gives me the info, but no matter what arrangement in Base DN or Group DN, it can’t connect to the AD and download a user list.
  9. In 6.6.1 there is a note that ‘Support for Cisco Firepower User Agent is deprecated and will be removed in a future release’ do you happen to know if we will only be able to use ISE in the future?
    • I honestly don’t know, but I’ll throw it open for comment…..
