FirePOWER: ‘No Authentication Required’ No Usernames

KB ID 0001460

Problem

When attempting to track users with FirePOWER, the FMC would not show any usernames.

Solution

There are a lot of reasons this might not work; let’s take a look at a few of them.

Firstly, make sure the server running the ‘user agent’ is listed under System > Integration > Identity Sources > User Agent.

It probably goes without saying, but over on the server running the user agent, make sure it can see the Domain Controller(s) and the FMC (everything is green).

Make sure your DCs are set up to audit logon events! (I’ve had to do this in local policy directly on the DCs before).

Ensure you have set up a ‘Realm’ for your Active Directory, and that it’s enabled (System > Integration > Realms).

WARNING: In some versions of the FMC there’s a ‘bug’ that requires you to use the NetBIOS name of your domain rather than its full domain name (as shown in the example on the right).

After you have made the change, ensure you can still download the users and groups. Don’t forget to ‘Save’ the changes, and redeploy the settings.

Make sure you have an ‘Identity Policy’, that it’s set to discover users by ‘Passive Authentication’, and that it’s set to use the ‘Realm’ you created (Policies > Access Control > Identity).

In your main ‘Access Control Policy’, in at least one of the rules, under ‘Users’, ensure that your ‘Realm’ is selected and added (Policies > Access Control).

Also, under your ‘Network Discovery’ policy, make sure ‘Users’ has been added.

Then take a look under Analysis > Users > User Activity. Make sure that logon events are being logged and mapped to IP addresses.

Once all the boxes are ‘ticked’, users should start appearing.
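As an added example that is not part of the original article: the PowerShell below, run in an elevated prompt on a domain controller, checks the two DC-side conditions from the list above (logon auditing is on, and logon events actually carry a source IP, which is what the user-to-IP mapping depends on). It reads the ‘Logon’ audit subcategory with auditpol and then summarises the last hour of Event ID 4624 (successful logon) entries from the Security log, keeping only those with a usable client address. The one-hour window and the filtering of machine accounts are my choices, not the article’s.

```powershell
# Added example, not from the original article. Run elevated on a domain controller.

# 1. Effective audit policy for the 'Logon' subcategory (auditpol /r emits CSV).
$logonAudit = auditpol /get /subcategory:Logon /r |
              Where-Object { $_ -match ',' } |      # drop blank lines before the CSV header
              ConvertFrom-Csv
$setting = $logonAudit.'Inclusion Setting'
"Audit subcategory 'Logon': $setting"
if ($setting -notmatch 'Success') {
    Write-Warning ("Success auditing for Logon is off. Set it in the Default Domain Controllers Policy " +
                   "(Advanced Audit Policy > Logon/Logoff > Audit Logon) or locally with: " +
                   "auditpol /set /subcategory:Logon /success:enable")
}

# 2. Recent successful logons (4624) and whether they map a user to an IP address.
$since  = (Get-Date).AddHours(-1)                 # constructed window; widen it on a quiet DC
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                         -ErrorAction SilentlyContinue)

$mapped = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML by name.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Only logons with a real client address are useful for user-to-IP mapping:
    # console logons report '-' or loopback, and machine accounts end in '$'.
    $ip = $d['IpAddress']
    if ($ip -and $ip -notin @('-', '::1', '127.0.0.1') -and $d['TargetUserName'] -notlike '*$') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            IP        = $ip
            LogonType = $d['LogonType']               # 3 = network, 10 = RDP, 2 = interactive
        }
    }
}

"4624 events since ${since}: $($events.Count); with a usable user-to-IP mapping: $(@($mapped).Count)"
$mapped | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

If the first check reports ‘No Auditing’ or only ‘Failure’, nothing the FMC does will produce usernames, so fix that before looking at realms or identity policies. If auditing is on but the second count stays at zero, the DC is recording logons without client addresses, which is the same symptom from the agent’s point of view.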

Related Articles, References, Credits, or External Links

NA

Cisco FirePOWER User Agent – Use With the FirePOWER Management Console

KB ID 0001179 

Problem

FirePOWER Management Center will give you a wealth of information on traffic, threats etc. Usually it will tell you what IP the offenders are on, but if you want to know what a USER is doing, then that means you have to look through logs to see who had what IP, at what time etc.

So you can install the FirePOWER User Agent on a machine (this can be a client machine, though I usually put it on a member server). You then tell the user agent to monitor your Active Directory server(s), and it keeps a record of which user is where, which it reports back to the FMC for its dashboards and logs.

Note: This is for Version 6.0.0

You will need to create a user in your domain to query AD with (just a member of Domain Users is fine). I typically use svc_firepower as the username.

Solution

Your first challenge is to find the software; you would think it would be with the firewalls or the appliance, but no!

In the FMC > System > Integration > Identity Sources > User Agent > New Agent > Supply the IP of the server that you are going to install the agent on > OK > Save.

On the DOMAIN CONTROLLER(S) that you will point the agent at, make sure WMI is open on the firewall.

On the DOMAIN CONTROLLER(S) that you will point the agent at, run wmimgmt.msc > WMI Control Local > Properties > Security > Root > cimv2 > Security.

Grant your FirePOWER user Remote Enable > Apply > OK.

On the DOMAIN CONTROLLER(S) that you will point the agent at, run comexp.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.

Grant your FirePOWER account the Remote Launch and Remote Activation permissions > Apply > OK.

On the Default Domain Controllers Group Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage auditing and security log > Add in your FirePOWER user.

Note: Allow time for the policy to apply, or run ‘gpupdate /force’, or simply force the policy from the GPMC.msc console (if your domain is 2012).
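The four domain controller prerequisites above (WMI through the firewall, Remote Enable on root\cimv2, Remote Launch/Activation in the DCOM limits, and the ‘Manage auditing and security log’ right) are all set through GUI consoles, which makes them easy to get half right. As an added example that is not part of the original article, this Windows PowerShell 5.1 script, run elevated on each domain controller, reports the state of all four for the agent account. The account name is a placeholder. All four checks look for grants made directly to that account; a right it inherits through a group (Distributed COM Users, for instance) will not show up here, so a ‘False’ means ‘not granted directly’, not necessarily ‘not granted’.

```powershell
# Added example, not from the original article. Run in an elevated Windows PowerShell
# (5.1) prompt on each domain controller the agent will poll.
$Account = 'CORP\svc_firepower'     # placeholder: the AD account the user agent runs queries as
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Inbound rules in the built-in WMI group (DCOM-In on 135, WMI-In, ASync-In) must be enabled.
$wmiRules = @(Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' `
                                   -ErrorAction SilentlyContinue | Where-Object Direction -eq 'Inbound')
$wmiRules | Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize
if (-not $wmiRules -or ($wmiRules | Where-Object { $_.Enabled -ne 'True' })) {
    Write-Warning "Inbound WMI rules missing or disabled; fix with: Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'"
}

# 2. root\cimv2 namespace security: the account needs Enable Account (0x1) and Remote Enable (0x20).
$WBEM_ENABLE = 0x1; $WBEM_REMOTE_ACCESS = 0x20
$out = Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($out.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($out.ReturnValue)" }
$wmiMask = 0
foreach ($ace in $out.Descriptor.DACL) {
    # AceType 0 = access allowed; OR together every allow ACE for this SID.
    if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $sid) { $wmiMask = $wmiMask -bor $ace.AccessMask }
}
"WMI root\cimv2 for ${Account}: EnableAccount=$(($wmiMask -band $WBEM_ENABLE) -ne 0) RemoteEnable=$(($wmiMask -band $WBEM_REMOTE_ACCESS) -ne 0)"

# 3. The DCOM 'Launch and Activation Permissions' limits are stored as a binary security descriptor.
$COM_RIGHTS_EXECUTE_REMOTE = 0x4; $COM_RIGHTS_ACTIVATE_REMOTE = 0x10
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole -and $ole.MachineLaunchRestriction) {
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor($ole.MachineLaunchRestriction, 0)
    $comMask = 0
    foreach ($ace in $raw.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $sid) { $comMask = $comMask -bor $ace.AccessMask }
    }
    "DCOM limits for ${Account}: RemoteLaunch=$(($comMask -band $COM_RIGHTS_EXECUTE_REMOTE) -ne 0) RemoteActivation=$(($comMask -band $COM_RIGHTS_ACTIVATE_REMOTE) -ne 0)"
} else {
    "DCOM limits: MachineLaunchRestriction has never been edited, so the built-in defaults apply (no explicit grant to $Account)."
}

# 4. 'Manage auditing and security log' is SeSecurityPrivilege; read it from the resultant local policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeSecurityPrivilege' | Select-Object -First 1
$hasSeSecurity = [bool]($line -and $line.Line.Contains("*$sid"))
"SeSecurityPrivilege for ${Account}: $hasSeSecurity (if False but the GPO is set, run gpupdate /force and re-check)"
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Check 4 reads the policy that is actually in force on the DC, so it is also the quickest way to tell whether the Default Domain Controllers Policy change has applied yet.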

On the server/machine that you want to install the agent on, run setup.exe (1), if you run setup.msi (2) then only the agent is installed and it will error if you try and launch it.

Open the agent and add in your domain controllers.

Note: Sometimes you may have the following problem:

FirePOWER Agent – Real-Time Status ‘Unavailable’

Then add in the FMC Management details, go and have a coffee, and check everything has gone green.

Note: If managing FirePOWER ‘on-board’ (i.e. through the ASDM), enter the IP address of the SFR module instead!

Finally, in the FirePOWER Management Center > Policies > Network Discovery > Users > ensure all the methods are selected.

Then on the ‘Networks’ tab > Ensure that your rule has ‘Users’ selected.

Related Articles, References, Credits, or External Links

Original article written 27/04/16

FirePOWER Agent – Real-Time Status ‘Unavailable’

KB ID 0001323 D

Problem

I was deploying a Cisco FirePOWER user agent last week, but once setup, the agent reported that the Real-Time status for SOME of the domain controllers was permanently ‘Unavailable’. Now I know you have to be patient with these things so I went and had a coffee.

Still it refused to ‘go green’.

Solution

In addition to all the other rights and firewall rules that you normally have to check, you may have to create another ‘inbound’ firewall rule on your domain controllers.

Type = Custom > Next > All Programs > Next > Protocol type = TCP, Local Port = RPC Dynamic Ports, Remote Port = All Ports > Next.

Add the IP address of the FirePOWER Management Appliance > Next > Allow the Connection > Next.

I’m allowing for all profiles > Next > Give the rule an easy to recognise name > Finish.

Now back on the server that’s running the user agent, you should just need to restart the ‘Cisco Firepower User Agent’ service. Though I usually just reboot the server and apply the ‘cup of coffee rule’.

That Didn’t Work!

All my domain controllers, (a mixture of 2012 R2 and 2016 servers) then reported in fine, ALL EXCEPT ONE. I even tried disabling the firewall, I rechecked all the other pre-requisites and made sure it was using the default domain controller group policy, it flatly refused to ‘go-green’.

You can enable logging on the user agent, and get it to log to the server event log, so I tried that and got;

Event ID 2317: Unable to attach to event listener {IP-Address}. Check firewall settings on AD Server. Attempted to perform an unauthorised operation.

No matter what I did, I could not get this one domain controller to report in. In the end I installed the FirePOWER agent directly on this domain controller, and added it as a new agent source in the FirePOWER Management appliance, then it reported fine.
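The firewall wizard steps above and the Event ID 2317 check below it both lend themselves to scripting. As an added example that is not part of the original article, the first half of this PowerShell creates the same inbound rule on a domain controller (TCP, local port RPC dynamic ports, any remote port, scoped to one remote address, all profiles); the second half, run on the server hosting the user agent, tests the path the agent actually uses (RPC endpoint mapper on 135, then WMI over DCOM as the agent account, including a read of the Security log), restarts the ‘Cisco Firepower User Agent’ service and pulls any recent 2317 events. The addresses, host name and account are placeholders, and the assumption that the agent writes to the Application log is mine; the article only says ‘the server event log’.

```powershell
# Added example, not from the original article. Placeholders: $AllowedFrom, $Dc, the credential.

# ---- (a) run elevated on each DOMAIN CONTROLLER ----
# The article scopes the rule to the FMC address. Note that it is the server running the
# user agent that opens the WMI/DCOM connection to the DC, so if that is a different host,
# it is the one that needs to be allowed. Either way, scope to an address, not 'Any'.
$AllowedFrom = '192.0.2.10'
$RuleName    = 'FirePOWER User Agent - RPC Dynamic Ports (TCP in)'

if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Profile Any -Program Any `
        -Protocol TCP -LocalPort RPC -RemotePort Any `
        -RemoteAddress $AllowedFrom | Out-Null
}
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter    # LocalPort should read 'RPC'

# ---- (b) run on the server hosting the USER AGENT ----
$Dc   = 'dc01.corp.example'                                             # placeholder
$Cred = Get-Credential -Message 'FirePOWER user agent service account'   # e.g. CORP\svc_firepower

# The endpoint mapper must answer before any dynamic RPC port is handed out.
$epm = Test-NetConnection -ComputerName $Dc -Port 135 -WarningAction SilentlyContinue
"RPC endpoint mapper on ${Dc}: TcpTestSucceeded=$($epm.TcpTestSucceeded)"

# The agent talks WMI over DCOM (not WinRM), so test with a DCOM CIM session as that account.
$opt = New-CimSessionOption -Protocol Dcom
try {
    $s  = New-CimSession -ComputerName $Dc -Credential $Cred -SessionOption $opt -ErrorAction Stop
    $os = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem
    "WMI over DCOM OK: $($os.CSName) running $($os.Caption)"

    # Reading the Security log through WMI needs SeSecurityPrivilege ('Manage auditing and
    # security log'); a failure here with a working Win32_OperatingSystem query points at that right.
    $first = Get-CimInstance -CimSession $s -ClassName Win32_NTLogEvent `
                 -Filter "Logfile='Security' AND EventCode=4624" | Select-Object -First 1
    "Security log readable as agent account: $($null -ne $first)"
    Remove-CimSession $s
} catch {
    Write-Warning "DCOM/WMI test to $Dc failed: $($_.Exception.Message)"
}

# Restart the agent so it retries the DC, then show any recent 'unable to attach' events (ID 2317).
Restart-Service -DisplayName 'Cisco Firepower User Agent' -ErrorAction SilentlyContinue
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 2317 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message     # assumption: the agent logs to the Application log
```

The DCOM session test separates the two failure modes this article runs into: if the endpoint mapper answers but the CIM session fails, the dynamic-port rule (or the DCOM limits) is the problem; if Win32_OperatingSystem works but the Security log read does not, it is the user right on the DC rather than the firewall.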

Related Articles, References, Credits, or External Links

NA

Watch BBC iPlayer on your Windows Mobile Device

KB ID 0000160 

Problem

At time of writing only the Samsung i900 is supported, which is great if (unlike me) you have one; however, if you don’t then you need a workaround.

Solution

1. You need to install the Opera Browser on your device.

2. Launch Opera and in the URL bar go to opera:config

3. Scroll all the way down to Custom User-Agent and type in sgh-i900

4. Scroll all the way down and click Save. (If it asks you to reboot, don’t bother; you don’t need to.)

5. Now iPlayer will work.

Related Articles, References, Credits, or External Links

NA