FirePOWER: ‘No Authentication Required’ No Usernames

KB ID 0001460

Problem

When attempting to track users with FirePOWER, the FMC would not show any usernames.

Solution

There are a lot of reasons this might not work; let’s take a look at a few of them.

Firstly, make sure the server running the ‘user agent’ is listed under System > Integration > Identity Sources > User Agent.

It probably goes without saying, but over on the server running the user agent, make sure it can see the Domain Controller(s) and the FMC (everything is green).

Make sure your DCs are set up to audit logon events! (I’ve had to do this in local policy directly on the DCs before).

Ensure you have set up a ‘Realm’ for your Active Directory, and it’s enabled. (System > Integration > Realms).

WARNING: In some versions of the FMC there’s a ‘Bug’ that requires you to use the NETBIOS name of your domain rather than its full domain name (as shown in the example on the right).

After you have made the change, ensure you can still download the users and groups. Don’t forget to ‘Save’ the changes, and redeploy the settings.

Make sure you have an ‘Identity Policy’, and that it’s set to discover users by ‘Passive Authentication’, and it’s set to use the ‘Realm’ you created. (Policies > Access Control > Identity).

In your main ‘Access Control Policy’, in at least one of the rules, under ‘Users’, ensure that your ‘Realm’ is selected and added. (Policies > Access Control).

Also, under your ‘Network Discovery’ policy, make sure ‘Users’ has been added.

Then take a look under Analysis > Users > User Activity. Make sure that logon events are getting logged, and mapped to IP addresses.

Once all the boxes are ‘ticked’, users should start appearing.

Related Articles, References, Credits, or External Links

NA

Barracuda Web Filter – Not Displaying Usernames

KB ID 0001296 

Problem

I installed a Barracuda Web Filter 410 hardware appliance last week for a client on a 30-day trial. It was in ‘inline’ mode in front of their firewall and was happily logging all web activity and sites that were getting blocked. The problem was when you looked in the log this is what you saw:

With other vendors you simply need to put an agent in to fix this, and as it turns out Barracuda is no different.

Solution

I went onto the web and tried to get the agent, but you can download it straight from the appliance. (Users and Groups > Authentication Tab)

To proceed you need to add your domain controllers onto the Barracuda.

Note: You will need a domain account (a simple domain user is fine, it does not need any additional rights). Here I’m connecting via 389; if you wanted to connect with LDAPS, see the following article.

Windows Server 2012 – Enable LDAPS

Once you have installed the ADAgent.exe, (on each domain controller), run it and enter your domain user account, and test it connects properly.

Then add in your Barracuda device.

Note: There’s nothing else you need to do in the agent, but while you are setting it up I suggest you set the logging level to debugging.

Now, before the successful logon events can be uploaded to the Barracuda, the domain controllers need to have auditing enabled for:

  • Audit account logon events (success)
  • Audit logon events (success)

Set this in the ‘local security policy’ on each of the domain controllers (Administrative Tools > Local Security Policy).

On the Barracuda itself, you now have to register the agent for each one you have deployed; after a few minutes they should ‘go green’. This is done on the same tab where you specified the domain controllers.

You now need to wait until your users have logged off and back on again before it starts logging properly, so leave it a while to slowly populate.
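
Added example (not part of the original articles or of either vendor's tooling): a PowerShell check, run elevated on a domain controller, that the logon auditing both articles above depend on is in effect and that successful logons are being recorded with a source IP. It assumes an English-language OS and that event ID 4624 is the logon event of interest, which the articles do not state; the function names are illustrative.

```powershell
# Added example: run elevated on a domain controller. Assumes an English-language
# OS, because auditpol category and subcategory names are localised.

function Get-LogonAuditSetting {
    # Audit policy in effect for the categories behind 'Audit logon events'
    # (Logon/Logoff) and 'Audit account logon events' (Account Logon).
    foreach ($category in 'Logon/Logoff', 'Account Logon') {
        auditpol /get /category:"$category" /r |
            Where-Object { $_ } |
            ConvertFrom-Csv |
            Select-Object @{ n = 'Category'; e = { $category } },
                          Subcategory, 'Inclusion Setting'
    }
}

function Get-RecentLogonMapping {
    # Successful logons (event ID 4624, an assumption) as user-to-IP pairs.
    param([int]$Minutes = 30, [int]$MaxEvents = 500)
    $filter = @{ LogName = 'Security'; Id = 4624
                 StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = $data['LogonType']
                SourceIp  = $data['IpAddress']
            }
        } |
        # Drop machine accounts and logons with no usable source address.
        Where-Object { $_.User -notmatch '\$$' -and $_.SourceIp -and $_.SourceIp -ne '-' }
}

$settings = Get-LogonAuditSetting
$settings | Format-Table -AutoSize
$settings | Where-Object { $_.'Inclusion Setting' -notmatch 'Success' } |
    ForEach-Object { Write-Warning "No success auditing: $($_.Category) / $($_.Subcategory)" }

$logons = @(Get-RecentLogonMapping)
if ($logons.Count -eq 0) {
    Write-Warning 'No user logons with a source IP in the last 30 minutes.'
} else {
    $logons | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
}
```

If the audit settings show success auditing but no user-to-IP rows appear after a test logon, the gap is on the domain controller side rather than in the agent or appliance configuration.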

Related Articles, References, Credits, or External Links

Barracuda Email Security Gateway Setup and Deployment