Cisco Firepower Management Center 4000
FireSIGHT User Agent Configuration Guide
Chapter 1 Introduction
Understanding User Agents
In addition, if you are planning to implement user access control, you must set up a connection to each
Microsoft Active Directory server where you plan to collect data, with user awareness parameters
configured.
User Data Collection Limitations
License: FireSIGHT
The following table describes the limitations of user data collection, either generally or as they
specifically relate to agents.
Table 1-1 User Data Collection Limitations

Limitation: user control
Description:
- To perform user control, your organization must use Microsoft Active Directory LDAP servers. The system obtains the users and groups you can use in access control rules from Active Directory, and also ties users to IP addresses with the logins and logoffs reported by User Agents installed on Active Directory servers.

Limitation: login detection
Description:
- The agent reports user logins to hosts with IPv6 addresses to Defense Centers running Version 5.2+.
- The agent reports non-authoritative user logins and NetBIOS logins to Defense Centers running Version 5.0.1+.
- The agent reports authoritative logins from actual user names to Defense Centers running Version 4.10.x+.
- If you want to detect logins to an Active Directory server, you must configure the Active Directory server connection with the server IP address. See for more information.
- If multiple users are logged into a host using remote sessions, the agent may not detect logins from that host properly. See for more information on how to prevent this.

Limitation: logoff detection
Description:
- The agent reports detected logoffs to Version 5.2+ Defense Centers.
- Logoffs may not be immediately detected. The timestamp associated with a logoff is the time the agent detected the user was no longer mapped to the host IP address, which may not correspond with the actual time the user logged off of the host.
- Logoffs are generated by the agent itself when it detects a user logged out of a host IP address. Logoffs are also generated when the agent detects that the user logged into a host has changed, before the Active Directory server reports that the user has changed.

Limitation: real-time data retrieval
Description:
- The Active Directory server must be running Windows Server 2008 or Windows Server 2012.