Cisco Firepower Management Center 4000
1-4
FireSIGHT User Agent Configuration Guide
Chapter 1 Introduction
Understanding User Agents
Understanding Legacy Agent Support
Version 1.0 (legacy) User Agents installed on Active Directory LDAP servers can continue to send user
login data from the Active Directory server to a single Defense Center. Deployment requirements and
detection capabilities of legacy agents are unchanged. You must install them on the Active Directory
server to connect to exactly one Defense Center. Note, however, that the User Agent Status Monitor
health module does not support legacy agents and should not be enabled on Defense Centers with legacy
agents connected. You should plan to upgrade your deployment to use Version 2.2 of the User Agent as
soon as possible, in preparation for future releases when support for legacy agents will be phased out.
Understanding Agents and Access Control in Version 5.x
License: Control
If your organization uses Microsoft Active Directory LDAP servers, Cisco recommends that you install
User Agents to monitor user activity via your Active Directory servers. If you want to perform user
control in Version 5.x, you must install and use User Agents; the agents associate users with IP
addresses, which in turn allows access control rules with user conditions to trigger. You can use one
agent to monitor user activity on up to five Active Directory servers.
To use an agent, you must configure a connection between each Defense Center connected to the agent
and the monitored LDAP servers. This connection not only allows you to retrieve metadata for the users
whose logins and logoffs were detected by User Agents, but also is used to specify the users and groups
you want to use in access control rules. For more information on configuring LDAP servers for user
discovery, see the FireSIGHT System User Guide.
Note
Legacy agents, which you install on your Microsoft Active Directory servers, also monitor users when
they authenticate against Active Directory credentials. However, you should plan to transition to Version
2.2 of the User Agent as soon as possible in preparation for end of support for legacy agents in future
releases.
Understanding the Users Database
License: FireSIGHT
The users database contains a record for each user detected by either managed devices or User Agents.
The total number of detected users the Defense Center can store depends on your FireSIGHT license.
After you reach the licensed limit, in most cases the system stops adding new users to the database. To
add new users, you must either manually delete old or inactive users from the database, or purge all users
from the database.
However, the system favors authoritative user logins. If you have reached the limit and the system detects
an authoritative user login for a previously undetected user, the system deletes the user who has remained
inactive for the longest time, and replaces it with the new user.
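The two behaviours described above, a licensed cap on stored users with eviction of the longest-inactive record only for authoritative logins, and the user-to-IP association that lets access control rules with user conditions match traffic, are modelled in the following added example. It is illustration code written for this guide, not Cisco's implementation: the event clock, the one-IP-per-user mapping, the tie-break on equal inactivity and the sample login events are all constructed assumptions.

```python
"""Model of a bounded users database with a license limit and eviction policy.

Added example (not Cisco code). It models only the behaviour the guide
describes: at the licensed limit the store stops adding detected users, but an
authoritative login for a new user evicts the record inactive for the longest
time. It also keeps the user-to-IP association that access control rules with
user conditions depend on. Timestamps, tie-breaking and IP handling are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class UserRecord:
    name: str
    last_seen: int          # constructed event clock; stands in for a login timestamp
    ip: Optional[str]       # most recent IP the user was seen on (assumption: one IP per user)


class UsersDatabase:
    """Bounded store of detected users keyed by user name."""

    def __init__(self, licensed_limit: int) -> None:
        self.limit = licensed_limit
        self.users: Dict[str, UserRecord] = {}
        self.ip_to_user: Dict[str, str] = {}

    def _map_ip(self, name: str, ip: Optional[str]) -> None:
        # An IP belongs to at most one current user; drop stale mappings for this user or IP first.
        if ip is None:
            return
        for addr, owner in list(self.ip_to_user.items()):
            if owner == name or addr == ip:
                del self.ip_to_user[addr]
        self.ip_to_user[ip] = name

    def _unmap_user(self, name: str) -> None:
        for addr, owner in list(self.ip_to_user.items()):
            if owner == name:
                del self.ip_to_user[addr]

    def record_login(self, name: str, ip: Optional[str], *, authoritative: bool, at: int) -> str:
        """Apply one detected login and report what the store did with it."""
        if name in self.users:
            rec = self.users[name]
            rec.last_seen = at
            rec.ip = ip
            self._map_ip(name, ip)
            return "updated"
        if len(self.users) < self.limit:
            self.users[name] = UserRecord(name, at, ip)
            self._map_ip(name, ip)
            return "added"
        if not authoritative:
            # Non-authoritative detection (e.g. by a managed device) at the licensed limit: not stored.
            return "dropped"
        # Authoritative login at the limit: evict the user inactive for the longest time.
        victim = min(self.users.values(), key=lambda r: (r.last_seen, r.name))
        self.delete_user(victim.name)
        self.users[name] = UserRecord(name, at, ip)
        self._map_ip(name, ip)
        return f"evicted:{victim.name}"

    def delete_user(self, name: str) -> None:
        """Manual deletion of an old or inactive user frees a licensed slot."""
        self.users.pop(name, None)
        self._unmap_user(name)

    def purge(self) -> None:
        """Purge all users from the database."""
        self.users.clear()
        self.ip_to_user.clear()

    def user_for_ip(self, ip: str) -> Optional[str]:
        return self.ip_to_user.get(ip)

    def user_condition_matches(self, ip: str, allowed_users: Set[str]) -> bool:
        """A user condition can only match traffic whose source IP maps to a stored user."""
        user = self.user_for_ip(ip)
        return user is not None and user in allowed_users


# Constructed login events: (event clock, user, IP, authoritative?)
CONSTRUCTED_EVENTS: List[Tuple[int, str, str, bool]] = [
    (1, "alice", "10.0.0.5", True),    # User Agent login
    (2, "bob",   "10.0.0.6", False),   # non-authoritative detection by a managed device
    (3, "carol", "10.0.0.7", True),
    (4, "dave",  "10.0.0.8", False),   # at the limit, non-authoritative: dropped
    (5, "bob",   "10.0.0.6", False),   # existing user: refreshes activity only
    (6, "erin",  "10.0.0.9", True),    # at the limit, authoritative: evicts longest-inactive (alice)
]


def run_constructed_scenario(limit: int = 3) -> Tuple[UsersDatabase, List[str]]:
    db = UsersDatabase(limit)
    outcomes = [db.record_login(n, ip, authoritative=a, at=t) for t, n, ip, a in CONSTRUCTED_EVENTS]
    return db, outcomes


if __name__ == "__main__":
    db, outcomes = run_constructed_scenario()
    for (t, name, _, _), out in zip(CONSTRUCTED_EVENTS, outcomes):
        print(f"t={t} {name:<6} -> {out}")
    print("10.0.0.5 ->", db.user_for_ip("10.0.0.5"))   # alice was evicted, so no user
```

The point worth noticing when running it is the fourth and sixth events: at the limit, a detection from a managed device is silently not stored, so traffic from 10.0.0.8 can never satisfy a user condition, while an authoritative login both gets stored and removes the stale IP association of the evicted user.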
You can view the contents of the users database with the Defense Center web interface. For information
on viewing, searching for, and deleting detected users, see the FireSIGHT System User Guide.