Cisco Firepower Management Center 2000
FireSIGHT System User Guide
 
Chapter 35      Introduction to Network Discovery
  Understanding Discovery Data Collection
If you plan to use Version 2.1 of the FireSIGHT System User Agent to send LDAP login and logoff data to your Version 5.x Defense Centers, you must configure a connection for each agent on each Defense Center where you want the agent to connect. That connection allows the agent to establish a secure connection with the Defense Center, over which it can send the user activity data.

If the agent is configured to exclude specific user names, user activity data for those user names is not reported to the Defense Center. These excluded user names remain in the database, but are not associated with IP addresses.

In addition, if you are planning to implement user access control, you must set up a connection to each Microsoft Active Directory server where you plan to collect data, with user awareness parameters configured.

The maximum number of users you can use in access control depends on your FireSIGHT license. When configuring the Defense Center-LDAP server connection, make sure the total number of users you include is less than your FireSIGHT user license. See for more information.
User Data Collection Limitations
License: FireSIGHT
The following table describes the limitations of user data collection.

Table 35-1 User Awareness Limitations

Limitation: user control
Description: To perform user control, your organization must use Microsoft Active Directory LDAP servers. The system obtains the users and groups you can use in access control rules from Active Directory, and also ties users to IP addresses with the logins and logoffs reported by User Agents installed on Active Directory servers.

Limitation: non-Kerberos logins for LDAP connections
Description: Managed devices interpret only Kerberos logins for LDAP connections as LDAP authentications. Managed devices cannot detect encrypted LDAP authentications if they use other protocols, such as SSL or TLS. User Agents, on the other hand, use the security logs on Active Directory servers to collect user login data and have no such limitations.

Limitation: login detection
Description: Version 2.1 of the User Agent reports user logins to hosts with IPv6 addresses to Defense Centers running Version 5.2+. The agent reports non-authoritative user logins and NetBIOS logins to Defense Centers running Version 5.0.1+. The agent reports authoritative logins from actual user names to Defense Centers running Version 4.10.x+.
If you want to detect logins to an Active Directory server, you must configure the Active Directory server connection with the server IP address. See the FireSIGHT System User Agent Configuration Guide for more information.
If multiple users are logged into a host using remote sessions, the agent may not detect logins from that host properly. See the FireSIGHT System User Agent Configuration Guide for more information on how to prevent this.