Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 35: Introduction to Network Discovery
Understanding Discovery Data Collection
Understanding Application Detection
License: FireSIGHT
When the FireSIGHT System analyzes IP traffic, it attempts to identify the commonly used applications 
on your network. Application awareness is crucial to performing application-based access control.
There are three types of applications that the system detects:
  • application protocols such as HTTP and SSH, which represent communications between hosts
  • clients such as web browsers and email clients, which represent software running on the host
  • web applications such as MPEG video and Facebook, which represent the content or requested URL for HTTP traffic
Table 35-1 User Awareness Limitations (continued)

Limitation: logoff detection
Description: The agent reports detected logoffs to Version 5.2+ Defense Centers. Logoffs may not be immediately detected. The timestamp associated with a logoff reflects when the agent detected the user was no longer mapped to the host IP address, which may not correspond to the actual time the user logged off of the host. Logoffs are generated by the agent itself when it detects a user logged out of a host IP address. Logoffs are also generated when the agent detects that the user logged into a host has changed, before the Active Directory server reports that the user has changed.

Limitation: real-time data retrieval
Description: The Active Directory server must be running Windows Server 2008 or Windows Server 2012.

Limitation: multiple logins to the same host by different users
Description: The system assumes that only one user is logged into any given host at a time, and that the current user of a host is the last authoritative user login. If only non-authoritative logins have been logged into the host, the last non-authoritative login is considered the current user. If multiple users are logged in through remote sessions, the last user reported by the Active Directory server is the user reported to the Defense Center.

Limitation: multiple logins to the same host by the same user
Description: The system records the first time that a user logs into a specific host and disregards subsequent logins. If an individual user is the only person who logs into a specific host, the only login that the system records is the original login. If another user logs into that host, however, the system records the new login. Then, if the original user logs in again, his or her new login is recorded.

Limitation: Unicode characters
Description: The user interface may not correctly display user names with Unicode characters. The agent does not report user names with Unicode characters to Version 4.10.x Defense Centers.

Limitation: LDAP user accounts in the users database
Description: If you remove or disable an LDAP user on your user awareness or RUA LDAP servers, or exclude the user name from being reported to the Defense Center, the Defense Center does not remove that user from the users database, and that user continues to count against your licensed limit for users listed in the database. You must manually purge the user from the database. For Version 5.x, note that the user license limit is applied in parallel for access-controlled users; the user count for access-controlled users depends on the number of users retrieved by your LDAP configuration.

Limitation: AOL Instant Messenger (AIM) login detection
Description: Managed devices can detect AIM logins using the OSCAR protocol only. While most AIM clients use OSCAR, some use TOC2.
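
The two "multiple logins to the same host" rules in Table 35-1, modelled as an added Python example for analysts who build timelines from recorded logins. It is not Cisco code and not part of the guide. The event tuples, the names used, and the reading that a login is disregarded only when the same user was the last one recorded on that host are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class HostState:
    last_recorded_user: Optional[str] = None   # user of the last login that was kept
    last_authoritative: Optional[str] = None
    last_non_authoritative: Optional[str] = None
    recorded: List[Tuple[str, str]] = field(default_factory=list)

def replay(events):
    """Replay (time, host_ip, user, authoritative) tuples, oldest first."""
    hosts = {}
    for ts, ip, user, authoritative in events:
        st = hosts.setdefault(ip, HostState())
        # Assumption: a repeat login is disregarded only while the same user
        # was the last one recorded on this host; a different user in between
        # makes the original user's next login recordable again.
        if user != st.last_recorded_user:
            st.recorded.append((ts, user))
            st.last_recorded_user = user
        if authoritative:
            st.last_authoritative = user
        else:
            st.last_non_authoritative = user
    return hosts

def current_user(st):
    """Last authoritative login wins; otherwise the last non-authoritative one."""
    return st.last_authoritative or st.last_non_authoritative

# Constructed sample events (not taken from a real deployment).
EVENTS = [
    ("08:00", "10.0.0.9", "dave", False),
    ("08:45", "10.0.0.9", "erin", False),
    ("09:00", "10.0.0.5", "alice", True),
    ("09:30", "10.0.0.5", "alice", True),   # same user again: disregarded
    ("10:00", "10.0.0.5", "bob", True),
    ("11:00", "10.0.0.5", "alice", True),   # recorded, because bob came between
    ("11:30", "10.0.0.5", "carol", False),  # does not displace the current user
]

if __name__ == "__main__":
    for ip, st in replay(EVENTS).items():
        print(ip, "recorded:", st.recorded, "current:", current_user(st))
```

In this model alice's 09:30 login leaves no record, so the absence of a login entry for a user is not evidence that the user was away from the host.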