FireSIGHT System User Guide
Chapter 35      Introduction to Network Discovery
Understanding Discovery Data Collection
The total number of detected users the Defense Center can store depends on your RNA or FireSIGHT 
license. After you reach the licensed user limit, in most cases the system stops adding new users to the 
database. To add new users, you must either manually delete old or inactive users from the database, or 
purge all users from the database. 
Note: Version 1.0 (legacy) Cisco Agents installed on Active Directory LDAP servers can continue to send user 
login data from the Active Directory server to a single Defense Center. Deployment requirements and 
detection capabilities of legacy agents are unchanged. You must install them on the Active Directory 
server to connect to exactly one Defense Center. Note, however, that the User Agent Status Monitor 
health module does not support legacy agents and should not be enabled on Defense Centers with legacy 
agents connected. You should plan to upgrade your deployment to use Version 2.1 of the User Agent as 
soon as possible, in preparation for future releases when support for legacy agents will be phased out.
Defense Center-LDAP Server Connections
License: FireSIGHT
The Defense Center-LDAP server connection allows you to retrieve metadata for certain detected users. 
You can retrieve metadata for LDAP users, whether their logins were detected by managed devices or by 
a User Agent; you can also retrieve metadata for POP3 and IMAP users if those users have the same 
email address as an LDAP user. 
If your organization uses Microsoft Active Directory servers, the connection also allows you to specify 
the LDAP users and groups you want to use in access control rules. If you want to perform user control, 
you must configure a connection between the Defense Center and an Active Directory server. If your 
organization does not use Active Directory, you can still detect user logins using managed devices, and 
you can still obtain metadata for some of those users from an Oracle or OpenLDAP server. However, you 
cannot perform user control based on those users or their activity.
From the LDAP server, the Defense Center obtains the following information and metadata about each 
user:
  • LDAP user name
  • first and last names
  • email address
  • department
  • telephone number
Users Database
License: FireSIGHT
The users database contains a record for each user detected by either managed devices or User Agents. 
The total number of detected users the Defense Center can store depends on your RNA or FireSIGHT 
license. After you reach the licensed limit, in most cases the system stops adding new users to the 
database. To add new users, you must either manually delete old or inactive users from the database, or 
purge all users from the database.
However, the system favors authoritative user logins. If you have reached the limit and the system detects 
an authoritative user login for a previously undetected user, the system deletes the non-authoritative user 
who has remained inactive for the longest time, and replaces it with the new user.
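The following is an added example, not Cisco's code, that models the licensed-limit behaviour described in the Users Database section above (and the identical paragraph earlier on this page): new users are refused once the limit is reached, an authoritative login for a new user replaces the longest-idle non-authoritative user, and manual deletion or purging frees room. The limit value, the tick-based activity clock, and the choice to store nothing when no non-authoritative user is left to evict are assumptions.

```python
from dataclasses import dataclass

@dataclass
class DetectedUser:
    name: str
    authoritative: bool   # whether the login that created the record was authoritative
    last_seen: int        # activity tick; larger means more recent

class UsersDatabase:
    """Hypothetical model of the licensed-user-limit behaviour, not Cisco code."""

    def __init__(self, licensed_limit: int):
        self.licensed_limit = licensed_limit
        self.users: dict[str, DetectedUser] = {}

    def record_login(self, name: str, authoritative: bool, now: int) -> str:
        # Existing user: refresh activity; an authoritative login upgrades the record.
        if name in self.users:
            user = self.users[name]
            user.last_seen = now
            user.authoritative = user.authoritative or authoritative
            return "updated"
        if len(self.users) < self.licensed_limit:
            self.users[name] = DetectedUser(name, authoritative, now)
            return "added"
        # At the licensed limit: a non-authoritative login for a new user is not stored.
        if not authoritative:
            return "dropped"
        # Authoritative login: evict the non-authoritative user idle the longest.
        evictable = [u for u in self.users.values() if not u.authoritative]
        if not evictable:
            return "dropped"  # assumption: nothing to evict, so the new user is not stored
        victim = min(evictable, key=lambda u: u.last_seen)
        del self.users[victim.name]
        self.users[name] = DetectedUser(name, authoritative, now)
        return f"replaced {victim.name}"

    def delete_inactive(self, idle_since: int) -> list[str]:
        """Manual cleanup: remove users not seen since the given tick."""
        stale = [n for n, u in self.users.items() if u.last_seen < idle_since]
        for n in stale:
            del self.users[n]
        return stale

    def purge(self) -> int:
        """Remove every user record, freeing the whole licensed allotment."""
        count = len(self.users)
        self.users.clear()
        return count
```

Running a sequence of logins through a database with a limit of two shows which detections are silently lost once the limit is hit, which is worth knowing when user-based access control rules depend on those records.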