Cisco Firepower Management Center 4000
35-10
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Understanding Discovery Data Collection
Understanding Application Detection
License: FireSIGHT
When the FireSIGHT System analyzes IP traffic, it attempts to identify the commonly used applications
on your network. Application awareness is crucial to performing application-based access control.
There are three types of applications that the system detects:
• application protocols such as HTTP and SSH, which represent communications between hosts
• clients such as web browsers and email clients, which represent software running on the host
• web applications such as MPEG video and Facebook, which represent the content or requested URL
for HTTP traffic
Table 35-1 User Awareness Limitations (continued)

Limitation: logoff detection
Description: The agent reports detected logoffs to Version 5.2+ Defense Centers.
Logoffs may not be immediately detected. The timestamp associated with a logoff reflects
when the agent detected the user was no longer mapped to the host IP address, which may not
correspond to the actual time the user logged off of the host.
Logoffs are generated by the agent itself when it detects a user logged out of a host IP address.
Logoffs are also generated when the agent detects that the user logged into a host has
changed, before the Active Directory server reports that the user has changed.

Limitation: real-time data retrieval
Description: The Active Directory server must be running Windows Server 2008 or Windows Server 2012.

Limitation: multiple logins to the same host by different users
Description: The system assumes that only one user is logged into any given host at a time, and that the
current user of a host is the last authoritative user login. If only non-authoritative logins have
been logged into the host, the last non-authoritative login is considered the current user. If
multiple users are logged in through remote sessions, the last user reported by the Active
Directory server is the user reported to the Defense Center.

Limitation: multiple logins to the same host by the same user
Description: The system records the first time that a user logs into a specific host and disregards
subsequent logins. If an individual user is the only person who logs into a specific host, the
only login that the system records is the original login.
If another user logs into that host, however, the system records the new login. Then, if the
original user logs in again, his or her new login is recorded.

Limitation: Unicode characters
Description: The user interface may not correctly display user names with Unicode characters.
The agent does not report user names with Unicode characters to Version 4.10.x Defense
Centers.

Limitation: LDAP user accounts in the users database
Description: If you remove or disable an LDAP user on your user awareness or RUA LDAP servers, or
exclude the user name from being reported to the Defense Center, the Defense Center does
not remove that user from the users database, and that user continues to count against your
licensed limit for users listed in the database. You must manually purge the user from the
database. For Version 5.x, note that the user license limit is applied in parallel for
access-controlled users; the user count for access-controlled users depends on the number of
users retrieved by your LDAP configuration.

Limitation: AOL Instant Messenger (AIM) login detection
Description: Managed devices can detect AIM logins using the OSCAR protocol only. While most AIM
clients use OSCAR, some use TOC2.
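The user-to-host mapping rules in the "logoff detection", "multiple logins to the same host by different users" and "multiple logins to the same host by the same user" rows above determine which user name ends up attached to a host IP in events and access control decisions. The following is an added illustrative model of those rules, written for this page; it is not FireSIGHT or Cisco code, and the host IP, user names and timestamps in demo() are constructed. It lets an analyst trace why a host shows a particular current user and why a logoff timestamp can trail the real logoff.

```python
"""Illustrative model of the Table 35-1 user-to-host mapping rules.

Constructed example for this page, not FireSIGHT code. Assumptions:
one mapping per host, 'authoritative' logins outrank non-authoritative
(remote-session) ones, and a logoff timestamp is the detection time.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Login:
    user: str
    authoritative: bool
    ts: int  # time the agent saw the login (constructed epoch seconds)


@dataclass
class Logoff:
    host: str
    user: str
    detected_ts: int  # when the agent noticed, not when the user really logged off


@dataclass
class HostUserMap:
    """One-user-per-host mapping following the rules in Table 35-1."""
    logins: Dict[str, List[Login]] = field(default_factory=dict)
    logoffs: List[Logoff] = field(default_factory=list)

    def current_user(self, host: str) -> Optional[str]:
        events = self.logins.get(host, [])
        if not events:
            return None
        # Last authoritative login wins; otherwise the last non-authoritative one.
        auth = [e for e in events if e.authoritative]
        return (auth[-1] if auth else events[-1]).user

    def record_login(self, host: str, user: str, authoritative: bool, ts: int) -> bool:
        """Return True if the login was recorded, False if disregarded."""
        events = self.logins.setdefault(host, [])
        # Repeat login by the same user as the most recently recorded login:
        # the first login stands and this one is disregarded.
        if events and events[-1].user == user:
            return False
        previous = self.current_user(host)
        events.append(Login(user, authoritative, ts))
        now = self.current_user(host)
        # Agent-generated logoff: the mapped user changed, reported before
        # the Active Directory server says anything about it.
        if previous is not None and now != previous:
            self.logoffs.append(Logoff(host, previous, ts))
        return True

    def record_logoff(self, host: str, user: str, detected_ts: int) -> bool:
        """Agent detected that `user` is no longer mapped to `host`."""
        if self.current_user(host) != user:
            return False
        self.logoffs.append(Logoff(host, user, detected_ts))
        self.logins[host] = []
        return True


def demo() -> dict:
    """Walk through a constructed login sequence on one host."""
    m = HostUserMap()
    host = "10.0.0.5"  # constructed host IP
    recorded = [
        m.record_login(host, "alice", True, 100),   # first login: recorded
        m.record_login(host, "alice", True, 160),   # repeat by same user: disregarded
    ]
    after_alice = m.current_user(host)              # "alice"
    recorded.append(m.record_login(host, "bob", False, 200))  # remote session
    after_bob = m.current_user(host)                # still "alice": last authoritative
    recorded.append(m.record_login(host, "alice", True, 260))  # recorded again
    recorded.append(m.record_login(host, "carol", True, 300))  # user changes -> logoff
    after_carol = m.current_user(host)              # "carol"
    m.record_logoff(host, "carol", 400)             # detection time, not real logoff time
    return {
        "recorded": recorded,
        "users": [after_alice, after_bob, after_carol, m.current_user(host)],
        "logoffs": [(lo.user, lo.detected_ts) for lo in m.logoffs],
    }


if __name__ == "__main__":
    print(demo())
```

Note that bob's remote session never becomes the host's current user while an authoritative login exists, which is the behaviour the "different users" row describes; the logoff for alice is emitted at carol's login time, before any directory-side confirmation.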