Cisco FirePOWER Appliance 7020
52-10
FireSIGHT System User Guide
Chapter 52 Licensing the FireSIGHT System
Understanding Licensing
To help you track your host license use, the FireSIGHT Host License Limit health module warns you if
you have fewer than a configurable number of host licenses left.
Understanding the FireSIGHT User Limit
License:
FireSIGHT
The FireSIGHT license on your Defense Center determines how many individual users you can monitor.
When the system detects activity from a new user, that user is added to the Users database. You can detect
users in the following ways:
• You can use the network discovery policy to configure managed devices to passively detect logins
for LDAP, AIM, POP3, IMAP, Oracle, SIP (VoIP), and SMTP users.
• You can install User Agents on your Microsoft Active Directory LDAP servers to detect
authentications against Active Directory credentials.
After you reach the licensed limit, in most cases the system stops adding new users to the database. To
add new users, you must either manually delete users from the database, or purge all users from the
database.
However, the system favors authoritative user logins. If you have reached the licensed limit and the
system detects an authoritative user login for a previously undetected user, the system deletes the
non-authoritative user who has remained inactive for the longest time, and replaces it with the new user.
Tip
Note that if you are using managed devices to detect user activity, you can restrict user logging by
protocol to help minimize username clutter and preserve FireSIGHT user licenses. For example,
monitoring users discovered via AIM, POP3, and IMAP may add users not relevant to your organization
due to network access from contractors, visitors, and other guests. For more information, see
.
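The admission rules above (licensed user limit, authoritative logins replacing the longest-inactive non-authoritative user, manual delete or purge, and the Tip's per-protocol restriction on passively detected logins) can be seen end to end in the following model. This is an added example, not Cisco code and not the FireSIGHT implementation: the class names, the `"user-agent"` source label, the integer clock, and the login events are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed source label for logins reported by a User Agent on Active Directory.
# These are the "authoritative" logins the guide says are favored at the limit.
USER_AGENT = "user-agent"


@dataclass
class UserRecord:
    username: str
    authoritative: bool  # True once the user has been seen via a User Agent login
    last_seen: int       # constructed monotonic clock; larger means more recent


class UserDatabase:
    """Toy model (not Cisco code) of how the Users database admits logins
    under a FireSIGHT user license limit, following the rules in the guide."""

    def __init__(self, license_limit: int, monitored_protocols: Set[str]):
        self.limit = license_limit
        # Protocols managed devices are allowed to log passively (the Tip's
        # per-protocol restriction). User Agent logins bypass this filter.
        self.monitored_protocols = set(monitored_protocols)
        self.users: Dict[str, UserRecord] = {}

    def record_login(self, username: str, source: str, now: int) -> str:
        authoritative = source == USER_AGENT
        if not authoritative and source not in self.monitored_protocols:
            return "ignored"  # protocol not logged, so no license is consumed

        existing = self.users.get(username)
        if existing is not None:
            existing.last_seen = now
            existing.authoritative = existing.authoritative or authoritative
            return "updated"

        if len(self.users) < self.limit:
            self.users[username] = UserRecord(username, authoritative, now)
            return "added"

        # At the licensed limit: a non-authoritative login is not added.
        if not authoritative:
            return "dropped"

        # Authoritative login for a new user: evict the non-authoritative user
        # that has been inactive longest, if any remain.
        evictable = [u for u in self.users.values() if not u.authoritative]
        if not evictable:
            return "dropped"
        victim = min(evictable, key=lambda u: u.last_seen)
        del self.users[victim.username]
        self.users[username] = UserRecord(username, True, now)
        return f"replaced:{victim.username}"

    def delete_user(self, username: str) -> bool:
        """Manual deletion, which frees one license."""
        return self.users.pop(username, None) is not None

    def purge(self) -> int:
        """Purge all users; returns how many were removed."""
        count = len(self.users)
        self.users.clear()
        return count

    def licenses_remaining(self) -> int:
        return self.limit - len(self.users)


# Constructed login stream: a 2-user license, with only LDAP and POP3 logged
# passively, so the AIM login is ignored rather than consuming a license.
DEMO_LOGINS = [
    ("alice", "pop3", 1),
    ("bob", "ldap", 2),
    ("carol", "pop3", 3),       # at limit, non-authoritative: dropped
    ("dave", "aim", 4),         # AIM not monitored: ignored
    ("alice", "pop3", 5),       # existing user: activity refreshed
    ("erin", USER_AGENT, 6),    # authoritative: replaces bob (idle since 2)
    ("frank", USER_AGENT, 7),   # authoritative: replaces alice (idle since 5)
    ("grace", USER_AGENT, 8),   # no non-authoritative user left: dropped
]


def run_demo() -> List[str]:
    db = UserDatabase(license_limit=2, monitored_protocols={"ldap", "pop3"})
    return [db.record_login(user, source, t) for user, source, t in DEMO_LOGINS]


if __name__ == "__main__":
    for (user, source, _), result in zip(DEMO_LOGINS, run_demo()):
        print(f"{user:6} via {source:10} -> {result}")
```

The model makes the operational consequence of the Tip concrete: every passively logged protocol is a path by which guest or contractor activity can consume a user license, and once the limit is reached only User Agent logins can displace those entries.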
Understanding the Access-Controlled User Limit
License:
Control
Supported Devices:
Series 3, Virtual, X-Series, ASA FirePOWER
The FireSIGHT license on your Defense Center determines not only how many individual users you can
monitor, but also how many users you can use in access control rules to perform user control. These users
are called access-controlled users.
Note
To perform user control, your organization must use Microsoft Active Directory. The system uses User
Agents running on Active Directory servers to associate access-controlled users with IP addresses,
which is what allows access control rules to trigger.
You specify the groups that access-controlled users must belong to by configuring a connection (called
a user awareness authentication object) between the Defense Center and an Active Directory server.
Then, on a regular basis, the Defense Center queries the server and retrieves a list of the users in the
groups you specified in the authentication object. You can then use these users to perform access control.