SourceFire

Hello

I joined the Sourcefire module to our AD and am able to read the details of the AD, but whenever we create a rule in the access policy based on the user name in the AD, the policy does not apply, although it works with the source IP address.

Whenever a user logs in to the system as a domain user, that user information should be received by Sourcefire from the Sourcefire agent, but when we check Analysis -> Users -> Sourcefire user activity, no entry is displayed.

Kindly help us solve the problem.

Thank you and best regards,

Ashok

I had similar problems until recently. The first part of the problem is that the domain controllers should be configured to log logon/logoff events. This is done through advanced audit policies, and I set mine through a GPO that I applied to all the domain controllers. The second problem I had seemed to be with the agent. I updated my agent to 2.3, dumped all the original configurations and re-added my domain controllers. It seemed to work only when I used the FULL domain name of the domain controller, or localhost for the domain controller the agent was installed on. I used a domain admin service account for the polling.

Finished last week and have been watching. I notice in FireSIGHT that my DCs are now showing a last-reported time and my list of user events has increased strongly.
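
The two checks this answer points to (that the audit GPO actually applied on a domain controller, and that logon events carrying a source IP are being written), as an added example that is not part of the original thread. It assumes an English-language Windows Server, an elevated session, and that the agent relies on the standard Security-log logon/logoff events (IDs 4624/4634); the function names are hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on each domain controller.
# Assumption: the agent depends on Security-log logon/logoff events (IDs 4624/4634).
function Test-LogonAuditPolicy {
    # auditpol /r emits CSV; the "Inclusion Setting" column holds
    # "Success", "Failure", "Success and Failure" or "No Auditing".
    $rows = auditpol /get /category:"Logon/Logoff" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($name in 'Logon', 'Logoff') {
        $row = $rows | Where-Object { $_.Subcategory -eq $name }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $row.'Inclusion Setting'
            SuccessOn   = [bool]($row.'Inclusion Setting' -match 'Success')
        }
    }
}

function Get-RecentLogon {
    param([int]$Minutes = 60, [int]$Max = 20)
    $filter = @{ LogName = 'Security'; Id = 4624
                 StartTime = (Get-Date).AddMinutes(-$Minutes) }
    # A user-to-IP mapping needs a real source address, so local logons are dropped.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_; $d = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data |
                ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                User      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                LogonType = $d.LogonType
                SourceIp  = $d.IpAddress
            }
        } |
        Where-Object { $_.SourceIp -and $_.SourceIp -notin '-', '::1', '127.0.0.1' }
}

$policy = Test-LogonAuditPolicy
$policy | Format-Table -AutoSize
if ($policy.SuccessOn -contains $false) {
    Write-Warning 'Success auditing is off for Logon or Logoff; the GPO has not applied to this DC.'
}
$logons = @(Get-RecentLogon)
$logons | Format-Table -AutoSize
if (-not $logons) { Write-Warning 'No logon events with a source IP in the last hour.' }
```

If the policy rows show Success but no events with a source IP appear, the gap is on the domain controller side rather than in the agent configuration.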

Tags: Cisco Security

Similar Questions

  • Failure to download sourcefire intelligence feed

    I have a Cisco FireSIGHT device that gets the following error:

    Received Soucefire_Intelligence_Feed code (impossible to download the file)

    Since updating the system to 5.4.1.8

    I went through all the troubleshooting steps described in this document

    http://www.Cisco.com/c/en/us/support/docs/security/firesight-management-...

    and everything seems in good condition. No problem to set intelligence.sourcefire.com or do a curl command, etc.

    Firewall is open to this host (nothing has changed it)

    Does anyone else have this problem? What is going on?

    I had this problem as well. I opened a TAC case with Cisco and they said it's a new bug (CSCvb70107). That was Wednesday, October 12, 2016. Today I received a power update without making any changes on my system.

    Problem with hosting power of security intelligence.

  • Upgrade to version 6.0 SourceFire Module questions

    We have just implemented SourceFire Module version 5.4.1 on our ASA recently, but want to upgrade to version 6.0. I've been through the version 6.0 release notes for the upgrade, which are dated November 2015, but had a few questions that I was hoping someone here could answer:

    - Our FireSIGHT Management Center is a 64-bit virtual appliance. Can we install version 6.0 on a VMware virtual appliance running on ESXi 6.0? The notes only list ESXi 5.1 and ESXi 5.5.

    - Which files should I use for the update? The Release Notes say to use "SourceFire_3d_Defense_Center_S3_upgrade-6.0.0-1005.sh". My choices on Cisco's Support site are: asasfr-sys-6.0.0-1005.pkg, asasfr-5500x-boot-6.0.0-1005.img and Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh. I guess the asasfr-sys-6.0.0-1005.pkg is for the FMC, and the Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh is for the ASAs. Is that right?

    - How long will the update take for the FMC and ASAs? The ASA is a 5516-X and the release notes look like they say that the update will take about 41 minutes.

    ESXi 6.0 is not officially supported, so your experience may vary. If you get stuck, TAC may tell you that you're on your own.

    "Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh" is used to upgrade the ASA FirePOWER module in the Firepower manager.

    If you were doing a fresh build or reimage, then you would use the boot and sys images respectively.

    41 minutes for the FMC is right. As Philip mentioned, 2 hours is a better estimate for the ASA module, especially on a smaller platform such as the 5516-X.

  • Sourcefire learning resources

    Looking for a good book (or several books also) on Sourcefire / ASA with firepower, any recommendations?

    Are there certifications for Sourcefire? I haven't seen any on the Cisco learning site.

    Thank you

    No books that I know of, but the config guide is decent. I took the in-class training and it is very good as well. There are some free resources on the partner community also.

  • Configuration and installation of SourceFire ASA

    Hello team,

    Recently we installed the ASA-based SourceFire software, but it is not in production; we now intend to put SourceFire on the ASA into production for traffic management and URL filtering. Right now, we have the FireSIGHT management system installed and the SFR image uploaded to the ASA. The ASA will handle traffic at the Internet entry/exit point of our network. I have some doubts as follows:

    (1) On the ASA I see the sfr module is in place, but if I console into the sfr module, will this affect my normal Internet traffic while I'm in the sfr console?

    (2) Are there basic configuration templates for URL filtering to make the job easier?

    (3) What is the checklist to cross-check before putting the inline sfr module into production?

    Thanks in advance for your help.

    Thank you - Jadesh

    You redirect traffic to the FirePOWER module using the modular policy framework, with something like this:

     policy-map global_policy
      class class-default
       sfr fail-open
     service-policy global_policy global

    Generally, what you do on the console of the sfr module does not affect the parent ASA. Until you have the policy to redirect traffic, nothing will pass through or be affected by the sfr module. As long as you have 'fail-open', the sfr module going down or being reset does not affect production ASA traffic.

    Of course, once you run traffic through it and start applying policy, you have the option to block or otherwise affect this traffic.

    Beyond the user and admin guides, you can take a look at the Lab Minutes series that was done recently. They do a good job of walking you through basic tasks.

  • Sourcefire upgrade question

    I am after a few tips here.

    I have two Sourcefire management centres (MC2000 devices) running 5.4.1.7 as an HA pair. They would have been on version 6 but 6 did not support HA.

    Now 6.1 has been released, and it supports HA for management centres.

    However, the upgrade path from 5.4.1.7 is...

    Version 5.4.1.x > Version 6.0 Pre-Installation Package > Version 6.0 > Version 6.0.1.x > Version 6.1
    or
    Version 5.4.1.x > Version 6.0 Pre-Installation Package > Version 6.0 > Version 6.0.1. > Version 6.1 Pre-Installation Package > Version 6.1

    So does this mean that I must break the HA pair, upgrade the devices and then re-form the pair? Or would you break the HA pair, upgrade one appliance, reimage the second appliance and then join the pair? Finally, there is an option to reimage the device and restore the database to the new box. I'm trying to find the best method to do this.

    Giles

    Your first method will work.

    There is an ISO image "Sourcefire_Defense_Center_S3-6.1.0-330-Restore.iso" at https://software.cisco.com/download/release.html?mdfid=286290710&flowid=...

    Unfortunately, you cannot restore a backup from a prior version to the latest version.

  • License key of Sourcefire for test

    Hello

    Is it possible for partners to request a trial license for Sourcefire products?

    I just downloaded Sourcefire for VM on Cisco software, but do not know how to apply for a license. Just after the cisco.com/go/license

    Thank you.

    Hello

    Please contact your CEC contact to generate the demo/eval license.

    V.Dhanasekaran (DD)

    SourceFire business analyst

  • How to add a new SourceFire to the Defense Center

    Hello world

    Recently, we got a new Sourcefire and need to know how to add it to the Defense Center.

    I'm new to the Sourcefire environment.

    Regards

    Mahesh

    Mahesh,

    Maybe it's not a matter of license, but my team and I will address your issue. I'll get back to you by the end of the day today.

    Thank you
    Merv Reyes

  • Sourcefire Intellegence Feed (impossible to download the file)

    Hello team,

    We want to know what this error is: 'code received Sourcefire_Intellegence_Feed (impossible to download the file)'.

    Hi John,

    This error indicates that, for some reason, the management center is not able to reach the Sourcefire intelligence cloud (intelligence.sourcefire.com on port 443) to download the latest feeds.

    Check if the port and the connection are allowed.

    Mark and rate if it can help.

    Thank you

    Ankita

  • Sourcefire 3D appliance S3 upgrade 5.3.0.8 to 5.4.0.

    Hello! I am trying to update to the newer version on my sensor.

    As a first step, I tried to update through the system updates, but I see "no new updates available".

    OK! I downloaded the Sourcefire 3D appliance S3 upgrade (version 5.4.0-763) and published it to the update Center.

    After this I tried to install the update ([7%] running script 000_start/111_FS_integrity_check.sh...). After that, I got an error.

    My sensor version is 5.3.0.8; maybe I have to install another version (not 5.4.0)? Thank you!

    Hello team,

    The upgrade looks like it failed with the FS integrity check error. It will be the same error even if you install 5.4.0 without solving the problem.

    Could you please try running the following command and then restart the upgrade.

    Log in to the CLI of the device that is having the upgrade problem.

    Elevate to the root user and run the following command:

    touch .skip_fsic

    Rate if this is useful.

    Regards
    Jetsy

  • Sourcefire DC1000 support?

    Does Cisco continue to support DC devices, or do customers who already have Defense Center devices need to trash them and purchase FMC devices?

    Also, is the 8130 3 the same as the Cisco FirePOWER 8130? Just different naming?

    For most Cisco products, we usually see an EoL document that lists all the EoL and EoS information and what the upgrade path is.

    For the Sourcefire 3500 3, I found the EoL and EoS information, but no upgrade path. What do we go to?

    Thank you

    Defense Center devices continue to be supported until they have individual EoS / EoL announcements - like all other Cisco products. Only the name of the product has changed.

    That said, the DC750 and the DC1000 may have slipped through the cracks. There was an EoS for the DC1500 and DC3500, and the other two products (750 and 1000) no longer appear in the Cisco ordering system. (Although you can always order a new service contract.)

    I believe that software version 5.4.1.1 is available for the older Defense Centers.

    The 8130 3 is just a rebranding. It's the same product running the same software.

    The upgrade for the Sourcefire 3500 3 would be along the lines of a Cisco FirePOWER 3 7125 or AMP 7150 (based on the throughput and the general interface numbers). However, your environment should be assessed more closely to make an appropriate recommendation. We would take into account the required interfaces (current and projected), features used, etc.

  • How do I apply a sourcefire 12MPx inline deployment but have it monitor only (not take action)?

    How do I apply a sourcefire 12MPx inline deployment but have it monitor only (not take action)?

    Hello

    Under the Advanced tab of your defined inline, select tap mode.

    Your inline sensor then behaves as a passive sensor and does not drop packets.

    Paul

  • SourceFire IPS updates

    We are deploying new firewalls with IPS SFP modules in them that will be managed by a SourceFire Security Center appliance (1500 series).

    I know with the old IPS systems, modules would get their signature updates directly. Now do they get their software and signature updates from the management server? (This would make things a lot easier.)

    Hello Colin

    Yes, your FireSIGHT Management Center gets all the updates; rules and intrusion policies get updated and redeployed to your sensors.

    HTH

    Paul

  • Sourcefire Defense Center with the new Cisco FirePOWER 7115

    Hi all

    I have a client who has a DC3500 with 18 Sourcefire NGIPS registered on it.

    This customer needs to add an additional 7115 NGIPS to the existing DC3500.

    My question is: will registering the new 7115 to the DC3500 work or not?

    Best regards, Mohamed Amin

    Of course - as long as you have the licenses to apply to the new sensor. The DC 3500 (now called FireSIGHT 3500) is rated for up to 150 managed sensors (devices) and 300,000 hosts/users.

  • Sourcefire module network connectivity

    I'm having a problem with my Sourcefire module's network connectivity. Whatever IP address or default gateway I use in the initial setup, I can't get it to connect to the network. It is part of a 5506-X. Is there a setting on the ASA I should be looking at?

    Hey there,

    What is your configuration?
    Are the management interface and at least one inside interface connected to the same VLAN?

    Generally a good guide to start SFR configuration: http://www.petenetlive.com/KB/Article/0001107

    See you soon,

    Linus

  • Sourcefire 6.0 / FireSIGHT MC 6.0 - users do not populate

    Edit: moved to Sourcefire category.

    ---

    Hi all

    I was wondering if someone can lead me in the right direction here. I have a customer running Sourcefire 6.0 with the FireSIGHT MC and am having a problem with the IP address to user mapping. Under Analysis > Users > Users I do not have any records. I went to the realm configuration under Integration, which tests OK, and configured the user download, which pulls down groups, so I know that the link to the realm is there. The tasks show a successful LDAP synchronization with 2 groups and 293 users. The identity policy has been set up with passive authentication, and the Active Directory User Agent is installed on the system and successfully tested. I noticed the following in the locally stored syslogs (host name and user changed) and I wonder if it has something to do with it?

    2 February 2016 12:31:36 SF - IMS HOSTNAME [30127]: [30170] SFDataCorrelator:UserIdentity [WARN] could not find the Kingdom for the user user1, area XX
    2 February 2016 12:31:35 SF - IMS HOSTNAME [30127]: [30172] SFDataCorrelator:UserIdentity [WARN] could not find the realm for user user2, area XX

    Any other information needed let me know.

    Thank you

    Keith


    Hello

    Check this: https://tools.cisco.com/bugsearch/bug/CSCux39125/?reffering_site=dumpcr

    To get the users properly associated with their IP addresses, the solution is to change the 'AD Primary Domain' field in the realm configuration to the short name of the domain. This name is visible in the message in the logs.

    After you change this field, save the realm configuration and ensure that the user download continues to work as expected.

    Kind regards

    Aastha Bhardwaj

    Rate if this is useful!
