FireSIGHT URL Filtering using Sourcefire User Agent and LDAP AD

No lie, this one took me a while to figure out.  First, if you haven’t done so already, check out this article which clearly explains (with pictures!) how to accomplish this basic URL filtering without user awareness:

URL Filtering on a FireSIGHT System Configuration Example

If you only desire to filter based on something basic like networks, you’re all set. However, if you want to get more granular and start creating policies based on AD/LDAP group membership, this post is for you.  I’ll go ahead and assume you already have the FirePOWER modules or appliances installed somewhere in your network and they’re being managed by FireSIGHT.  Follow the steps below:

1. Configure LDAP User policy in FireSIGHT
2. Install and configure the Sourcefire User Agent on a system connected to the domain
3. Connect the User Agent to Active Directory
4. Connect the User Agent to FireSIGHT
5. Configure Access Policy rules

Topology is something like this:

firesight-sourcefire-user-agent

1. Configure LDAP User policy in FireSIGHT

Go to Policies > Users, and click on “Add LDAP Connection

firesight-url-ad-ldap

Fill out the required fields to create the connection to LDAP

Name – Just some name, can be anything you desire
Server Type – Choose MS Active Directory
Primary/Backup Servers – Active Directory servers
Base DN – The base DN for your domain (e.g. overlaid.net would be dc=overlaid,dc=net)
Username – This is the username you’ll use to connect to AD. I recommend creating a dedicated service account for this. You should type out the full LDAP path (e.g. cn=firesight,ou=users,dc=overlaid,dc=net)
Password – Password for the user
Encryption – Choose your method

firesight-url-ad-ldap

* I recommend leaving the base dn to your root (e.g. dc=overlaid, dc=com)

At this point, you should be able to Fetch DNs with success. If you can’t, you likely have an issue with your account or the LDAP parameters.

Notice I highlighted the box for User/Group Access Control Parameters. Check this box, as it will be required for using this user data in the Access Policies.

firesight-url-ad-ldap

You should be able to use the “Test” and “Fetch Groups” buttons with success. The “Test” button is very helpful when troubleshooting your bind to AD. Note, you can specify which groups to include for you policies. If none are selected, all will be included. Save.

Under Policies > Users, ensure that the LDAP connection is enabled:

firesight-url-ad-ldap

2. Install the Sourcefire User Agent on a system connected to the domain

You must install a User Agent, either on a Domain Controller, or just some system that is a part of the domain, with the sole purpose of gathering user data (login, logoff, etc). Since policies are performed based on IP addresses, this collected data will be used to track users in the network by gathering the IP from their login/logoff records. No agents need to be installed on workstations or Domain Controllers. You can essentially setup one or more dedicated virtual machines with the single purpose of running this user agent application.

I dedicated a virtual machine running Windows Server 2012 R2 that was a member of my domain.

Configure an AD account with appropriate permissions for User Agent operations

Follow this guide to grant the necessary AD permissions for the account to be used for the User Agent. Note, you can use the same service account used for the LDAP bind, or you can create another altogether for the user agent. I created another dedicated account.  Do not skip a step!

Grant Minimum Permission to an Active Directory User Account Used by the Sourcefire User Agent

Download the user agent from Cisco.com

firesight-url-ad-ldap

 

Install Microsoft SQL Compact 3.5 on the User Agent machine

Note, the Sourcefire User Agent guide mentions this little note:

firesight-url-ad-ldap

However, in my install I was not prompted to install Microsoft SQL Compact 3.5, and ended up getting errors when attempting to run the Sourcefire User Agent.  Since you’ll likely be installing on a 64-bit system, make sure to follow the steps outlined by Microsoft:

1. Download SSCERuntime-ENU and extract the contents to a folder of your choice.
2. Install SSCERuntime_x86-ENU then install SSCERuntime_x64-ENU

Now you’re ready to install SourceFire Active Directory User Agent.

Install and Configure the Sourcefire User Agent

When installation is complete, you should see an icon on the desktop. Double-click

firesight-url-ad-ldap

Give your agent a name and set the Logout frequency check to 5 minutes.

3. Connect the User Agent to Active Directory

Go to the Active Directory Servers tab. Click “Add” and fillout the necessary information to connect to AD. Make sure you check the box to Process real-time events.

firesight-url-ad-ldap

Once connected, as long as all the proper settings were applied to the Domain Controller per the link above, you should see the Polling Status and Real-time Status available.

firesight-url-ad-ldap

4. Connect the User Agent to FireSIGHT

In Firesight Management Center, go to Policies > Users and click “Add User Agent”. You should be presented with the box below. Enter the IP address and name of the User Agent, which should match what you named it in step 2.

firesight-url-ad-ldap

Back in the Sourcefire User Agent, click the Sourcefire DCs tab and enter the IP address of the FireSight Management Server. Click Add.

firesight-url-ad-ldap

You should see this in the “available” status. Phew!

firesight-url-ad-ldap

5. Configure Access Policy rules

Many helpful resources out there for basic Access Policies, such as the one linked at the beginning of this post.  The same logic applies, except now we can add specific users or AD groups. In Firesight, go to your Policies > Access Control and edit your policy. Add a rule. Now, you should be able to add an additional parameter, “Users” to the mix.  Choose the AD group that you want to use for the policy, choose the URLs and action you wish to be performed.  Save and Apply.

firesight-url-ad-ldap

As a test, I’ll block access to Cisco.com and the Travel category (shame on me).

firesight-url-ad-ldap

Now, try to go to Cisco.com

firesight-url-ad-ldap

 

Success!

Reporting

I went to Cisco.com and a few other Travel-related sites.  These were all blocked.  We can run a report for my username and see the sites that were blocked.  In FireSIGHT Management Center, go to Overview > Reporting and click on the first icon next to “User Report” to generate a report.

firesight-url-ad-ldap

A pop-up asks you to enter the username you wish to report on:

firesight-url-ad-ldap
Run the report and you can see which sites were blocked:

fs21

Resources

I highly recommend you refer to the Admin guides for both FireSIGHT and the User-agent

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401.pdf
http://www.cisco.com/c/dam/en/us/td/docs/security/firesight/user-agent/FireSIGHT-User-Agent-Configuration-Guide-v2-2.pdf

My colleague Steve has a nice post with a wealth of references to get you started if you’re just beginning on your journey with Sourcefire (now FireSIGHT and FirePOWER).

http://ccie-or-null.net/2015/07/27/where-to-start-with-cisco-sourcefire/

6 comments

  1. thank you again for this note, i follow step by step your documentation, and all running without any problem !! perfect !
    The tip about installation SCCE is very interesting else, i can’t running this Tools CISCO Agent….
    To follow !

  2. please I need your advise as I faced the following error :

    there was an error connecting to the server, check user name and password and permission.

    also be noted that all of the above concerns already covered on our DC

  3. This is perfect !
    I have a trouble when the user change de session on Windows without logout.
    The access permit continuim with the other login..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s