User Agent with Firepower / Unknown User

GRANT3779 · ‎07-24-2018

Hi New Look CSC,

I have the user agent installed and integrated with our FMC. It seems to be working to an extent where many AD Accounts and being matched to an IP when looking through connections, reports etc.. However, I do see a lot of "unknown" user also and just wondering what would cause this? Looking at the IP addresses associated with the unknown user, these are LAN addresses for my end users so I would have expected the AD username to have been matched to the address.

yogdhanu · ‎07-24-2018

Hello There,

The term unknown simply means firepower does not know the username associated with that IP address.

It can happen for multiple reasons but since the feature is working for most of other users, I would start the troubleshooting from user agent itself.

User agent is dependent on reading windows logon event 4624 to identify new domain logons and then create user-IP mapping to be forwarded to FMC.

>Login to machine which has user agent installed and then navigate to its installation directory.

>There will be an application called tools.exe.

>Run the app as admin and export current user-IP map from 4th tab.

If this mapping does not have the user-mapping for unknown users that you see on FMC, its likely that AD is not generating the logon events for those users and AD ecosystem needs to be checked.

If the mapping does have the user-IP mapping but the same does not show up on FMC, then the troubleshooting goes to FMC and can have multiple causes.

If the FMC is already on latest release, it could be that when FMC does LDAP query for those usersnames provided by user agent, it does not get sAMAccountName attribute and thus FMC does not recognize it as valid user.

If that doesn't solve the problem, then go ahead and open TAC case.

Rate if helps,

Yogesh