Sunday, February 7, 2021

PxGrid Part # 3 - Troubleshooting FMC-ISE Identity Sync

  • From the FMC CLI, verify the ISE integration status using the following command:

root@vFPMC:/etc/rc.d# cat /var/sf/run/adi-health
$status = {
     'ADI' => 'UP',
     'Realm5(AD)_TESTLAB.COM' => 'UP',
     'Realm5(AD)_ldap://192.168.7.100:389' => 'UP',
     'Realm5(AD)_ldap://192.168.7.99:389' => 'UP',
     'Realm5(AD)_ldap://172.16.21.100:389' => 'UP',
     'Realm5(AD)_ldap://172.16.21.99:389' => 'UP',
     'Realm7(AD)_TESTLAB.LOCAL' => 'DOWN', *** ignore this
     'Realm7(AD)_ldap://192.168.7.16:389' => 'DOWN',
     'Realm7(AD)_ldap://172.16.21.15:389' => 'DOWN',

     'ISE Services' => 'UP',
     'ISE Identity' => 'UP',
     'ISE Attributes' => 'UP',
     'ISE Remediation' => 'UP',
     'ISE SXP' => 'DISABLED',

     'ISEConnection' => 'UP',
     'Session Directory Subscription' => 'UP',
     'Session Directory Bulkdownload' => 'UP',

     'Endpoint MetaData Subscription' => 'UP',
     'Endpoint MetaData Bulkdownload' => 'UP',

     'SGT MetaData Subscription' => 'UP',
     'SGT MetaData Bulkdownload' => 'UP',

     'Endpoint Protection Service Capability' => 'UP',
     'Adaptive Network Control Capability' => 'UP',

     'SXP Subscription' => 'UNKNOWN',
     'SXP Bulkdownload' => 'UNKNOWN',
};

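To make that status file quick to check (for example across several FMCs), here is an added example, my own Python and not part of the original post or any Cisco tool, that parses the Perl hash above and buckets every component that is not UP. The DOWN Realm7 entries are the ones the post says to ignore, which is what the ignore_prefixes parameter is for; treating the UNKNOWN SXP Subscription/Bulkdownload states as expected while 'ISE SXP' is DISABLED is my assumption, not something the post states. The embedded sample is constructed from the output above.

```python
"""Parse FMC's /var/sf/run/adi-health and separate real problems from expected non-UP states."""
import re

# Constructed sample modelled on the adi-health output above; not copied from a live FMC.
SAMPLE_ADI_HEALTH = """$status = {
     'ADI' => 'UP',
     'Realm5(AD)_TESTLAB.COM' => 'UP',
     'Realm5(AD)_ldap://192.168.7.100:389' => 'UP',
     'Realm7(AD)_TESTLAB.LOCAL' => 'DOWN',
     'Realm7(AD)_ldap://192.168.7.16:389' => 'DOWN',
     'ISE Services' => 'UP',
     'ISE Identity' => 'UP',
     'ISE Attributes' => 'UP',
     'ISE Remediation' => 'UP',
     'ISE SXP' => 'DISABLED',
     'ISEConnection' => 'UP',
     'Session Directory Subscription' => 'UP',
     'Session Directory Bulkdownload' => 'UP',
     'SXP Subscription' => 'UNKNOWN',
     'SXP Bulkdownload' => 'UNKNOWN',
};
"""

# One hash entry per line:  'name' => 'STATE',
ENTRY_RE = re.compile(r"'(?P<name>[^']+)'\s*=>\s*'(?P<state>[^']+)'")

# Components that only matter for SXP; assumed (my reading, not the post's) to show UNKNOWN
# while 'ISE SXP' is DISABLED.
SXP_DEPENDENT = ("SXP Subscription", "SXP Bulkdownload")


def parse_adi_health(text):
    """Return {component: state} in file order from the Perl hash dump."""
    return {m.group("name"): m.group("state") for m in ENTRY_RE.finditer(text)}


def classify(status, ignore_prefixes=()):
    """Bucket every non-UP component.

    down       -> DOWN components not covered by ignore_prefixes
    ignored    -> DOWN components the operator chose to ignore (e.g. a decommissioned realm)
    expected   -> non-UP states explained by 'ISE SXP' being DISABLED
    unexpected -> any other non-UP state, which needs a look
    """
    sxp_disabled = status.get("ISE SXP") == "DISABLED"
    buckets = {"down": [], "ignored": [], "expected": [], "unexpected": []}
    for name, state in status.items():
        if state == "UP":
            continue
        if state == "DOWN":
            key = "ignored" if name.startswith(tuple(ignore_prefixes)) else "down"
        elif name == "ISE SXP" and state == "DISABLED":
            key = "expected"
        elif name in SXP_DEPENDENT and state == "UNKNOWN" and sxp_disabled:
            key = "expected"
        else:
            key = "unexpected"
        buckets[key].append(name)
    return buckets


def ise_sync_healthy(status, ignore_prefixes=()):
    """True when nothing is DOWN (apart from ignored realms) and nothing is in an unexplained state."""
    b = classify(status, ignore_prefixes)
    return not b["down"] and not b["unexpected"]


if __name__ == "__main__":
    st = parse_adi_health(SAMPLE_ADI_HEALTH)
    for bucket, names in classify(st, ignore_prefixes=("Realm7",)).items():
        print(f"{bucket:>10}: {names}")
    print("healthy:", ise_sync_healthy(st, ("Realm7",)))
```

On a real FMC you would feed it the file contents (`open('/var/sf/run/adi-health').read()`) instead of the constructed sample; anything landing in the down or unexpected buckets is what to investigate before looking at sessions.
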
  • From the FMC CLI, verify that session updates are being received from ISE (this can also be verified in the GUI under Analysis > User Activity):

root@vFPMC:/Volume/home/admin# adi_cli session
input 'q' to quit
received realm information: operation REALM_DELETE_ALL, Null realm info
received realm information: operation REALM_ADD, realm name TESTLAB.COM, short name TESTLAB, id 5
received realm information: operation REALM_ADD, realm name TESTLAB.local, short name TESTLAB, id 7
ADI is connected
received user session: username 00:02:99:05:55:51, ip ::ffff:192.168.236.108, location_ip ::ffff:192.168.136.12, realm_id 0, domain , type Add, identity Passive.
received user session: username 00:02:99:12:43:44, ip ::ffff:192.168.126.12, location_ip ::ffff:192.168.126.10, realm_id 0, domain , type Add, identity Passive.
received user session: username 00:02:99:1A:82:E5, ip ::ffff:192.168.134.12, location_ip ::ffff:192.168.134.20, realm_id 0, domain , type Add, identity Passive.
received user session: username 00:04:20:E4:22:51, ip ::ffff:192.168.226.155, location_ip ::ffff:192.168.126.20, realm_id 0, domain , type Add, identity Passive.
received user session: username 00:04:F2:E6:2F:1C, ip ::ffff:192.168.4.52, location_ip ::ffff:192.168.14.10, realm_id 0, domain , type Add, identity Passive.
received user session: username 00:04:F2:F5:9E:CC, ip ::ffff:192.168.126.103, location_ip ::ffff:192.168.126.20, realm_id 0, domain , type Add, identity Passive.
received user session: username 00:04:F2:F5:9E:F6, ip ::ffff:192.168.130.105, location_ip ::ffff:192.168.130.14, realm_id 0, domain , type Add, identity Passive.
received user session: username 00:04:F2:F5:9F:3F, ip ::ffff:192.168.132.119, location_ip ::ffff:192.168.132.10, realm_id 0, domain , type Add, identity Passive.
received user session: username 00:04:F2:F5:AC:BC, ip ::ffff:192.168.123.102, location_ip ::ffff:192.168.123.15, realm_id 0, domain , type Add, identity Passive.
received user session: username 00:04:F2:F5:B6:3D, ip ::ffff:192.168.134.103, location_ip ::ffff:192.168.134.30, realm_id 0, domain , type Add, identity Passive.
received user session: username 00:04:F2:F5:C0:A8, ip ::ffff:192.168.124.108, location_ip ::ffff:192.168.124.12, realm_id 0, domain , type Add, identity Passive.
received user session: username 00:04:F2:F5:EF:A9, ip ::ffff:192.168.4.51, location_ip ::ffff:192.168.14.10, realm_id 0, domain , type Delete, identity Passive

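As an added example (my own Python, not from the post or from Cisco), the following replays adi_cli session output to rebuild the current IP-to-user table, honouring the Add/Delete order and converting the ::ffff: IPv4-mapped addresses back to plain IPv4 so they compare with what the FTD-side tools print. The sample is constructed from the lines above plus one testuser line in realm 5 that I made up; reading a realm_id that no REALM_ADD defined (realm_id 0 above) as "no AD realm, so AD-group rules cannot apply" is my assumption based on the realm list, which only defines ids 5 and 7.

```python
"""Replay 'adi_cli session' output from FMC and rebuild the current IP -> user mapping."""
import ipaddress
import re

# Constructed sample modelled on the adi_cli session output above; the testuser line is made up.
SAMPLE_ADI_CLI = """input 'q' to quit
received realm information: operation REALM_DELETE_ALL, Null realm info
received realm information: operation REALM_ADD, realm name TESTLAB.COM, short name TESTLAB, id 5
received realm information: operation REALM_ADD, realm name TESTLAB.local, short name TESTLAB, id 7
ADI is connected
received user session: username 00:02:99:05:55:51, ip ::ffff:192.168.236.108, location_ip ::ffff:192.168.136.12, realm_id 0, domain , type Add, identity Passive.
received user session: username 00:04:F2:F5:EF:A9, ip ::ffff:192.168.4.51, location_ip ::ffff:192.168.14.10, realm_id 0, domain , type Add, identity Passive.
received user session: username testuser, ip ::ffff:172.16.20.165, location_ip ::ffff:192.168.14.1, realm_id 5, domain TESTLAB, type Add, identity Passive.
received user session: username 00:04:F2:F5:EF:A9, ip ::ffff:192.168.4.51, location_ip ::ffff:192.168.14.10, realm_id 0, domain , type Delete, identity Passive
"""

REALM_RE = re.compile(
    r"received realm information: operation (?P<op>\w+)"
    r"(?:, realm name (?P<name>\S+), short name (?P<short>\S+), id (?P<id>\d+))?"
)
SESSION_RE = re.compile(
    r"received user session: username (?P<user>\S+), ip (?P<ip>\S+), location_ip (?P<loc>\S+), "
    r"realm_id (?P<realm>\d+), domain (?P<domain>.*?), type (?P<type>Add|Delete), identity (?P<identity>\w+)"
)


def plain_ip(text):
    """Strip the ::ffff: IPv4-mapped form ADI prints; leave real IPv6 and plain IPv4 untouched."""
    addr = ipaddress.ip_address(text)
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped or addr)


def replay(output):
    """Apply realm and session messages in order; return (realms, active_sessions)."""
    realms = {}     # realm id -> realm name
    sessions = {}   # plain IP -> session attributes
    for line in output.splitlines():
        m = REALM_RE.match(line)
        if m:
            if m.group("op") == "REALM_DELETE_ALL":
                realms.clear()
            elif m.group("op") == "REALM_ADD":
                realms[int(m.group("id"))] = m.group("name")
            continue
        m = SESSION_RE.match(line)
        if not m:
            continue
        ip = plain_ip(m.group("ip"))
        if m.group("type") == "Delete":
            sessions.pop(ip, None)          # a Delete for an unknown IP is harmless
        else:
            sessions[ip] = {
                "username": m.group("user"),
                "realm_id": int(m.group("realm")),
                "location_ip": plain_ip(m.group("loc")),
                "identity": m.group("identity"),
            }
    return realms, sessions


def sessions_without_realm(realms, sessions):
    """IPs whose realm_id was never announced by a REALM_ADD (assumption: not an AD user)."""
    return sorted(ip for ip, s in sessions.items() if s["realm_id"] not in realms)


if __name__ == "__main__":
    realms, sessions = replay(SAMPLE_ADI_CLI)
    print("realms:", realms)
    for ip, s in sessions.items():
        print(f"{ip:16} {s['username']:20} realm {s['realm_id']} via {s['location_ip']}")
    print("no AD realm:", sessions_without_realm(realms, sessions))
```

Running adi_cli session for a while and piping the capture through replay() gives you the table the FMC believes it has pushed; an IP missing here will also be missing on the FTD, which is the first thing to check before going to user_map_query.pl.
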
  • From the FTD CLI, verify the IP-to-user mapping delivered from FMC to FTD using the script user_map_query.pl -i 172.16.20.165 (you can look up by username with -u instead of by IP; use --help to see all available switches):

root@aun-firepower:/home/admin# user_map_query.pl -i 172.16.20.165

WARNING: This script was not tested on this major version (6.5.0)! The results may be unexpected.
Current Time: 05/06/2020 06:19:30 UTC

Getting information on IP Address(es)...

___
IP #1: 172.16.20.165
---

==============================
|          Database          |
==============================

##) Username (ID) [Realm ID]
 1) testuser (2827) [5]
      for_policy: 0
      Last Seen: Unknown
      Realm Name: Unknown

From the above output, we know that the user testuser has the unique identity 2827 in FTD.


  • Use the command cat /ngfw/var/sf/detection_engines/<UUID>/ngfw.rules to verify the ACP rules that carry an identity (group) mapping:

# Start of AC rule.
268485640 allow any any  any any 172.16.22.10 32 22 any 6 (group 4)
268485640 allow any any  any any 172.16.22.10 32 any any 1 (group 4)
# End rule 268485640

From the above output, we know that the AD group has the unique identity 4 in FTD (in the FMC ACP GUI this group is named Network-Admins).

  • Use the command system support firewall-engine-dump-user-identity-data to generate a dump file with the current identity information on the FTD.
  • From expert mode, run the command cat /var/sf/detection_engines/<UUID>/instance-1/user_identity.dump to view the dump file:

root@aun-firepower:/home/admin# cat /var/sf/detection_engines/2dec3c86-7e22-11ea-9253-e530beb8a2d2/instance-1/user_identity.dump

-------------------
 User/Group counts:
-------------------
     num hosts:                742
     num groups:               1
     num user/group mappings:  3
     num of users:             757
     num of shared users:      0
     num skipped:              0
     num cache misses:         0
     num cache updates:        0

-------------------
 User/Group mem usage:
-------------------
     group_bit_hash:  32884
     user_group_hash: 32963
     host_hash:       360176
     user_ip_hash:    27252
     total:           453275

-------------------
 Sxp memory usage:
-------------------
Sxp nodes count: 0
Sxp tree size : 32

----------------
IP:USER
----------------
……..

Host ::ffff:172.16.20.165
::ffff:172.16.20.165:2827 realm 5 type 1
::ffff:172.16.20.165: sgt id 0, sgt val 0, device_type 1239, location_ip ::ffff:192.168.14.1

……
-------------------
USER:GROUPS
-------------------
2198:4, (active_sessions: 1)
2315:4, (active_sessions: 1)
2827:4, (active_sessions: 1)

From the above output, we know that user testuser (identity 2827) is mapped to group 4, which is the Network-Admins AD group assigned in the ACP policy.

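The user_map_query.pl, ngfw.rules and user_identity.dump steps above form one chain: IP to user ID (IP:USER section), user ID to group ID (USER:GROUPS section), group ID to the (group N) qualifier on a rule line. Here is an added example, my own Python rather than anything the post or Cisco ships, that parses the two dump sections and the rule lines and walks that chain for a given IP. The sample texts are constructed from the output above; the second host 172.16.20.166, the rule id 999999999 and group 9 are placeholders I added, and only the trailing (group N) field of a rule line is interpreted, the other fields are kept verbatim and not given a meaning.

```python
"""Cross-check user_identity.dump against ngfw.rules: which group-qualified rules can a given IP match?"""
import re

# Constructed excerpt modelled on the user_identity.dump shown above (only the two sections used here).
# 172.16.20.166 is a placeholder host added for the example.
SAMPLE_DUMP = """----------------
IP:USER
----------------
Host ::ffff:172.16.20.165
::ffff:172.16.20.165:2827 realm 5 type 1
::ffff:172.16.20.165: sgt id 0, sgt val 0, device_type 1239, location_ip ::ffff:192.168.14.1
Host ::ffff:172.16.20.166
::ffff:172.16.20.166:2198 realm 5 type 1
-------------------
USER:GROUPS
-------------------
2198:4, (active_sessions: 1)
2315:4, (active_sessions: 1)
2827:4, (active_sessions: 1)
"""

# Constructed excerpt modelled on the ngfw.rules lines above; rule id 999999999 / group 9 are placeholders.
SAMPLE_RULES = """# Start of AC rule.
268485640 allow any any  any any 172.16.22.10 32 22 any 6 (group 4)
268485640 allow any any  any any 172.16.22.10 32 any any 1 (group 4)
# End rule 268485640
999999999 allow any any  any any 172.16.22.11 32 443 any 6 (group 9)
"""

IP_USER_RE = re.compile(r"^(?P<ip>::ffff:[\d.]+|[\d.]+):(?P<uid>\d+) realm (?P<realm>\d+) type (?P<type>\d+)")
USER_GROUP_RE = re.compile(r"^(?P<uid>\d+):(?P<gid>\d+), \(active_sessions: (?P<n>\d+)\)")
RULE_RE = re.compile(r"^(?P<rid>\d+) (?P<action>\w+) .*\(group (?P<gid>\d+)\)\s*$")


def parse_dump(text):
    """Return ({ip: (user_id, realm_id)}, {user_id: {group_id, ...}}) from the two dump sections."""
    ip_users, user_groups = {}, {}
    for line in text.splitlines():
        m = IP_USER_RE.match(line)
        if m:
            ip = m.group("ip").replace("::ffff:", "")      # normalise to plain IPv4
            ip_users[ip] = (int(m.group("uid")), int(m.group("realm")))
            continue
        m = USER_GROUP_RE.match(line)
        if m:
            user_groups.setdefault(int(m.group("uid")), set()).add(int(m.group("gid")))
    return ip_users, user_groups


def parse_rules(text):
    """Return [(rule_id, action, group_id)] for every rule line that carries a (group N) qualifier."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group("rid")), m.group("action"), int(m.group("gid"))))
    return rules


def resolve(ip, ip_users, user_groups):
    """Follow the chain IP -> user_id -> group ids. None when the FTD holds no identity for the IP."""
    if ip not in ip_users:
        return None
    uid, realm = ip_users[ip]
    return {"user_id": uid, "realm_id": realm, "groups": user_groups.get(uid, set())}


def candidate_rules(ip, ip_users, user_groups, rules):
    """Rule ids whose group qualifier the user behind ip satisfies (file order kept, duplicates removed)."""
    ident = resolve(ip, ip_users, user_groups)
    if ident is None:
        return []
    seen, out = set(), []
    for rid, _action, gid in rules:
        if gid in ident["groups"] and rid not in seen:
            seen.add(rid)
            out.append(rid)
    return out


if __name__ == "__main__":
    ip_users, user_groups = parse_dump(SAMPLE_DUMP)
    rules = parse_rules(SAMPLE_RULES)
    for ip in ("172.16.20.165", "10.9.9.9"):
        print(ip, resolve(ip, ip_users, user_groups), candidate_rules(ip, ip_users, user_groups, rules))
```

An empty result for an IP that should hit an identity rule tells you at which link the chain breaks: no IP:USER entry means the mapping never reached the FTD, a user with no USER:GROUPS entry means the group download is the problem, and a group that appears in neither rule line means the policy was not deployed with that group.
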

  • To understand the identity lookup process on FTD, run the command system support identity-debug:

> system support identity-debug

Please specify an IP protocol: 
Please specify a client IP address: 172.16.20.165
Please specify a client port: 
Please specify a server IP address: 
Please specify a server port: 
Monitoring identity debug messages

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 Starting authentication (sfAuthCheckRules params) with zones -1 -> -1, port 0 -> 0, geo 16663792 -> 16663810
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 found passive session
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 returning passive session
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 found passive binding for user_id 2827
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 matched auth rule id = 1 user_id = 2827 realm_id = 5

  • When a connection starts, FTD looks up the identity DB to find the username for the incoming IP; this is appended to the other packet information (SGT, VLAN, etc.) that is then evaluated against the ACP. We saw earlier that user 2827 is mapped to AD group 4, which is allowed by the ACP policy. The rule evaluation itself can be followed with system support firewall-engine-debug:

> system support firewall-engine-debug

Please specify an IP protocol: 
Please specify a client IP address: 172.16.20.165
Please specify a client port: 
Please specify a server IP address: 
Please specify a server port: 
Monitoring firewall engine debug messages

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 new firewall session
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 Starting with minimum 8, 'TEST-MGMT', and IPProto first with zones -1 -> -1, geo 0 -> 0, vlan 0, source sgt type: 0, source sgt tag: 0, ISE sgt id: 0, dest sgt type: 0, ISE dest sgt tag: 0, svc 3501, payload 0, client 2000003501, misc 0, user 2827, icmpType 8, icmpCode 0
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 rule order 8, 'TEST-MGMT', matched group 4
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 match rule order 8, 'TEST-MGMT', action Allow
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 MidRecovery data sent for rule id: 268485640,rule_action:2, rev id:282505566, rule_match flag:0x0
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 HitCount data sent for rule id: 268485640,
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 IAB: number=2, load=0.003017
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 IAB: latency=57
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 IAB: drops=0.000000
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 allow action
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 deleting firewall session flags = 0x800, fwFlags = 0x102

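To read the identity-debug and firewall-engine-debug outputs together, here is an added example (my own Python, not from the post or from Cisco) that parses the per-flow prefix and picks out the identity decision: user_id and realm from identity-debug, then the matched group, rule name, action and rule id from firewall-engine-debug. The sample is the lines above, concatenated and shortened; treating the number that follows the destination in the prefix as the IP protocol (1 = ICMP, consistent with icmpType 8 on the same flow) is my assumption.

```python
"""Summarise one flow's identity-debug + firewall-engine-debug lines into the identity decision FTD made."""
import re

# Constructed sample: identity-debug and firewall-engine-debug lines from the post, concatenated.
SAMPLE_DEBUG = """\
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 Starting authentication (sfAuthCheckRules params) with zones -1 -> -1, port 0 -> 0, geo 16663792 -> 16663810
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 found passive session
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 returning passive session
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 found passive binding for user_id 2827
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 matched auth rule id = 1 user_id = 2827 realm_id = 5
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 new firewall session
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 rule order 8, 'TEST-MGMT', matched group 4
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 match rule order 8, 'TEST-MGMT', action Allow
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 MidRecovery data sent for rule id: 268485640,rule_action:2, rev id:282505566, rule_match flag:0x0
172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 allow action
"""

# Per-line prefix: "src-sport > dst-dport proto AS n I n message".
# The number after the destination is assumed to be the IP protocol (1 = ICMP here).
HEADER_RE = re.compile(
    r"^(?P<src>[\d.]+)-(?P<sport>\d+) > (?P<dst>[\d.]+)-(?P<dport>\d+) "
    r"(?P<proto>\d+) AS (?P<as_>\d+) I (?P<inst>\d+) (?P<msg>.*)$"
)

# Message fragments that carry the decision, each mapped to the summary keys it fills.
STEPS = [
    (re.compile(r"found passive binding for user_id (\d+)"), ("user_id",)),
    (re.compile(r"matched auth rule id = (\d+) user_id = \d+ realm_id = (\d+)"), ("auth_rule_id", "realm_id")),
    (re.compile(r"rule order \d+, '([^']+)', matched group (\d+)"), ("acp_rule_name", "matched_group")),
    (re.compile(r"match rule order \d+, '[^']+', action (\w+)"), ("action",)),
    (re.compile(r"data sent for rule id: (\d+)"), ("acp_rule_id",)),
]
INT_KEYS = {"user_id", "auth_rule_id", "realm_id", "matched_group", "acp_rule_id"}


def summarize(debug_text):
    """Walk the lines in order and record each decision step; keys never seen stay None."""
    summary = {"flow": None, "user_id": None, "realm_id": None, "auth_rule_id": None,
               "acp_rule_name": None, "matched_group": None, "action": None, "acp_rule_id": None}
    for line in debug_text.splitlines():
        h = HEADER_RE.match(line)
        if not h:
            continue
        if summary["flow"] is None:
            summary["flow"] = f"{h['src']}:{h['sport']} -> {h['dst']}:{h['dport']} proto {h['proto']}"
        for pattern, keys in STEPS:
            m = pattern.search(h["msg"])
            if not m:
                continue
            for key, value in zip(keys, m.groups()):
                summary[key] = int(value) if key in INT_KEYS else value
    return summary


def identity_applied(summary):
    """True when a real user was bound to the flow and a group qualifier was actually matched."""
    return summary["user_id"] not in (None, 0) and summary["matched_group"] is not None


if __name__ == "__main__":
    s = summarize(SAMPLE_DEBUG)
    for key, value in s.items():
        print(f"{key:14}: {value}")
    print("identity applied:", identity_applied(s))
```

A summary with user_id set but matched_group None points at the policy side (the group id in the dump does not match the (group N) qualifier of any rule), while user_id None with an identity-debug capture present points at the session feed from FMC, which is where the earlier adi_cli session step comes back in.
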
***** Check Identity DB in FTD ******

Run the command OmniQuery.pl to connect to the identity DB.

Type select * from user_group_map; to list the user-to-group mappings.

From the output we can identify the IDs of user1 (37) and user2 (39) used in testing and the group associated with each user.

Type select * from user_group; to list the group mappings.

From the output you can determine the current realm ID 4 and the two downloaded groups (Customer1 and Customer2). Realm ID 3 was previously used for testing, which is why groups for that realm still appear in the output.

Type select * from user_identities; to list the user identities table.

The output provides the Realm ID (only relevant if more than one realm is in use), the user ID and the real username.

You can apply filters using syntax like OmniQuery.pl -db mdb -e "select * from user_identities where username like '%test.user%';"

