The Identity Persistence feature on Cisco AMP for Endpoints allows a computer object's UUID (Universally Unique Identifier) to be reused when a computer or virtual machine is reimaged or redeployed. This prevents the creation of duplicate computer objects in the dashboard and keeps the data for those computer objects contiguous. It also helps maintain the endpoint connectors, provides continuity of data, and keeps the license count in check.
Access to the Cisco AMP for Endpoints dashboard.
Configure identity persistence before initially deploying the connector.
Identity Persistence is only supported on Windows operating systems.
Note: The Identity Persistence feature must be enabled by contacting Cisco TAC.
Cisco AMP for Endpoints dashboard
When enabled, the identity persistence option uses the following workflow:
The identity persistence option is configured in a policy.
The AMP for Endpoints installer is generated from the dashboard and deployed on a new computer or virtual machine.
A new computer object is created with a UUID and the identity persistence flag.
Registration Check: When the connector service starts, the cloud registration check is performed. The registration check evaluates the information of the current machine, such as hostname and MAC address. It also evaluates the Identity Persistence setting in the policy against the cloud to determine whether a new UUID needs to be generated.
Registration Criteria: A computer object has a hidden flag set that corresponds to the identity persistence setting used. This flag, together with the unique information (hostname or MAC address), is used to provide the existing UUID to any machine that matches the criteria. If the flag and the unique information of the machine do not match any existing computer object, a new UUID and object are generated for the machine.
Note: When using hostname, the fully qualified domain name (FQDN) is used. If you have a machine named test and another machine named test.domain.com, they do not match, and the UUID is not reused.
Moving Computers: Moving computers between groups with different identity persistence settings creates duplicates, because each identity persistence setting is associated with a hidden flag, and when the flags do not match, duplicates are generated. When working with an across-policy setting, both groups must have the same policy applied: if the settings are the same but the policies differ, duplicates are created.
Note: If you want to clone or image a computer with the Cisco AMP for Endpoints installed, please read this document.
MAC Address Election: A machine may have multiple MAC addresses; however, it is not possible to manually influence which MAC address is elected during connector registration. Use the MAC address settings only if you can guarantee that your machines have only one MAC address; otherwise, use the hostname.
Default Group: Identity persistence should also be configured in the policy applied to your default group. If a policy or group is deleted while it still has an active machine, the machine is placed into the default group at the next registration check. If identity persistence is not configured for the default group, a duplicate object is generated.
Note: In some cases, a cloned virtual machine may be placed in the Default Group rather than in the group it was cloned from. If this occurs, move the virtual machine into the correct group in the FireAMP Console.
Follow the steps below to deploy the connector with identity persistence:
Step 1: Apply the desired identity persistence setting to your policies:
Navigate to Management > Policies.
Select the desired policy. Click Edit.
Go to General tab. It is selected, by default.
Select Connector Identity Persistence. The Identity Synchronization drop-down list appears.
Note: Enabling a feature after installation of endpoints causes duplicate objects to be generated for every machine.
Select the Identity Synchronization option that best fits your environment. The following options are available:
None: Feature is not enabled. Connector UUIDs are not synchronized with new Connector installs under any circumstance. Each new installation generates a new machine object.
By MAC Address across Business: New Connectors look for the most recent Connector that has the same MAC address to synchronize across all policies in the business that have Identity Synchronization set to a value other than None. When selected, a machine object is created and flagged to synchronize with any machine that uses that MAC address across the entire account.
By MAC Address across Policy: New Connectors look for the most recent Connector that has the same MAC address to synchronize with within the same policy. When selected, a machine object is created and flagged to synchronize with any machine that uses that MAC address and is registered against the specific policy.
By Hostname across Business: New Connectors look for the most recent Connector that has the same hostname to synchronize with across all policies in the business that have Identity Synchronization set to a value other than None. When selected, a machine object is created and flagged to synchronize with any machine that uses that hostname across the entire account.
Note: If you choose to use identity persistence, Cisco recommends using By Hostname across Business. A machine has one hostname but may have more than one MAC address. Configuring the setting across your business reduces configuration complexity, because the objects are globally available rather than per policy.
By Hostname across Policy: New Connectors look for the most recent Connector that has the same hostname to synchronize with within the same policy. When selected, a machine object is created and flagged to synchronize with any machine that uses that hostname and is registered to the specific policy.
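To make the matching rules concrete, the following is an added example written for this page; it is not Cisco's code and not the actual cloud registration logic, which is not public. It models the Registration Check, Registration Criteria and Moving Computers behaviour described above together with the five Identity Synchronization options, and then walks through the scenarios the text mentions (a reimaged machine, "test" versus "test.domain.com", and a move to a policy with a different setting). The abbreviated setting names, the object fields (Flag, Policy, Fqdn, Mac, Registered) and the rule that the hidden flag must match exactly are assumptions taken from the text.

```powershell
# Added example: a simplified model of the registration check, not Cisco's implementation.
# Setting names are abbreviated: None, MacAcrossBusiness, MacAcrossPolicy,
# HostAcrossBusiness, HostAcrossPolicy. Computer-object fields are assumed.

function Resolve-ConnectorUuid {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('None','MacAcrossBusiness','MacAcrossPolicy','HostAcrossBusiness','HostAcrossPolicy')]
        [string]$Setting,                      # Identity Synchronization value in the registering machine's policy
        [Parameter(Mandatory)][string]$Policy, # policy the connector registers against
        [Parameter(Mandatory)][string]$Fqdn,   # hostname criteria compare the FQDN exactly
        [Parameter(Mandatory)][string]$Mac,    # the elected MAC address (cannot be influenced manually)
        [Parameter(Mandatory)][System.Collections.Generic.List[object]]$Existing   # computer objects in the business
    )
    if ($Setting -ne 'None') {
        $useHost        = $Setting -like 'Host*'
        $acrossBusiness = $Setting -like '*AcrossBusiness'
        $match = $Existing |
            Where-Object { $_.Flag -eq $Setting } |                                   # hidden flag must match (Moving Computers)
            Where-Object { if ($useHost) { $_.Fqdn -eq $Fqdn } else { $_.Mac -eq $Mac } } |
            Where-Object { $acrossBusiness -or ($_.Policy -eq $Policy) } |            # "across Policy" also needs the same policy
            Sort-Object Registered -Descending |                                      # the most recent connector is used
            Select-Object -First 1
        if ($match) {
            $match.Registered = Get-Date
            return $match.Uuid                 # the existing UUID is handed to the machine
        }
    }
    # No match (or setting None): a new computer object with a new UUID is created.
    $new = [pscustomobject]@{
        Uuid = [guid]::NewGuid().ToString(); Flag = $Setting; Policy = $Policy
        Fqdn = $Fqdn; Mac = $Mac; Registered = Get-Date
    }
    $Existing.Add($new)
    return $new.Uuid
}

# Walk through the scenarios the document describes (constructed sample data).
$objects = [System.Collections.Generic.List[object]]::new()
$first   = Resolve-ConnectorUuid -Setting HostAcrossBusiness -Policy Servers      -Fqdn 'test.domain.com' -Mac '00-11-22-33-44-55' -Existing $objects
$reimage = Resolve-ConnectorUuid -Setting HostAcrossBusiness -Policy Workstations -Fqdn 'test.domain.com' -Mac '00-11-22-33-44-66' -Existing $objects
$short   = Resolve-ConnectorUuid -Setting HostAcrossBusiness -Policy Servers      -Fqdn 'test'            -Mac '00-11-22-33-44-55' -Existing $objects
$moved   = Resolve-ConnectorUuid -Setting HostAcrossPolicy   -Policy Servers      -Fqdn 'test.domain.com' -Mac '00-11-22-33-44-55' -Existing $objects

"Reimaged under another policy, across Business: reused = $($reimage -eq $first)"   # same FQDN; across Business ignores the policy and the new MAC
"'test' vs 'test.domain.com'                   : reused = $($short -eq $first)"     # hostname criteria use the FQDN, so these do not match
"Moved to a policy with a different setting    : reused = $($moved -eq $first)"     # hidden flag differs, so a duplicate object is created
"Computer objects now in the business          : $($objects.Count)"
```

The pipeline order in Resolve-ConnectorUuid mirrors the text: the hidden flag is checked first, then the unique information, then (for the across-Policy settings) the policy, and the most recently registered match wins. Changing the first scenario's setting to MacAcrossBusiness shows why Cisco prefers the hostname options: the reimaged machine with a new MAC would then get a new UUID.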
Step 2: Download the installation package from the cloud dashboard:
Navigate to Management > Download Connector.
Select the desired group name and options.
Use Redistributable for third-party deployment software or offline installations.
Note: Cisco does not support the creation of packages or installation using third-party deployment software.
Step 3: Deploy the connector to the machines in your organization.
In order to verify if the identity persistence is working, follow the steps below:
Install the connector to generate a computer object that is flagged for identity synchronization.
After the object has been created, make a note of the <uuid> from the local.xml file in the installation directory (C:\Program Files\Sourcefire\fireAMP\local.xml). You should see a line similar to the following:
Afterwards, uninstall the connector. Choose No to have all files removed from the installation path.
Reboot the PC and reinstall AMP for Endpoints with the same package as before.
Check the local.xml file again per the above steps and make sure it matches the UUID from the original local.xml file.
Make sure that the installation packages and identity persistence settings are consistent.
If you enable identity persistence after deployment and install the connector with an older package that was generated without identity persistence enabled, the connectors generate duplicates as they register and then update to the current policy settings.
If your machines appear to share a UUID, make sure that they do not share unique information, such as MAC addresses in virtualized environments.
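The verification steps above compare the UUID in local.xml by eye. The following added example (written for this page, not Cisco's code) scripts that comparison on the endpoint: it records the UUID together with the unique information the registration check uses (FQDN and MAC addresses) after the first install, and after the reinstall reports whether the UUID was reused, and if not, what changed. It assumes the default installation path given above, that the UUID is the text of a <uuid> element somewhere in local.xml (found by XPath, so the surrounding structure does not matter), and a record file location under ProgramData that is this example's own choice.

```powershell
# Added example (not Cisco's code): record and compare the connector identity
# around an uninstall/reinstall cycle. Run as administrator on the endpoint.
$LocalXmlPath = 'C:\Program Files\Sourcefire\fireAMP\local.xml'         # path from the document
$RecordPath   = Join-Path $env:ProgramData 'amp-identity-check.json'    # assumed location for the saved record

function Get-AmpIdentityRecord {
    param([string]$Path = $LocalXmlPath)
    if (-not (Test-Path $Path)) { throw "local.xml not found at $Path (is the connector installed?)" }
    [xml]$doc = Get-Content -Path $Path -Raw
    $uuidNode = $doc.SelectSingleNode('//uuid')          # assumed: UUID is the text of a <uuid> element
    if (-not $uuidNode) { throw "No <uuid> element found in $Path" }

    # The hostname criteria use the FQDN, so capture that rather than the short name.
    try   { $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName }
    catch { Write-Warning "FQDN lookup failed; falling back to the short name"; $fqdn = $env:COMPUTERNAME }

    # All MAC addresses on IP-enabled adapters: more than one means the election cannot be controlled.
    $macs = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
            Where-Object { $_.MACAddress } |
            Select-Object -ExpandProperty MACAddress |
            Sort-Object -Unique

    [pscustomobject]@{
        Uuid     = $uuidNode.InnerText.Trim()
        Fqdn     = $fqdn
        Macs     = @($macs)
        Captured = (Get-Date).ToString('o')
    }
}

function Save-AmpIdentityRecord {
    # Step 2 of the verification: note the UUID after the first install.
    param([string]$Path = $RecordPath)
    $record = Get-AmpIdentityRecord
    $record | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    Write-Host "Recorded UUID $($record.Uuid) for $($record.Fqdn) in $Path"
    $record
}

function Compare-AmpIdentityRecord {
    # Step 5 of the verification: after reboot and reinstall, compare with the saved record.
    param([string]$Path = $RecordPath)
    if (-not (Test-Path $Path)) { throw "No saved record at $Path; run Save-AmpIdentityRecord before the reinstall" }
    $before = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $after  = Get-AmpIdentityRecord
    $reused = ($before.Uuid -eq $after.Uuid)

    if ($reused) {
        Write-Host "OK: UUID $($after.Uuid) was reused after reinstall."
    } else {
        Write-Warning "UUID changed: before=$($before.Uuid) after=$($after.Uuid). A duplicate computer object was likely created."
        # The usual causes: the unique information changed, or the package/policy setting differs.
        if ($before.Fqdn -ne $after.Fqdn) { Write-Warning "FQDN changed: $($before.Fqdn) -> $($after.Fqdn)" }
        if ($after.Macs.Count -gt 1)      { Write-Warning "Machine has $($after.Macs.Count) MAC addresses; a hostname-based setting is safer." }
        Write-Warning "Also confirm the installation package was generated after identity persistence was enabled in the policy."
    }
    $reused
}

# Usage, dot-sourcing this file in an elevated PowerShell session:
#   . .\AmpIdentityCheck.ps1; Save-AmpIdentityRecord        # after the first install
#   ... uninstall, reboot, reinstall with the same package ...
#   . .\AmpIdentityCheck.ps1; Compare-AmpIdentityRecord     # after the reinstall
```

Keeping the JSON records from several machines and comparing their Macs fields is a quick way to spot the shared-MAC situation described in the last note, since two records with the same MAC address under a MAC-based setting will be given the same UUID.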