This document describes how the Identity Persistence (Identity Synchronization) feature of Cisco Advanced Malware Protection (AMP) for Endpoints allows a computer object Universally Unique Identifier (UUID) to be reused when a computer or Virtual Machine (VM) is reimaged or redeployed from a golden image. This prevents the creation of duplicate computer objects in the dashboard and maintains contiguous data for those computer objects. It also helps to maintain the endpoint connectors, provides continuity of data, and keeps the license count in check.
Cisco recommends that you have knowledge of these topics:
Access to the Cisco AMP for Endpoints dashboard
Configure Identity Persistence before you initially deploy the connector
Identity Persistence is only supported on Windows Operating System (OS)
Note: The Identity Persistence feature must be enabled after consultation with Cisco Technical Assistance Center (TAC).
Note: Identity Persistence should only be used in your AMP policy for your VDI environment or for physical endpoints deployed or reimaged using a golden image.
Note: There are two scenarios that can apply when you deploy AMP for Endpoints on physical machines:
1. When you deploy or reimage a physical endpoint with a golden image that has the AMP connector pre-installed, you MUST use Identity Persistence if you wish to avoid duplicates.
2. When you deploy or reimage a physical endpoint with a golden image and install the AMP connector afterwards, Identity Persistence is NOT NEEDED and is NOT advised, because it can generate issues such as these:
* Incorrect connector seat count.
* Incorrect reporting results.
* Device Trajectory data mismatch.
* Machine name swapping within audit logs.
* Connectors registering and de-registering randomly from the console.
* Connectors not reporting properly to the cloud.
* UUID duplication.
* Machine name duplication.
* Data inconsistency.
The information in this document is based on Cisco AMP for Endpoints dashboard.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Hostname vs. MAC Address
Consider these points when you choose between ID Sync by MAC and ID Sync by Hostname:
How many users are logging in to one machine? Is it one user per machine?
If it's one user per machine, use ID Sync by Hostname.
Does the machine only have one MAC address? Does it host another virtual machine?
If there are multiple MAC addresses, use ID Sync by Hostname.
Note: Some network scanners or packet capture tools install an NPCAP loopback adapter, which creates another MAC address entry. This MAC address is the same on every machine that has the tool installed. If you use ID Sync by MAC, this results in duplicates or in machines that share the same UUID.
The Identity Persistence option uses this workflow when it is enabled:
Identity Persistence option is configured in a policy.
The AMP for Endpoints installer is generated from the dashboard and deployed on a new computer or VM.
A new computer object is created with a UUID and the Identity Persistence flag.
When the connector service starts, the cloud registration check is performed. The registration check evaluates the information of the current machine, such as hostname and MAC address. It also evaluates the Identity Persistence setting in the policy against the cloud in order to determine whether a new UUID needs to be generated.
A computer object has a hidden flag set which corresponds to the Identity Persistence setting used. This flag, along with the unique information (hostname or MAC address), is used to provide the existing UUID to any machine that matches the criteria. If the flag and the unique information of the machine do not match any existing computer object, a new UUID and object are generated for the machine.
Note: When you use hostname, the Fully Qualified Domain Name (FQDN) is used. If you have a machine named test and another machine named test.domain.com, they do not match, and the UUID is not reused.
The movement of computers between groups with different Identity Persistence settings creates duplicates. This is due to the hidden flag that is associated with each Identity Persistence setting: when the settings do not match, duplicates are generated. When you use an across Policy setting, both groups must have the same policy applied; if the settings are the same but the policies are different, duplicates are created.
MAC Address Election
A machine can have multiple MAC addresses; however, it is not possible to manually influence the MAC address election process during the connector registration. Use the MAC address settings only if you can guarantee that your machines have only one MAC address; otherwise, use the hostname.
Identity Persistence must also be configured for the policy applied to your default group. If a policy or group is deleted while a machine is active, the machine is placed into the default group when the next registration check is performed. If Identity Persistence is not configured for the default group, a duplicate object is generated.
Note: In some cases, a cloned VM might be placed in the Default Group rather than the group it was cloned from. If this occurs, move the VM into the correct group in the FireAMP Console.
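The registration check described above (hidden flag per setting, exact FQDN or elected-MAC match, across Policy versus across Business scope, new UUID when nothing matches) can be modelled in a few lines. The code below is an added illustration, not Cisco's code: the AMP cloud's real matching logic is not public, so this model encodes only the rules stated in this document. The names Sync, ComputerObject and Registry, the MAC and hostname values, and the choice of the first reported MAC as the "elected" one are assumptions made for the example.

```python
# Added illustration of the Identity Persistence registration check.
# NOT Cisco code: it models only the rules this document states. The class
# names, hostnames and MAC values are constructed for the example.
from dataclasses import dataclass
from enum import Enum
import uuid


class Sync(Enum):
    NONE = "None"
    MAC_BUSINESS = "By MAC Address across Business"
    MAC_POLICY = "By MAC Address across Policy"
    HOST_BUSINESS = "By Host name across Business"
    HOST_POLICY = "By Host name across Policy"


HOST_SETTINGS = (Sync.HOST_BUSINESS, Sync.HOST_POLICY)
POLICY_SCOPED = (Sync.MAC_POLICY, Sync.HOST_POLICY)


@dataclass
class ComputerObject:
    uuid: str
    hostname: str   # FQDN, compared exactly: "test" != "test.domain.com"
    mac: str        # the MAC the connector elected; cannot be influenced manually
    policy: str
    flag: Sync      # hidden flag: the Identity Synchronization setting in force
    seq: int        # registration order; highest = most recent


class Registry:
    """Constructed stand-in for the cloud's table of computer objects."""

    def __init__(self):
        self.objects = []
        self._seq = 0

    @staticmethod
    def _key(setting, hostname, mac):
        # Hostname settings key on the FQDN, MAC settings on the elected MAC.
        return hostname if setting in HOST_SETTINGS else mac

    def register(self, hostname, mac, policy, setting):
        """Run the registration check; return the UUID the connector keeps."""
        if setting is not Sync.NONE:
            key = self._key(setting, hostname, mac)
            matches = [
                o for o in self.objects
                if o.flag is setting                      # hidden flags must match
                and self._key(setting, o.hostname, o.mac) == key
                and (setting not in POLICY_SCOPED or o.policy == policy)
            ]
            if matches:
                # Reuse the most recent matching object instead of a duplicate.
                obj = max(matches, key=lambda o: o.seq)
                self._seq += 1
                obj.hostname, obj.mac, obj.policy, obj.seq = hostname, mac, policy, self._seq
                return obj.uuid
        # Feature off or nothing matched: a brand-new computer object.
        self._seq += 1
        obj = ComputerObject(str(uuid.uuid4()), hostname, mac, policy, setting, self._seq)
        self.objects.append(obj)
        return obj.uuid


def reimage_keeps_uuid(setting=Sync.HOST_BUSINESS):
    """Golden-image reimage of one host: the same UUID is handed back."""
    reg = Registry()
    first = reg.register("pc01.corp.example", "00:11:22:33:44:55", "VDI", setting)
    again = reg.register("pc01.corp.example", "00:11:22:33:44:55", "VDI", setting)
    return first == again and len(reg.objects) == 1


def fqdn_mismatch_duplicates():
    """'test' and 'test.domain.com' do not match, so two objects result."""
    reg = Registry()
    a = reg.register("test", "00:11:22:33:44:55", "VDI", Sync.HOST_BUSINESS)
    b = reg.register("test.domain.com", "00:11:22:33:44:55", "VDI", Sync.HOST_BUSINESS)
    return a != b and len(reg.objects) == 2


def across_policy_needs_same_policy():
    """Same setting but different policies under 'across Policy': duplicate."""
    reg = Registry()
    a = reg.register("pc01.corp.example", "00:11:22:33:44:55", "VDI", Sync.HOST_POLICY)
    b = reg.register("pc01.corp.example", "00:11:22:33:44:55", "Servers", Sync.HOST_POLICY)
    return a != b and len(reg.objects) == 2


def shared_loopback_mac_merges_hosts():
    """Two PCs that both elect the same NPCAP loopback MAC (constructed value)
    collapse onto one UUID under a MAC setting: the failure the text warns of."""
    reg = Registry()
    a = reg.register("pc01.corp.example", "02:00:4c:4f:4f:50", "VDI", Sync.MAC_BUSINESS)
    b = reg.register("pc02.corp.example", "02:00:4c:4f:4f:50", "VDI", Sync.MAC_BUSINESS)
    return a == b and len(reg.objects) == 1


def default_group_without_persistence_duplicates():
    """Policy deleted; machine lands in a default group whose policy is None."""
    reg = Registry()
    a = reg.register("pc01.corp.example", "00:11:22:33:44:55", "VDI", Sync.HOST_BUSINESS)
    b = reg.register("pc01.corp.example", "00:11:22:33:44:55", "Default", Sync.NONE)
    return a != b and len(reg.objects) == 2
```

The scenario functions map one-to-one onto the caveats in this section: the FQDN note, the across Policy rule, the NPCAP loopback adapter warning, and the default-group requirement. Running them shows why By Host name across Business is the setting that produces the fewest duplicates in a mixed environment.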
Follow the steps here in order to deploy the connector with Identity Persistence:
Step 1. Apply the desired Identity Persistence setting to your policies:
Navigate to Management > Policies
Select the desired policy. Click Edit
Navigate to General tab. It is selected, by default
Select the Connector Identity Persistence. The Identity Synchronization drop down appears as shown in the image.
Note: The enablement of a feature after the installation of endpoints can cause duplicate objects to be generated for every machine.
Select an Identity Synchronization option that is the best for your environment. These options are available:
None: Feature is not enabled. Connector UUIDs are not synchronized with new Connector installs under any circumstance. Each new installation generates a new machine object.
By MAC Address across Business: New Connectors look for the most recent Connector that has the same MAC address in order to synchronize across all policies in the business that have Identity Synchronization set to a value other than None. When selected, a machine object is created and flagged to synchronize with any machine that uses that MAC address across the entire account.
By MAC Address across Policy: New Connectors look for the most recent Connector that has the same MAC address in order to synchronize within the same policy. When selected, a machine object is created and flagged to synchronize with any machine that uses that MAC address and is registered against the specific policy.
By Host name across Business: New Connectors look for the most recent Connector that has the same hostname in order to synchronize with across all policies in the business that have Identity Synchronization set to a value other than None. When selected, a machine object is created and flagged to synchronize with any machine that uses that hostname across the entire account.
Note: If you choose to use Identity Persistence, Cisco recommends that you use By Host name across Business. A machine has one hostname, but can have more than one MAC address. The configuration across your business can reduce the complexity of the configuration as it makes the objects globally available rather than per policy.
By Host name across Policy: New Connectors look for the most recent Connector that has the same hostname in order to synchronize within the same policy. When selected, a machine object is created and flagged to synchronize with any machine that uses that hostname and is registered against the specific policy.
Step 2. Download the installation package from the cloud dashboard as shown in the image:
Navigate to Management > Download Connector
Select the desired group name, and options
Use Redistributable for third-party deployment software or offline installations.
Note: Cisco does not support the creation of packages or installations that use third-party deployment software.
Step 3. Deploy the connector to the machines in your organization.
Use this section in order to confirm that your configuration works properly.
In order to verify if the Identity Persistence works, follow these steps:
Install the connector in order to generate a computer object that is flagged for Identity Synchronization.
After the object has been created, make a note of the <uuid> from the local.xml file in the installation directory, C:\Program Files\Sourcefire\fireAMP\local.xml. You see a line similar to this:
Afterwards, uninstall the connector. Choose No to have all files removed from the installation path.
Reboot the PC and reinstall AMP for Endpoints with the same package as earlier.
Check the local.xml file again as per the initial steps and ensure that it matches the UUID from the original local.xml file.
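The before/after comparison in the verification steps can be scripted rather than eyeballed. The helper below is an added example, not part of this document or of the AMP connector: it pulls the <uuid> element out of a local.xml copy taken before the uninstall and one taken after the reinstall, checks that each value is a well-formed UUID, and reports whether they match. Only the presence of a <uuid> element is taken from this document; the surrounding XML layout, the path argument and the sample contents are constructed assumptions.

```python
# Added example: compare the connector UUID recorded in local.xml before and
# after a reinstall. The XML layout around <uuid> is assumed; only the element
# name comes from the document. Sample contents below are constructed.
import uuid
import xml.etree.ElementTree as ET

LOCAL_XML_PATH = r"C:\Program Files\Sourcefire\fireAMP\local.xml"  # from the document


def read_uuid_from_text(xml_text):
    """Return the first <uuid> value found at any depth, or None if absent."""
    root = ET.fromstring(xml_text)
    for elem in root.iter("uuid"):
        if elem.text and elem.text.strip():
            return elem.text.strip()
    return None


def read_uuid_from_file(path=LOCAL_XML_PATH):
    """Read local.xml from disk (on the endpoint) and extract its UUID."""
    with open(path, encoding="utf-8") as fh:
        return read_uuid_from_text(fh.read())


def is_well_formed_uuid(value):
    """True when the value parses as an RFC 4122 UUID string."""
    try:
        uuid.UUID(value)
        return True
    except (ValueError, TypeError):
        return False


def identity_persisted(before_xml, after_xml):
    """True only if both copies carry the same well-formed UUID."""
    before, after = read_uuid_from_text(before_xml), read_uuid_from_text(after_xml)
    return is_well_formed_uuid(before) and before == after


# Constructed sample contents standing in for two captures of local.xml.
BEFORE_SAMPLE = """<?xml version="1.0"?>
<config><agent><uuid>2f1c7c3a-5e3b-4b2e-9a4d-1c8e3b6f0d11</uuid></agent></config>"""
AFTER_SAME = BEFORE_SAMPLE
AFTER_CHANGED = """<?xml version="1.0"?>
<config><agent><uuid>8b0a1d2e-3c4f-4a5b-8c6d-7e8f9a0b1c22</uuid></agent></config>"""
```

Run `read_uuid_from_file()` on the endpoint before the uninstall, save the value, run it again after the reinstall, and feed both captures to `identity_persisted()`; a False result at this point means the registration check created a new object and the policy or package should be rechecked as described in the troubleshooting section.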
This section provides information you can use in order to troubleshoot your configuration.
Ensure that the installation packages and Identity Persistence settings are consistent.
If you enable Identity Persistence post-deployment and use an older package, generated before Identity Persistence was enabled, to install the connector, the connectors generate duplicates as they register and update their policies to the current settings.
If your machines appear to share a UUID, ensure that they do not share the unique information, such as MAC addresses within virtualized environments.