Set Up Stealthwatch Security Analytics

Install Stealthwatch Security Analytics

Procedure


Step 1

From the main menu, choose System > Software Management.

Step 2

Under Available Applications for the release, check the check box next to Stealthwatch Security Analytics.

Step 3

Click Install.

After the installation is complete, click View Installed Applications to ensure that the Stealthwatch Security Analytics service is listed.


Access control for Stealthwatch Security Analytics

Access control for Stealthwatch Security Analytics on Catalyst Center can be managed using these configurations:

Role: Defines the available permissions for users to access the Catalyst Center features. You can create a custom role and choose the required permission for Stealthwatch. When you choose a permission for Stealthwatch, Catalyst Center automatically assigns the necessary permissions for its dependent capabilities, including network design, network management, network provision, and system. You can modify these permissions, if needed.

Access group: Limits the access for a role to a specific scope based on the site hierarchy. For a custom role, when you set the Stealthwatch permission to Read or Write, choose the Global scope for the corresponding access group.

Users: Defines the username, password, and so on. Limits the access to features based on the access group.

To create roles, access groups, and users, see "Manage Users" in the Cisco Catalyst Center Administrator Guide.

Permission requirement for Stealthwatch Security Analytics

These are the minimum permissions required for a user to provision Stealthwatch Security Analytics on a device (access, permission, and description):

Security > Stealthwatch (Write): Configure network elements to send data to Cisco Stealthwatch to detect and mitigate threats, even in encrypted traffic.

Network Design > Profiles and Settings (Write): Manage site-wide network settings such as AAA, NTP, DHCP, and so on. Manage telemetry and profiles.

Network Management > Hierarchy (Read): Create a network hierarchy of areas, buildings, and floors based on geographic location. This role also includes CMX server settings.

Network Management > Inventory (Read): Add, update, or delete devices on your network. Manage device attributes; view and manage network topology and configurations.

Network Provision > Device Provision (Write): Provision devices with site-specific settings and policies that are configured for the network.

System > System Administration (Read): Manage core system administrative capabilities including HA, Disaster Recovery, and Backup and Restore.

System > System Settings (Read): Manage core system connectivity settings. This role includes Integrity Verification, Integration Settings, Debugging Logs, Telemetry Collection, System EULA, IPAM, Data Platform, Cisco Credentials, Smart account, Smart Licensing, SSM Connection Mode, and Device EULA.

Register Stealthwatch

Procedure


Step 1

From the main menu, choose System > Settings.

Step 2

In the Search Settings bar in the left pane, enter Stealthwatch.

Step 3

Click Stealthwatch in the left pane.

Step 4

Enter the IP address of the Stealthwatch Management Console or the fully qualified domain name (FQDN).

Step 5

Enter the username and password for the user account that you'd like to use to access the Stealthwatch Management Console.

Note

After adding a new user to the Stealthwatch Management Console, make sure that the user logs in to the Stealthwatch Management Console at least once before integrating Catalyst Center with Cisco Stealthwatch. Upon first login, the user is prompted to set a new password and activate the API access.

These minimum privileges are required for the Stealthwatch user account:

  • Data Role: Read only

  • Function Roles: Configuration Manager and Network Engineer

Note

You can create a custom user role in Catalyst Center to enable another user to provision Stealthwatch Security Analytics on devices. For more information, see Access control for Stealthwatch Security Analytics.

Step 6

Click Save.

After Stealthwatch is registered successfully, the status is displayed as Active | Registered and Running just above the IP Address field.


Set up the UDP Director

The User Datagram Protocol (UDP) Director receives and replicates NetFlow and other traffic to multiple destinations.

Before you begin

Install and configure UDP Director in the Stealthwatch Management Console. For more information, see UDP Director Virtual Edition Installation and Configuration Guide (for Stealthwatch System v6.9.0).

Procedure


Step 1

From the main menu, choose Design > Network Settings.

Step 2

(Optional) From the left hierarchy tree, choose the site for which you want to configure the Stealthwatch Flow Destination.

Step 3

In the Servers tab, scroll down and expand the Stealthwatch Flow Destination area.

Step 4

Choose one of these options to add a flow destination:

  • Select from flow destinations configured in the Stealthwatch: from the Select flow destination drop-down list, choose a flow destination. If you see the error No Stealthwatch flow destination server configured, see Register Stealthwatch.

  • Add an external flow destination server: enter the IP address and port of the flow destination in the corresponding fields.

Step 5

Click Save.


Enable Stealthwatch Security Analytics

Procedure


Step 1

From the main menu, choose Provision > Stealthwatch Security.

Step 2

In the left pane, use the drop-down list to choose the required option.

  • To enable Stealthwatch Security Analytics for sites, choose All Sites.

  • To enable Stealthwatch Security Analytics for fabrics, choose All Fabrics.

By default, All Sites is chosen.

Step 3

From the left hierarchy tree, choose the site or fabric for which you want to enable Stealthwatch Security Analytics.

Alternatively, you can search for the site or fabric using the search bar.

Step 4

Click the site card to select the site or fabric for which you want to enable Stealthwatch Security Analytics.

If required, you can navigate the site and fabric hierarchy down to a specific floor.

The site card displays the number of devices that are enabled, ready, and not ready.

Note

At least one device must be ready to enable Stealthwatch Security Analytics.

Step 5

Review the prechecks and click Get Started.

Step 6

Review the flow destination set up for the selected site or fabric.

  • If you want to change the flow destination, click Change Settings, set a new flow destination, and restart the workflow.

  • If you see the Select a flow destination for the site to proceed error, click Update Settings, set a flow destination, and restart the workflow.

Step 7

Click Next.

Step 8

Ensure that the Ready tab is selected in the device table.

Step 9

Review the list of devices on which Stealthwatch Security Analytics will be enabled.

  • To exclude all devices from Stealthwatch Security Analytics enablement, click the Exclude all devices toggle button.

  • To exclude specific devices, click the corresponding toggle button under the Exclude Device column.

Step 10

Use the toggle button in the ETA Telemetry column to enable or disable the collection of Encrypted Traffic Analytics telemetry data.

By default, this option is enabled for devices that are Encrypted Traffic Analytics-capable. For a list of devices that are compatible with Encrypted Traffic Analytics, see Enable Stealthwatch Security Analytics.

Step 11

Schedule the task for deployment.

Depending on the Visibility and Control of Configurations settings, you can either deploy the device configurations now or later, or preview them before deploying. See Deploy your device configurations now or later and Preview and deploy your device configurations.

Step 12

On the Tasks window, monitor the task deployment.

Note

Before the provisioning action, whether it is run immediately or at a later time, an additional set of prechecks is run. The task fails if:

  • the device CPU exceeds 70% at that point in time,

  • NBAR is enabled on the access switches,

  • there are no Stealthwatch Security Analytics-applicable interfaces on the switch, or

  • there is no route information for routers.


Stealthwatch Security Analytics prechecks

The Stealthwatch Security Analytics service conducts an automatic precheck of the devices in your sites and fabrics to ensure that they meet the criteria for deployment.

These checks are conducted:

  • Required Software: the software running on your devices must meet the minimum requirements.

  • Required Device Role: the device role must support the deployment of the service.

    • If you're using Cisco ASR and ISR Series Routers, ensure that their Device Role is set to Border Router.

    • If you're using Cisco Catalyst 9300 or 9400 Series Switches, ensure that their Device Role is set to Access.

  • Required Hardware: the device hardware must support the deployment of the service.

  • Required Licenses: the active license on the devices in your site must meet the minimum requirements.

  • No conflicts with existing configurations: there should be no compatibility issues with other services. This check fails if

    • the device is managed by vManage,

    • NBAR is enabled on the device, or

    • one or more interfaces on this device already have existing NetFlow monitors enabled.

    Note

    An NBAR conflict applies to devices for Enable Flexible NetFlow, and Cisco Catalyst 9300 and Cisco Catalyst 9400 switches running versions earlier than Cisco IOS XE Release 17.3.1.

The devices that meet all these criteria are considered to be Ready.


Note


For information about hardware, software, and license requirements, see Stealthwatch Security Analytics supported devices.
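As an added example that is not part of this guide or of Catalyst Center's own code, the following Python evaluates constructed inventory records against the readiness prechecks listed above (device role by platform, vManage, NBAR on older Catalyst 9300/9400 software, existing NetFlow monitors) and the deployment-time prechecks from the Enable procedure (CPU above 70%, NBAR on access switches, no applicable interfaces, no route information). Field names, platform labels, and the SAMPLE records are assumptions; the software and license checks are omitted because the page defers their criteria to the supported-devices list.

```python
from dataclasses import dataclass, field

# Rule values are taken from this page's prechecks; field names and platform labels are constructed.
ROLE_BY_PLATFORM = {"ASR": "Border Router", "ISR": "Border Router", "C9300": "Access", "C9400": "Access"}
NBAR_CONFLICT_BEFORE = (17, 3, 1)   # Catalyst 9300/9400 earlier than IOS XE 17.3.1 conflict with NBAR
CPU_LIMIT_PERCENT = 70              # task fails if device CPU exceeds this at provisioning time

@dataclass
class Device:
    hostname: str
    platform: str                 # "ASR", "ISR", "C9300" or "C9400" (constructed labels)
    ios_xe_version: str           # e.g. "17.3.1"
    device_role: str              # role as set in the inventory
    managed_by_vmanage: bool = False
    nbar_enabled: bool = False
    netflow_interfaces: list = field(default_factory=list)  # interfaces with existing monitors
    cpu_percent: int = 0
    applicable_interfaces: int = 0
    has_route_info: bool = True

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def readiness_failures(d):
    """Readiness checks; an empty list means the device is Ready."""
    old_cat9k = (d.platform in ("C9300", "C9400")
                 and parse_version(d.ios_xe_version) < NBAR_CONFLICT_BEFORE)
    rules = [
        (d.device_role != ROLE_BY_PLATFORM.get(d.platform), "Required Device Role"),
        (d.managed_by_vmanage, "Conflict: managed by vManage"),
        (d.nbar_enabled and old_cat9k, "Conflict: NBAR enabled"),
        (bool(d.netflow_interfaces), "Conflict: NetFlow monitors on " + ", ".join(d.netflow_interfaces)),
    ]
    return [msg for hit, msg in rules if hit]

def deployment_failures(d):
    """Checks run again just before provisioning; any hit fails the task."""
    rules = [
        (d.cpu_percent > CPU_LIMIT_PERCENT, f"CPU above {CPU_LIMIT_PERCENT}%"),
        (d.device_role == "Access" and d.nbar_enabled, "NBAR enabled on access switch"),
        (d.device_role == "Access" and d.applicable_interfaces == 0, "no applicable interfaces"),
        (d.device_role == "Border Router" and not d.has_route_info, "no route information"),
    ]
    return [msg for hit, msg in rules if hit]

SAMPLE = [  # constructed inventory records, not Catalyst Center output
    Device("sw-1", "C9300", "17.2.1", "Access", nbar_enabled=True, cpu_percent=40, applicable_interfaces=8),
    Device("rtr-1", "ISR", "17.6.1", "Border Router", cpu_percent=85, has_route_info=False),
]
```

Note that sw-1 passes the deployment-time NBAR check only after the NBAR conflict is cleared, while the same switch on 17.3.1 or later would show no readiness conflict yet still fail at provisioning while NBAR stays enabled.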


View Not Ready devices

Devices that fail these checks are considered Not Ready for the enablement of Stealthwatch Security Analytics:

  • software,

  • compatibility, or

  • license.

Use this procedure to view the list of devices that are not ready.

Procedure


Step 1

From the main menu, choose Provision > Stealthwatch Security.

Step 2

From the left hierarchy tree, choose the site or fabric for which you want to view the devices that aren’t ready.

Alternatively, you can use the search bar to search for a site or fabric.

Step 3

Click the required site card to select the site or fabric for which you want to view the devices that aren’t ready.

Step 4

Click Get Started.

Step 5

Click Next.

Step 6

In the device table, click Not Ready.

The list of devices that aren’t ready for Stealthwatch Security Analytics enablement is displayed, along with the status of each check for each device.

Step 7

Hover your cursor over the red icon to view more information about any failed checks.


Enable Flexible NetFlow export to the Stealthwatch Cloud

You can configure Stealthwatch Security Analytics to enable Flexible NetFlow export to the Stealthwatch Cloud.

The Stealthwatch Cloud supports Cisco Catalyst 9200 and 9300 devices that are running Cisco IOS XE Release 17.3.1 and later.

Before you begin

  • Make sure that you have the DNA Advantage software license.

  • Confirm that the Stealthwatch Security Analytics user role has Configuration Manager and Network Engineer permissions.

  • Make sure that you have devices in your inventory. If not, discover devices using the Discovery feature, and add them to sites.

Procedure


Step 1

In the Stealthwatch Cloud portal, complete these steps:

  1. Choose Settings > Sensors > Service key.

  2. In the Service key field, copy the service key and save it for later use.

    The Stealthwatch Cloud can send Flexible NetFlow data to these regions:

    • US

    • EU

    • APJC

    The service key varies by region. Depending on your sites, you can have up to three different service keys.

Step 2

In Catalyst Center, configure the Stealthwatch flow destination to the Stealthwatch Cloud.

  1. From the main menu, choose Design > Network Settings > Network.

  2. From the left hierarchy tree, choose the site for which you want to configure the Stealthwatch flow destination.

  3. Scroll down and expand the Stealthwatch Flow Destination area.

  4. Click the Stealthwatch Cloud radio button.

  5. In the Service Key field, paste the service key that you copied earlier.

  6. Click Save.

Step 3

Enable Stealthwatch Security Analytics and confirm that the flow destination is set to Stealthwatch Cloud.

For more information, see Enable Stealthwatch Security Analytics.

Step 4

The Enabled tab shows the new devices with an SWC Status of Enabled.

Step 5

Schedule the task for deployment.

Depending on the Visibility and Control of Configurations settings, you can either deploy the device configurations now or later, or preview them before deploying. See Deploy your device configurations now or later and Preview and deploy your device configurations.

Step 6

On the Tasks window, monitor the task deployment.

Step 7

Return to the Stealthwatch Cloud portal and choose Settings > Sensors.

Look for the new sensor:

  • The sensor turns green when data is uploaded to the Stealthwatch Cloud portal.

  • The sensor turns red when data isn’t sent to the Stealthwatch Cloud portal.

Tip

The sensor name is the device hostname.

In the Stealthwatch Cloud portal, when the sensors turn green, traffic details are visible in the dashboard.

Deploy your device configurations now or later

When you reach the scheduling step of a workflow that supports Visibility and Control of Configurations, use this procedure to deploy your device configurations now or later.

Before you begin

Ensure that you’ve disabled Visibility and Control of Configurations in the settings.

Procedure


Step 1

Click Now or Later and, if necessary, update the task name.

Note

If only visibility is enabled or both visibility and control are enabled, Preview and Deploy (Recommended) is chosen by default, and Now and Later are dimmed.

Step 2

On the Performing Initial Checks window, prepare and submit the task for deployment.

  1. Address all the issues to deploy the device configurations.

    Ensure all validations are successful by clicking Recheck in the bottom-right corner of the window.

  2. Click Submit.

    The device configurations will deploy at the scheduled time. You can view the task on the Tasks window.


Preview and deploy your device configurations

When you reach the scheduling step of a workflow that supports Visibility and Control of Configurations, use this procedure to preview and deploy your device configurations.

Before you begin

Ensure that you’ve enabled Visibility and Control of Configurations in the settings.

Procedure


Step 1

Click Preview and Deploy (Recommended) and, if necessary, update the task name.

Note

If only visibility is enabled or both visibility and control are enabled, Preview and Deploy (Recommended) is chosen by default, and Now and Later are dimmed.

Step 2

On the Performing Initial Checks window, address all the issues to continue with your current deployment.

Ensure all validations are successful by clicking Recheck in the bottom-right corner of the window.

Step 3

On the Preparing Devices and Configuration Models window, wait for the system to prepare the devices and generate the device configurations.

Tip

This preparation can take some time. You can click Exit and Preview Later and view the work item in the Tasks window.

Step 4

On the Preview Configuration window, review the device configurations and then choose a deployment option.

  • Click Deploy or Submit for Approval to deploy the device configurations.

  • Click Exit and Preview Later to review and deploy the device configurations later. Later, go to the Tasks window, open the work item, and click Deploy or Submit for Approval.

Note

You can submit the device configurations for ITSM approval and deploy them without previewing all the configurations.

Step 5

Schedule the deployment.

  1. Indicate when and, if applicable, where you want to deploy the configuration.

    If you’re submitting the configurations for review, add notes for the IT administrator.

  2. Click Submit.

    You can check the work item approval status or the task deployment status on the Tasks window. If it's not approved, resubmit the work item for ITSM approval. When it’s approved, it's deployed at the scheduled time.

    Note

    After submitting the task, view the progress of the provisioning task with the Task Progress bar in the Activities > Tasks window by clicking the task name.