Set Up Stealthwatch Security Analytics

Install Stealthwatch Security Analytics

Procedure


Step 1

From the Cisco DNA Center home page, navigate to System > Software Updates.

Step 2

Ensure that Updates is selected in the left pane.

Step 3

Click Install next to Stealthwatch Security Analytics.

After the installation is complete, the Stealthwatch Security Analytics service shows up under the Installed Applications page.


Register Stealthwatch

Procedure


Step 1

From the Cisco DNA Center home page, navigate to System > Settings from the menu.

Step 2

In the left pane, enter Stealthwatch in the Search Settings bar.

Step 3

Click Stealthwatch in the left pane.

Step 4

Enter the IP address of the Stealthwatch Management Console or the fully qualified domain name (FQDN).

Step 5

Enter the username and password for the user account that you'd like to use to access the Stealthwatch Management Console.

The following are the minimum privileges required for the Stealthwatch user account:

  • Data Role: Read only

  • Function Roles: Configuration Manager and Network Engineer

Note 

You can create a custom user role in Cisco DNA Center to enable another user to provision Stealthwatch Security Analytics on devices. For more information about how to create a custom user role, see the Cisco DNA Center User Guide.

The following table lists the minimum permissions required for a user to provision Stealthwatch Security Analytics on a device.

| Access | Description | Permission |
|---|---|---|
| Network Design > Advanced Network Settings | Advanced network settings for AAA, PKI certificates and Stealthwatch | Write |
| Network Design > Network Settings | Common site-wide network settings such as AAA, NTP, DNS servers, and IP pools. Need Write permissions on Network Profiles to create Wireless Profile. | Write |
| Network Provision > Provision | Provision devices with the site settings and policies that are configured for the network. | Write |
| Network Services > Stealthwatch | Configure devices with the site settings and policies that are configured for the network. | Read |
| System > Basic | Access to individual user settings. All users are granted this access. | Write |

Step 6

Click Save.

After Stealthwatch has successfully been registered, the status displays as Active | Registered and Running just above the IP Address field.
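
The minimum-permission table in Step 5 can serve as a least-privilege baseline when reviewing a custom provisioning role. The following Python is an added example, not part of the Cisco documentation: the role dictionary format, the sample role, the access name "Example > Unrelated Access", and the Deny < Read < Write ordering are assumptions made for illustration.

```python
# Added example; the role format and sample data are constructed and are not
# a Cisco DNA Center export format.
LEVELS = {"Deny": 0, "Read": 1, "Write": 2}  # assumed ordering of permissions

# Minimum permissions, copied from the table in Step 5.
MINIMUM = {
    "Network Design > Advanced Network Settings": "Write",
    "Network Design > Network Settings": "Write",
    "Network Provision > Provision": "Write",
    "Network Services > Stealthwatch": "Read",
    "System > Basic": "Write",
}

def _level(access, permission):
    """Map a permission name to its rank, rejecting unknown values."""
    if permission not in LEVELS:
        raise ValueError(f"unknown permission {permission!r} for {access!r}")
    return LEVELS[permission]

def audit_role(role):
    """Return (missing, excess) dicts of access -> (granted, expected)."""
    missing, excess = {}, {}
    for access, needed in MINIMUM.items():
        granted = role.get(access, "Deny")  # an absent entry is treated as Deny
        have, want = _level(access, granted), LEVELS[needed]
        if have < want:
            missing[access] = (granted, needed)   # below the documented minimum
        elif have > want:
            excess[access] = (granted, needed)    # above the documented minimum
    for access, granted in role.items():
        # Anything granted outside the table is a candidate to trim.
        if access not in MINIMUM and _level(access, granted) > LEVELS["Deny"]:
            excess[access] = (granted, "Deny")
    return missing, excess

# Constructed sample role: one permission too low, one too high, one unrelated.
SAMPLE_ROLE = {
    "Network Design > Advanced Network Settings": "Write",
    "Network Design > Network Settings": "Write",
    "Network Provision > Provision": "Read",
    "Network Services > Stealthwatch": "Write",
    "System > Basic": "Write",
    "Example > Unrelated Access": "Write",  # hypothetical access name
}

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE))
```
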


Set Up User Datagram Protocol Director

The User Datagram Protocol (UDP) Director receives and replicates NetFlow and other traffic to multiple destinations.

Before you begin

You should already have installed and configured UDP Director in the Stealthwatch Management Console. For more information, see the UDP Director Virtual Edition Installation and Configuration Guide (for Stealthwatch System v6.9.0).

Procedure


Step 1

From the Cisco DNA Center home page, navigate to Design > Network Settings.

Step 2

(Optional) Use the left pane to drill down to the site for which you want to configure the Stealthwatch Flow Destination.

Step 3

Click Add Servers in the top-right portion of the GUI.

Step 4

From the Add Servers pop-up, check the Stealthwatch Flow Destination check box and click OK.

After you click OK, you might need to scroll down to find the Stealthwatch Flow Destination configuration section.

Step 5

To add a flow destination configured in Stealthwatch, click the corresponding radio button. Alternatively, you can add a destination that isn't managed by the Stealthwatch Management Console by clicking the corresponding radio button.

Step 6

If you've chosen to select a flow destination configured in Stealthwatch, select the desired flow destination. If you see the error No Stealthwatch flow destination server configured, see Register Stealthwatch.

If you've chosen to add an external flow destination, specify the IP address and port of the desired flow destination.

Step 7

Click Save.


Enable Stealthwatch Security Analytics

Procedure


Step 1

From the Cisco DNA Center home page, navigate to Provision > Stealthwatch Security Analytics from the menu.

Step 2

In the left pane, use the drop-down list to select All Sites or All Fabrics, depending on whether you want to enable Stealthwatch Security Analytics for sites or for fabrics. By default, All Sites is selected.

Step 3

In the left pane, drill down to the site or fabric for which you want to enable Stealthwatch Security Analytics. Alternatively, you can search for the site or fabric using the search bar.

Step 4

Select the site or fabric for which you want to enable Stealthwatch Security Analytics by clicking the site card. If required, you can navigate the site and fabric hierarchy down to a specific floor.

The site card displays the number of devices that are enabled, ready, and not ready.

Note 

At least one device must be ready for you to enable Stealthwatch Security Analytics.

Step 5

Review the prechecks and click Get Started.

Step 6

Review the flow destination set up for the selected site or fabric. If you want to change the flow destination, click Change Settings. Set a new flow destination and restart the workflow.

If you see the error Select a flow destination for the site to proceed, click Update Settings to set a flow destination. Restart the workflow.

Step 7

Click Next.

Step 8

Ensure that the Ready tab is selected in the device table.

Step 9

Review the list of devices that will be enabled.

From here, use the toggle switch to exclude all or specific devices from being enabled.

Step 10

Select the corresponding radio button to deploy the application immediately (Now), or at a later time (Later).

Note 

For deployments scheduled for a later time, you can edit the scheduled time from the Notifications list in the upper-right corner of the screen, by clicking Edit.

A series of prechecks will be run close to the time of the deployment, including a precheck on the CPU of the device at that time. Any prechecks that fail will be listed in the task manager.

Step 11

Click Enable.

Step 12

To view the deployment status, click View Deployment Status. Alternatively, navigate to Activity > Scheduled Tasks from the Cisco DNA Center main menu to view the deployment status.

After your task is complete, the status of the deployment changes from In Progress to Success. To ensure that you're viewing the updated status, click the Refresh button in the upper-right corner of the Notifications list.

Note 

Prior to the provisioning action, whether it is run immediately or at a later time, an additional set of prechecks is run. The task will fail if:

  • The device's CPU exceeds 70% at that point in time.

  • NBAR is enabled on the access switches.

  • There are no Stealthwatch Security Analytics applicable interfaces on the switch.

  • There is no route information for routers.


Stealthwatch Security Analytics Prechecks

The Stealthwatch Security Analytics service conducts an automatic precheck of the devices in your sites and fabrics to ensure they meet the criteria for deployment.

The following checks are conducted:

  • Required Software: The software running on your devices must meet the minimum requirements.

  • Required Device Role: The device role must support the deployment of the service. If you're using ASR and ISR series routers, then ensure that their Device Role is set to Border Router. If you're using 9300 and 9400 series switches, then ensure that their Device Role is set to Access.

  • Required Hardware: The device hardware must support the deployment of the service.

  • Required Licenses: The active license on the devices in your site must meet the minimum requirements.

  • No Conflicts with Other Services: There should be no compatibility issues with other services. This check will fail if:

    • The device is managed by vManage.

    • NBAR is enabled on the device.


      Note

      NBAR conflict is applicable to devices for Enable Flexible NetFlow as well as Catalyst 9300 and Catalyst 9400 switches running versions prior to 17.3.1.


    • One or more interfaces on this device already have existing NetFlow monitors enabled.

Devices that meet all of these criteria are counted as Ready.


Note

See Stealthwatch Security Analytics Supported Devices for hardware, software, and license requirements.


View Not Ready Devices

Devices that have failed one or more of the software, compatibility, and license checks are considered to be not ready for the enablement of Stealthwatch Security Analytics. To view the list of devices that are Not Ready, complete the following steps:

Procedure


Step 1

From the Cisco DNA Center main menu, navigate to Provision > Stealthwatch Security Analytics.

Step 2

In the left pane, drill down to the site or fabric for which you want to view the devices that are not ready for Stealthwatch Security Analytics enablement. Alternatively, you can search for the site or fabric using the search bar.

Step 3

Select the site or fabric for which you want to view the not ready devices by clicking the appropriate site card.

Step 4

Click Get Started.

Step 5

Click Next.

Step 6

In the device table, click Not Ready.

The list of devices that are not ready for Stealthwatch Security Analytics enablement is displayed, along with the status of each check for each device.

Step 7

Hover your cursor over the red icon to view more information about any failed checks.