Configuration

Configure Active Discovery in Docker Sensor

Once the sensor connects, you can modify the Active Discovery network interface configuration to:

  • Add multiple network interfaces for the sensor to perform Active Discovery on several subnetworks simultaneously.

  • Delete an Active Discovery network interface.

  • Change the configuration of an Active Discovery network interface.

Procedure

Step 1

From the main menu, choose Admin > Sensors > Sensor Explorer.

Step 2

Click the sensor to configure and click the Active Discovery button on its right side panel.

The ACTIVE DISCOVERY CONFIGURATION appears with the interface currently set.

Step 3

To add a new network interface, click New network interface.

Step 4

Enter the following parameters to set dedicated network interfaces:

  • IP address

  • Prefix length

  • VLAN number

Step 5

Click Add.

You can add as many network interfaces as needed.

Step 6

Click Configure.

A message indicates that the configuration applies successfully.

Configure Sensor Configuration Template

Templates

This page allows you to create and set templates with protocol configurations and assign them to specific sensors.

Sensor templates contain protocol configurations which allow you:

  • To enable or disable protocol DPI (Deep Packet Inspection) engines.

  • To map UDP and TCP ports for each protocol’s packet received by the sensor.

Enable or disable a protocol DPI engine to choose which protocols to analyze.

Disable a protocol DPI engine to avoid false positives in Cisco Cyber Vision. This occurs when a protocol appears on the user interface but is not present because the same UDP/TCP ports can be used by other non-standardized protocols.

The Default template disables some protocols because they are not commonly used or are specific to fields like transportation. The Default template applies to all compatible sensors.

Although UDP/TCP port configurations are mostly standardized, conflicts still occur with field-specific or with limited usage. Map UDP/TCP port numbers to ensure packets are sent to the correct DPI engine for accurate analysis and representation in the user interface.

Sending the protocol’s packet to the wrong port results in related information appearing in Security Insights/Flows without a tag.

A sensor associates with only one template. Template deployment fails

  • if the sensor is disconnected,

  • if there is connection issues, or

  • if the sensor version is too old.

Create Templates

Procedure

Step 1

From the main menu, choose Admin > Sensors > Templates.

Step 2

Click the Add sensor template button.

The CREATE SENSOR TEMPLATE window appears.

Step 3

Add a name to the template.

(Optional) You can add a description.

Step 4

Click Next.

The list of protocol DPI engines with their basic configurations appears.

Step 5

In the search bar, type the protocol you want to configure.

Step 6

To edit its settings, click the pen icon under the Port Mapping column, .

The protocol's port mapping window appears.

Step 7

Enter the port numbers you want to add.

Note

 

If you have continuous port numbers, you can enter a port range. For example, type 15000-15003 for ports 15000, 15001, 15002, and 15003.

Step 8

Click OK.

The port number is added to the protocol's default settings.

Step 9

Enable the toggle button Displayed modified only to quickly find the protocol.

Step 10

Click Next.

Step 11

Select the checkboxes for the sensors to which you want to apply the template.

Step 12

Click Next.

Step 13

Check the template configurations and click Confirm.

The configuration is sent to the sensors. Configuration deployment will take a few moments.

The OPCUA template appears in the template list with its two assigned sensors.

Export Templates

You can use this feature to define the template at one center and then migrate it to another. To export the template, follow these steps:

Procedure

Step 1

From the main menu, choose Admin > Sensors > Templates.

Step 2

Locate the template and hover over the ellipsis (…) in the Actions column.

Step 3

Click Export from the drop-down list.

Your system downloads the template to its local location.

Import Templates

To import the template, follow these steps:

Procedure

Step 1

From the main menu, choose Admin > Sensors > Templates.

Step 2

Click Import sensor template.

The system’s local folder will opens.

Step 3

Select the template and click Open.

The system displays the imported template on the Configuration Template page.

Step 4

Locate the template and hover over the ellipsis (…) in the Actions column.

Step 5

Click Edit from the dropdown list.

Step 6

From the Select sensors tab, check the checkboxes of the sensors to which you want to apply the template.

Step 7

Click Next.

Step 8

Check the details and click Update.

The template recovers all the changes made in the previous center, and will be applied to the selected sensors.

Set a Capture Mode

The Capture Mode feature allows you to select which network communications will be analyzed by the sensors. To access the Capture Mode feature, follow these steps:

  1. From the main menu, choose Admin > Sensors > Sensor Explorer.

  2. Click the name of the sensor from the label column.

    The right side panel appears with the sensor details.

  3. Click Capture mode.

    The CAPTURE MODE window appears.

  4. Click the radio button to select Capture Mode.

The aim is mainly to focus the monitoring on relevant traffic but also to reduce the load on the Center.

For example, a common filter in a firewall can consist of removing the network management flows (SNMP). This can be done by setting a filter like "not (port 161 and host 10.10.10.10)" where "10.10.10.10" is the network management platform.

By using Capture Mode, Cisco Cyber Vision performance can be improved on large networks.

Capture modes operate because of filters applied on each sensor. Filters are set to define which types of incoming packets are to be analyzed by the sensors. You can set a different filter on each sensor according to your needs.

You can set the capture mode in the installation wizard when enrolling the sensors during the Center installation. This option is recommended if you already know which filter to set. Otherwise, you can change it at any time on the Sensor Explorer page in the GUI (provided that the SSH connection is allowed from the Center to the sensors).

The different capture modes are:

  • ALL: The sensor analyzes all incoming flows without applying a filter. It stores all flows in the Center database.

  • OPTIMAL (Default): The filter selects the most relevant flows based on Cisco Cyber Vision expertise. It does not record multicast flows. Use this capture mode for long-term capture and monitoring.

  • INDUSTRIAL ONLY: The filter selects only industrial protocols like Modbus, S7, and EtherNet/IP. This means that the sensor does not analyze IT flows of the monitored network, and they do not appear in the GUI.

  • CUSTOM (advanced users): Use this capture mode to fully customize the filter. Use the tcpdump syntax to define the filtering rules.