Getting Started with Security Analytics and Logging (On Premises) for Secure Network Analytics 7.5.1


Note


If you want to store Firewall event data in the Cisco cloud, as opposed to on-premises, see the Cisco Security Analytics and Logging (SaaS) documentation for more information.


Concepts and Architecture

In a Security Analytics and Logging (OnPrem) deployment, you can use a Secure Network Analytics appliance to store data from another Cisco product deployment. In the case of the Secure Firewall deployment, you can export your Security Events and data plane events from your Secure Firewall Threat Defense devices managed by the management center to a Manager to store that information.

You can deploy Secure Network Analytics as follows:

  • Data Store - Deploy Cisco Secure Network Analytics Flow Collectors (up to 5) to receive events, a Cisco Secure Network Analytics Data Store containing 1, 3, or more (in sets of 3) Cisco Secure Network Analytics Data Nodes to store events, and a Manager from which you can review and query events

Data Store

See the following diagram for an example of a Data Store deployment with a Manager, Data Nodes, and Flow Collector(s):

In this deployment, the threat defense and Secure Firewall ASA devices send Firewall events to the Flow Collector. The Flow Collector sends the events to the Data Store for storage. From the management center UI, users can cross-launch to the Manager to view more information about the stored events. They can also remotely query the events from the management center.

Reference Documentation

The following table describes relevant reference documentation for Security Analytics and Logging (OnPrem) appliance compatibility, deployment, and use:

Table 1.

Document | Description
Secure Firewall Release Notes | Review the Secure Firewall Release Notes to understand the latest information about the current Secure Firewall release, including last-minute information.
Secure Network Analytics Smart Licensing Guide | Review the Secure Network Analytics Smart Licensing Guide to understand how to register your Secure Network Analytics product instance and license your Secure Network Analytics appliances.
Secure Network Analytics Installation Guide | Review the Secure Network Analytics Installation Guide to understand how to deploy your Secure Network Analytics appliances.
Secure Network Analytics Configuration Guide | Review the Secure Network Analytics Configuration Guide to understand how to configure your Secure Network Analytics appliances.
Secure Network Analytics Release Notes | Review the Secure Network Analytics Release Notes to understand the latest information about the current Secure Network Analytics release, including last-minute information.

If you have not already deployed Secure Firewall or configured your Secure Firewall deployment to generate the expected connection, intrusion, file, and malware events, see the following:

Table 2.

Document | Description
Secure Firewall Compatibility Guide | Review the Secure Firewall Compatibility Guide to understand the version support for Secure Firewall Management Center and Secure Firewall Threat Defense device appliance models.
Secure Firewall Installation and Configuration Guides | Review the Secure Firewall Installation and Configuration Guides to understand how to install and configure your Secure Firewall appliances.
Secure Firewall Management Center Configuration Guide | Review the Secure Firewall Management Center Configuration Guide to understand Secure Firewall appliance licensing and configuration of your Secure Firewall Threat Defense devices managed by your Secure Firewall Management Center, access control policies, intrusion policies, and file policies.

Requirements

The following lists the appliance requirements for deploying Security Analytics and Logging (OnPrem) to store your Firewall event data.

Firewall Appliances

You must deploy the following Firewall appliances:

Solution Component | Required Version | Licensing for Security Analytics and Logging (OnPrem) | Notes
Secure Firewall Management Center (hardware or virtual) | v7.2+ (for a management center running an earlier version, see https://cisco.com/go/sal-on-prem-docs) | none | You can deploy one Manager per management center, and optionally multiple Flow Collectors and Data Nodes.
Secure Firewall managed devices | v7.0+ using the wizard; Threat Defense v6.5 or later using syslog; NGIPS v6.5 using syslog | none |
ASA devices | v9.12+ | none |

Secure Network Analytics Appliances

You can deploy Secure Network Analytics as follows:

  • Data Store - Deploy Flow Collector(s) to ingest events, Data Store to store events, and Manager to review and query events

Table 3. Data Store

Solution Component | Required Version | Licensing for Security Analytics and Logging (OnPrem) | Notes
Manager | Secure Network Analytics v7.5.1 | none | Secure Network Analytics v7.5.1 is required for Single Node Data Store and multi-telemetry.
Flow Collector | Secure Network Analytics v7.5.1 | none | You can deploy up to 5 Flow Collectors that are configured for Data Store. The Flow Collector can receive events from multiple threat defense devices, all managed by one management center. The Flow Collector can receive ASA events from multiple ASA devices. Secure Network Analytics v7.5.1 is required for Single Node Data Store and multi-telemetry.
Data Store | Secure Network Analytics v7.5.1 | none | You can deploy either 1, 3, or more (in sets of 3) Data Nodes. Stores Firewall events received by Flow Collector(s). Secure Network Analytics v7.5.1 is required for Single Node Data Store and multi-telemetry.

In addition to these components, you must make sure that all of the appliances can synchronize time using NTP.

If you want to remotely access the Secure Firewall or Secure Network Analytics appliances' consoles, you can enable access over SSH.

Secure Network Analytics Licensing

You can use Security Analytics and Logging (OnPrem) for 90 days without a license in Evaluation Mode. To continue using Security Analytics and Logging (OnPrem) after the 90-day period, you must obtain a Logging and Troubleshooting Smart License through Smart Licensing, based on the GB per day you anticipate sending in syslog data from your Firewall deployment to your Secure Network Analytics appliance.


Note


For license calculation purposes, the amount of data is reported to the nearest whole GB, truncated. For example, if you send 4.9 GB in a day, it is reported as 4 GB.


See the Secure Network Analytics Smart Software Licensing Guide for more information on licensing your Secure Network Analytics appliances.

Firewall Event Logs for Network Detections

We have added network detections based on Cisco Security Analytics and Logging (On Premises) data. If you enable this configuration, you will have more insight into your traffic patterns, risks, and the scope of an attack.

You can enable or disable the ingest of Firewall event logs using the sal_to_flow_cache toggle in the advanced settings in the Flow Collector Admin UI. This toggle enables or disables network detections when you already have Firewall log ingest enabled. For more information about editing advanced settings on the Flow Collector, refer to the Advanced Settings Help topic.

Configuration: Follow the instructions in the Cisco Security Analytics and Logging (On Premises) for Secure Network Analytics 7.5.1: Firewall Event Integration Guide.

Queries: You can query Firewall Logs in flow searches, custom security events, and Report Builder.

Secure Network Analytics Resource Allocation

Secure Network Analytics offers the following ingest rates, in events per second (EPS), when deployed for Security Analytics and Logging (OnPrem):

  • a virtual edition (VE) Data Store deployment, with 3 Data Nodes, can ingest up to roughly 50k EPS on average, with short bursts of up to 175k EPS

  • a hardware Data Store deployment, with 3 Data Nodes, can ingest up to roughly 150k EPS on average with Security Analytics and Logging (OnPrem) and sal_to_flow_cache ON

Based on the allocated hard drive storage, you can store the data for several weeks or months. These estimates are subject to various factors, including network load, traffic spikes, and information transmitted per event.


Note


At higher EPS ingest rates, Security Analytics and Logging (OnPrem) may drop data. In addition, if you send all event types, instead of only connection, intrusion, file, and malware events, Security Analytics and Logging (OnPrem) may drop data as your overall EPS rises. Review the log files in this case.


Data Store Recommendations

For optimum performance, allocate the following resources if you deploy a Manager VE, Flow Collector VE, and Data Store VE:


Note


If you are using a Single Node Data Store or if you have enabled multi-telemetry in Secure Network Analytics, your resource allocation and storage capacity may be different from the following recommendations. For more information, refer to the Secure Network Analytics Appliance Installation Guide (Hardware or Virtual Edition) and the System Configuration Guide v7.5.1.


Table 4. Manager VE

Resource | Recommendation
CPUs | 8
RAM | 64 GB
Hard drive storage | 480 GB

Table 5. Flow Collector VE

Resource | Recommendation
CPUs | 8
RAM | 70 GB
Hard drive storage | 480 GB

Table 6. Data Nodes VE (as part of a Data Store)

Resource | Recommendation
CPUs | 12 per Data Node
RAM | 32 GB per Data Node
Hard drive storage | 5 TB per Data Node VE, or 15 TB total across 3 Data Nodes

Hardware Specifications

For hardware specifications, refer to the appliance specification sheets.

Estimated Retention (3 Data Nodes)

Based on the storage space that you allocate for your Data Store VE or if you have a hardware deployment, you can store your data for roughly the following time frames on your Data Store deployment:

Average EPS | Average Daily Events | Virtual | Hardware
1,000 | 86.5 million | 1,500 days | 3,000 days
5,000 | 430 million | 300 days | 600 days
10,000 | 865 million | 150 days | 300 days
20,000 | 1.73 billion | 75 days | 150 days
25,000 | 2.16 billion | 60 days | 120 days
50,000 | 4.32 billion | 30 days | 60 days
75,000 | 6.48 billion | Not supported | 40 days
100,000 | 8.64 billion | Not supported | 30 days

When the Data Store reaches maximum storage capacity, it deletes the oldest data first to make room for incoming data. To increase your storage capacity, add more Data Nodes using the Secure Network Analytics System Configuration Guide.


Note


We have tested the virtual appliances with these resource allocations for this estimated ingest and storage period. You may note unanticipated errors due to insufficient resource allocation if you do not assign enough CPUs or RAM to the virtual appliance. If you increase the Data Node storage allocation beyond 5 TB, you may note unanticipated errors due to insufficient resource allocation.
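The retention table above is consistent with a fixed event capacity per deployment type (retention days multiplied by daily events is the same in every supported row), so it can be turned into a small capacity planner. This is an added example, not Cisco code: the capacity constants are derived from the table, the EPS ceilings come from the Resource Allocation section, and linear scaling between table rows is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_DAY = 86_400

# Rough average-EPS ceilings for a 3-Data-Node deployment, from this guide.
MAX_AVG_EPS = {"virtual": 50_000, "hardware": 150_000}

# Derived from the retention table: days x daily events is constant per column
# (1,000 EPS -> 86.4 million/day x 1,500 days virtual, x 3,000 days hardware).
# Assumption: retention scales linearly with EPS, as the table implies.
EVENT_CAPACITY = {
    "virtual": 1_000 * SECONDS_PER_DAY * 1_500,   # ~1.30e11 events
    "hardware": 1_000 * SECONDS_PER_DAY * 3_000,  # ~2.59e11 events
}

@dataclass
class Estimate:
    deployment: str
    avg_eps: int
    daily_events: int
    retention_days: Optional[int]  # None when the rate is not supported
    note: str

def daily_events(avg_eps: int) -> int:
    """Events stored per day at a sustained average rate (EPS x 86,400)."""
    return avg_eps * SECONDS_PER_DAY

def estimate_retention(avg_eps: int, deployment: str) -> Estimate:
    """Estimate how many days a 3-Data-Node Data Store keeps data at avg_eps."""
    if deployment not in EVENT_CAPACITY:
        raise ValueError(f"unknown deployment type: {deployment!r}")
    if avg_eps <= 0:
        raise ValueError("avg_eps must be positive")
    per_day = daily_events(avg_eps)
    if avg_eps > MAX_AVG_EPS[deployment]:
        return Estimate(deployment, avg_eps, per_day, None,
                        "above the supported average ingest rate; expect dropped data")
    days = EVENT_CAPACITY[deployment] // per_day
    return Estimate(deployment, avg_eps, per_day, days,
                    "oldest data is deleted first once the Data Store is full")

if __name__ == "__main__":
    for eps in (1_000, 20_000, 75_000):
        for kind in ("virtual", "hardware"):
            e = estimate_retention(eps, kind)
            print(f"{kind:8} {eps:>7} EPS -> {e.daily_events:>13,} events/day, "
                  f"retention: {e.retention_days or 'not supported'} ({e.note})")
```

Treat the result as a planning floor: the guide's figures are averages, and bursts, larger events, or sending all event types shorten retention and raise the risk of dropped data.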


Communication Ports

The following table lists the communication ports you must open for the Security Analytics and Logging (OnPrem) integration for a Data Store deployment. In addition, see the x2xx Series Hardware Appliance Installation Guide or the Virtual Edition Appliance Installation Guide for the ports you must open for your Secure Network Analytics deployment.

Table 7. Data Store

From (Client) | To (Server) | Port | Protocol or Purpose
Management Center, Threat Defense devices, Manager, Flow Collector, and Data Store | External internet (NTP server) | 123/UDP | NTP time synchronization, all to the same NTP server
User workstations | Management Center and Manager | 443/TCP | Logging into the appliances' web interfaces over HTTPS using a web browser
Threat Defense devices managed by a management center | Flow Collector | 8514/UDP | Syslog export from the threat defense devices, ingest to Flow Collector
ASA devices | Flow Collector | 8514/UDP | Syslog export from ASA devices, ingest to Flow Collector
Management Center | Manager | 443/TCP | Remote query from the management center to the Manager

Configuration Overview

The following describes the high-level steps for configuring your deployment to store firewall event data.

Review these tasks before starting your deployment.

Component and Task | Steps
Deploy Data Store |
Configure the Secure Firewall Management Center to send events to Security Analytics and Logging (OnPrem) | You have the following options:
Configure ASA devices to send events to Security Analytics and Logging (OnPrem) |
Review Next Steps | Review the Next Steps:

Next Steps

After you configure your Firewall devices to send event data to your Secure Network Analytics appliance as part of Security Analytics and Logging (OnPrem), you can take the following steps:

  • Review the management center online help.

  • Review the Manager online help to learn more about Secure Network Analytics. Go to Investigate > Security Analytics and Logging (OnPrem).