Before You Deploy

Before you deploy Security Analytics and Logging (OnPrem), please review the Getting Started with Security Analytics and Logging Guide and the Security Analytics and Logging On Premises: Firewall Event Integration Guide.


Important

We support installing the app on a Manager as a standalone appliance (Manager only), or a Manager that manages a Cisco Secure Network Analytics Flow Collector NetFlow and Cisco Secure Network Analytics Data Nodes (Data Store). You cannot install the app on an Manager if it manages one or more Flow Collectors without managing Data Nodes.

Version Compatibility

The following tables provide a high-level overview of the solution components required to use Secure Network Analytics to store Firewall event data in a Security Analytics and Logging (OnPrem) deployment.

Firewall Appliances

You must deploy the following Firewall appliances:

Solution Component

Required Version

Licensing for Security Analytics and Logging (OnPrem)

Notes

Secure Firewall Management Center (hardware or virtual)

v7.2+

For the management center running earlier versions, see https://cisco.com/go/sal-on-prem-docs.

none

  • can deploy one Manager per management center, and optionally multiple Flow Collectors and Data Nodes

Secure Firewall managed devices

v7.0+ using the wizard

Threat Defense v6.4 or later using syslog

NGIPS v6.4 using syslog

none

ASA devices

v9.12+

none

Secure Network Analytics Appliances

You have the following options for deploying Secure Network Analytics:

  • Manager only - Deploy only a Manager to ingest and store events, and review and query events

  • Data Store - Deploy Flow Collector(s) to ingest events, Data Store to store events, and Manager to review and query events

Table 1. Manager only

Solution Component

Required Version

Licensing for Security Analytics and Logging (OnPrem)

Notes

Manager

Secure Network Analytics v7.4.0+

none

  • can receive events from multiple threat defense devices, all managed by one management center

  • must install the Security Analytics and Logging (OnPrem) app for event ingest, and for viewing Firewall events in the Manager Web App

Security Analytics and Logging (OnPrem) app

Security Analytics and Logging (OnPrem) app v3.1+

Logging and Troubleshooting Smart License, based on GB/day

  • Install this app on the Manager and configure to enable event ingest

Table 2. Data Store

Solution Component

Required Version

Licensing for Security Analytics and Logging (OnPrem)

Notes

Manager

Secure Network Analytics v7.4.0+

none

  • must install theSecurity Analytics and Logging (OnPrem) app for event ingest, and for viewing Firewall events in the Manager Web App

  • Secure Network Analytics v7.4.1 is required for Single Node Data Store and multi-telemetry

Flow Collector

Secure Network Analytics v7.4.0+

none

  • can deploy up to 5 Flow Collectors that are configured for Data Store

  • can receive events from multiple threat defense devices, all managed by one management center

  • can receive ASA events from multiple ASA devices

  • Secure Network Analytics v7.4.1 is required for Single Node Data Store and multi-telemetry

Data Store

Secure Network Analytics v7.4.0+

none

  • can deploy either 1, 3, or more (in sets of 3) Data Nodes

  • can store Firewall events received by Flow Collector(s)

  • Secure Network Analytics v7.4.1 is required for Single Node Data Store and multi-telemetry

Security Analytics and Logging (OnPrem) app

Security Analytics and Logging (OnPrem) app v3.1+

Logging and Troubleshooting Smart License, based on GB/day

  • Install this app on the Manager and configure to enable event ingest

In addition to these components, you must make sure that all of the appliances can synchronize time using NTP.

If you want to remotely access the Secure Firewall or Secure Network Analytics appliances' consoles, you can enable access over SSH.

Software Download

Note the following:

  • Patches: Make sure you install the latest rollup patch on your appliances before you upgrade. You can download the files from your Cisco Smart Account on Cisco Software Central at https://software.cisco.com.

  • Downloading Files:

    1. Log in to your Cisco Smart Account at https://software.cisco.com or contact your administrator.

    2. In the Download and Upgrade section, select Software Download.

    3. Select Security > Network Visibility and Segmentation > Secure Analytics (Stealthwatch) > Secure Network Analytics Virtual Manager > App - Security Analytics and Logging On Prem.

    4. Download the Security Analytics and Logging On Prem app file, app-smc-sal-3.1.0-v2.swu.

Third-party Applications

We do not support installing third-party applications on appliances.

Browsers

Secure Firewall and Secure Network Analytics both support the latest version of Google Chrome and Mozilla Firefox.