Contents
- Cisco Stealthwatch Learning Network License Quick Start Guide
- Learning Network License Introduction
- Installation Prerequisites
- Communication Ports
- Learning Network License and Licensing
- Controller Host Requirements
- Controller Installation Prerequisites
- Agent and ISR Interaction
- Agent Installation Prerequisites
- Agent Configuration Prerequisites
- ISR Platform Requirements
- ISR G2 Platform Requirements
- ISR 4000 Series Platform Requirements
- ISR Configuration Prerequisites
- ISR License Installation
- Downloading the OVA Files from Cisco
- Controller Deployment
- Deploying the OVA File
- Powering On the Virtual Machine
- Configuring the Controller with the Setup Script
- Verifying NTP Configuration on the Controller
- NTP Configuration
- Configuring NTP on the ISR
- NetFlow Configuration
- Configuring NetFlow
- Agent Deployment to a UCS E-Series Blade Server
- Configuring Virtual Switches
- UCS E-Series Blade Server Deployment
- Deploying the OVA File
- Powering On the Virtual Machine
- Agent Configuration Overview
- Configuring an Agent with the Setup Script
- Verifying NTP Configuration on the Agent
- Controller and Agent Communications Overview
- Pinging Agents from the Controller
- Agent Administrator Settings
- Enable Trust on First Use
- Storing ISR Authentication Information
- Restarting Agent Processes
- Controller Certificate Management
- Updating the Controller Configuration
- Restarting Controller Processes
- Smart Licensing Overview
- Logging into the Learning Network License System
- Registering the Controller Instance
- Restarting the Controller Processes
- Controller Management of Agents
- Adding an Agent to the Controller
- Agent Configuration Notes
- Initial Learning Phase Overview
- Next Steps
- For Assistance
Cisco Stealthwatch Learning Network License Quick Start Guide
The following details essential information on deploying and configuring your Cisco Stealthwatch Learning Network License system.
Learning Network License Introduction
The Learning Network License system is a hyper-distributed analytics architecture that inspects your network traffic and applies machine learning algorithms to perform a behavioral analysis. As a result, the system can identify anomalous behavior, such as malware, distributed botnets, data exfiltration, and more.
You deploy multiple agents to your network edge to inspect traffic. These agents report the anomalies in real-time to the controller for additional system and user analysis. Based on the anomalies, you can provide relevance feedback, which the system incorporates into internal traffic models. This allows the system to better identify and report anomalies of interest.
You can also configure mitigations based on anomaly properties, such as hosts involved and application traffic transferred. These mitigations reduce or eliminate the impact of detected anomalies now and in the future. The combination of behavioral analysis, user feedback, and traffic mitigation customizes the system to address the threats specific to your network and better protect your users.
Installation Prerequisites
When you deploy the Learning Network License system, obtain or configure the following:
- open ports for system functionality
- an ESXi host for the controller
- an ISR with a UCS E-Series blade server to run the agent
- the proper licensing for your ISR
- the controller and agent OVA files
Communication Ports
Learning Network License requires several open ports for functionality, to allow communication between the controller and agents, and to allow users to access the controller UI. If a firewall or other security appliance sits between the controller and agents, or between the user and the controller, open these ports.
The following diagram illustrates this system functionality.
- Users, such as system administrators, can log into the controller web UI, and SSH login to agents.
- The controller sends information, such as mitigations, to the agent, and contacts NTP servers to synchronize time.
- The agent sends information, such as anomalies, log files, configuration files, and PCAP files, to the controller, and contacts NTP servers to synchronize time.
The following diagram illustrates the open ports and directionality. See Table 1 for more information on these ports.
Table 1 Default Communication Ports for Learning Network License Features and Operation
Port | Description | Direction | Is Open for any... | To...
22/TCP | SSH/SCP | outbound from agent eth0 interface Management IP, inbound to controller IP | IP associated with the controller, Management IP associated with the agent | transfer log files and configuration files
22/TCP | SSH | outbound from host IP, inbound to agent eth0 interface Management IP | host IP that wants to SSH login to the agent | optionally enable remote access to the agent shell
22/TCP | SSH | inbound from host IP to controller IP | host IP that wants to SSH login to the controller | optionally enable SSH login to the controller
123/UDP | NTP | outbound from the controller IP to an external NTP server | IP associated with the controller | synchronize time
123/UDP | NTP | outbound from an agent eth0 interface Management IP when deployed to a UCS E-Series blade server | IP associated with the agent | synchronize time
443/TCP | HTTPS | inbound from user IP to controller IP | host IP that wants to access the controller UI | access the controller UI
9091/TCP | TLS | outbound from controller IP to agent eth0 interface Management IP | IP associated with the controller | allow the controller to communicate with the agent
9092/TCP | packet buffer capture (PBC) | outbound from controller IP to agent eth0 interface Management IP | IP associated with the controller | enable PBC
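Before asking for firewall changes, it helps to test the Table 1 TCP flows from each host's own vantage point (from the controller towards an agent, from an administrator workstation towards the controller). The following Python script is an added example, not part of this guide or of the Learning Network License software: it encodes the TCP rows of Table 1 and attempts a TCP connect to each destination for the role you name. The addresses 192.0.2.10 and 192.0.2.20 are constructed documentation addresses, and UDP/123 is left out because a UDP connect returns no reply and so proves nothing about the port.

```python
import socket
from typing import Callable, Dict, List, Tuple

# TCP rows of Table 1 as (source role, destination role, port, purpose).
# UDP/123 (NTP) is deliberately absent: a UDP "connect" completes with no
# reply from the peer, so it cannot show whether the port is open.
REQUIRED_TCP_FLOWS: List[Tuple[str, str, int, str]] = [
    ("agent", "controller", 22, "SSH/SCP: transfer log files and configuration files"),
    ("user", "agent", 22, "SSH: optionally enable remote access to the agent shell"),
    ("user", "controller", 22, "SSH: optionally enable SSH login to the controller"),
    ("user", "controller", 443, "HTTPS: access the controller UI"),
    ("controller", "agent", 9091, "TLS: allow the controller to communicate with the agent"),
    ("controller", "agent", 9092, "packet buffer capture (PBC)"),
]

Connector = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True when a TCP handshake to host:port completes within timeout.

    A refused connection, a silently dropped SYN (timeout) and an unroutable
    host all come back as False; telling them apart is a follow-up for the
    firewall owner, not this script.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def flows_from(role: str) -> List[Tuple[str, str, int, str]]:
    """Table 1 flows that originate at `role`, i.e. the host running this check."""
    return [flow for flow in REQUIRED_TCP_FLOWS if flow[0] == role]


def check_flows(role: str, peers: Dict[str, str],
                connect: Connector = tcp_connect) -> List[Tuple[str, int, str, bool]]:
    """Test every Table 1 TCP flow that starts at `role`.

    `peers` maps a destination role to the IP to probe, for example
    {"agent": "192.0.2.10"}; flows whose destination is not in `peers` are
    skipped. `connect` is injectable so the logic can be exercised offline.
    Returns (host, port, purpose, reachable) per tested flow, in Table 1 order.
    """
    results = []
    for _src, dst, port, purpose in flows_from(role):
        if dst not in peers:
            continue
        host = peers[dst]
        results.append((host, port, purpose, connect(host, port)))
    return results


def blocked(results: List[Tuple[str, int, str, bool]]) -> List[str]:
    """One line per flow that did not connect: the rules a firewall still needs."""
    return [f"{host}:{port}/TCP blocked ({purpose})"
            for host, port, purpose, ok in results if not ok]


if __name__ == "__main__":
    # Run on the controller; 192.0.2.10 is a constructed agent eth0 Management IP.
    findings = blocked(check_flows("controller", {"agent": "192.0.2.10"}))
    for line in findings or ["all controller-to-agent TCP flows reachable"]:
        print(line)
```

Run it once from the controller with the agent Management IP, and once from an administrator host with the controller IP (role "user"); anything reported as blocked maps directly to a Table 1 row that the intervening firewall still drops.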
Learning Network License and Licensing
To properly deploy your Learning Network License system, you must obtain the proper IOS Licenses for your ISRs, as well as the proper Smart Licenses for Learning Network License.
To run an agent on an ISR, you must activate an IP Base (ipbasek9) IOS license, and a Data (datak9) or App (appxk9) IOS license. See http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html for more information on activating the licenses.
You must also obtain the appropriate Smart License entitlement for each controller and agent you deploy.
Table 2 Smart License Entitlement Types
Learning Network License Component | License Entitlement and Description | Associated File Downloads
controller | L-SW-SCA-K9 - Cisco Stealthwatch Learning Network License Centralized Agent Manager | sln-sca-k9-<ver>.ova
agent installed on a UCS E-Series blade server | L-SW-LN-UCS-1Y-K9 - Cisco Stealthwatch Learning Network License for UCS Series 1 Yr Term | sln-dla-ucse-k9-<ver>.ova
agent installed on a UCS E-Series blade server | L-SW-LN-UCS-3Y-K9 - Cisco Stealthwatch Learning Network License for UCS Series 3 Yr Term | sln-dla-ucse-k9-<ver>.ova
For more information on Smart Licensing, see http://www.cisco.com/web/ordering/smart-software-manager/smart-accounts.html.
In addition, you must generate a registration token in the Cisco Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html), then use this to register your controller. Each time you manage and enable an agent with the controller, the controller automatically requests a license entitlement for the agent.
For more information about the Cisco Smart Software Manager, see the Cisco Smart Software Manager User Guide.
Controller Host Requirements
You can host a controller virtual appliance on a VMware ESXi Version 5.5 hosting environment. You can also enable VMware tools on all supported ESXi versions. For information on the full functionality of VMware Tools, see the VMware website (http://www.VMware.com). For help creating a hosting environment, see the VMware ESXi documentation.
Virtual appliances use Open Virtual Format (OVF) packaging. Cisco provides the controller and agent virtual appliances in Open Virtual Appliance (OVA) format, an archive version of the OVF file.
The computer that serves as the controller ESXi host must meet the following requirements:
- It must have a 64-bit CPU that provides virtualization support, either Intel® Virtualization Technology (VT) or AMD Virtualization™ (AMD-V™) technology.
- Virtualization must be enabled in the BIOS settings.
- To host virtual devices, the computer must have network interfaces compatible with Intel e1000 drivers (such as PRO 1000MT dual port server adapters or PRO 1000GT desktop adapters).
- This host must have network connectivity to all ISRs where you will install your agents.
- Users such as administrators and analysts should be able to establish a connection to this host, to access the controller user interface.
For more information, see the VMware website: http://www.vmware.com/resources/guides.html.
Note
Installing the controller on an ISR is not supported.
Controller Installation Prerequisites
Controller Download
Cisco provides the controller as an OVA file: sln-sca-k9-<ver>.ova. Download the file at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html.
You must also download and install the latest version of VMware vSphere Client to install the virtual machine. Cisco recommends you also download and install VMware ESXi version 5.5 to run the virtual machine. Download the files at https://my.vmware.com/web/vmware/downloads.
Controller Virtual Appliance Settings
Each virtual appliance you create requires a certain amount of memory, CPUs, and hard disk space on the ESXi host. Do not decrease the default settings, as they are the minimum required to run the system software. The following table lists the default settings.
Cisco recommends you increase VM settings, depending on the size of your Learning Network License deployment. See the following table for recommendations.
Table 4 Recommended Controller VM Settings
Learning Network License Deployment Size | Recommended VM Settings
1 to 50 agents | 24576 MB (24 GB) of RAM, 8 vCPU, 400 GB of hard disk provisioned size
51 to 1000 agents | 65536 MB (64 GB) of RAM, 16 vCPU, 4 TB of hard disk provisioned size
If you increase the memory, number of vCPUs and cores/socket (default is 4), or the hard disk size, see http://www.vmware.com/ for more information and best practices.
Information Needed During Installation
When you run the setup script, provide the following information to configure the controller:
Table 5 Controller Installation Settings
Setting | Description
eth0 interface IPv4 address, netmask, and gateway | transfer management traffic with agent, and provide access to controller web UI
eth0 interface hostname | hostname for the controller
eth0 interface DNS servers and DNS search suffixes | DNS context for anomalies
NTP server IPv4 addresses | synchronize time in Learning Network License system
The setup script allows you the option of generating self-signed certificates. If you generate a certificate for the controller web UI server, you can define the following subject distinguished name components:
Table 6 Self-Signed Certificate Subject Distinguished Name Options
Option | Description
Country Name | A two-letter ISO 3166-1 country code
State or Province Name | Full name of the state or province where your organization is located
Locality Name | The city where your organization is located
Organization Name | Your organization's name
Organizational Unit Name | Your organization's division's name
Common Name | A host and domain name associated with the certificate
Email Address | A contact email address
Learning Network License requires a server certificate to encrypt controller/agent communications, and a server certificate to encrypt user connections to the controller web user interface.
Agent and ISR Interaction
The following diagram illustrates the interaction between an agent and its host ISR.
The diagram shows an agent deployed to a UCS E-Series blade server on the host ISR. The agent contains three interfaces:
- The eth0 interface, which connects to the UCS-E front panel GE2 port. This is the Management interface, which handles controller/agent communication, including mitigations and anomalies. Configure eth0 with a routable IP address the controller can reach.
- The eth1 interface, which connects to the UCS-E internal GE0 port, which connects to the router ucs.../0 interface. This is the Control interface, which handles agent/router communication, including passing NetFlow packets from the router to the agent, and passing mitigations from the agent to the router. Traffic over the control connection does not leave the router. Configure the eth1 interface and the ucs.../0 interface using private IP addresses.
- The eth2 interface, which connects to the UCS-E internal GE1 port, which connects to the router ucs.../1 interface. This is the Data Transfer interface, which handles raw packet data passed from the router to the agent. These raw packets are used for packet buffer capture and deep packet inspection. Traffic over the data connection does not leave the router. Configure the eth2 interface and the ucs.../1 interface using private IP addresses.
Agent Installation Prerequisites
The agent runs as a virtual machine deployed to a UCS E-Series blade server. The server must run a VMware ESXi Version 5.5 hypervisor. You can also enable VMware tools on all supported ESXi versions. For information on the full functionality of VMware Tools, see the VMware website (http://www.VMware.com). For help creating a hosting environment, see the VMware ESXi documentation. See ISR 4000 Series Platform Requirements for more information.
Note
You must download the UCS E-Series blade server OVA file. You cannot install the virtual service OVA file on a UCS E-Series blade server.
Agent Configuration Prerequisites
Agent OVA Download
Cisco provides the agent as an OVA file: sln-dla-ucse-k9-<ver>.ova. Download the file at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html.
If you install the agent on a UCS E-Series blade server, you must also download and install the latest version of VMware vSphere Client to install the virtual machine. Download the file at https://my.vmware.com/web/vmware/downloads.
Agent Virtual Appliance Settings
Each agent you deploy to a UCS E-Series blade server requires a certain amount of memory, CPUs, and hard disk space. Do not decrease the default settings, as they are the minimum required to run the system software. However, to improve performance, you can increase the memory and number of CPUs, depending on your available resources. The following table lists the default settings.
Information Needed for the Setup Script
When you run the agent setup script, you must provide the following information to configure the agent:
Table 8 Agent on a UCS E-Series Blade Server Setup Script Settings
Setting | Description
eth0 interface routable IPv4 address, netmask, and gateway | transfer management traffic with controller
optional eth0 interface DNS servers and DNS search suffixes | export files from the agent to other hosts
eth0 interface hostname | hostname for the agent
eth1 interface private IPv4 address and netmask | pass NetFlow packets to the agent, and pass mitigations and interface configuration to the agent
eth2 interface private IPv4 address and netmask | pass raw packets from ISR to agent for deep packet inspection (DPI) and packet buffer capture (PBC)
NTP server IPv4 addresses | synchronize time in Learning Network License system
Learning Network License requires a server certificate to encrypt controller/agent communications. The agent generates one automatically, but you can also upload one your organization generates.
ISR Platform Requirements
Several G2 ISRs (Cisco 2921, Cisco 2951, Cisco 3945, and Cisco 3945E), and the Cisco 4451 ISR, support hosting an agent on a UCS E-Series blade server. The UCS E-Series server must run a vSphere ESXi hypervisor. For more information on the G2 ISRs, see http://www.cisco.com/c/en/us/td/docs/routers/access/1900/roadmap/ISRG2_roadmap.html.
ISR G2 Platform Requirements
Table 9 ISR G2 Platform Requirements
ISR Component | Required
Model |
DRAM | 2560 MB (2.5 GB) (Cisco 2921) or 1844 MB (1.8 GB) (Cisco 2951, 3945, 3945E)
Image | IOS Release 15.5(3)M1 or greater
NBAR2 Protocol Pack | Version 16.0 or greater
Licenses | Cisco 2921, 2951:
  Cisco 3945, 3945E: SL-39-IPB-K9 - IP Base license, and SL-39-DATA-K9 - Data license
  See http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html#wp9001357 for more information.
UCS E-Series Blade Server | One of the following models with 8192 MB (8 GB) of RAM and 155 GB free storage space, running vSphere ESXi Hypervisor Version 5.0 or greater:
ISR 4000 Series Platform Requirements
Table 10 ISR 4000 Series Platform Requirements
ISR Component | Required
Model | Cisco 4451
Control Plane DRAM | 8192 MB (8 GB)
Complex Programmable Logic Device | Version 15010638 or greater
Image | IOS-XE Release 15.4(3)S1 through 15.5(3)Sx
NBAR2 Protocol Pack | Version 15.0.0 or greater (IOS-XE 15.4(3)S1 through 15.5(3)S); Version 17.0.0 or greater (IOS-XE 15.5(3)S, rebuild 2 or greater)
Licenses | See http://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/guide-c07-732797.html#_Toc424288435 for more information.
UCS E-Series Blade Server | One of the following models with 8192 MB (8 GB) of RAM, 155 GB free storage space, running vSphere ESXi Hypervisor Version 5.0 or greater:
ISR Configuration Prerequisites
Information Needed for ISR Configuration
When you configure the ISR's NTP servers and flexible NetFlow, provide the following information:
Table 11 ISR Configuration Settings
Setting | Description
loopback interface IPv4 address or router management interface | configure NTP server connectivity. Use a loopback interface if you have one configured, or the router management interface if you do not.
NTP server IPv4 addresses | synchronize time in Learning Network License system
agent eth1 IPv4 address for NetFlow exporter | pass NetFlow packets from the ISR to the agent
ISR License Installation
To run an agent on an ISR-G2, you must activate an IP Base (ipbasek9) IOS license, and a Data (datak9) IOS license. To run an agent on an ISR-G3, you must activate an IP Base (ipbasek9) IOS license, and an App (appxk9) IOS license. See http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html for more information on activating the licenses.
Downloading the OVA Files from Cisco
Procedure
Step 1 In your web browser, navigate to http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html. Enter your username and password when prompted.
Step 2 Download the controller OVA file: sln-sca-k9-<ver>.ova
Step 3 Download an agent OVA file:
- sln-dla-ucse-k9-<ver>.ova - contains the agent to be deployed on an ISR's UCS E-Series blade server
Controller Deployment
Cisco provides the controller as a downloadable OVA file. You can deploy this OVA file to a host running an ESXi hypervisor.
Before you start the controller VM, you can update the memory, number of vCPUs, and hard disk space in vSphere vCenter. If you increase the memory, you must start the VM, then run the setup-system script. After you run the script, the VM is updated with proper memory settings.
If your controller is already running, and you want to update the memory settings, run the setup-system script, stop the VM, update the memory settings, and start the VM. On restart, the VM is updated with proper memory settings.
See Controller Installation Prerequisites for more information on recommended controller VM settings, based on deployment size.
The first time you log into the virtual machine, the system prompts you to change the default administrator password.
Deploying the OVA File
Before You Begin
- Download the OVA file.
- Download VMware vSphere Client from https://my.vmware.com/web/vmware/downloads and install it.
Procedure
What to Do Next
Powering On the Virtual Machine
Procedure
Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you deployed the virtual machine.
Step 2 Select .
Step 3 Select the virtual machine from the navigation tree.
Step 4 Select .
Step 5 Click the Console tab, then click in the console pane to shift your focus to the virtual machine console.
Note To shift your focus from the virtual machine console to your local host, press Ctrl-Alt.
Step 6 Log in with the default administrator username (sln) and the default administrator password (cisco). When prompted, change the default administrator password.
What to Do Next
Configuring the Controller with the Setup Script
Procedure
If you need multiple interfaces on multiple subnets, when configuring networking, you can also configure eth1 and eth2.
Step 1 cd ~/
Example: user@host:~$ cd ~/
Purpose: Change directories.
Step 2 sudo ./setup-system at the command prompt to run the setup script. Enter the administrator password if prompted.
Example: user@host:~$ sudo ./setup-system
Purpose: Run the setup script.
Step 3 y (configure networking)
Purpose: Configure networking.
Step 4 1 (configure eth0)
Purpose: Configure the eth0 interface.
Step 5 hostname, then hostname, then y to confirm
Purpose: Configure the controller VM hostname. You must enter a fully qualified domain name.
Step 6 ipv4, then ipv4-address, then ipv4-netmask, then ipv4-gateway, then y to confirm
Purpose: Configure the interface's IPv4 address, along with a netmask and gateway.
Step 7 dns, then dns-servers, then y to confirm
Purpose: Modify the virtual machine's list of DNS servers.
Step 8 search, then domain-suffixes, then y to confirm
Purpose: If you want to configure the domain suffix search list, run the search command.
Step 9 view
Purpose: View the interface's network settings, hostname, and DNS settings. If any of these are missing or incorrect, repeat that configuration.
Step 10 exit
Purpose: Save your changes and continue with interface configuration.
Step 11 4 (exit interface configuration)
Purpose: Exit interface configuration and continue.
Step 12 y (enable SSH login)
Purpose: Enable SSH login.
Step 13 y, then ntp-servers, then y to confirm
Purpose: Configure NTP servers used to synchronize time between the controller and agent. Enter a space-delimited list of NTP server fully qualified domain names (FQDNs) or IPv4 addresses.
Step 14 y (generate certificate)
Purpose: Generate a controller self-signed certificate, used for encrypting controller/agent communication.
Step 15 y (generate certificate)
Purpose: Generate a controller web UI self-signed certificate, used for encrypting user connections to the controller web user interface.
Step 16 y (specify the distinguished name)
Purpose: Optionally, specify the certificate subject distinguished name (DN).
Step 17 country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email
Purpose: Optionally, provide the DN information.
Verifying NTP Configuration on the Controller
Before You Begin
- Log into the controller VM console.
Procedure
Step 1 ntpq -n -p
Example: user@host:~$ ntpq -n -p
Purpose: Display configured NTP servers. If the system does not display configured NTP servers, repeat NTP configuration in Configuring the Controller with the Setup Script.
What to Do Next
NTP Configuration
To configure NTP server addresses on the ISR, associate the router management interface with the NTP servers. Alternatively, if you have a loopback interface already configured, you can use that instead to reference NTP servers.
Configuring NTP on the ISR
Procedure
You can enter each command individually. You can also paste the commands from the example below into a text editor, update the variable, then paste all the updated commands into the command line.
Example:
enable
configure terminal
ntp source GigabitEthernet0/0/0
ntp server <ipv4-address>
end
exit
If you have an existing loopback interface, use that as the NTP source interface. Otherwise, use the router management interface. The ntp source and ntp server commands are global configuration commands, so enter configure terminal before them; enter one ntp server command per NTP server address.
Step 1 enable
Example: Router> enable
Purpose: Enable privileged EXEC mode. Enter your password if prompted.
Step 2 ntp source GigabitEthernet0/0/0
Example: Router# configure terminal
Router(config)# ntp source GigabitEthernet0/0/0
Purpose: Enter global configuration mode, then use the GigabitEthernet0/0/0 interface as the source for NTP packets sent to the NTP servers.
Step 3 ntp server ipv4-address
Example: Router(config)# ntp server 209.165.202.129
Router(config)# ntp server 209.165.202.130
Purpose: Define the NTP servers the router synchronizes with, one ntp server command per address. Define multiple addresses to specify backup NTP servers.
Step 4 show ntp associations
Example: Router(config)# end
Router# show ntp associations
Purpose: Return to privileged EXEC mode and display configured NTP servers. If the system does not display correctly configured NTP servers, repeat the configuration process.
Step 5 exit
Example: Router# exit
Purpose: Exit privileged EXEC mode.
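Both verification steps in this guide, ntpq -n -p on the controller (Verifying NTP Configuration on the Controller) and show ntp associations on the ISR (Step 4 above), print the same kind of peer table, and "does it display servers" is a weaker check than "was a system peer selected and is its offset sane". The Python below is an added example, not code from this guide or from Cisco: it parses either output and reports whether a system peer (the * tally) exists with an offset inside a threshold, flagging servers that never answered. The sample outputs are constructed; 209.165.202.129 and 209.165.202.130 are the documentation addresses used in the procedure above, 203.0.113.7 is a constructed unreachable server, and the 128 ms threshold (ntpd's default step threshold) is an assumption about what the deployment tolerates.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ntpq -n -p` on the controller: two reachable servers
# (the documentation addresses used in this guide) and one that never answered.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*209.165.202.129 .GPS.            1 u   37   64  377    0.912    0.143   0.034
+209.165.202.130 209.165.202.129  2 u   12   64  377    1.203   -0.511   0.102
 203.0.113.7     .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# Constructed sample of `show ntp associations` on the ISR for the same servers.
SAMPLE_IOS = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~209.165.202.129 .GPS.            1     37     64   377  0.912   0.143  0.034
+~209.165.202.130 209.165.202.129  2     12     64   377  1.203  -0.511  0.102
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""


@dataclass
class Peer:
    tally: str        # '*' sys.peer, '+' candidate, '-' outlier, 'x' falseticker, ' ' rejected
    address: str
    refid: str
    stratum: int      # 16 means the peer itself is unsynchronized
    reach: int        # shift register of the last eight polls; 0o377 = all answered
    offset_ms: float  # clock offset relative to the peer, in milliseconds


# Header rows, ntpq's '=' rule, the IOS legend line, and blank lines.
_SKIP = re.compile(r"^\s*(remote|address)\s|^=+$|sys\.peer|^\s*$")


def parse_associations(text: str) -> List[Peer]:
    """Parse `ntpq -n -p` (controller/agent) or `show ntp associations` (IOS) output.

    Both print one peer per line led by a tally code. IOS adds a '~' flag for
    configured peers and lacks ntpq's 't' (peer type) column; the field count
    tells the two formats apart.
    """
    peers: List[Peer] = []
    for line in text.splitlines():
        if _SKIP.search(line):
            continue
        tally, body = line[0], line[1:]
        if body.startswith("~"):          # IOS: '~' marks a configured peer
            body = body[1:]
        fields = body.split()
        if len(fields) == 10:             # ntpq: drop the 't' column
            del fields[3]
        if len(fields) != 9:
            continue                      # not a peer line we understand
        address, refid, st, _when, _poll, reach, _delay, offset, _disp = fields
        peers.append(Peer(tally, address, refid, int(st), int(reach, 8), float(offset)))
    return peers


def assess(peers: List[Peer], max_offset_ms: float = 128.0) -> dict:
    """Is the host usably synchronized? 128 ms is ntpd's step threshold (an assumption here)."""
    warnings = [f"{p.address}: reach 0, stratum {p.stratum} (never reached)"
                for p in peers if p.reach == 0]
    sys_peer: Optional[Peer] = next((p for p in peers if p.tally == "*"), None)
    if sys_peer is None:
        warnings.append("no system peer selected: clock is free-running")
        return {"synchronized": False, "sys_peer": None, "warnings": warnings}
    in_range = abs(sys_peer.offset_ms) <= max_offset_ms
    if not in_range:
        warnings.append(f"{sys_peer.address}: offset {sys_peer.offset_ms} ms exceeds {max_offset_ms} ms")
    return {"synchronized": in_range, "sys_peer": sys_peer.address, "warnings": warnings}


if __name__ == "__main__":
    for name, sample in (("controller ntpq", SAMPLE_NTPQ), ("ISR show ntp associations", SAMPLE_IOS)):
        print(name, assess(parse_associations(sample)))
```

Feed it the real command output from the controller, the agent and the ISR; if any of the three reports synchronized False, or the sys_peer differs between controller and agent, the anomaly timestamps the agent reports will not line up with the controller's, so fix NTP before moving on.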
NetFlow Configuration
To capture information about traffic traversing your network, you must configure the following Flexible NetFlow components in order:
- SLN-NF-RECORD - a NetFlow flow record which defines key fields to match traffic, and non-key fields to collect
- SLN-NF-EXPORTER - a NetFlow flow exporter that references the agent Control IP address to send NetFlow data to the agent
- SLN-NF-MONITOR - a NetFlow flow monitor that references SLN-NF-RECORD to monitor input and output traffic coming over configured branch interfaces, and forwards it to SLN-NF-EXPORTER
The following diagram illustrates NetFlow operation on the ISR.
As input and output traffic passes over the branch facing interfaces, the SLN-NF-MONITOR flow monitor, referencing the SLN-NF-RECORD flow record, monitors the traffic for the key fields. It collects the non-key fields defined in the flow record. The flow monitor sends the flow record to the SLN-NF-EXPORTER flow exporter, which then sends it to the configured ISR ucs.../0 Control IP address.
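The exporter configured in the following procedure sends NetFlow version 9 to the agent's Control IP on UDP port 6666 and re-sends its templates every 300 seconds, so the quickest confirmation that the agent's eth1 interface is receiving usable export data is to parse the v9 header and template FlowSet of a captured datagram. The Python below is an added example, not code from this guide or from the Learning Network License agent: it builds a constructed template packet whose field list roughly corresponds to SLN-NF-RECORD (using the RFC 3954 field type numbers) and parses it. Binding a UDP socket to the eth1 address on port 6666 and passing each datagram to parse_v9 is the live check.

```python
import struct
from typing import Dict, List, Tuple

# Field type numbers from RFC 3954 (NetFlow v9) for fields SLN-NF-RECORD matches or collects.
FIELD_TYPES: Dict[int, str] = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
}

# Export packet header: version, count, sysUpTime (ms), unix_secs, sequence, source_id.
HEADER = struct.Struct("!HHIIII")


def parse_v9(packet: bytes) -> dict:
    """Parse a NetFlow v9 export packet: header plus any template FlowSets (ID 0).

    Data FlowSets (ID >= 256) are listed but not decoded, since decoding them
    needs the matching template. Raises ValueError on anything malformed.
    """
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than a v9 header")
    version, count, uptime, secs, seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    templates: Dict[int, List[Tuple[str, int]]] = {}
    data_flowsets: List[int] = []
    off = HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError(f"bad FlowSet length {fs_len} at offset {off}")
        if fs_id == 0:
            pos, end = off + 4, off + fs_len
            while pos + 4 <= end:
                tmpl_id, nfields = struct.unpack_from("!HH", packet, pos)
                if tmpl_id < 256:          # template IDs start at 256; this is padding
                    break
                pos += 4
                if pos + 4 * nfields > end:
                    raise ValueError(f"template {tmpl_id} runs past its FlowSet")
                fields = []
                for _ in range(nfields):
                    ftype, flen = struct.unpack_from("!HH", packet, pos)
                    pos += 4
                    fields.append((FIELD_TYPES.get(ftype, f"type_{ftype}"), flen))
                templates[tmpl_id] = fields
        elif fs_id >= 256:
            data_flowsets.append(fs_id)
        # FlowSet ID 1 (options template) and 2..255 (reserved) are skipped here.
        off += fs_len
    return {
        "header": {"version": version, "count": count, "sys_uptime_ms": uptime,
                   "unix_secs": secs, "sequence": seq, "source_id": source_id},
        "templates": templates,
        "data_flowsets": data_flowsets,
    }


def build_sample_template_packet() -> bytes:
    """Constructed sample: one template (ID 256) carrying a subset of SLN-NF-RECORD's fields."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (22, 4), (21, 4)]
    body = struct.pack("!HH", 256, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    # sysUpTime 1 h, a fixed epoch time, sequence 42, source_id 0: all constructed values.
    return HEADER.pack(9, 1, 3_600_000, 1_700_000_000, 42, 0) + flowset


if __name__ == "__main__":
    parsed = parse_v9(build_sample_template_packet())
    print(parsed["header"])
    for tmpl_id, fields in parsed["templates"].items():
        print(tmpl_id, fields)
```

On a live capture, a template FlowSet should appear at least once every 300 seconds (the template data timeout configured in Step 2 of the following procedure), and the header's sysUpTime is the reference point for the FIRST_SWITCHED and LAST_SWITCHED fields that collect timestamp sys-uptime produces, so a template listing those fields alongside a plausible sysUpTime confirms the timestamp choice made in Step 1. Gaps in the sequence counter between consecutive packets from the same source_id indicate export loss between the ISR and the agent.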
Configuring NetFlow
Procedure
Step 1 Copy all the commands, paste them into a text editor, and update collect timestamp [absolute | sys-uptime] first and collect timestamp [absolute | sys-uptime] last. For supported G3 ISRs, use sys-uptime. For other ISRs, use absolute. After you update the commands, paste them into the command line and press Enter to configure the NetFlow record.
Example:
configure terminal
flow record SLN-NF-RECORD
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect datalink mac source address input
collect datalink mac destination address output
collect transport tcp flags
collect interface input
collect interface output
collect flow direction
collect counter bytes
collect counter packets
collect timestamp [absolute | sys-uptime] first
collect timestamp [absolute | sys-uptime] last
collect application name
collect routing forwarding-status
exit
Purpose: Enter global configuration mode, create the SLN-NF-RECORD flow record, and enter flow record configuration mode. Configure the flow record to match key fields and collect nonkey fields. Exit flow record configuration mode and return to global configuration mode.
Step 2 Copy the following commands into a text editor. Replace <dla-ip-address> with the IP address associated with the agent deployed to the UCS E-Series blade server. You configure this on the agent in a later step.
Example:
configure terminal
flow exporter SLN-NF-EXPORTER
destination <dla-ip-address>
transport udp 6666
template data timeout 300
exit
Purpose: Update the flow exporter commands with the IP address associated with the agent deployed to the UCS E-Series blade server.
Step 3 Copy the updated commands from the text editor into the command line and press Enter to configure the NetFlow exporter.
Purpose: Enter global configuration mode, create the SLN-NF-EXPORTER flow exporter, and enter flow exporter configuration mode. Configure the flow exporter to send flow records to the destination IP address. Exit flow exporter configuration mode and return to global configuration mode.
Step 4 Copy the following commands into the command line, and press Enter to configure the NetFlow flow monitor.
Example:
flow monitor SLN-NF-MONITOR
cache timeout active 60
cache entries 512000
record SLN-NF-RECORD
exporter SLN-NF-EXPORTER
end
Purpose: Create the SLN-NF-MONITOR flow monitor, and enter flow monitor configuration mode. Configure the flow monitor to reference the SLN-NF-RECORD flow record and the SLN-NF-EXPORTER flow exporter (a monitor with no exporter reference caches flows but never sends them to the agent), and configure cache settings. Exit flow monitor configuration mode and return to privileged EXEC mode.
Step 5 Copy the following commands into a text editor. Replace <name> with the name of an ISR interface that faces the branch's users. Repeat this for all ISR interfaces that face the branch's users.
Example:
configure terminal
interface <name>
ip flow monitor SLN-NF-MONITOR input
ip flow monitor SLN-NF-MONITOR output
end
Purpose: Update the interface commands with every interface name.
Step 6 Copy the updated commands from the text editor into the command line and press Enter to assign the NetFlow flow monitor to the specified interface.
Purpose: Specify an ISR interface and enter interface configuration mode. Assign the SLN-NF-MONITOR flow monitor to the interface and monitor incoming and outgoing traffic on the interface. Exit interface configuration mode and return to privileged EXEC mode. Repeat for each ISR interface.
Agent Deployment to a UCS E-Series Blade Server
Cisco provides the agent as a downloadable OVA file. You can deploy this OVA file to a UCS E-Series blade server running an ESXi hypervisor on a Cisco 2921, Cisco 3945, Cisco 3945E, or Cisco 4451 ISR.
Configure virtual switches on the blade server, then deploy the agent virtual machine. After you power on the virtual machine, when you first log in, the system prompts you to change the default administrator password.
Configuring Virtual Switches
Procedure
When you deploy the ESXi hypervisor on the UCS E-Series blade server, the system automatically creates a virtual switch using the vmnic2 physical adapter. This is associated with the GE2 external interface.
Configure two additional virtual switches, using the vmnic0 and vmnic1 physical adapters. The vmnic0 virtual switch connects to the UCS-E GE0 internal interface, and this connects to the ISR UCS...1/0 interface. The vmnic1 virtual switch connects to the UCS-E GE1 internal interface, and this connects to the ISR UCS...1/1 interface.
Step 1 Select
Step 2 Select the blade server from the navigation tree.
Step 3 Select the Configuration tab.
Step 4 In the Hardware pane, click Networking.
Step 5 In the View: vSphere Standard Switch pane, click Add Networking.
Step 6 In the Connection Types pane, select Virtual Machine and click Next.
Step 7 Select Create a vSphere standard switch, vmnic0, and click Next.
Step 8 Enter a Network Label and, optionally, a VLAN ID and click Next.
Step 9 Click Finish.
Step 10 Repeat the procedure for vmnic1.
UCS E-Series Blade Server Deployment
Ensure you have completed the following before deploying the agent:
- install the UCS E-Series blade server in the host ISR
- configure the server's GE2 interface with a routable IP address
- connect an ethernet cable to the server's GE2 interface front panel port, and connect the other end of the cable into a L2 top-of-rack switch or router connected to your network
- configure a management network for ESXi using the vmnic2 network adapter
- start the UCS-E server and make sure it boots into the ESXi boot menu. If the server does not boot into the ESXi boot menu, see http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/1-0/gs/guide/b_Getting_Started_Guide/b_Getting_Started_Guide_chapter_0111.html#concept_4F2D448A505A4EBBA1A626CDC3D4118C for information on configuring the boot order through CIMC. Configure the hard disk drive (HDD) as first in the boot order, save your changes, then reboot the server.
For more information on configuring ESXi, see https://www.vmware.com/files/pdf/ESXi_management.pdf.
For more information on configuring the UCS E-Series server, see the Getting Started Guide for Cisco UCS E-Series Servers and the Cisco UCS E-Series Network Compute Engine, at https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/3-0/gs/guide/b_3_x_Getting_Started_Guide.html. For more information on UCS E-Series servers, see the Documentation Guide for Cisco UCS E-Series Servers and the Cisco UCS E-Series Network Compute Engine, at http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/1-0/roadmap/e_series_road_map.html.
Deploying the OVA File
Before You Begin
- Download the OVA file.
- Download VMware vSphere Client from https://my.vmware.com/web/vmware/downloads and install it.
Procedure
Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you want to install the OVA file.
Step 2 Select .
Step 3 Click Browse to select your OVA file, then click Next.
Step 4 Review the OVF Template Details, then click Next.
Step 5 Enter a Name, select an inventory location, then click Next.
Step 6 Click the Thick Provision Lazy Zeroed radio button, then click Next.
Step 7 Select a Destination Network from your inventory to map to a Source Network. You can map the following default networks, then click Next.
- eth0 to Main Network
- eth1 (disconnected) to Alt1 Network
- eth2 (disconnected) to Alt2 Network
Note If you only need to configure eth0, you can map eth1 and eth2 to the same network.
Step 8 Review your deployment settings and click Finish.
Note The deployment may take 30 minutes to an hour or longer, depending on your environment.
Step 9 Click Close after the deployment completes.
What to Do Next
Powering On the Virtual Machine
Procedure
Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you deployed the virtual machine.
Step 2 Select .
Step 3 Select the virtual machine from the navigation tree.
Step 4 Select .
Step 5 Click the Console tab, then click in the console pane to shift your focus to the virtual machine console.
Note To shift your focus from the virtual machine console to your local host, press Ctrl-Alt.
Step 6 Log in with the default administrator username (sln) and the default administrator password (cisco). When prompted, change the default administrator password.
What to Do Next
Agent Configuration Overview
Agent configuration through the setup script is similar to the controller setup script. It allows you to define basic network settings and generate a certificate for controller/agent communications.
Configuring an Agent with the Setup Script
Run the setup script to configure the hostname and interfaces, and to generate a public key certificate for the agent. The eth0 interface handles management traffic passed between the agent and controller, and requires a routable IP address. The agent passes anomalies to the controller for further analysis. The eth1 interface handles NetFlow and other traffic passed between the ISR and agent, and requires a private IP address. The agent examines this traffic for anomalies. The eth2 interface is for packet buffer capture, passing raw packet data from ISR to agent, and requires a private IP address. The agent passes PCAP archive files to the controller through the management interface when the user requests them from the controller.
Procedure
Command or Action Purpose
Step 1 Connect to the ESXi hypervisor where you deployed the virtual machine.
Step 2 Select .
Step 3 Select the virtual machine from the navigation tree.
Step 4 Click the Console tab, then click in the console pane to shift your focus to the virtual machine console.
Note To shift your focus from the virtual machine console to your local host, press Ctrl-Alt.
Step 5 Log in with the administrator username (sln) and password (cisco). Update the administrator password when prompted.
Step 6 cd ~/
Example: user@host:~$ cd ~/
Change directories.
Step 7 sudo ./setup-system at the command prompt to run the setup script. Enter the administrator password if prompted.
Example: user@host:~$ sudo ./setup-system
Run the setup script.
Step 8 y
Configure network interfaces.
Step 9 1) eth0
Example: Enter a number: 1
Configure the eth0 interface.
Step 10 ipv4, then routable-ipv4-address, then ipv4-netmask, then ipv4-gateway, then y to confirm
Configure the interface's routable IPv4 address, along with a netmask and gateway.
Step 11 hostname, then hostname, then y to confirm
Configure the agent VM hostname.
Step 12 dns, then dns-servers, then y to confirm
If you want to add the virtual machine's list of DNS servers, run the dns command.
Step 13 search, then domain-suffixes, then y to confirm
If you want to configure the domain suffix search list, run the search command.
Step 14 view
View the interface's network settings, hostname, and DNS settings. If any of these are missing or incorrect, repeat that configuration.
Step 15 exit
Save your changes and continue with the setup script.
Step 16 2) eth1
Example: Enter a number: 2
Configure the eth1 interface. This interface is connected to the first UCS E-Series blade server interface.
Step 17 ipv4, then private-ipv4-address, then ipv4-netmask, then optionally ipv4-gateway, then y to confirm
Configure the interface's private IPv4 address, along with a netmask and gateway. Because traffic over this interface does not leave the router, you do not have to configure a gateway.
Step 18 exit
Save your changes and continue with the setup script.
Step 19 3) eth2
Example: Enter a number: 3
If you want to use packet buffer capture, configure the eth2 interface. This interface is connected to the second UCS E-Series blade server interface.
Step 20 ipv4, then private-ipv4-address, then ipv4-netmask, then optionally ipv4-gateway, then y to confirm
Configure the interface's private IPv4 address, along with a netmask and gateway. Because traffic over this interface does not leave the router, you do not have to configure a gateway.
Step 21 exit
Save your changes and continue with the setup script.
Step 22 4) Exit
Example: Enter a number: 4
Exit interface configuration.
Step 23 y, if you want to enable SSH login
Example: Do you want to enable SSH service now? (y or n)[n] y
Enable SSH login.
Step 24 y, then ntp-servers
Example: Do you want to configure NTP servers now? (y or n)[n] y
Configure a space-delimited list of NTP server addresses.
Step 25 y (generate self-signed certificate)
Generate an agent self-signed certificate, used for encrypting controller/agent communication.
Step 26 y (specify the distinguished name)
Optionally, specify the certificate subject distinguished name (DN).
Step 27 country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email
Specify the subject distinguished name (DN) on the certificate.
Verifying NTP Configuration on the Agent
Procedure
Command or Action Purpose
Step 1 ntpq -n -p
Example: user@host:~$ ntpq -n -p
Display configured NTP servers. If the system does not display configured NTP servers, repeat NTP configuration in Configuring an Agent with the Setup Script.
Controller and Agent Communications Overview
Ensure that the controller can ping the agents and communicate. If you cannot ping the agents, check your network settings.
When you ran the agent and controller setup scripts, you also generated public key certificates. The Learning Network License system implements certificate pinning to identify public key certificates. If you enable TOFU, the agent trusts the first certificate it sees the first time it connects to the controller. It generates a certificate fingerprint, and on subsequent connections, compares the stored fingerprint to the passed certificate to verify the identity of the controller. If you do not enable TOFU, you can also generate a certificate fingerprint and upload that to the agent.
On the controller, you can also enable TOFU. On first connection, the controller adds the agent public key certificate to a trusted store. For future connections, when the agent connects to the controller, the controller compares the certificate to those stored in the trusted store. If the certificate matches a certificate in the store, the controller establishes the connection.
To configure the certificates, run the agent administrator script to:
- configure the agent to trust the controller certificate
- store an ISR login on the agent for communication between the ISR and agent
Then, restart the agent's processes.
After that, enable TOFU on the controller, and then restart the controller processes to ensure the controller recognizes and trusts these certificates.
Pinging Agents from the Controller
If you cannot ping the agents, check your network settings.
Before You Begin
Log into the controller VM console.
Procedure
Command or Action Purpose
Step 1 ping dla-mgmt-ip-address -c 5
Example: user@host:~$ ping 209.165.201.3 -c 5
Ping the agent IP address with 5 packets.
Step 2 Repeat the previous step for all remaining agents.
What to Do Next
Manage agent certificate trust settings, as described in the next section.
Agent Administrator Settings
The agent administrator script contains options to administrate and troubleshoot your agent, including public key certificate management, and log and debug file management options.
During initial agent installation, you must manage the certificate and trust model. The system uses certificate pinning and verifies a public key certificate against a previously generated certificate fingerprint. You can either enable TOFU, which Cisco recommends, or upload the controller certificate fingerprint.
No certificate fingerprint exists the first time the controller and agent establish a connection. If you enable TOFU, the first time the controller and agent establish a secure connection, the agent trusts the controller certificate, and generates a certificate fingerprint. On subsequent connections, the agent can verify the controller certificate against the pinned fingerprint.
Note If you enable TOFU on your agent, either manage the agent with the controller soon after, or stop the agent processes until you are ready to continue.
You can also upload the controller certificate fingerprint to the agent before you establish a connection between the two. The agent, on first connection, uses the fingerprint to authorize the certificate.
After you enable TOFU or upload the controller certificate fingerprint, store an ISR login and password on the agent to enable communications between the ISR and agent. Finally, restart the agent processes so the changes can take effect.
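The pinning model described above, as an added example that is not part of the Cisco guide or product code: the agent side pins a SHA-256 fingerprint of the controller certificate (either on first use or from an uploaded fingerprint), and the controller side keeps a trusted store of agent certificates. The certificate byte strings are constructed stand-ins for DER-encoded X.509 certificates, and the class and method names are assumptions made for this example.

```python
import hashlib
from typing import Dict, Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class AgentPinStore:
    """Agent-side pin for the controller certificate (hypothetical name).

    Covers both options in the guide: enable TOFU and pin whatever certificate
    is presented on the first connection, or pre-load (upload) the controller
    fingerprint so that even the first connection is verified.
    """

    def __init__(self, tofu: bool, preloaded_fingerprint: Optional[str] = None):
        self.tofu = tofu
        self.pinned: Optional[str] = preloaded_fingerprint

    def verify_controller(self, presented_der: bytes) -> str:
        """Return 'pinned', 'match', 'mismatch' or 'rejected' for a presented cert."""
        fp = fingerprint(presented_der)
        if self.pinned is None:
            if not self.tofu:
                return "rejected"   # no pin and TOFU disabled: nothing to compare against
            self.pinned = fp        # first use: trust this certificate and pin it
            return "pinned"
        # Every later connection is compared against the stored fingerprint.
        return "match" if fp == self.pinned else "mismatch"


class ControllerTrustStore:
    """Controller-side trusted store of agent certificates (hypothetical name)."""

    def __init__(self, trust_on_first_use: bool):
        self.trust_on_first_use = trust_on_first_use
        self.trusted: Dict[str, str] = {}   # agent id -> pinned fingerprint

    def accept_agent(self, agent_id: str, presented_der: bytes) -> bool:
        """Admit a connecting agent only if its certificate matches the store."""
        fp = fingerprint(presented_der)
        if agent_id not in self.trusted:
            if not self.trust_on_first_use:
                return False
            self.trusted[agent_id] = fp     # first connection: add to the trusted store
            return True
        return self.trusted[agent_id] == fp


# Constructed stand-ins for DER certificate bytes (not real X.509 data).
CONTROLLER_CERT = b"constructed-controller-cert-v1"
ROGUE_CERT = b"constructed-controller-cert-v2-not-the-pinned-one"
AGENT_CERT = b"constructed-agent-cert"
```

The agent reports a mismatch rather than silently re-pinning, which is the point of the guide's note about stopping the agent processes until the controller is ready: a pin made against the wrong peer would otherwise be kept.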
Enable Trust on First Use
Procedure
Command or Action Purpose
Step 1 cd ~/DLA
Example: user@host:~$ cd ~/DLA
Change directories.
Step 2 ./dla_admin
Example: user@host:~/DLA$ ./dla_admin
Run the administrator script.
Step 3 4) Certificate and trust management
Example: Enter a number: 4
Enter the Certificate and trust management menu.
Step 4 1) Manage Certificate Pinning
Example: Enter a number: 1
Enter the Certificate Pinning menu.
Step 5 1) Enable Trust SCA Certificate on First Use
Example: Enter a number: 1
Enable TOFU, to trust the controller certificate the first time it is detected.
What to Do Next
Store the host ISR's login information on the agent, as described in Storing ISR Authentication Information.
Storing ISR Authentication Information
Provide the agent a login and password for the host ISR, to ensure proper communication between the agent and ISR.
Before You Begin
Log into the agent VM console, run the agent administrator script, and return to the Top Level menu.
Procedure
Command or Action Purpose
Step 1 5) Password management
Example: Enter a number: 5
Access the Password Management menu options.
Step 2 1) Change router credentials
Example: Enter a number: 1
Update the stored host router login and password information.
Step 3 Enter an ISR username and password, then confirm the password when prompted.
Example:
Network Element Username: <router-username>
Network Element Password: <router-username-password>
Re-enter Network Element Password: <router-username-password>
Update the stored host router login and password information.
What to Do Next
Restart the agent processes, as described in Restarting Agent Processes.
Restarting Agent Processes
Before You Begin
Log into the agent VM console, run the agent administrator script, and return to the Top Level menu.
Procedure
Command or Action Purpose
What to Do Next
Update the controller configuration file, as described in Updating the Controller Configuration.
Controller Certificate Management
After you export all the agent certificates to the controller, modify the controller configuration file. You can enable the controller to use self-signed agent certificates, and enable TOFU. After this, restart the controller processes.
Updating the Controller Configuration
The sca.conf configuration file contains several layers of nested brackets. When you update the file to add or update the dla node, make sure that you nest it within the sln bracket. See the following for an example.
sln {
  dla {
    security {
      allowSelfSignedCert = true
      trustCertOnFirstUse = true
      certRollover = true
    }
  }
}
You can also reference ~/SCA/sample_sca.conf for an example of syntax.
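A checker for the nesting requirement above, added as an example that is not part of the Cisco guide or the controller's own tooling. It parses the brace-nested key { ... } / key = value syntax shown above into nested dictionaries and reports whether the dla node sits inside sln with the three settings set to true; the parser, function names and the constructed sample files are assumptions made for this example (comments and quoted values are not handled).

```python
import re
from typing import Any, Dict, List

# Tokens: opening/closing braces, '=', or a bare word (key or value).
TOKEN_RE = re.compile(r"\{|\}|=|[^\s{}=]+")
REQUIRED = ("allowSelfSignedCert", "trustCertOnFirstUse", "certRollover")


def parse_conf(text: str) -> Dict[str, Any]:
    """Parse 'key { ... }' blocks and 'key = value' lines into nested dicts."""
    tokens = TOKEN_RE.findall(text)
    pos = 0

    def parse_block() -> Dict[str, Any]:
        nonlocal pos
        block: Dict[str, Any] = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key = tokens[pos]
            pos += 1
            if pos >= len(tokens):
                raise ValueError(f"dangling key {key!r}")
            if tokens[pos] == "{":          # nested block
                pos += 1
                block[key] = parse_block()
                if pos >= len(tokens) or tokens[pos] != "}":
                    raise ValueError(f"unclosed block {key!r}")
                pos += 1
            elif tokens[pos] == "=":        # key = value
                pos += 1
                if pos >= len(tokens):
                    raise ValueError(f"missing value for {key!r}")
                block[key] = tokens[pos]
                pos += 1
            else:
                raise ValueError(f"unexpected token {tokens[pos]!r} after {key!r}")
        return block

    result = parse_block()
    if pos != len(tokens):
        raise ValueError("unbalanced braces")
    return result


def check_dla_security(conf: Dict[str, Any]) -> List[str]:
    """Return problems with the dla node; an empty list means it is placed and set as required."""
    problems: List[str] = []
    sln = conf.get("sln")
    if not isinstance(sln, dict):
        problems.append("no sln block found")
    dla = sln.get("dla") if isinstance(sln, dict) else None
    if not isinstance(dla, dict):
        where = "at top level instead of inside sln" if isinstance(conf.get("dla"), dict) else "missing"
        problems.append(f"dla node {where}")
        return problems
    security = dla.get("security")
    if not isinstance(security, dict):
        problems.append("dla.security block missing")
        return problems
    for key in REQUIRED:
        value = security.get(key)
        if value is None:
            problems.append(f"{key} not set")
        elif value.lower() != "true":
            problems.append(f"{key} = {value}, expected true")
    return problems


# Constructed sample files: the first matches the guide, the second puts dla beside sln.
GOOD_CONF = "sln { dla { security { allowSelfSignedCert = true trustCertOnFirstUse = true certRollover = true } } }"
MISNESTED_CONF = "sln { } dla { security { allowSelfSignedCert = true trustCertOnFirstUse = true certRollover = true } }"
```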
Before You Begin
Log into the controller VM console.
Procedure
Command or Action Purpose
Step 1 cd ~/SCA
Example: user@host:~$ cd ~/SCA
Change to the ~/SCA directory.
Step 2 sudo vi sca.conf, then input your password when prompted
Example: user@host:~/SCA$ sudo vi sca.conf
Edit the sca.conf configuration file.
Step 3 Update the configuration file to include or modify the dla node, as described above. Update the configuration file to include allowSelfSignedCert = true, trustCertOnFirstUse = true, and certRollover = true.
Step 4 Press Esc, then enter :wq! and press Enter.
Save your changes and exit the editor.
What to Do Next
Restart the controller's processes, as described in the next section.
Smart Licensing Overview
To deploy the Learning Network License, you must register your controller with Cisco Smart Licensing. If you do not, your deployment enters Evaluation Mode, a 90-day trial which limits you to a maximum of 10 managed agents, and disables new functionality when the 90 days expire.
Cisco Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, Smart Licenses are not tied to a specific serial number or license key. Smart Licensing lets you assess your license usage and needs at a glance.
In addition, Smart Licensing does not prevent you from deploying agents. You can deploy an agent and purchase the license later. This allows you to deploy and use an agent, and avoid delays due to purchase order approval.
Logging into the Learning Network License System
When you installed the controller, you defined an IP address for the controller web UI. If you are logging in for the first time, use the default login password (cisco) for the admin account. After you log in once, you must change the password and confirm the new password.
Procedure
In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username and password when prompted.
Registering the Controller Instance
Before You Begin
- Obtain a registration token from the Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html).
- Log into the controller web UI.
Procedure
Step 1 Select Dashboard.
Step 2 Click Smart Licensing.
Step 3 Click Register.
Step 4 Paste your registration token into the Smart Software Licensing Product Registration field.
Step 5 If you want to use a registration token and the current token is still valid, check Reregister this product instance if it is already registered.
Step 6 Click Register.
Controller Management of Agents
After you trust public key certificates on both the agent and controller, manage your agents with your controller. You can log into the controller web UI to add each agent.
Adding an Agent to the Controller
Procedure
Step 1 Select DLAS.
Step 2 Click Add a DLA.
Step 3 Enter the agent eth0 IP address in the DLA IP or hostname field, and an optional Description.
Step 4 Click Submit.
Step 5 Enter the ucs.../0 interface IPv4 address in the Network Element IP field. This IP address must be reachable by the controller.
Step 6 Click Submit.
Step 7 For an interface, choose from the Direction drop-down:
- Internal if the interface faces the branch (generally, if NetFlow is configured on the interface)
- External if the interface faces the core (generally, if the interface is passing traffic)
- Unknown if your interface is unused, or the interface faces neither the branch nor the core
Step 8 Check the Enable mitigation checkbox to apply mitigation actions to this interface.
Step 9 If you want to capture raw packet data and send it from the network element to the agent, take the following steps:
- Check Enable PBC/DPI on one or more interfaces to enable raw packet capture.
- Select a network element interface from the Raw Packet Tx Interface (on NE) drop-down on which the network element passes raw packets to the agent.
- Select an agent interface from the Raw Packet Rx Interface (on DLA) drop-down on which the agent receives raw packets from the network element.
Step 10 If you want to enable the packet buffer capture (PBC) feature, check Enable PBC. You must enable capturing raw packet data.
Step 11 If you want to capture DNS query information, check Enable DPI/DPS. You must enable capturing raw packet data.
Step 12 Click Submit.
What to Do Next
Allow the system time to perform the initial learning phase, as described in Initial Learning Phase Overview.
Agent Configuration Notes
When configuring agents, note the following:
- When configuring a Direction on your interface, choose Internal if the interface faces your branch, or if NetFlow is configured on the interface. Choose External if the interface faces the core, or passes traffic. Choose Unknown if the interface is unused, or it faces neither the branch nor the core.
- If you want to enable packet buffer capture (PBC) or capture DNS query information, you must first check the Enable PBC/DPI checkbox.
- You can only check the Enable PBC/DPI checkbox on parent interfaces that contain the word Ethernet in their name.
- Subinterface configuration is not supported on 4000 Series ISRs.
- The system automatically checks the Enable Mitigation checkbox for all Ethernet and tunnel interfaces.
- You can check the Enable Mitigation checkbox for a parent interface or its subinterface, but not both.
Initial Learning Phase Overview
After you manage your agents with the controller, allow the system to run for seven days, inspect your network traffic, and build a baseline traffic model.
The Learning Network License system identifies anomalies by comparing detected traffic to the baseline model, and noting deviations. After system deployment, each agent inspects traffic traversing the router. During this initial learning phase, the agent builds a baseline traffic model. The model includes dynamically-generated clusters of hosts, and what types of application traffic are transmitted between clusters at what times of day.
If you log into the controller web UI while the system is learning about your network, you may see very few or no reported anomalies, as the system cannot compare against a baseline yet. Towards the end of the initial learning phase, the system may start reporting anomalies, but without a complete baseline, these anomalies may not be relevant. After the initial learning phase, when each agent completes its baseline model, the system can properly identify anomalous traffic that deviates from the baseline.
For more information, see the Cisco Stealthwatch Learning Network License Configuration Guide.
Next Steps
After you deploy the Learning Network License system, you can perform the following:
- Configure audit and event logging. See the Cisco Stealthwatch Learning Network License UCS E-Series Blade Server Installation Guide for more information.
- Integrate with an Identity Services Engine (ISE) server by configuring pxGrid integration. See the Cisco Stealthwatch Learning Network License UCS E-Series Blade Server Installation Guide for more information.
- Log into the controller web UI to configure user display settings, view anomalies and assign relevance feedback, configure mitigations for an anomaly, and configure external system integration. See the Cisco Stealthwatch Learning Network License Configuration Guide for more information.
For Assistance
Thank you for using Cisco products.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about the Firepower System, see What’s New in Cisco Product Documentation at http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and have the content delivered directly to your desktop using a reader application. The RSS feeds are a free service.
If you have any questions or require assistance with the Cisco Stealthwatch Learning Network License system, please contact Cisco Support:
- Visit the Cisco Support site at http://support.cisco.com.
- Email Cisco Support at tac@cisco.com.
- Call Cisco Support at 1.408.526.7209 or 1.800.553.2447.
Copyright © 2016, Cisco Systems, Inc. All rights reserved.