SW 7 2 Installation and Configuration Guide DV 3 0
SW 7 2 Installation and Configuration Guide DV 3 0
SW 7 2 Installation and Configuration Guide DV 3 0
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. -2-
Stealthwatch Management Console VE 2000 19
Stealthwatch Management Console VE Models and Capacities 20
Flow Collector VE 21
Flow Sensor VE 22
Flow Sensor VE Network Environments 23
Flow Sensor VE Traffic 23
UDP Director VE 25
Endpoint Concentrator 25
Data Storage 26
Quick Reference Workflows 28
Stealthwatch Hardware 28
Stealthwatch Virtual Edition (VE) 28
1. Installing a Virtual Appliance: Configuring your Firewall and Ports 29
Overview 29
Placing the Appliances 29
Stealthwatch Management Console 29
Stealthwatch Flow Collector 29
Stealthwatch Flow Sensor 30
Important Considerations for Integration 30
TAPs 31
Using Electrical TAPs 31
Using Optical TAPs 32
Using TAPs Outside Your Firewall 32
Placing the Flow Sensor VE Inside Your Firewall 33
SPAN Ports 34
Stealthwatch UDP Director 35
Configuring Your Firewall for Communications 36
Open Ports 36
Stealthwatch Management Console (SMC), Flow Collector, Flow Sensor, 36
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. -3-
and UDP Director
Endpoint Concentrator 36
Communication Ports and Protocols 37
Optional Communication Ports 39
2. Downloading VE Installation Files 41
Installation Files 41
1. Log in to Cisco Software Central 41
2. Download Files 42
3a. Installing a Virtual Appliance using VMware vCenter (OVF) 43
Overview 43
Before You Begin 43
Installing a Virtual Appliance Using vCenter (OVF) 44
Process Overview 44
1. Logging in to the VMware Web Client 44
2. Configuring the Flow Sensor to Monitor Traffic 45
Monitoring External Traffic with PCI Pass-Through 45
Monitoring a vSwitch with Multiple Hosts 46
Configuration Requirements 46
Monitoring a vSwitch with a Single Host 49
Configuration Requirements 49
Configure the Port Group to Promiscous Mode 49
3. Installing the Virtual Appliance 52
4. Defining Additional Monitoring Ports (Flow Sensors only) 56
3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO) 59
Overview 59
Before You Begin 59
Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO) 60
Process Overview 60
1. Logging in to the VMware Web Client 60
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. -4-
2. Booting from the ISO 62
3c. Installing a Virtual Appliance on a KVM Host (ISO) 64
Overview 64
Before You Begin 64
Installing a Virtual Appliance on a KVM Host (ISO) 65
Process Overview 65
1. Installing a Virtual Appliance on a KVM Host 65
Monitoring Traffic 65
Configuration Requirements 65
Installing a Virtual Appliance on a KVM Host 65
2. Adding NIC and Promiscuous Port Monitoring on an Open vSwitch (Flow
Sensors Only) 72
4. Configuring the IP Addresses 74
Configure the IP Addresses 74
Troubleshooting 78
Certificate Error 78
Accessing the Appliance 78
5. Configuring Your Stealthwatch System 80
Preparation 80
Appliance Setup Tool Requirements 80
Managed 80
SMC Failover 80
Best Practices 81
Configuration Order 82
1. Log In 83
2. Configure the Appliance 83
3. Register the Stealthwatch Management Console 88
4. Add Appliances to Central Management 89
5. Confirm Appliance Status 91
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. -5-
6. Finishing Appliance Configurations 93
UDP Director 94
Configuring Forwarding Rules 94
Configuring High Availability 95
Primary Node and Secondary Node 96
Requirements 96
1. Configure the Primary UDP Director HA 96
2. Configure the Secondary UDP Director HA 98
Flow Sensor 99
1. Configure the Application ID and Payload 99
2. Configure the Flow Sensor to Identify Applications (optional) 102
3. Restart the Appliance 102
Endpoint Concentrator 103
Troubleshooting the Endpoint Concentrator 105
7. Installing the Stealthwatch Desktop Client 106
Install the Desktop Client Using Windows 106
Change the Memory Size 107
Install the Desktop Client Using macOS 108
Change the Memory Size 109
8. Verifying Communications 110
Verify NetFlow Data Collection 110
9. Licensing 113
Evaluation Mode 113
Defining an SMC Failover Relationship 114
Enabling the Threat Intelligence Feed 115
License 115
Enable 115
Review Alarms and Security Events 115
Configuring SAML SSO 117
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. -6-
1. Prepare for Configuration 117
2. Upload Certificates to the Trust Store 117
3. Configure the Service Provider 118
4. Enable SSO 119
5. Configure the Identity Provider 120
6. Add an SSO User 120
7. Test SAML Login 121
Troubleshooting 122
Getting Started with Stealthwatch 123
Overview 123
Managing Your Environment 123
Investigating Behavior 123
Responding To Threats 124
Central Management 125
Central Management and Appliance Administration Interface 125
Opening Central Management 126
Opening Appliance Admin 126
Opening Appliance Admin through Central Management 126
Opening Appliance Admin through Direct Login 126
Editing Appliance Configuration 126
Viewing Appliance Statistics 128
Removing an Appliance from Central Management 128
Adding an Appliance to Central Management 129
Enable/Disable SSH 130
Open SSH 130
Enable SSH 130
Disable SSH 131
Installing Patches and Updating Software 132
Troubleshooting 133
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. -7-
Config Channel Down 133
Opening Appliance Administration Interface 133
Replacing the Appliance Identity 134
Changing Appliances After Configuration 134
Changing the Host Name 134
Changing the Network Domain Name 135
Changing IP Address 135
Opening the Appliance Setup Tool 136
System Configuration Overview 136
Changing the Trusted Hosts 137
Resetting Factory Defaults 137
Enabling/Disabling Admin Users 138
Enabling or Disabling Password Reset 138
Resetting Passwords to Default Settings 139
Resetting the Admin Password on the SMC 139
Resetting Admin, Root, Sysadmin Passwords to Default 139
Changing Passwords 141
Changing the Sysadmin Password 142
Changing the Root Password 142
Changing the Admin Password on the SMC 142
Changing the Admin Password on All Other Appliances 143
Contacting Support 144
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. -8-
Introduction
Introduction
Overview
Use this guide to configure the following Cisco Stealthwatch® Enterprise hardware and
Virtual Edition (VE) appliances:
For more information about Stealthwatch, refer to the following online resources:
l Overview:
https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html
l Appliances:
https://www.cisco.com/c/en/us/products/security/stealthwatch/datasheet-
listing.html
Hardware
If you are configuring Stealthwatch hardware, install your physical appliances using the
Stealthwatch x210 Series Hardware Installation Guide before you start this
configuration.
Audience
The intended audience for this guide includes network administrators and other
personnel who are responsible for installing and configuring Stealthwatch products.
If you are configuring virtual appliances, we assume you have basic familiarity with
VMware or KVM.
If you prefer to work with a professional installer, please contact your local Cisco Partner
or Cisco Stealthwatch Support.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. -9-
Introduction
Process
Please note that we have a process for installing and configuring your Stealthwatch
appliances. The configuration includes the following:
l Configuration Order: Make sure you install and configure the appliances
following the instructions in this guide and using the configuration order.
l Certificates: Appliances are installed with a unique, self-signed appliance
identity certificate.
l Central Management: You can manage your appliances from the primary
SMC/Central Manager.
Terminology
This guide uses the term “appliance” for any Stealthwatch product, including virtual
products such as the Stealthwatch Flow Sensor Virtual Edition (VE).
A "cluster" is your group of Stealthwatch appliances that are managed by the
Stealthwatch Management Console (SMC).
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 10 -
Introduction
Abbreviations
The following abbreviations may appear in this guide:
Abbreviations Definition
GB Gigabyte
IT Information Technology
TB Terabyte
VE Virtual Edition
VM Virtual Machine
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 11 -
Before You Begin
Hardware
l Installation: Make sure you install your appliance hardware (physical appliances)
using the Stealthwatch x210 Series Hardware Installation Guide before you
configure them using this guide.
l Specifications: Hardware specifications are available on Cisco.com.
l Supported Platforms: To view the supported hardware platforms for each
system version, refer to the Hardware Version and Support Matrix on Cisco.com.
l Work Flow: See Quick Reference Workflows to review the instructions you'll
need to configure your hardware.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 12 -
Before You Begin
Virtual Appliances
You can use a VMware environment or KVM (Kernel-based Virtual Machine) for the
virtual appliance installation.
Before you start the installation, review the compatibility information and
resource requirements.
Installation Methods
Use the following table to choose an installation method. Also, make sure you review
the compatibility and resource requirements before you start the installation.
Installation
Installation
Method Instructions Details
File
(for reference)
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 13 -
Before You Begin
Compatibility
Whether you plan to install your virtual appliances in a VMware environment or KVM
(Kernel-based Virtual Machine), make sure you review the following compatibility
information:
VMware
l Compatibility: VMware v6.5 or v6.7.
l OVF Deployment: We validated VMware v6.5 using update 2 and the vSphere
flash web client. There may be issues using other clients from vSphere. You can
use the ESXi 6.5 update 2 HTML5 client, but you may encounter system time-
outs.
l VMware Upgrades: We do not support VMware v6.0 with Stealthwatch v7.2.x. If
your Stealthwatch appliances are installed on VMware v6.0, upgrade your VMware
vCenter and ESXi hosts to v6.5 or v6.7 before you upgrade Stealthwatch to v7.2.x.
For instructions, refer to the Stealthwatch Update Guide v7.1.x to 7.2.1 and the
VMware documentation for vSphere 6.0 End of General Support.
l Live migration (for example, with vMotion) from host to host is not supported.
l Snapshots: Virtual machine snapshots are not supported.
KVM
l Compatibility: using any compatible Linux distribution.
l KVM Host Versions: There are several methods used to install a virtual machine
on a KVM host. We tested KVM and validated performance using the following
components:
l libvirt 3.0.0
l qemu-KVM 2.8.0
l Open vSwitch 2.6.1
l Linux Kernel 4.4.38
l Virtualization Host: For minimum requirements and best performance, review the
Virtual Edition (VE) Resource Requirements section and see the hardware
specification sheet for your appliance at Cisco.com.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 14 -
Before You Begin
Downloading Software
Use Cisco Software Central to download virtual appliance (VE) installation files, patches,
and software update files. Log in to your Cisco Smart Account at
https://software.cisco.com or contact your administrator. Refer to 2. Downloading VE
Installation Files for instructions.
Licensing
For licensing Stealthwatch, you will use your Smart Account to register your product
instance, manage licenses, run reports, and configure notifications. Log in to your Cisco
Smart Account at https://software.cisco.com or contact your administrator.
When you use Stealthwatch in Evaluation mode, you can use selected features for 90
days. To use Stealthwatch with maximum default functionality, and to add licenses and
features to your account, register your product instance for Smart Software Licensing.
Refer to 9. Licensing for more information.
Make sure you register your product instance before the 90-day evaluation
period expires. When the evaluation period expires, flow collection will stop.
To start flow collection again, register your product instance.
TLS
Stealthwatch requires v1.2.
Browsers
l Compatible Browsers: Stealthwatch supports the latest version of Chrome,
Firefox, and Edge.
l Microsoft Edge: There may be a file size limitation with Microsoft Edge. We do
not recommend using Microsoft Edge to install the VE OVF or ISO files.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 15 -
Before You Begin
Host Name
A unique host name is required for each appliance. We cannot configure an appliance
with the same host name as another appliance. Also, make sure each appliance host
name meets the Internet standard requirements for Internet hosts.
Domain Name
A fully qualified domain name is required for each appliance. We cannot install an
appliance with an empty domain.
NTP Server
l Configuration: At least 1 NTP server is required for each appliance.
l Problematic NTP: Remove the 130.126.24.53 NTP server if it is in your list of
servers. This server is known to be problematic and it is no longer supported in our
default list of NTP servers.
Time Zone
All Stealthwatch appliances use Coordinated Universal Time (UTC).
l Virtual Host Server: Make sure your virtual host server is set to the correct time.
Make sure the time setting on the virtual host server (where you will be
installing the virtual appliances) is set to the correct time. Otherwise, the
appliances may not be able to boot up.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 16 -
Hardware Resource Requirements
Host Name
Subnet Mask
Gateway
DNS Server(s)
NTP Server(s)
Mail Relay
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 17 -
Virtual Edition (VE) Resource Requirements
Make sure you reserve the required resources for your system. This step is
critical for system performance.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 18 -
Virtual Edition (VE) Resource Requirements
Required Required
Concurrent
Flow Collectors Reserved Reserved
Users*
Memory CPUs
1 2 24 GB 3
3 5 32 GB 4
5 10 32 GB 4
*Concurrent users include scheduled reports and people using the SMC client at the
same time.
Required
Minimum Hardware
OVF or ISO
Reserved Equivalent*
Memory
RAM 64 GB 64 GB 128 GB
CPU 8 8 28
*These figures are based on the SMC 2010 appliance and physical (non hyper-threaded)
cores.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 19 -
Virtual Edition (VE) Resource Requirements
SMC VE ≤ 63 GB up to 7
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 20 -
Virtual Edition (VE) Resource Requirements
Flow Collector VE
To determine your resource requirements for the Flow Collector VE, you should
determine the flows per second expected on the network, and the number of exporters
and hosts it is expected to monitor. Refer to the following specifications to determine
your resource requirements:
Up to
Up to 4,500 Up to 250 16 GB 2 FCVE
125,000
Up to Up to
Up to 500 24 GB 3 FCVE
15,000 250,000
Up to Up to Up to
32 GB 4 FCVE
22,500 1000 500,000
Up to Up to Up to
32 GB 5 FCVE
30,000 1000 500,000
Up to Up to Up to
64 GB 6 2000
60,000 1500 750,000
Up to Up to Up to
128 GB 7 4000
120,000 2000 1,000,000
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 21 -
Virtual Edition (VE) Resource Requirements
Flow Sensor VE
Stealthwatch offers various types of Flow Sensor VEs depending upon the number of
NICs for the Flow Sensor VE.
l Cache: The Flow Cache Size column indicates the maximum number of active
flows that the Flow Sensor can process at the same time. The cache adjusts with
the amount of reserved memory, and flows are flushed every 60 seconds. Use the
Flow Cache Size to calculate the amount of memory needed for the amount of
traffic being monitored.
l Requirements: Your environment may require more resources depending on a
number of variables, such as average packet size, burst rate, and other network
and host conditions.
Flow Cache
NICs - Required Size
Required
monitoring Minimum (maximum
Reserved Estimated Throughput
ports Reserved number of
CPUs
(1 Gb) Memory concurrent
flows)
1,850 Mbps
3,700 Mbps
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 22 -
Virtual Edition (VE) Resource Requirements
These figures are based on tests with Cisco UCS C220 M4, which contains the
following:
Ethertype Protocol
0x8909 SXP
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 23 -
Virtual Edition (VE) Resource Requirements
0x8100 VLAN
0x88a8
0x9100
VLAN QnQ
0x9200
0x9300
The Flow Sensor saves the top-level MPLS label or VLAN ID and exports it. It
bypasses the other labels when it is processing packets.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 24 -
Virtual Edition (VE) Resource Requirements
UDP Director VE
The UDP Director VE requires that the virtual machine meets the following
specifications:
l 8 GB RAM
l Thick or Thin Provisioning: We recommend thick provisioning although thin
provisioning can be used if disk space is limited.
Endpoint Concentrator
These are the requirements for the Endpoint Concentrator 1000:
Required Required
Maximum FPS Rate
Reserved CPU Reserved Memory
2 8 GB 20,000
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 25 -
Virtual Edition (VE) Resource Requirements
Data Storage
The appliance data storage expands automatically when the appliance reboots. Also,
you may want to expand the appliance resource allocations to improve performance.
Use the following information to allocate storage for each appliance.
Make sure you reserve the required resources for your system. This step is
critical for system performance.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 26 -
Virtual Edition (VE) Resource Requirements
Maximum
Required Addressable
Stealthwatch VE Model Minimum Storage/
Data Storage Hardware
Equivalent
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 27 -
Quick Reference Workflows
Stealthwatch Hardware
Use the following workflow to configure your Stealthwatch hardware so it is managed
and communicating with your other appliances.
1. Use the Stealthwatch x210 Series Hardware Installation Guide to install your
Stealthwatch physical appliances.
2. Review the Introduction section and Hardware Resource Requirements to
plan for the configuration.
3. Go to 5. Configuring Your Stealthwatch System, and follow the instructions to
the end of this guide.
1. Review the Introduction section and Virtual Edition (VE) Resource
Requirements to plan for the VE installation and configuration.
2. Install your virtual appliances using the following instructions in this guide:
3. Continue with 5. Configuring Your Stealthwatch System, and follow the
instructions to the end of this guide.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 28 -
1. Installing a Virtual Appliance: Configuring your Firewall and Ports
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 29 -
1. Installing a Virtual Appliance: Configuring your Firewall and Ports
The Flow Sensor VE appliance is most effective when placed at critical segments of your
corporate network as follows:
l Inside your firewall to monitor traffic and determine if a firewall breach has
occurred
l Outside your firewall, monitoring traffic flow to analyze who is threatening your
firewall
l At sensitive segments of your network, offering protection from disgruntled
employees or hackers with root access
l At remote office locations that constitute vulnerable network extensions
l On your business network for protocol use management (for example, on
your transaction services subnet to determine if a hacker is running Telnet or FTP
and compromising your customers' financial data)
The Stealthwatch Flow Sensor VE is versatile enough to integrate with a wide variety of
network topologies, technologies, and components. Before you install a Flow Sensor
VE, you must make several decisions about your network and how you want to monitor
it. It is important to review the following:
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 30 -
1. Installing a Virtual Appliance: Configuring your Firewall and Ports
l TAPs
l SPAN Ports
While not all network configurations can be discussed here, the examples may help you
determine the best setup for your monitoring needs. These examples provide physical
network scenarios, and the virtual host can be configured in a similar way.
TAPs
When a Test Access Port (TAP) is placed in line with a network connection, it repeats
the connection on a separate port or ports. For example, an Ethernet TAP placed in line
with an Ethernet cable will repeat each direction of transmission on separate ports.
Therefore, use of a TAP is the most reliable way to use the Flow Sensor. The type of
TAP you use depends on your network.
In a network using TAPs, the Flow Sensor VE can capture performance monitoring data
only if it is connected to an aggregating TAP that is capturing both inbound and
outbound traffic. If the Flow Sensor VE is connected to a unidirectional TAP that is
capturing only one direction of traffic on each port, then the Flow Sensor VE will not
capture performance monitoring data.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 31 -
1. Installing a Virtual Appliance: Configuring your Firewall and Ports
Two splitters are required for fiber-optic–based systems. You can place a fiber-optic
cable splitter in line with each direction of transmission and use it to repeat the optical
signal for one direction of transmission.
If the connection between the monitored networks is an optical connection, then the
Stealthwatch Flow Sensor VE appliance is connected to two optical splitters. The
management port is connected to either the switch of the monitored network or to
another switch or hub.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 32 -
1. Installing a Virtual Appliance: Configuring your Firewall and Ports
If your firewall is performing network address translation (NAT), you can observe only
the addresses that are on the firewall.
To monitor traffic inside your firewall by using a TAP, insert the TAP or optical splitter
between your firewall and the main switch or hub. A TAP configuration is shown below.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 33 -
1. Installing a Virtual Appliance: Configuring your Firewall and Ports
SPAN Ports
You can also connect the Flow Sensor VE to a switch. However, because a switch does
not repeat all traffic on each port, the Flow Sensor VE will not perform properly unless
the switch can repeat packets transmitted to and from one or more switch ports. This
type of switch port is sometimes called a mirror port or Switch Port Analyzer (SPAN).
The following illustration shows how you can achieve this configuration by connecting
your network to the Stealthwatch Flow Sensor VE through the management port.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 34 -
1. Installing a Virtual Appliance: Configuring your Firewall and Ports
In this configuration, you must configure a switch port (also called a mirror port), to
repeat all traffic to and from the host of interest to the mirror port. The Flow Sensor VE
Monitor Port 1 must be connected to this mirror port. This allows the Flow Sensor to
monitor traffic to and from the network of interest and to other networks. In this
instance, a network may be made up of some or all of the hosts connected to the switch.
A common way of configuring networks on a switch is to zone them into virtual local area
networks (VLANs), which are logical rather that physical connections of hosts. If the
mirror port is configured to mirror all ports on a VLAN or switch, the Flow Sensor VE can
monitor all traffic to, from, and within the network of interest, as well as other networks.
If you are deploying the UDP Director in an environment where Cisco's ACI is
being utilized and Unicast Reverse Path Forwarding (uRPF) or Limit IP
learning to subnet is enabled, the local network may block the forwarded
traffic leaving the UDP Director. You need to spoof the UDP traffic as part of the
forwarding rules so tools collecting the log data are able to know the original
source of traffic.
To ensure a successful operation of the UDP Director in this case, deploy your
UDP Director on a portion of your network where you can disable uRPF or Limit
IP learning to subnet (typically internally). You can place the UDP Director in
an L3 out (no IP learning). If on 4.0+, you can disable endpoint learning on a per
VRF basis.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 35 -
1. Installing a Virtual Appliance: Configuring your Firewall and Ports
Open Ports
Stealthwatch Management Console (SMC), Flow Collector, Flow Sensor, and
UDP Director
Consult with your network administrator to ensure that the following ports are open and
have unrestricted access:
l TCP 22
l TCP 25
l TCP 389
l TCP 443
l TCP 2393
l TCP 5222
l UDP 53
l UDP 123
l UDP 161
l UDP 162
l UDP 389
l UDP 514
l UDP 2055
l UDP 6343
Endpoint Concentrator
Use the port information in this section to configure your network so the appliances can
communicate on the network:
l TCP 22
l TCP 443
l UDP 53
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 36 -
1. Installing a Virtual Appliance: Configuring your Firewall and Ports
l UDP 123
l UDP 161
l UDP 162
l UDP 514
l UDP 2055
l UDP 3514
TCP/389,
Active Directory SMC LDAP
UDP/389
Endpoint
Flow Collector UDP/2055 NetFlow
Concentrator
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 37 -
1. Installing a Virtual Appliance: Configuring your Firewall and Ports
*This is the default NetFlow port, but any UDP port could be configured on
the exporter.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 38 -
1. Installing a Virtual Appliance: Configuring your Firewall and Ports
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 39 -
1. Installing a Virtual Appliance: Configuring your Firewall and Ports
The following diagram shows the various connections used by Stealthwatch. Some of
these ports are optional.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 40 -
2. Downloading VE Installation Files
Installation Files
Appliance
Virtual Machine Details
Installation File
3. Scroll down until you see the Select a Product field.
4. You can access Stealthwatch files in two ways:
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 41 -
2. Downloading VE Installation Files
2. Download Files
1. Select an appliance type.
4. Download: Locate the OVF or ISO installation file. Click the Download icon or
Add to Cart icon.
5. Repeat these instructions to download the files for each appliance type.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 42 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 43 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
Process Overview
Installing a virtual appliance involves completing the following procedures, which are
covered in this chapter:
Some of the menus and graphics may vary from the information shown here.
Please refer to your VMware guide for details related to the software.
2. Flow Sensors: If the appliance is a Flow Sensor, go to 2. Configuring the Flow
Sensor to Monitor Traffic.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 44 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 45 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
Configuration Requirements
This configuration has the following requirements:
l Distributed Virtual Port (dvPort): Add a dvPort group with the correct VLAN
settings for each VDS that the Flow Sensor VE will monitor. If the Flow Sensor VE
monitors both VLAN and non-VLAN traffic on the network, you need to create two
dvPort groups, one for each type.
l VLAN Identifier: If your environment uses a VLAN (other than VLAN trunking or a
private VLAN), you need the VLAN identifier to complete this procedure.
l Promiscuous Mode: enabled
l Promiscuous Port: configured to the vSwitch
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 46 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
4. Use the New Distributed Port Group dialog box to to configure the port group,
including the specifications in the following steps.
5. Select Name and Location: In the Name field, enter a name to identify this
dvPort group.
6. Configure Settings: In the Number of Ports field, enter the number of Flow
Sensor VEs in your cluster of hosts.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 47 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
9. In the Networking tree, right-click the new dvPort group. Select Edit Settings.
l If yes, repeat the steps in this section Monitoring a vSwitch with Multiple
Hosts
l If no, continue to the next step.
14. Is there another VDS in the VMware environment that the Flow Sensor VE will
monitor?
l If yes, repeat the steps in this section Monitoring a vSwitch with Multiple
Hosts for the next VDS.
l If no, go to 3. Installing the Virtual Appliance.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 48 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
This section applies only to non-VDS networks. If your network uses a VDS, go
to Monitoring a vSwitch with Multiple Hosts.
Configuration Requirements
This configuration has the following requirements:
l Promiscuous Port Group: Add a promiscuous port group for each virtual switch
that the Flow Sensor VE will be monitoring.
l Promiscuous Mode: enabled
l Promiscuous Port: configured to the vSwitch
4. You can create a new port group or edit a port group.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 49 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
5. Use the dialog box to configure the port group. Configure the VLAN ID or VLAN
Trunking:
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 50 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
8. Will the Flow Sensor VE be monitoring another virtual switch in this VMware
environment?
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 51 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
Some of the menus and graphics may vary from the information shown here.
Please refer to your VMware guide for details related to the software.
1. Locate the virtual appliance software file (OVF.TGZ) that you downloaded from
Cisco Software Central.
2. Unzip or open the file, and then untar it.
l To untar the file, select all the files in the folder and extract them.
l Unzipping TGZ file is a two-step process, and the steps may vary depending
on the software you use.
5. Select an OVF template: Choose the virtual appliance OVF and VMDK files.
6. Select a name and folder: Change the name so it is unique. Select the location
to save your appliance.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 52 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
8. Review details: Review the details for the OVF deployment. You will adjust the
resources in the following steps.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 53 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
9. License agreements: Review and accept the End User License Agreement.
10. Select storage: Select a location to store the data files.
Use the Thin Provision format only if your disk space is limited. For more
information, refer to your VMware guide.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 54 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
Flow Sensors: If the appliance is a Flow Sensor, select the port you created.
Refer to 2. Configuring the Flow Sensor to Monitor Traffic for details.
12. Ready to complete: Review the summary of settings. If they are correct, click
Finish.
13. The deployment starts in the background. Monitor the deployment progress in the
Recent Tasks section. Make sure the deployment is completed and shown in the
Inventory tree before you go to the next steps.
14. Flow Sensors: If the appliance is a Flow Sensor and will be monitoring more than
one virtual switch in the VMware environment, or more than one VDS in a cluster,
continue with the next section 4. Defining Additional Monitoring Ports (Flow
Sensors only).
15. Repeat all of the procedures in 3a. Installing a Virtual Appliance using VMware
vCenter (OVF) for the next virtual appliance in your system.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 55 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
1. In the Inventory tree, right-click the Flow Sensor VE. Select Edit Settings.
2. Use the Edit Settings dialog box to configure the following specified settings.
3. Click Add New Device. Select Network Adapter.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 56 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
4. Locate the new network adapter. Click the arrow to expand the menu, and
configure the following:
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 57 -
3a. Installing a Virtual Appliance using VMware vCenter (OVF)
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 58 -
3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 59 -
3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)
Process Overview
Installing a virtual appliance involves completing the following procedures, which are
covered in this chapter:
1. Logging in to the VMware Web Client
2. Booting from the ISO
Some of the menus and graphics may vary from the information shown here.
Please refer to your VMware guide for details related to the software.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 60 -
3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)
l Name: Enter a name for the appliance so you can identify it easily.
l Compatibility: Select the version you are using (v6.5 or v6.7).
l Guest OS family: Linux.
l Guest OS version: Select Debian GNU/Linux 10 64-bit.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 61 -
3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)
If the appliance is a Flow Sensor, you can click Add Network Adapter to
add another management or sensing interface. Refer to Stealthwatch Flow
Sensor for details.
10. Review your configuration settings and confirm they are correct.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 62 -
3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 63 -
3c. Installing a Virtual Appliance on a KVM Host (ISO)
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 64 -
3c. Installing a Virtual Appliance on a KVM Host (ISO)
Process Overview
Installing a virtual appliance involves completing the following procedures, which are
covered in this chapter:
1. Installing a Virtual Appliance on a KVM Host
2. Adding NIC and Promiscuous Port Monitoring on an Open vSwitch
(Flow Sensors Only)
Monitoring Traffic
The Flow Sensor VE has the ability to provide visibility into KVM environments,
generating flow data for areas that are not flow-enabled. As a virtual appliance installed
inside each KVM host, the Flow Sensor VE passively captures Ethernet frames from
traffic it observes and creates flow records containing valuable session statistics that
pertain to conversational pairs, bit rates, and packet rates. For details, refer to
Stealthwatch Flow Sensor: Integrating the Flow Sensor VE into your network.
Configuration Requirements
This configuration has the following requirements:
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 65 -
3c. Installing a Virtual Appliance on a KVM Host (ISO)
1. Use Virtual Machine Manager to connect to the KVM Host and configure the
appliance as specified in the following steps.
3. Select Local install media (ISO image or CDROM). Click Forward.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 66 -
3c. Installing a Virtual Appliance on a KVM Host (ISO)
7. Under Choose an operating system type and version, select Linux from the
OS type drop-down list.
8. From the Version drop-down list, select Debian Jessie. Click Forward.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 67 -
3c. Installing a Virtual Appliance on a KVM Host (ISO)
9. Increase the Memory (RAM) and CPUs to the amount shown in the Virtual Edition
(VE) Resource Requirements section.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 68 -
3c. Installing a Virtual Appliance on a KVM Host (ISO)
12. Assign a Name for the virtual machine. This will be the display name, so use a
name that will help you find it later.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 69 -
3c. Installing a Virtual Appliance on a KVM Host (ISO)
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 70 -
3c. Installing a Virtual Appliance on a KVM Host (ISO)
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 71 -
3c. Installing a Virtual Appliance on a KVM Host (ISO)
1. In the Configuration Menu, click Add Hardware. The Add New Virtual Hardware
dialog box displays.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 72 -
3c. Installing a Virtual Appliance on a KVM Host (ISO)
3. Click the Portgroup drop-down list to select an unassigned promiscuous port
group you want to monitor. Click the Device Model drop-down list to select
e1000.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 73 -
4. Configuring the IP Addresses
If the virtual machine does not power on, and you receive an error message about
insufficient available memory, do one of the following:
l Login: sysadmin
l Default Password: lan1cope
l You will change the default password when you configure the system.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 74 -
4. Configuring the IP Addresses
You may need to enable the Full Screen Mode to view the entire screen.
6. Click on the page. Enter the IP address for the virtual appliance.
7. Select OK. Press Enter.
8. Review the IP network mask address.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 75 -
4. Configuring the IP Addresses
Make sure the host name is unique and meets the Internet standard requirements
for Internet hosts.
l Select OK.
l Press Enter to continue.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 76 -
4. Configuring the IP Addresses
l Select OK.
l Press Enter to continue.
14. Follow the on-screen prompts to finish the virtual environment and restart the
appliance.
18. Repeat all the steps in 4. Configuring the IP Addresses for the next virtual
appliance in your system.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 77 -
4. Configuring the IP Addresses
Troubleshooting
Certificate Error
If your VM environment usage is high, there may be a timing error and some events
occur out of order. If you receive the following error that permission is denied due to a
certificate error (.crt), do the following:
1. Log in to the appliance console as sysadmin. The default password is lan1cope.
You will change the default password in a later procedure. For more information,
refer to Change Default Password.
/lancope/admin/plugins/update/.98-FIX-SECRET-PERMS.sh
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 78 -
4. Configuring the IP Addresses
l docker ps
l systemctl list-units --failed
l systemd-analyze critical chain
3. Once all docker containers and services are up and running, try the login again. If
you cannot access the appliance, please contact Cisco Stealthwatch Support.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 79 -
5. Configuring Your Stealthwatch System
Preparation
Before you start the configuration, review the instructions so you understand the
appliance configuration order, best practices, and additional requirements.
l appliance
l subnet mask
l default and broadcast gateways
l NTP and DNS servers
l SMC IP address for Central Management
Managed
As part of the Appliance Setup Tool, you will configure your appliance to be managed by
your primary Stealthwatch Management Console (SMC).
When your appliances are managed by your Stealthwatch Management Console (SMC),
you can use Central Management to edit appliance configurations, update software,
reboot, shut down, and more.
SMC Failover
If you have more than one Stealthwatch Management Console (SMC), you can set up an
SMC failover pair so that one of them serves as backup console to the other.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 80 -
5. Configuring Your Stealthwatch System
Best Practices
To configure your system successfully, make sure you follow the instructions in this
guide.
We recommend the following:
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 81 -
5. Configuring Your Stealthwatch System
Configuration Order
Configure your appliances in the following order, and note the details for each
appliance:
UDP Directors
2. (also known as
FlowReplicators)
7. Endpoint Concentrator
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 82 -
5. Configuring Your Stealthwatch System
to Defining an SMC Failover
Relationship for details.
Your system might not have all the appliances shown here.
1. Log In
Use the following instructions to configure each appliance using the Appliance Setup
Tool.
1. In the address field of your browser, type https:// followed by the IP address of
the appliance.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 83 -
5. Configuring Your Stealthwatch System
1. Change Default Password: Enter new passwords for admin, root, and sysadmin.
Click Next to scroll to each user.
admin lan411cope
root lan1cope
sysadmin lan1cope
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 84 -
5. Configuring Your Stealthwatch System
The sysadmin and root menus are unavailable if you've already changed the
default passwords during the hardware installation. Refer to the Stealthwatch
x210 Series Hardware Installation Guide for details.
2. Management Network Interface: Review the IP address and network interface
fields. Confirm the default settings are correct. Click Next.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 85 -
5. Configuring Your Stealthwatch System
3. Host Name and Domains: Enter the host name and network domain name. Click
Next.
l Host Name: A unique host name is required for each appliance. If you
assign the same host names to your appliances, they will not install
successfully.
Also, make sure each appliance host name meets the Internet standard
requirements for Internet hosts.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 86 -
5. Configuring Your Stealthwatch System
4. DNS Settings: Confirm the default is correct, or enter your domain server IP
address. Click Next.
5. NTP Settings: Confirm the default is correct, or click the Menu icon to select
your network time protocol (NTP) server. Click Next.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 87 -
5. Configuring Your Stealthwatch System
Wait a few minutes for your new system settings to take effect. You may need to
refresh the page.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 88 -
5. Configuring Your Stealthwatch System
8. Review the inventory. Confirm the SMC appliance status is shown as Up.
Make sure the primary SMC and each appliance is shown as Up before you start
configuring the next appliance in your cluster using the configuration order
and details.
9. To configure the next appliance in your system, go to 1. Log In, and complete the
procedures through 5. Confirm Appliance Status .
1. On the Central Management tab, enter the IP address of your primary SMC.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 89 -
5. Configuring Your Stealthwatch System
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 90 -
5. Configuring Your Stealthwatch System
Make sure the primary SMC and each appliance is shown as Up before you start
configuring the next appliance in your cluster using the configuration order
and details.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 91 -
5. Configuring Your Stealthwatch System
3. To configure the next appliance in your system, go to 1. Log In, and complete the
procedures through 5. Confirm Appliance Status .
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 92 -
6. Finishing Appliance Configurations
1. Click the link for the appliance you are configuring:
Required Optional
Appliance
Configurations Configurations
High Availability
UDP Director (available on hardware
only)
Application ID and
Flow Sensor Identifying Applications
Payload
Connecting to a NetFlow
Endpoint Concentrator
Collector
2. When you are finished configuring and restarting each appliance in the table, go to
7. Installing the Stealthwatch Desktop Client.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 93 -
6. Finishing Appliance Configurations
UDP Director
Use the following instructions to finish configuring the UDP Director.
l Forwarding Rules: Configure at least one forwarding rule if you're planning to set
up High Availability. Refer to Configuring Forwarding Rules
l High Availability: If you have more than one UDP Director, you can set up a High
Availability pair. Configure at least one forwarding rule if you're planning to set up
High Availability (go to Configuring High Availability).
3. Click the Actions menu for the appliance. Select Configure Forwarding Rules.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 94 -
6. Finishing Appliance Configurations
l All: You can type "All" to accept data from any source IP address on this port.
Examples:
l 10.11.16.38:5322
l 192.168.0.0/16:9000
l All:2055
7. Destination IP Address: Enter the IP address of the device receiving data from
the UDP Director.
8. Destination Port Number: Enter the port number for the receiving device.
9. Click Save.
10. Optional: To sync your changes, click Sync.
The UDP Director High Availability allows a user to configure settings for redundant UDP
Directors. Both nodes are fully redundant, however only one node is online at a time.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 95 -
6. Finishing Appliance Configurations
Requirements
l Forwarding Rules: Configure at least one forwarding rule for the UDP Director in
the HA system.
l Save the Rules Configuration File: If the UDP Director has already been
configured with rules, export (save the rules configuration file) the UDP Director
rules. Then, import the file to the second UDP Director to ensure that the rules for
each match.
l Order: Configure the Primary UDP Director and then repeat the configuration on
the Secondary one.
l New or Established: If the both UDP Directors are new, make sure you follow the
procedures for each in this guide. However, if the secondary is already configured
as an appliance on the Stealthwatch system, log in to the secondary UDP Director
and configure its HA components as described here.
3. Check the Enable High Availability Service check box for the High Availability
Settings.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 96 -
6. Finishing Appliance Configurations
4. In the Virtual IP Address field, enter an unused IP adddress that is on the same
subnet as the eth0 interface. Set the subnet mask value to the value of the subnet
mask used on the eth0 interface.
5. In the Shared Secret field, type a string for both UDP Directors. (This will be
encrypted for secure transfer.)
6. In the fields for Sync Ring 1 (Eth2) Unicast IP Address, enter the IP address and
the subnet mask. (A Unicast IP Address identifies a single network destination.)
7. In the fields for Sync Ring 2 (Eth3) Unicast IP Address, enter the IP address and
the subnet mask.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 97 -
6. Finishing Appliance Configurations
8. After reviewing the setting, click Apply to set the configuration.
9. Continue to the next section to configure the second UDP Director of the cluster.
3. Configure all of the parameters on this screen (including any Advanced Parameters
that you may have changed on the first appliance) exactly as you did on the first
appliance with exactly same values for every field except for the following:
l Sync Ring 1 (Eth2) Unicast IP Address: Enter a different IP address from what
you configured in this field on the primary, but it must be in the same subnet
as the Sync Ring 1 Unicast address given on the primary.
l Sync Ring 2 (Eth3) Unicast IP Address: Enter a different IP address from what
you configured in this field on the primary, but it must be in the same subnet
as the Sync Ring 2 Unicast address given on the primary.
4. Click Apply to save your changes and to start the clustering services on this
appliance.
5. Click Promote to designate the primary appliance.
6. Restart: Select Operations > Restart Appliance.
7. Return to 6. Finishing Appliance Configurations.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 98 -
6. Finishing Appliance Configurations
Flow Sensor
1. Configure the Application ID and Payload
The configuration of a Flow Sensor requires an additional step of configuring the
application ID and payload.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 99 -
6. Finishing Appliance Configurations
Item Description
Export Packet Allows you to specify whether the Flow Sensor includes the first 26
Payload bytes of binary payload data in the data that it sends to the collector.
Enable X- Allows you to specify whether the Flow Sensor uses X-Forwarded-
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 100 -
6. Finishing Appliance Configurations
Item Description
Allows you to specify whether the Flow Sensor uses ETA processing
to generate and transmit IDP and SPLT fields to your SMC.
Flow Export Allows you to specify whether the Flow Sensor uses IPFIX or NetFlow
Format v9 to send flow data to the collector.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 101 -
6. Finishing Appliance Configurations
Item Description
4. If you have more than 1 monitoring NIC, select one of the following options in the
Cache Mode section:
l Use single, shared, cache for all monitoring ports: typically used for
systems that monitor flows using the TAP method.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 102 -
6. Finishing Appliance Configurations
Endpoint Concentrator
The Endpoint Concentrator has the following configuration requirements:
3. In the Assign NetFlow Collector fields, type the IP Address and the port number of
the Flow Collector or UDP Director that you want the Endpoint Concentrator to
send the data to.
Port Default: 2055.
4. Click Add. This will validate the IP address and port and move the entry to the
table.
5. If the information is correct, click Apply. This will restart the services with the new
information.
This field will only accept one value. If you need to add recipients, consider using
a Cisco UDP Director.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 103 -
6. Finishing Appliance Configurations
The NetFlow Collector settings appear in the table at the top of the page.
If you need to change the setting for the Collector, first delete the current
Collector by clicking the Delete check box, and then clicking Apply. Then you can
configure a new Collector.
6. In the main menu, click Home. Check the Docker Services table:
7. If all docker services are shown as "Running," restart the Appliance. Select
Operations > Restart Appliance. Then, return to 6. Finishing Appliance
Configurations.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 104 -
6. Finishing Appliance Configurations
1. Validate that the Endpoint Concentrator is receiving flows from the AnyConnect
Agents to the Collector.
l Enable SSH access to the Endpoint Concentrator via the web admin page.
l Validate that there are four entries that contain kafka, netflow-parser,
zookeeper, and netflow-generator. Note that the Container IDs and Image
versions will differ.
l If not they are not running, restart the Services from the appliance.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 105 -
7. Installing the Stealthwatch Desktop Client
1. Click the Download icon in the upper right corner of any page in the
Stealthwatch Web App.
3. Follow the steps in the wizard to install the Stealthwatch Desktop Client.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 106 -
7. Installing the Stealthwatch Desktop Client
7. Follow the on-screen prompts to open the Desktop Client and trust the appliance
identity certificate.
3. In the Stealthwatch directory, open the folder that contains the desired
Stealthwatch version.
4. Open the application.vmoptions file using an appropriate editing application to
begin editing. (This file is created after you open the Stealthwatch Desktop Client
for the first time.)
Minimum Memory Size (Xms): We recommend that you allocate no less than
512 MB. This number is listed in the third line of the file.
For editors that display the content in one continuous line, refer to the number
highlighted in the image below to see which number represents the minimum
memory size.
Maximum Memory (Xmx): You can allocate up to half the size of your computer's
RAM for the maximum memory size. This number is listed in the fourth line of the
file.
For editors that display the content in one continuous line, refer to the number
highlighted in the image below to see which number represents the maximum
memory size.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 107 -
7. Installing the Stealthwatch Desktop Client
1. Click the Download icon in the upper right corner of any page in the
Stealthwatch Web App.
3. Drag the Stealthwatch Desktop Client icon ( ) into the Application folder.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 108 -
7. Installing the Stealthwatch Desktop Client
Minimum Memory Size (Xms): We recommend that you allocate no less than
512 MB. This number is listed in the third line of the file.
For editors that display the content in one continuous line, refer to the number
highlighted in the image below to see which number represents the minimum
memory size.
Maximum Memory Size (Xmx): You can allocate up to half the size of your
computer's RAM for the maximum memory size. This number is listed in the fourth
line of the file.
For editors that display the content in one continuous line, refer to the number
highlighted in the image below to see which number represents the maximum
memory size.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 109 -
8. Verifying Communications
8. Verifying Communications
Use the following instructions to confirm the Stealthwatch Management Console is
receiving NetFlow data.
2. On the NetFlow Collection Status page, look at the Current NetFlow Traffic field
located at the top of the document. This statistic shows the amount of NetFlow
traffic being observed.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 110 -
8. Verifying Communications
Add Column: To add this column to your dashboard, right-click a column heading
and select Longest Duration Export from the menu.
5. Congratulations! You are finished with your Stealthwatch system configuration.
6. Next Steps: Review 9. Licensing, and register your product instance in your
Cisco Smart Account before the evaluation period expires.
Make sure you register your product instance before the 90-day evaluation
period expires. When the evaluation period expires, flow collection will stop.
To start flow collection again, register your product instance.
7. To add more services and features to Stealthwatch, refer to the following
resources:
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 111 -
8. Verifying Communications
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 112 -
9. Licensing
9. Licensing
Use Cisco Smart Software Licensing to license your Stealthwatch appliances and
features. For more information, refer to Smart Licensing on cisco.com.
l Online: To use Smart Licensing and Stealthwatch online, please refer to the
Stealthwatch Smart Software Licensing Guide. You need Internet access for this
configuration.
l Offline: To discuss your licensing options for closed/airgap networks, contact
Cisco Stealthwatch Support.
l Cisco Smart Account: To set up a Cisco Smart Account, register at
https://software.cisco.com or contact your administrator.
Evaluation Mode
When you use Stealthwatch in Evaluation mode, you can use selected features for 90
days. To use Stealthwatch with maximum default functionality, and to add licenses and
features to your account, register your product instance for Smart Software Licensing.
Make sure you register your product instance before the 90-day evaluation
period expires. When the evaluation period expires, flow collection will stop.
To start flow collection again, register your product instance.
l Admin User: To review Smart Licensing status and usage details in your
Stealthwatch Management Console, log in as the admin user.
l Days Remaining: To review the days remaining in Evaluation Mode, log in to the
Stealthwatch Management Console as the admin user. Go to Central
Management > Smart Licensing. Review the License Authorization Status.
l Product Instance: The Product Instance Name is the identifier we use for your
Stealthwatch product instance, which includes your Stealthwatch Management
Console and managed appliances.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 113 -
Defining an SMC Failover Relationship
l Configure the secondary SMC first, so the primary SMC can recognize it and
communicate with it.
l Licensing: Refer to the Stealthwatch Smart Software Licensing Guide for
information.
l Trust Store Certificates: As part of this procedure, you will add appliance
identity certificates to the required Trust Stores. Make sure you follow the
instructions.
l Adding/Removing Appliances: Do not add or remove appliances from Central
Management until you've finished the failover configuration and confirmed the
secondary SMC Appliance Status is shown as Up in Central Management.
1. Plan which SMC will be primary and which SMC will be secondary.
2. Log in to the
3. Before you configure the failover roles in the system, review and follow the
instructions in Stealthwatch Online Help.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 114 -
Enabling the Threat Intelligence Feed
License
Add the Threat Intelligence Feed License to your Cisco Smart Account. For instructions,
refer to the Stealthwatch Smart Software Licensing Guide.
Enable
To enable the feed in Central Management, follow the instructions in the online help.
Please note that you will configure the DNS server and firewall as part of the
instructions.
Online Help: To access the Online Help, right-click the Stealthwatch Labs
Intelligence Center branch and select Configuration > SLIC Threat Feed
Configuration. Click Help.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 115 -
Enabling the Threat Intelligence Feed
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 116 -
Configuring SAML SSO
Requirement Details
If the IDP URL does not start with HTTPS, you can skip this step and go to the
next section, 3. Configure the Service Provider.
Use the following instructions to add the root CA certificate to the SMC Trust Store.
1. On the Central Management Appliance Manager page, click the Actions menu for
the SMC.
2. Select Edit Appliance Configuration.
3. On the Appliance Manager > General tab, locate the Trust Store section.
4. Click Add New.
5. In the Friendly Name field, enter a name for the certificate.
6. Click Choose File. Select the new certificate.
7. Click Add Certificate. Confirm the new certificate is shown in the Trust Store list.
8. Click Apply Settings. Follow the on-screen prompts.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 117 -
Configuring SAML SSO
9. Up: On the Appliance Manager page, make sure the SMC finishes the
configuration changes and the Appliance Status returns to Up.
Do not force the appliance to reboot while configuration changes are pending.
10. If you have a secondary SMC, repeat this procedure to add the root CA certificate
to the secondary SMC Trust Store.
11. If you have added the root CA certificate to the SMC Trust Stores, go to the next
section.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 118 -
Configuring SAML SSO
4. Enable SSO
1. Select ssoEnable/Disable.
2. Follow the on-screen prompts to enable SSO.
3. Select CredentialDescription. Click Continue.
4. Enter a description of the SSO service credentials users need to log in.
5. Click OK.
6. Select DownloadIDP. Disable DownloadIDP until you need to save a new SSO
configuration.
l Click Continue.
l Follow the on-screen prompts to disable DownloadIDP.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 119 -
Configuring SAML SSO
l For example: If the Attribute store is the Active Directory, set the outgoing
claim type to the email address for the LDAP Attribute type user ID.
l Microsoft Active Directory File Server (ADFS): If the IDP type is ADFS,
confirm the following custom rule is shown:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Issuer = c.Issuer, Value = c.Value, ValueType = c.ValueType, Properties
["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] =
"urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties
["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] =
"http://<IDP FQDN>/adfs/com/adfs/service/trust", Properties
["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] =
"https://<SMC FQDN>/fedlet");
For instructions, click the User icon. Select Stealthwatch Online Help. For
details about adding users, refer to "Configuring Users."
5. Complete the fields to create a new user. Configure the user as follows:
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 120 -
Configuring SAML SSO
l User Name: Enter the first part of the email address for the IDP account.
Make sure the ID is identical to the one that will be used for SSO at login. For
example, for [email protected], enter "name" in this field.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 121 -
Configuring SAML SSO
Troubleshooting
Scenario Notes
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 122 -
Getting Started with Stealthwatch
Overview
For an overview of Stealthwatch, review the information in Stealthwatch Online Help.
Investigating Behavior
For information about investigating alarms, events, hosts, and more, review the
information in Stealthwatch Online Help.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 123 -
Getting Started with Stealthwatch
Responding To Threats
For policy information, review the information in Stealthwatch Online Help.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 124 -
Central Management
Central Management
Use Central Management to manage your appliances from your primary SMC. We've
included an overview of Central Management here, and details for each section are
available in Stealthwatch Online Help.
Appliance-specific configurations
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 125 -
Central Management
https://<IPAddress>
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 126 -
Central Management
3. Click the Configuration menu. Select an item from the list.
or
Click each tab to review each configuration category.
4. Make changes to each configuration section as needed. You can edit more than
one configuration category on each configuration tab.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 127 -
Central Management
5. Click Apply Settings. Follow the on-screen prompts to save your configuration
changes.
Some changes require a system reboot. If you prefer to wait, you can revert your
changes and edit your configuration settings and reboot later.
The appliance reboots automatically. Do not force the appliance to reboot while
configuration changes are pending. To confirm the appliance status is Up,
review Central Management > Appliance Manager inventory.
6. Up: On the Appliance Manager page, make sure the appliance finishes the
configuration changes and the Appliance Status returns to Up.
1. On the Central Management Appliance Manager page, click the Actions menu for
the appliance.
2. Select View Appliance Statistics.
3. Log in to the Appliance Administration interface.
1. On the Central Management Appliance Manager page, click the Actions menu for
the appliance.
2. Select Remove This Appliance.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 128 -
Central Management
If your appliance has custom certificates, make sure you save the identity
certificate and certificate chain (root and intermediate) to the SMC Trust Store
before you add the appliance to Central Management. Refer to the Trust Store
procedure in Stealthwatch Online Help.
l Custom Certificates: If your appliance has custom certificates, make sure you
save the identity certificate and certificate chain (root and intermediate) to its own
Trust Store and the SMC Trust Store before you add the appliance to Central
Management. Refer to the Trust Store procedure in Stealthwatch Online Help.
l SMC Administration Credentials: You need the SMC, user ID and password to
add an appliance to Central Management.
l RFD: If you reset the factory defaults on an appliance, you will enter the host
name, domain name, and additional configuration information as part of the
Appliance Setup Tool.
l New Installations: If this is a new installation and the appliance hasn't been
configured, go to Quick Reference Workflows.
If your appliance has custom certificates, make sure you save the identity
certificate and certificate chain (root and intermediate) to the SMC Trust Store
before you add the appliance to Central Management. Refer to the Trust Store
procedure in Stealthwatch Online Help.
2. In the appliance browser address bar, after the IP address, replace the end of the
URL with /lc-ast:
https://<IPAddress>/lc-ast
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 129 -
Central Management
8. For more information about the Appliance Setup Tool, refer to 5. Configuring
Your Stealthwatch System.
Enable/Disable SSH
Use this section to control the ability to access the appliance using SSH (secure shell).
Default: disabled
Open SSH
Use the following instructions to open SSH for a selected appliance.
Enable SSH
1. Locate the SSH section.
2. To allow SSH access on the appliance, check the Enable SSH check box.
3. To allow root access on the appliance, check the Enable Root SSH Access
check box.
4. Click Apply Settings.
5. Follow the on-screen prompts.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 130 -
Central Management
Disable SSH
1. To remove SSH access on the appliance, click the Enable SSH check box to clear
it.
2. To remove root access on the appliance, click the Enable Root SSH Access
check box to clear it.
3. Click Apply Settings.
4. Follow the on-screen prompts.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 131 -
Installing Patches and Updating Software
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 132 -
Troubleshooting
Troubleshooting
Config Channel Down
If your Appliance Manager shows Config Channel Down for the appliance status,
check the following:
1. In your browser address bar, type the appliance IP address as follows:
https://<IPAddress>
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 133 -
Troubleshooting
Your certificates are critical for your system’s security. Improperly modifying
your certificates can stop Stealthwatch appliance communications and cause
data loss.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 134 -
Troubleshooting
Changing IP Address
1. Open Central Management > Appliance Manager.
2. Click the Actions menu for the appliance.
3. Select Edit Appliance Configuration.
4. Select the Appliance tab.
5. In the Network Interfaces section, click the Info icon.
6. Click the Stealthwatch Online Help link.
7. Follow the instructions to change the network domain name.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 135 -
Troubleshooting
If you change the host name, network domain name, or IP address using the
Appliance Setup Tool, the appliance identity certificate is replaced
automatically.
1. In the appliance browser address bar, after the IP address, replace the end of the
URL with /lc-ast:
https://<IPAddress>/lc-ast
l Users: The available menus are determined by whether you log in as root,
sysadmin, or admin.
l SSH: You may need to enable SSH to access a menu.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 136 -
Troubleshooting
Please contact Cisco Stealthwatch Support before you change your trusted
hosts.
If you change the trusted hosts list from the defaults, make sure each Stealthwatch
appliance is included in the trusted host list for every other Stealthwatch appliance in
your deployment. Otherwise, the appliances will not be able to communicate with each
other.
l RFD twice: To completely erase data, make sure you reset factory defaults twice.
l Back up Configuration: If you plan to restore the appliance configuration, make
sure you save the backup configuration and database backup files. Refer to
Backup Configuration Files (in Central Management) and Backup/Restore
Database (Appliance Admin interface) topics in the Stealthwatch Online help
for details. To restore the backup after RFD, contact Cisco Stealthwatch Support.
If you reset factory defaults (RFD) on an appliance, all existing data and
configuration information will be deleted and can only be restored if you've
made a backup.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 137 -
Troubleshooting
Make sure you RFD each appliance twice to completely erase data.
If you disable the password reset, and you lose your passwords, you will lose
access to the data saved to your appliance. To access the appliance again,
reset factory defaults and reconfigure it.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 138 -
Troubleshooting
After you reset your appliance passwords to the default, make sure you change
them. This step is critical for security. Refer to Changing Passwords for
instructions.
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 139 -
Troubleshooting
The command line might look slightly different depending on your appliance
version.
5. Type resetpassword after c=off to make the command line look like the
following example:
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 140 -
Troubleshooting
This will reset your admin, root, and sysadmin passwords to their default values.
7. Go to Changing Passwords to change the passwords from the default. This step
is critical for security.
Changing Passwords
Use the following instructions to change your passwords from the default password or
a previous password. Make sure you use the following criteria:
admin lan411cope
root lan1cope
sysadmin lan1cope
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 141 -
Troubleshooting
l URL: https://<IPAddress>
l Login: admin
l Default Password: lan411cope
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 142 -
Troubleshooting
l URL: https://<IPAddress>
l Login: admin
l Default Password: lan411cope
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 143 -
Contacting Support
Contacting Support
If you need technical support, please do one of the following:
© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 144 -
Copyright Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its
affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are
the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)