
Lab 5 - Enable and Verify Encrypted Traffic Analytics

This document outlines the configuration and verification steps for the Cisco Flow Collector and StealthWatch Management Console (SMC) for Enhanced Threat Analytics (ETA) and report generation. It includes detailed procedures for accessing the administration interfaces, verifying settings, enabling Global Threat Analytics, and generating HTTPS and ICMP traffic for analysis. The document serves as a lab guide for users to ensure proper setup and functionality of the Cisco security tools.


Task 4: Configure the Cisco Flow Collector and the Cisco SMC for ETA and Generating Reports


In this task, you will inspect and perform the following tasks:
• Verify that the StealthWatch Flow Collector for NetFlow VE Administration Interface is configured properly for ETA.
• Verify that the StealthWatch Management Console (SMC) VE Administration Interface is configured properly for ETA.
• Configure the SMC Web Client GUI for the ETA reports.

Activity Procedure
Complete the following steps:
Step 1 Connect to the Admin-PC console and browse to the StealthWatch Flow Collector for NetFlow VE GUI at https://192.168.2.29. Log in using the username admin with the password ISEisC00L.

Step 2 From the StealthWatch Flow Collector for NetFlow VE GUI, verify that it is already configured with the following parameters:
• StealthWatch FC IP address: 192.168.2.29/24
• Hostname: fcfn-01

Discovery Lab 5 | © 2025 Cisco Systems, Inc. Lab Guide 1


• Domain name: isesda.com
In the StealthWatch Flow Collector for NetFlow VE GUI, click the Home icon and
inspect the web page that opens up.

This web page reports the System IP address is 192.168.2.29, the hostname is
fcfn-01, and the domain name is isesda.com.
Step 3 Open an additional tab in the Chrome web browser. Access the appliance web administration interface by typing https://192.168.2.35/ into the address bar or by choosing the SMC bookmark, and log in using the username admin with the password ISEisC00L. Then click Sign In.



From the Stealthwatch Appliance configuration, Flow Collector for NetFlow VE
GUI Naming and DNS web page, verify that the preconfigured system
parameters are the following:
• Hostname: fcfn-01
• Domain name: isesda.com
• DNS Server IP address: 192.168.2.14
On the SMC’s Security Insight Dashboard page, locate the gear icon in the
upper-right corner, click it and select Central Management from the menu.



A new tab will open, and the Stealthwatch Central Management page will load.

Locate the fcfn01 in the appliance Inventory list and click the ellipsis (...) in the
Actions column and select Edit Appliance Configuration from the menu.

On the Appliance tab, scroll down and locate the panel for Host Naming.



On the Network Services tab, scroll down and locate the panel for DNS Server.

Step 4 From the Stealthwatch Appliance Manager, Appliance configuration - Flow Collector GUI, verify that the NTP setting is the following:
• NTP IP address: 192.168.2.14
Click the Configuration Menu at the upper-right side of the screen and choose
the NTP Server menu item.



Verify that the NTP server IP address configured is 192.168.2.14. If a different
NTP IP address is used, then enable the NTP Delete check box and then enter a
new NTP server IP address 192.168.2.14. Then click Add New.

Step 5 Enable Global Threat Analytics on the Flow Collector.


To configure the Cognitive Intelligence component on the Stealthwatch Management Console, click the Configuration Menu at the upper-right side of the screen and choose the External Services menu item.



Mark the check box for Enable Cognitive Analytics and Automatic Updates.

Click Apply Settings to commit the configuration change.



A verification dialog will be displayed. Click Apply Changes.
Step 6 From Stealthwatch Central Management Appliance Manager, locate the
smc01 in the Appliance Inventory list and click the ellipsis (...) in the Actions
column and select Edit Appliance Configuration from the menu.
Open the Admin-PC console and click on the Google Chrome icon.

Step 7 From the Appliance Configuration – SMC, click the Configuration Menu at the upper-right side of the screen, choose the Host Naming menu item, and verify that the following SMC System settings are configured:
• SMC IP address: 192.168.2.35
• SMC hostname: smc-01
• Domain Name: isesda.com



The following System web page will be loaded, where you can review the System
IP address, hostname and domain name configured.

Step 8 From the Stealthwatch Appliance Configuration – SMC GUI, verify that the DNS and NTP settings are the following:
• NTP IP Address: 192.168.2.14
• DNS IP address: 192.168.2.14
Click the Configuration Menu at the upper-right side of the screen and choose
the NTP Server menu item.



Verify that the NTP server IP address configured is 192.168.2.14. If a different
NTP IP address is used, then enable the NTP Delete check box and then enter a
new NTP server IP address 192.168.2.14. Then click Add New.

The DNS Server table above reports that this SMC System is configured with
DNS Server IP address 192.168.2.14.
Step 9 Verify that Global Threat Analytics is enabled on the SMC.
To verify that the Cognitive Intelligence component is enabled on the SMC, click the Configuration Menu at the upper-right side of the screen and choose the External Services menu item.



Verify that Enable Cognitive Analytics and Automatic Updates is enabled.

Step 10 Open SMC Desktop Client Application on the Desktop.



Note If the Stealthwatch Desktop Client is not installed, please follow the below instructions.

Return to your SMC's Security Insight Dashboard page if you already have it open. If not, you can access it by entering https://192.168.2.35 in the URL field or by selecting the SMC bookmark. Log in using the username admin with the password ISEisC00L. Then click Sign In.

Click the Desktop Client button in the top right of the screen. Your web browser
will now download the Stealthwatch_Desktop_Client-v7.1.3.exe file.
In the Security Warning pop-up window, click Run.



Once the installation is complete, it will prompt for authentication. Log in with the credentials below:
• Username: admin
• Password: ISEisC00L
• SMC Server name: 192.168.2.35



The following SMC Desktop Client GUI will open.



Step 11 In the SMC (Client Interface GUI) on the Admin-PC VM, verify that the Flow Collector under the isesda.com domain is preconfigured with the following parameters and has synchronized its data:
• FC Name: fcfn-01
• IP address: 192.168.2.29
• Manager Username: admin
• Manager Password: ISEisC00L
• Event Username: admin
• Password: ISEisC00L
On the Admin-PC, open the StealthWatch Management Console window and
navigate within the left window to the Enterprise > rscat9k.local > Flow
Collectors and expand the FlowCollectors folder.



Note If the flow collector is already configured, move on to the next step.

Step 12 Return to your SMC's Security Insight Dashboard page and use the Flow Search feature to find the HTTPS flows that you generated, using the following parameters:
• Search Type: flow
• Time Range: Last 30 Days
• Applications: HTTPS
• Port/Protocol: 443/tcp
From the SMC VE GUI landing page, navigate to the Analyze > Flow Search
web page.



Configure the following flow search parameters in the Flow Search window. Then, click Search.
• Search Type: flow
• Time Range: Last 30 Days
• Applications: HTTPS and HTTPS (unclassified)

After you click Search, the SMC VE GUI should report the following results of the
discovered HTTPS flow between the Web Server 192.168.8.200 and the Web
Client 192.168.2.111.

Note You can switch between the two views of the Flow Search Results, the listing or the iconized view, by using the switch on the right side of the Flow Search Result window.



Step 13 From the Admin-PC console, open the SMC (Client Interface GUI) and make sure that the following host subnets are included in the Host Groups under the Inside Hosts for the Enterprise domain rscat9k.local:
• 192.168.8.0/24
• 192.168.2.0/24
From the Admin-PC console, open the SMC (Web Client GUI) window and
navigate to the Enterprise > rscat9k.local > Inside Hosts. Right-click the Inside
Hosts and select the Configuration > Edit Host Groups from the associated
menu options.



If you are asked to re-enter the admin password, then provide the password
ISEisC00L and click Login.



Step 14 In the left window of the Host Group Editor, navigate to the Inside Hosts >
Catch All. Right-click the Catch All and select the Configuration > Edit Host
Groups from the associated menu options.



Verify that the subnets, in the window on the right side, cover the subnets
192.168.2.0/24 and 192.168.8.0/24.



Task 5: Inspect ETA Results and Reports in the SMC (Web Client GUI)
In this task, you will perform the following actions:
• Generate the HTTPS traffic for ETA.
• Generate the suspicious ICMP traffic for ETA.
• Inspect the ETA reports and results in SMC (Web Client GUI) related to the generated HTTPS and the ICMP traffic.

Activity Procedure
Complete the following steps:
Step 1 From the Admin-PC, download the web page at the https://192.168.8.200/indexy.html URL a few times to generate HTTPS traffic from the 192.168.8.200 Web Server to the 192.168.2.111 Web Client for your later inspection.
Connect to the Admin-PC console and click on the Google Chrome browser icon on the Ubuntu Desktop.




From the Google Chrome browser Tools menu, select the Clear browsing
data... option.

In the new window, select All time value from the Time range drop-down menu.
Make sure all boxes are checked. Click the Clear data button again.



From the Google Chrome browser menu, navigate to the Tools > Developer
Tools.



In the new Developer tools window menu, select the Network tab and select the Disable cache checkbox. Caching is disabled only while the Developer Tools window stays open. You can shrink the tools to the right side of the browser.



Now you will download the same webpage from this Web Server a few times across the POD-9300 and Peer-POD-9300 switch network. Open the Chrome browser and navigate to https://192.168.8.200.
If the Your connection is not private webpage is loaded, click on the
Advanced link.

Then click on the Proceed to 192.168.8.200 (unsafe) in the new webpage that is
loaded.



Finally, you should see the following webpage download from the Web Server
192.168.8.200:



Reload the same https://192.168.8.200 page in the Chrome browser a few times by pressing the refresh button several times, to generate some more HTTPS traffic flows across the POD-9300 and Peer-POD-9300 Gig1/0/4 interfaces.



Step 2 On the POD-9300 switch console, trigger the ping command to the remote Peer-POD-9300 switch interface Gi1/0/4 IP address using the following ping parameters:
• Protocol [ip]: ip
• Target IP address: <Peer-POD GigabitEthernet 1/0/4 IP>
• Repeat count [5]: 20000
• Datagram size [100]: 1500
• Timeout in seconds [2]: 2
Connect to the POD-9300 switch console and start the ping command using the following parameters:
• Protocol [ip]: ip
• Target IP address: <Peer-POD GigabitEthernet 1/0/4 IP>
• Repeat count [5]: 20000
• Datagram size [100]: 1500
• Timeout in seconds [2]: 2

9300#ping
Protocol [ip]: ip
Target IP address: <Peer-POD GigabitEthernet 1/0/4 IP>
Repeat count [5]: 20000
Datagram size [100]: 1500
Timeout in seconds [2]: 2
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 20, 150-byte ICMP Echos to 192.168.7.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Let this pinging process remain in progress so that it can be completed.


Step 3 On the Admin-PC, open the SMC and inspect the Flow table for the following flows:
• Domain name: isesda.com
• Host Group: Inside Host
• Present flows from the following time interval: Last 1 day
Open the Admin-PC Console and click on the SMC icon from the left menu bar,
to open the SMC.

Navigate to the Enterprise > isesda.com > Inside Hosts > Catch All. Right-
click on the Catch All folder and then select Flows > Flow Table.



Click the Flow Table Filter icon.

In the Filter—Flow Table dialog box, choose the Ports and Protocols parameter and filter by protocol:
• Date/Time: For the last 1 day, 0 hours, 0 minutes
Then click OK.

Inspect the generated Flow Table; the most recent flows should correspond to the following two application traffic flows:
• HTTPS packets from the Web Server (192.168.8.200) to the Admin-PC Client (192.168.2.111)
• ICMP Echo Reply packets from the POD-9300 switch interface GigabitEthernet 1/0/4 to the Peer-POD-9300 switch interface GigabitEthernet 1/0/4



Note The Start Active Time reported for these two flows may not exactly match the time on the switch
when the flow was initiated, because not all NTP clients in this lab are using the same NTP server in
the same time zone.

Step 4 In the SMC, generate the Transaction Report for the 192.168.2.111 Admin-PC
Host.
In the SMC, right-click the Client Host field for one of the 192.168.7.1 and 192.168.7.2 Client Hosts and, from the menu, select Quick View This Row.

The following two windows will show a visual presentation of flow packet
directions in the Quick View window for each of the two flows:



Step 5 In the SMC, generate the traffic reports for the Top Applications of the
rscat9k.local group of Inside Hosts for the last one day period.
In the SMC, navigate to the Enterprise > rscat9k.local > Inside Hosts > Catch
All and right-click the Catch All. From the associated menu, select the Top >
Application > Total.



You should see the following Table reports using Filter for the period of the last 2
days.

Step 6 In the SMC, generate the daily security events and reports for the traffic flows
detected and analyzed by the Flow Collector and SMC for the rscat9k.local
Inside Hosts group.
In the SMC, navigate to the Reports > Daily Report (Today) and view the
resulting report.



You should see the following report, which warns you that a ping oversized packet flow was detected. Security Events are reported under this table. This output reports an ICMP flood, from the 20,000 pings that you generated earlier.

If you had more traffic flow generated, then you could view the detailed alarm
reports here for the last day.
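The Flow Search filters used in Task 4 Step 12 and the two ICMP security events this step reports, as an added Python example that is not part of the lab guide and not Stealthwatch code: it filters constructed flow records the way the SMC Flow Search does (time range, port/protocol, subject host, membership in the Inside Hosts subnets from Steps 13 and 14) and raises the ping oversized packet and ICMP flood events over the result. The thresholds PING_OVERSIZED_BYTES and ICMP_FLOOD_PACKETS are assumptions for this example, not Stealthwatch policy defaults, and every flow record is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Host groups as the lab configures them under Inside Hosts > Catch All
INSIDE_HOSTS = [ip_network("192.168.2.0/24"), ip_network("192.168.8.0/24")]

# Thresholds are assumptions for this example, not Stealthwatch policy defaults
PING_OVERSIZED_BYTES = 1024   # average ICMP datagram larger than this is "oversized"
ICMP_FLOOD_PACKETS = 1000     # more ICMP packets than this in one flow is a "flood"


@dataclass
class Flow:
    """One bidirectional flow record as a Flow Collector would store it."""
    start: datetime
    client: str
    server: str
    protocol: str   # "tcp", "udp" or "icmp"
    port: int       # server port; 0 for ICMP
    packets: int
    byte_count: int

    def avg_packet_size(self) -> int:
        return self.byte_count // max(self.packets, 1)


def in_inside_hosts(ip: str) -> bool:
    """True when the address falls inside one of the Inside Hosts subnets."""
    addr = ip_address(ip)
    return any(addr in net for net in INSIDE_HOSTS)


def flow_search(flows, now, days=1, protocol=None, port=None, subject=None, inside_only=False):
    """Apply the same filters the SMC Flow Search offers and return the matching flows."""
    since = now - timedelta(days=days)
    matches = []
    for f in flows:
        if f.start < since:
            continue
        if protocol and f.protocol != protocol:
            continue
        if port is not None and f.port != port:
            continue
        if subject and subject not in (f.client, f.server):
            continue
        if inside_only and not (in_inside_hosts(f.client) or in_inside_hosts(f.server)):
            continue
        matches.append(f)
    return matches


def icmp_security_events(flows):
    """Raise the two ICMP event types the lab's Daily Report shows, as (event, client, server, detail)."""
    events = []
    for f in flows:
        if f.protocol != "icmp":
            continue
        if f.avg_packet_size() > PING_OVERSIZED_BYTES:
            events.append(("Ping Oversized Packet", f.client, f.server,
                           f"average datagram {f.avg_packet_size()} bytes"))
        if f.packets > ICMP_FLOOD_PACKETS:
            events.append(("ICMP Flood", f.client, f.server, f"{f.packets} packets"))
    return events


NOW = datetime(2025, 3, 1, 12, 0)
# Constructed records resembling what the Flow Collector holds after Task 5:
# today's HTTPS download, the 20000 x 1500-byte ping, a normal ping, and a 40-day-old HTTPS flow
SAMPLE_FLOWS = [
    Flow(NOW - timedelta(hours=1), "192.168.2.111", "192.168.8.200", "tcp", 443, 120, 98000),
    Flow(NOW - timedelta(minutes=30), "192.168.7.1", "192.168.7.2", "icmp", 0, 20000, 30000000),
    Flow(NOW - timedelta(minutes=5), "192.168.2.111", "192.168.2.14", "icmp", 0, 5, 500),
    Flow(NOW - timedelta(days=40), "192.168.2.111", "192.168.8.200", "tcp", 443, 10, 8000),
]

if __name__ == "__main__":
    for f in flow_search(SAMPLE_FLOWS, NOW, days=30, protocol="tcp", port=443):
        print("HTTPS flow", f.client, "->", f.server, "at", f.start)
    for event in icmp_security_events(flow_search(SAMPLE_FLOWS, NOW, days=1)):
        print(*event)
```

Running it lists the one HTTPS flow inside the 30-day window and the two events for the 192.168.7.1 to 192.168.7.2 ping flow; the 5-packet ping to the DNS server raises nothing, which is the distinction the Daily Report draws between routine ICMP and the flow you generated.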



Note The following two SMC GUI reports are not generated in this lab topology, but are just an example
of what Alarm records and reports could be generated by SMC in a more complex network
environment.

In the SMC GUI, you can generate the Summary or Alarms for the traffic flows detected and analyzed for a specific group of hosts in a specific domain. SMC Alarm Reports, such as the production-system Alarm Report in the example below, list many alarms related to suspicious traffic types, mail rejects, port scans, fake applications, and so on.
The following is an example of the SMC GUI graphical Alarm reports for the traffic in a lab environment where more diverse traffic types are generated and thus analyzed.

The SMC GUI also supports more detailed Alarm Reports for each selected alarm, such as the one below, where the source host IP address and target host IP addresses are provided along with the associated detailed description of the Alarm.



Task 6: Perform a Crypto Audit Using the SMC VE (Optional)
In this task, you will use SMC Virtual Edition (VE) to perform a Crypto Audit for the flows that are traversing your network. The SMC VE can perform deep analysis of the encrypted data of these flows, to detect events that are possibly initiated by these flows and represent a security threat to your enterprise network.
HTTPS is the HTTP protocol encrypted by Transport Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL). The benefit of using HTTPS over HTTP is that HTTPS provides authentication of the accessed websites and protects the privacy and integrity of the exchanged data while in transit. It protects data against man-in-the-middle attacks, eavesdropping, and tampering with communication.
Crypto Audit is the capability of SMC VE to view and report on, and eventually alert and alarm on, the crypto fields in the Stealthwatch database. The crypto audit functionality provides detailed information about the cipher suites used for HTTPS communications, including the encryption version, key exchange, key length, cipher suite, authentication algorithm, and hash used. With the crypto audit functionality enabled by ETA, the unencrypted metadata in the Client Hello and Client Key Exchange messages provides information that can be used to make inferences about the client's TLS library and the cipher suites used.
The collection of this information begins with the initial data packet (IDP), or first packet of the flow, and continues through the subsequent messages comprising the TLS handshake. This data is then exported by the device via NetFlow and collected at the Stealthwatch Flow Collector (FC). Once collected, these records can be queried by the Stealthwatch Management Console (SMC) for analysis. These flow records can be collected by a Stealthwatch Flow Collector over time and then filtered, searched through, and reported on at the Stealthwatch Management Console for auditing purposes, ensuring that the most secure cipher suites are used to secure confidential information as well as providing evidence of regulatory compliance.
Both switches to which the servers are attached, and through which the traffic flows, support Flexible NetFlow. However, all communications are encrypted using HTTPS for transport. The information collected via NetFlow shows that the application is HTTPS, along with information related to source and destination addressing and other characteristics of the flow, but nothing further. The only means to check whether TLS and not SSL is being used, and what version of either has been negotiated, is through a packet capture. This is used to collect the IDP and subsequent handshake messages at the switch, plus additional confirmation of the settings at the endpoint itself.
You can enable ETA on switch interfaces and passively monitor the encrypted flows. During the initial conversation between the servers, the client's IDP initiating the TLS handshake and several subsequent unencrypted messages are collected. Once exported to the NetFlow Collector, the unencrypted metadata can be used to collect information regarding the cipher suite, version, and client's public key length as reported by the cipher suite. Also, all traffic destined to cloud-based services can be analyzed in the Cognitive Threat Analytics Cloud for any suspicious activity.
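The unencrypted ClientHello metadata that the paragraphs above describe, as an added Python example that is not part of the lab guide and not Stealthwatch or ETA code: it builds a constructed TLS record carrying a ClientHello (the IDP of an HTTPS flow), parses the version, cipher suite list, server_name and supported_versions fields out of it, decodes the offered suites into the key exchange, authentication, bulk cipher and MAC columns the crypto audit table reports, and flags offers that fall below TLS 1.2 or include RC4 or 3DES. The cipher suite code values are real IANA assignments; the audit thresholds (WEAK_VERSIONS, WEAK_CIPHERS), the hostnames and the sample hellos are assumptions constructed for this example.

```python
import struct

# Real IANA cipher suite codes, decoded into the fields a crypto audit reports:
# (name, key exchange, authentication, bulk cipher, MAC/PRF hash)
CIPHER_SUITES = {
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE", "RSA", "AES-128-GCM", "SHA256"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE", "RSA", "AES-256-GCM", "SHA384"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE", "ECDSA", "AES-128-GCM", "SHA256"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA", "RSA", "AES-128-GCM", "SHA256"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "RSA", "AES-128-CBC", "SHA1"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", "RSA", "3DES-CBC", "SHA1"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA", "RSA", "RC4-128", "SHA1"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "(EC)DHE", "certificate", "AES-128-GCM", "SHA256"),
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Audit policy for this example (an assumption, not a Stealthwatch default)
WEAK_VERSIONS = {0x0300, 0x0301, 0x0302}
WEAK_CIPHERS = ("RC4", "3DES")


def build_client_hello(version, suites, sni, supported_versions=()):
    """Construct a TLS record carrying a ClientHello (sample input, not a real capture)."""
    host = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host      # server_name list
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    if supported_versions:
        sv = bytes([2 * len(supported_versions)])
        sv += b"".join(struct.pack("!H", v) for v in supported_versions)
        ext += struct.pack("!HH", 0x002B, len(sv)) + sv
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"        # version, zero random, empty session id
    hello += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                                             # one compression method: null
    hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 22


def parse_client_hello(record):
    """Extract the unencrypted ClientHello metadata that ETA exports from the IDP."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                       # skip the 32-byte client random
    pos += 1 + hello[pos]                              # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                              # skip compression methods
    sni, supported_versions = None, []
    if pos + 2 <= len(hello):
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            edata = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000:                        # server_name: list len(2), type(1), name len(2), name
                sni = edata[5:5 + struct.unpack("!H", edata[3:5])[0]].decode("ascii")
            elif etype == 0x002B:                      # supported_versions: len(1), 2-byte versions
                supported_versions = [struct.unpack("!H", edata[i:i + 2])[0]
                                      for i in range(1, 1 + edata[0], 2)]
    return {"client_version": client_version, "cipher_suites": suites,
            "sni": sni, "supported_versions": supported_versions}


def crypto_audit(record):
    """Decode the offered suites into audit columns and flag weak version or cipher offers."""
    meta = parse_client_hello(record)
    highest = max(meta["supported_versions"] or [meta["client_version"]])
    findings = []
    if highest in WEAK_VERSIONS:
        findings.append(f"offers no version newer than {VERSIONS.get(highest, hex(highest))}")
    suites = []
    for code in meta["cipher_suites"]:
        name, kx, auth, cipher, mac = CIPHER_SUITES.get(code, (f"UNKNOWN_{code:04X}", "?", "?", "?", "?"))
        suites.append({"code": code, "name": name, "key_exchange": kx,
                       "auth": auth, "cipher": cipher, "mac": mac})
        if any(w in cipher for w in WEAK_CIPHERS):
            findings.append(f"offers weak cipher suite {name}")
    return {"sni": meta["sni"], "version": VERSIONS.get(highest, hex(highest)),
            "suites": suites, "findings": findings}


# Constructed samples: a client like the lab's (TLS 1.2, ECDHE / RSA / AES-128) and a legacy one
MODERN_HELLO = build_client_hello(0x0303, [0xC02F, 0xC030, 0x000A], "webserver.isesda.com")
LEGACY_HELLO = build_client_hello(0x0301, [0x0005, 0x002F], "legacy.isesda.com")

if __name__ == "__main__":
    for label, rec in (("modern", MODERN_HELLO), ("legacy", LEGACY_HELLO)):
        report = crypto_audit(rec)
        print(label, report["sni"], report["version"],
              [s["name"] for s in report["suites"]], report["findings"])
```

The parser only reads fields that are sent in the clear before any key is established, which is exactly why a passive observer such as an ETA-enabled switch can export them without decrypting the session; the audit output for MODERN_HELLO lines up with the TLS 1.2 / ECDHE / AES 128 / RSA columns the lab's Flow Search table reports in Step 1 below.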



Activity Procedure
Complete the following steps:
Step 1 Return to your SMC's Security Insight Dashboard page if you already have it open. If not, you can access it by entering https://192.168.2.35 in the URL field or by selecting the SMC bookmark. Search for the HTTPS flow that you generated today using the following flow parameters:
• Time Range: Last 1 day
• Subject–Host IP Address or Range: 192.168.8.200
• Port/Protocol: 443/TCP
• Applications: HTTPS (unclassified)
In the SMC’s Security Insight Dashboard, navigate to Analyze > Flow Search.

In the Flow Search window, select the Time Range Today drop-down and click
Applications.



The new Application Selector window on the right will open.



In the Application Selector window, select the HTTPS and HTTPS (unclassified)
application type, then click Apply.



With search criteria defined, click Search. The search begins.



After the search is completed, the following screen appears showing HTTPS
flows and information derived from the IDP and TLS handshake. Notice that the
ETA-specific data elements are not presented. To enable the display of that
information, click Manage Columns.

A pop-up appears. Scroll down and select the encryption fields to be added to
the columns displayed. After selecting all encryption fields, scroll down and click
Set.



Once the settings have been saved, the following screen now appears with all
the encryption fields selected, and reported for the searched HTTPS flow.



This table reports that your HTTPS flow uses the following encryption protocols and parameters:
• TLS/SSL version: TLS 1.2
• Encryption key: ECDHE
• Encryption key: AES 128-bit long option
• Authentication Algorithm: RSA
• Encryption MAC: RSA
