Cisco Stealthwatch Learning Network License Virtual Service Installation Guide, Version 1.1
First Published: 2016-11-14
Last Modified: 2017-03-15
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000 800 553-NETS (6387)
Fax: 408 527-0883
© 2016 Cisco Systems, Inc. All rights reserved.
CONTENTS
CHAPTER 1 Introduction 1
Learning Network License Introduction 1
Example Deployment 2
Example Learning Network License Deployment 3
System Performance 4
Security and Internet Access 4
Installing the Learning Network License System 5
CHAPTER 2 Installation Prerequisites 7
Installation Prerequisites 7
Learning Network License and Licensing 7
ISE Server Requirements 9
Controller Host Requirements 9
Controller Installation Prerequisites 9
ISR Platform Requirements 12
ISR 4000 Series Platform Requirements 12
Verifying ISR Platform Requirements 13
Example ISR Platform Requirements 14
ISR Configuration Prerequisites 15
ISR License Installation 16
Agent and ISR Interaction 16
Communication Ports 17
Agent Installation Prerequisites 19
Agent Configuration Prerequisites 20
Downloading the OVA Files from Cisco 21
Obtaining a File's Checksum from cisco.com 21
CHAPTER 3 Controller Installation 23
Cisco Stealthwatch Learning Network License Virtual Service Installation Guide, Version 1.1 iii
Installing the Controller 23
Controller Deployment 24
Deploying the OVA File 24
Powering On the Virtual Machine 26
Controller Virtual Hard Disk Storage 26
Controller Virtual Hard Disk Allocation Expansion 26
Editing VM Settings to Increase Virtual Hard Disk Size 27
Extending a Virtual Hard Disk Partition 27
Updating the Filesystem for an Extended Virtual Hard Disk Partition 28
Adding a New Virtual Hard Disk Partition Larger than 2 TB 29
Updating the Filesystem for the New Virtual Hard Disk Partition 30
Controller Virtual Hard Disk Addition 31
Editing VM Settings for a New Hard Disk 32
Adding a New Hard Disk 32
Updating the Filesystem for the New Hard Disk 33
Custom Controller Web UI Certificates 34
Uploading a Private Key Password 35
Uploading Custom Controller Web UI Certificates 36
Controller Setup Script 37
Configuring the Controller with the Setup Script 38
Controller Setup Script Example 40
Resetting the Administrator Password 42
Disabling Host Time Synchronization 43
Logging into the Controller Web UI 44
Verifying NTP Configuration on the Controller 44
CHAPTER 4 Controller and Agent Communications 47
Configuring Controller/Agent Communications 47
Controller and Agent Communications Overview 47
Controller Certificate Management 48
Updating the Controller Configuration 48
Restarting Controller Processes 49
Updating Administrator Credentials 49
CHAPTER 5 Network Element Configuration 51
Configuring a Network Element 51
NTP Configuration 51
Configuring NTP on the ISR 52
SSH Configuration 53
CHAPTER 6 Virtual Service Install Script 55
Deploying Agents Using the Install Script 55
ISR Hardware Configuration 55
Install Script Overview 56
Install Script Deployment 56
Agent Properties File Overview 60
Agent Properties File Settings 60
Configuring VRF Forwarding on the ISR 68
Updating the Agent Properties File 69
Install Script Operation 70
Install Script Options 70
Running the Install Script 71
Script Logs 72
Accessing the Install Script Logs 72
CHAPTER 7 Agent Management 75
Managing and Licensing Agents 75
Smart Licensing Overview 75
Smart Software Manager 76
Smart License Types 76
Smart Licensing Configuration 77
Smart Licensing Configuration File Settings 77
Updating the Smart Licensing Configuration File 78
Restarting the Controller Processes 80
Logging into the Controller Web UI 80
Registering the Controller Instance 80
Interface Configuration 81
Enabling Agents on the Controller 83
Configuring Agent Network Settings 83
Agent Configuration Templates 84
Applying a Template to an Agent 85
CHAPTER 8 Initial Learning Phase 87
Initial Learning Phase Overview 87
CHAPTER 9 Next Steps 89
Next Steps 89
For Assistance 89
APPENDIX A Logging Configuration 91
Logging Configuration Overview 91
The Controller Logging Configuration File 92
syslog Export to External Hosts 92
Updating a syslog Target Host 94
Logging Timestamps 96
Updating Logging Configuration Files for UTC Timestamps 96
Updating UTC Timestamps for the Controller Monitor Logs 97
Accessing Audit and Event Log Files 98
Audit Log Fields 98
Event Log Fields 100
Event Log Message Examples 101
Smart Licensing Log Fields 101
Accessing Controller General Log Files 101
Accessing Agent Log Files 102
Exporting Agent Troubleshooting Files 103
APPENDIX B pxGrid Integration 105
Integrating pxGrid 105
ISE pxGrid Demo 106
pxGrid Demo Properties Table 106
Configuring an ISE pxGrid Demo 107
Enable the pxGrid Demo 108
Controller pxGrid Client Certificates 108
Generating pxGrid Client Certificates 109
Exporting an ISE Identity Certificate 111
Adding pxGrid Certificates to Stores 111
pxGrid Properties Configuration 113
pxGrid Properties Table 114
Configuring pxGrid 114
pxGrid Activation 115
Activating pxGrid Integration 115
Restarting Controller Processes 116
ISE Server Settings Update 117
Controller Process Restart 117
APPENDIX C Controller Database Cleanup 119
Controller Database Cleanup 119
Controller Database Cleanup Notes 120
Checking Disk Usage 120
APPENDIX D Database Backup Restore 123
Database Backup Restore 123
Reinstalling Failed Upgrade Packages 123
Restoring a Database from a Backup 125
APPENDIX E Additional Controller Configuration 129
Additional Controller Configuration 129
Restarting the Controller Processes 130
APPENDIX F NetFlow Configuration Overview 131
NetFlow Configuration 131
NetFlow Configuration Fields 132
APPENDIX G Troubleshooting 135
Time Synchronization 135
Initial Anomaly Display Issues 135
Maximum Managed Agents 136
Disabled Functionality 136
Controller Administrator Password Reset 136
Resetting the Controller Administrator Password 136
Performance Issues 137
Certificate Fingerprint Retrieval 137
Viewing a Controller Client Certificate Fingerprint from the Agent 137
Viewing a Controller Client Certificate Fingerprint from the Controller 138
Viewing an Agent Server Certificate Fingerprint from the Agent 138
Viewing an Agent Server Certificate Fingerprint from the Controller Web UI 139
Connectivity Issues 139
Confirming Interface Connectivity 139
Agent Status Messages 139
Status Code: 2000 139
Status Code: 2001 140
Uploading an Agent Certificate Fingerprint 141
Enabling Support for Self-Signed Certificates 143
Status Code: 2002 144
Clearing a Pinned Controller Certificate from an Agent 144
Uploading a Controller Certificate Fingerprint 146
Enabling Trust on First Use 147
Status Code: 2003 148
Status Code: 2004 148
Status Code: 2005 149
Status Code: 2006 149
Status Code: 2010 150
Status Code: ALLOCFAIL 150
Status Code: DNSQEVENTSPERBINLIMIT 150
Status Code: DNSQKEYSPERBINLIMIT 151
Status Code: DNSREVENTSPERBINLIMIT 151
Status Code: DNSRKEYSPERBINLIMIT 151
Status Code: HOSTLIMITEXT 151
Status Code: HOSTLIMITINT 152
Status Code: HOSTSDROPPEDEXT 152
Status Code: HOSTSDROPPEDINT 152
Status Code: IPLOCCHANGED 152
Status Code: IPLOCINVAL 153
Status Code: NECONNFAIL 154
Status Code: NENOAUTH 155
Status Code: NENOIP 155
Status Code: NFDRPFLD 156
Status Code: NFDRPNOINTF 157
Status Code: NFDRPSYNT 157
Status Code: NFDRPVER 158
Status Code: NFEVENTSPERBINLIMIT 159
Status Code: NFKEYSPERBINLIMIT 159
Status Code: NFNORCV 159
Status Code: SOLTCOLLECTIONSLIMIT1 160
Status Code: SOLTCOLLECTIONSLIMIT2 160
Status Code: TOPOFAIL 160
Status Code: VERSCOMPONENT 161
Status Code: WARMBADFILE 162
Status Code: WARMNOFILE 162
Status Code: WARMSTATEVAL 162
APPENDIX H Uninstallation 163
Uninstalling the Learning Network License System 163
Controller Web UI Uninstallation 164
Deleting All Mitigations 164
Disabling PBC/DPI on an Interface 165
Disabling All Agents 165
Deregistering a Controller from Smart Licensing 165
Agent Removal from a Virtual Service 166
Modifying the Install Properties File 166
Install and Update Properties File Storage 167
Renaming an Install Log File 167
Uninstalling Agents Using the Install Script 167
Controller Removal from an ESXi Host 168
Removing a VM from an ESXi Host 168
CHAPTER 1 Introduction
The following provides an introduction to installing the Cisco Stealthwatch Learning Network License (Learning Network License) platform, installing a controller on an ESXi host, and deploying an agent as a virtual service.
If your Network Element supports installing an agent on a UCS E-Series blade server, see the Cisco Stealthwatch Learning Network License UCS E-Series Blade Server Installation Guide.
• Learning Network License Introduction, page 1
• Example Deployment, page 2
• Example Learning Network License Deployment, page 3
• System Performance, page 4
• Security and Internet Access, page 4
• Installing the Learning Network License System, page 5
Learning Network License Introduction
The Learning Network License system is a hyper-distributed analytics architecture that inspects your network traffic and applies machine learning algorithms to perform a behavioral analysis. As a result, the system can identify anomalous behavior, such as malware, distributed botnets, data exfiltration, and more.
You deploy multiple agents to your network edge to inspect traffic. These agents report the anomalies in real time to the controller for additional system and user analysis. Based on the anomalies, you can provide relevance feedback, which the system incorporates into internal traffic models. This allows the system to better identify and report anomalies of interest.
You can also configure mitigations based on anomaly properties, such as hosts involved and application traffic transferred. These mitigations reduce or eliminate the impact of detected anomalies now and in the future. The combination of behavioral analysis, user feedback, and traffic mitigation customizes the system to address the threats specific to your network and better protect your users.
Example Deployment
Figure 1: Example Security Deployment, on page 2 illustrates an example security deployment within an enterprise network.
Figure 1: Example Security Deployment
To install the Cisco Stealthwatch Learning Network License system, the organization deploys:
• an ESXi host running a controller in the network core
• a Cisco ISR running an agent in each branch, between the hosts and the internet
The organization also deploys an optional Cisco SNS-3415 to collect ISE user identity data. Though not required for Learning Network License, the user identity data provides additional context to anomalies.
Though a Learning Network License controller can manage up to 1000 agents, the diagram only shows a controller managing two agents.
Example Learning Network License Deployment
Figure 2: Example Learning Network License Deployment, on page 3 illustrates the Learning Network License system, focusing on the interaction among Learning Network License components.
Figure 2: Example Learning Network License Deployment
Both agents transfer management traffic, including anomaly data, over a TCP connection to the controller. The controller transfers management traffic, including mitigations, back to the agents over the same connection.
The controller integrates with other systems. It consumes threat intelligence from Talos to better identify traffic anomalies and malicious behavior, as well as user identity information from ISE to provide details about hosts involved in anomalies.
The controller implements a northbound RESTful API for mitigations. Other authorized security appliances can use this API to take mitigation actions on traffic in the network.
System Performance
It is not possible to accurately predict throughput and processing capacity for controller and agent virtual appliances. A number of factors heavily influence performance, such as the:
• amount of memory and CPU capacity of the ESXi host and router running the virtual service
• number of total virtual machines running on the ESXi host and router
• number of sensing interfaces, network performance, and interface speed
• amount of resources assigned to each virtual machine
• level of activity of other virtual appliances sharing the ESXi host and router
• complexity of mitigation policies applied to an agent
VMware provides a number of performance measurement and resource allocation tools. Use these tools on the ESXi host while you run your virtual appliance to monitor traffic and determine throughput. If the throughput is not satisfactory, adjust the resources assigned to the virtual appliances that share the ESXi host.
Note: You can enable VMware tools to improve the performance and management of your virtual appliances. Alternatively, you can install tools (such as esxtop or VMware/third-party add-ons) on the host or in the virtualization management layer (not the guest layer) on the ESXi host to examine virtual performance.
Security and Internet Access
Management traffic sent from the agent to the controller includes health checks and anomaly data. The bandwidth required varies based on multiple factors, including the nature of your network traffic and how the system learns and prioritizes detected anomalies. However, the system rate-limits the total amount of anomaly data sent by an agent per day, ensuring that agents do not overwhelm your network by sending extraneous anomalies. The agent only reports anomalies of interest, based on user feedback and the machine learning algorithms.
Encrypted management traffic sent from the controller to the agent includes:
• health check requests
• mitigations
• requests for anomaly-related PCAP files if packet buffer capture (PBC) is enabled
• startup files when managed agents restart and do not have certain local files
Each mitigation is relatively small, measured in kilobytes.
Installing the Learning Network License System
The following provides a high-level overview of installing the Learning Network License system.
Step 1 Ensure your Network Elements support installing the Learning Network License system, and have the proper licenses and hardware. See Installation Prerequisites, on page 7 for more information.
Step 2 Deploy a separate ESXi host to run the controller. See Controller Host Requirements, on page 9 for more information.
Step 3 Download the agent and controller OVA files at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html. See Downloading the OVA Files from Cisco, on page 21 for more information.
Step 4 Deploy the controller to the ESXi host. Log into the controller VM console. Run the setup script to configure the network connection and NTP servers, and to generate public key certificates. See Installing the Controller, on page 23 for more information.
Step 5 Update the controller configuration file to configure public key certificate management settings, then log into the controller web UI to update administrator credentials. See Controller and Agent Communications Overview, on page 47 for more information.
Step 6 Configure NTP servers on your Network Element. See NTP Configuration, on page 51 for more information.
Step 7 Deploy the agent as a virtual service to a Network Element. See Deploying Agents Using the Install Script, on page 55 for more information.
Step 8 Log into the controller web UI, then enable and configure your agents with the controller as described in Enabling Agents on the Controller, on page 83.
Step 9 Allow the system an initial learning phase to create a baseline model of your network traffic. See Initial Learning Phase Overview, on page 87 for more information.
What to Do Next
• Fine-tune your configuration, inspect anomalies, and mitigate anomalous traffic, as described in Next Steps, on page 89.
• Optionally, enable audit and event logging on the controller. See Logging Configuration Overview, on page 91 for more information.
• Optionally, integrate your deployment with ISE by configuring pxGrid. See Integrating pxGrid, on page 105 for more information.
• Optionally, configure a pxGrid integration demo to populate anomalies with sample user identity data. You do not need to have ISE deployed to your environment for the pxGrid integration demo. See ISE pxGrid Demo, on page 106 for more information.
CHAPTER 2 Installation Prerequisites
The following describes Learning Network License installation prerequisites and system configuration prerequisites.
• Installation Prerequisites, page 7
• Learning Network License and Licensing, page 7
• ISE Server Requirements, page 9
• Controller Host Requirements, page 9
• ISR Platform Requirements, page 12
• Agent and ISR Interaction, page 16
• Communication Ports, page 17
• Agent Installation Prerequisites, page 19
• Downloading the OVA Files from Cisco, page 21
Installation Prerequisites
When you deploy the Learning Network License system, obtain or configure the following:
• open ports for system functionality
• an ESXi host for the controller
• a Network Element capable of running the agent as a virtual service (container)
• the proper licensing for your Network Element
• the controller and agent OVA files
Learning Network License and Licensing
To properly deploy your Learning Network License system, you must obtain the proper IOS Licenses for your ISRs, as well as the proper Smart Licenses for Learning Network License.
To run an agent on an ISR, you must activate an IP Base (ipbasek9) IOS license, and a Data (datak9) or App (appxk9) IOS license. See http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html for more information on activating the licenses.
You must also obtain the appropriate Smart License entitlement for each controller and agent you deploy.
Table 1: Smart License Entitlement Types

Learning Network License Component: controller
License Entitlement and Description:
• L-SW-SCA-K9 - SCA Virtual Manager
Associated File Downloads and Description:
• sln-sca-k9-<ver>.ova - single controller OVA

Learning Network License Component: agent deployed as a virtual service on an ISR 43XX
License Entitlement and Description:
• L-SW-LN-43-1Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 1 Yr Term
• L-SW-LN-43-3Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 3 Yr Term
Associated File Downloads and Description:
• sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD
• sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash

Learning Network License Component: agent deployed as a virtual service on an ISR 44XX
License Entitlement and Description:
• L-SW-LN-44-1Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 1 Yr Term
• L-SW-LN-44-3Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 3 Yr Term
Associated File Downloads and Description:
• sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD
• sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash

Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.
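As an added example (not code from the guide or from Cisco), the following Python script performs the comparison the note describes: it hashes a downloaded OVA in chunks with MD5 or SHA512, normalizes the digest copied from cisco.com, and reports whether the two match. The file name and payload in demo() are constructed placeholders, not a real release; on a real download you pass the OVA path and the digest string from the download page.

```python
"""Verify a downloaded Learning Network License OVA against the checksum published on cisco.com.

Added example, not part of the guide: computes MD5 or SHA512 over the file and compares
it with the digest copied from the download page.
"""
import hashlib
import hmac
import os
import tempfile

# The guide says cisco.com publishes MD5 and SHA512 checksums; SHA512 is the stronger choice.
ALGORITHMS = {"md5": hashlib.md5, "sha512": hashlib.sha512}


def file_checksum(path, algo="sha512", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-GB OVA never has to fit in memory."""
    if algo not in ALGORITHMS:
        raise ValueError(f"unsupported checksum algorithm: {algo}")
    digest = ALGORITHMS[algo]()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_matches(actual, published):
    """Compare two hex digests.

    The published value is normalized (case, surrounding whitespace) because it is
    usually copied from a web page; the comparison itself is constant-time.
    """
    actual = actual.strip().lower()
    published = published.strip().lower()
    if len(actual) != len(published):
        return False
    return hmac.compare_digest(actual, published)


def verify_download(path, published, algo="sha512"):
    """Return (matches, actual_digest) for a downloaded file.

    A mismatch means: redownload and compare again; if it still differs, stop and
    contact support rather than deploying the file.
    """
    actual = file_checksum(path, algo)
    return checksum_matches(actual, published), actual


def demo():
    """Constructed stand-in for an OVA: a small temporary file with known content."""
    with tempfile.TemporaryDirectory() as tmp:
        # Placeholder file name, not a real release.
        path = os.path.join(tmp, "sln-sca-k9-EXAMPLE.ova")
        data = b"constructed sample payload, not a real OVA image\n"
        with open(path, "wb") as fh:
            fh.write(data)
        published_sha512 = hashlib.sha512(data).hexdigest()
        published_md5 = hashlib.md5(data).hexdigest()
        return {
            # An upper-case copy of the correct digest still matches.
            "sha512_ok": verify_download(path, published_sha512.upper())[0],
            # A digest of the right length but the wrong value does not.
            "sha512_wrong": verify_download(path, "0" * 128)[0],
            "md5_ok": verify_download(path, published_md5, "md5")[0],
        }


if __name__ == "__main__":
    print(demo())
```

Hashing in chunks matters for the 150 GB-class agent OVA listed in Table 1; reading the whole file into memory would fail on a small download host.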
For more information on Smart Licensing, see http://www.cisco.com/web/ordering/smart-software-manager/smart-accounts.html.
In addition, you must generate a registration token in the Cisco Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html), then use this to register your controller. Each time you manage and enable an agent with the controller, the controller automatically requests a license entitlement for the agent.
For more information about the Cisco Smart Software Manager, see the Cisco Smart Software Manager User Guide.
ISE Server Requirements
If you want to configure pxGrid integration and populate anomalies with Identity Services Engine (ISE) user identity information, your ISE server must run Release 1.3 or greater. For more information on ISE, see http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-user-guide-list.html.
Controller Host Requirements
You can host a controller virtual appliance on a VMware ESXi Version 5.5 hosting environment. You can also enable VMware tools on all supported ESXi versions. For information on the full functionality of VMware Tools, see the VMware website (http://www.VMware.com). For help creating a hosting environment, see the VMware ESXi documentation.
Virtual appliances use Open Virtual Format (OVF) packaging. Cisco provides the controller and agent virtual appliances in Open Virtual Appliance (OVA) format, an archive version of the OVF file.
The computer that serves as the controller ESXi host must meet the following requirements:
• It must have a 64-bit CPU that provides virtualization support, either Intel® Virtualization Technology (VT) or AMD Virtualization™ (AMD-V™) technology.
• Virtualization must be enabled in the BIOS settings.
• To host virtual devices, the computer must have network interfaces compatible with Intel e1000 drivers (such as PRO 1000MT dual port server adapters or PRO 1000GT desktop adapters).
• This host must have network connectivity to all Network Elements where you will install your agents.
• Users such as administrators and analysts should be able to establish a connection to this host, to access the controller user interface.
For more information, see the VMware website: http://www.vmware.com/resources/guides.html.
Note: Installing the controller on a Network Element is not supported.
Controller Installation Prerequisites
Controller Download
Cisco provides the controller as an OVA file: sln-sca-k9-<ver>.ova. Download the file at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html.
Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.
You must also download and install the latest version of VMware vSphere Client to install the virtual machine. Cisco recommends you also download and install VMware ESXi version 5.5 to run the virtual machine. Download the files at https://my.vmware.com/web/vmware/downloads.
Controller Virtual Appliance Settings
Each virtual appliance you create requires a certain amount of memory, CPUs, and hard disk space on the ESXi host. Do not decrease the default settings, as they are the minimum required to run the system software. The following table lists the default settings.
Table 2: Default Controller Virtual Appliance Settings

Setting: memory
Default: 24576 MB (24 GB)

Setting: virtual CPUs (vCPU)
Default: 4

Setting: virtual NICs
Default:
• vNIC 0 - Main Network
• vNIC 1 (disconnected) - Alt1 Network
• vNIC 2 (disconnected) - Alt2 Network

Setting: hard disk provisioned size
Default: 200 GB

When you start the VM, the controller determines the amount of physical RAM available, and updates the configuration to allow use of up to half of that RAM.
Cisco recommends you increase VM settings, depending on the size of your Learning Network License deployment. See the following table for recommendations.
Table 3: Recommended Controller VM Settings

Learning Network License Deployment Size: 1 to 50 agents
Recommended VM Settings:
• 24576 MB (24 GB) of RAM
• 8 vCPU
• 400 GB of hard disk provisioned size

Learning Network License Deployment Size: 51 to 1000 agents
Recommended VM Settings:
• 65536 MB (64 GB) of RAM
• 16 vCPU
• 4 TB of hard disk provisioned size

Note: The number of vCPUs is determined by multiplying the number of virtual sockets by the number of cores per socket.
If you increase the memory, number of vCPUs and cores/socket (default is 4), or the hard disk size, see http://www.vmware.com/ for more information and best practices.
Information Needed During Installation
When you run the setup script, provide the following information to configure the controller:
Table 4: Controller Installation Settings

Setting: eth0 interface IPv4 address, netmask, and gateway
Description: transfer management traffic with the agent, and provide access to the controller web UI

Setting: eth0 interface hostname
Description: hostname for the controller

Setting: eth0 interface DNS servers and DNS search suffixes
Description: DNS context for anomalies

Setting: NTP server IPv4 addresses
Description: synchronize time in the Learning Network License system

The setup script allows you the option of generating self-signed certificates. If you generate a certificate for the controller web UI server, you can define the following subject distinguished name components:
Table 5: Self-Signed Certificate Subject Distinguished Name Options

Option: Country Name
Description: A two-letter ISO 3166-1 country code

Option: State or Province Name
Description: Full name of the state or province where your organization is located

Option: Locality Name
Description: The city where your organization is located

Option: Organization Name
Description: Your organization's name

Option: Organizational Unit Name
Description: Your organization's division's name

Option: Common Name
Description: A host and domain name associated with the certificate

Option: Email Address
Description: A contact email address

Learning Network License requires a server certificate to encrypt controller/agent communications, and a server certificate to encrypt user connections to the controller web user interface.
ISR Platform Requirements
Several 4000 Series ISRs support hosting an agent in a service container. You can optionally install a solid state drive (SSD) carrier and SSD network interface module (NIM-SSD) for the agent. For more information on the 4000 Series ISRs, see http://www.cisco.com/c/en/us/td/docs/routers/access/4400/roadmap/isr4400roadmap.html.
ISR 4000 Series Platform Requirements
Table 6: ISR 4000 Series Platform Requirements

ISR Component: Model
Required:
• Cisco 4331
• Cisco 4351
• Cisco 4431
• Cisco 4451

ISR Component: Control Plane DRAM
Required: 8192 MB (8 GB)

ISR Component: Disk Storage for Service Container Hosting
Required:
If you deploy your virtual service to bootflash, no additional equipment is required.
If you want to deploy your virtual service to a hard disk, to achieve much larger storage capacities, you must install:
• NIM-SSD(=) - NIM carrier card for SSD drives
• SSD-SATA-200G(=) - 200 GB SATA solid state disk for NIM-SSD, 155 GB free
See Agent Installation Prerequisites, on page 19 for more information.

ISR Component: Complex Programmable Logic Device
Required: Version 15010638 or greater

ISR Component: Image
Required: IOS-XE Release 15.4(3)S1 through 15.5(3)Sx
Note: IOS-XE Release 15.4(3)S2 and prior do not support deploying a virtual service to bootflash. You must deploy a virtual service to a NIM-SSD for these releases, or upgrade to Release 15.5(3)S to deploy the virtual service to bootflash.

ISR Component: NBAR2 Protocol Pack
Required:
• Version 15.0.0 or greater (IOS-XE 15.4(3)S1 through 15.5(3)S)
• Version 17.0.0 or greater (IOS-XE 15.5(3)S, rebuild 2 or greater)

ISR Component: Licenses
Required:
Cisco 4331:
• SL-4330-IPB-K9 - IP Base license, and
• SL-4330-APP-K9 - AppX license
Cisco 4351:
• SL-4350-IPB-K9 - IP Base license, and
• SL-4350-APP-K9 - AppX license
Cisco 44XX:
• SL-44-IPB-K9 - IP Base license, and
• SL-44-DATA-K9 or SL-44-APP-K9 - Data license or AppX license
See http://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/guide-c07-732797.html#_Toc424288435 for more information.
Verifying ISR Platform Requirements
Before You Begin
• Log into the ISR console.
SUMMARY STEPS
1. enable
2. show version
3. show platform
4. show ip nbar protocol-pack active
5. exit
DETAILED STEPS

Step 1: enable
Purpose: Enable privileged EXEC mode.
Example:
Router> enable

Step 2: show version
Purpose: Show version information, including image version, installed ISR licenses, and control plane DRAM.
Example:
Router# show version

Step 3: show platform
Purpose: Show the Complex Programmable Logic Device version.
Example:
Router# show platform

Step 4: show ip nbar protocol-pack active
Purpose: Show the NBAR2 protocol pack version.
Example:
Router# show ip nbar protocol-pack active

Step 5: exit
Purpose: Exit privileged EXEC mode.
Example:
Router# exit
Example ISR Platform Requirements

Issuing the show version command to your ISR allows you to view your image version, installed licenses, and the total control plane DRAM on the ISR. The license rows are called out in brackets below. Note that appxk9 corresponds to the AppX license, and ipbasek9 corresponds to the IP Base license.

Router> enable
Router# show version
Cisco IOS XE Software, Version 2016-05-16_22.05.paj
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)s2, RELEASE SOFTWARE (fc2)
...
Technology Package License Information:

-----------------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
-----------------------------------------------------------------------
appxk9        appxk9        RightToUse     appxk9         [AppX license]
uck9          None          None           None
securityk9    None          None           None
ipbase        ipbasek9      Permanent      ipbasek9       [IP Base license]

cisco ISR4431/K9 (1RU) processor with 7799569K/6147K bytes of memory.
...

Issuing the show platform command to your ISR allows you to view the Complex Programmable Logic Device (CPLD) version, shown in the CPLD Version column below.

Router# show platform
Chassis type: ISR4431/K9

Slot      Type              State                   Insert time (ago)
--------- ----------------- ----------------------- -------------------
...

Slot      CPLD Version      Firmware Version
--------- ----------------- ------------------------
0         15010638          15.4(2r)S
R0        15010638          15.4(2r)S
F0        15010638          15.4(2r)S

Issuing the show ip nbar protocol-pack active command to your ISR allows you to view the NBAR2 protocol pack version, shown in the Version field below.

Router# show ip nbar protocol-pack active
Active Protocol Pack:
Name: Advanced Protocol Pack
Version: 17.0
Publisher: Cisco Systems Inc.
...
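The three outputs above are what you compare against the ISR 4000 Series Platform Requirements table. As an added example, not taken from the Cisco guide, the following Python script parses them into the values that table asks for (image version, technology-package table, control plane DRAM, per-slot CPLD version, NBAR2 protocol pack version) and applies the one check this chapter states outright, that ipbasek9 and appxk9 are both the current package (see ISR License Installation). The sample outputs are constructed from the excerpts above; the minimum versions themselves are not in this excerpt, so the script reports them rather than judging them.

```python
import re

# Constructed sample outputs, trimmed from the show command excerpts above.
SHOW_VERSION = """\
Cisco IOS XE Software, Version 2016-05-16_22.05.paj
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)s2, RELEASE SOFTWARE (fc2)

Technology Package License Information:
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
-----------------------------------------------------------------
appxk9        appxk9        RightToUse     appxk9
uck9          None          None           None
ipbase        ipbasek9      Permanent      ipbasek9

cisco ISR4431/K9 (1RU) processor with 7799569K/6147K bytes of memory.
"""
SHOW_PLATFORM = """\
Chassis type: ISR4431/K9

Slot      CPLD Version      Firmware Version
--------- ----------------- ------------------------
0         15010638          15.4(2r)S
R0        15010638          15.4(2r)S
F0        15010638          15.4(2r)S
"""
SHOW_NBAR = """\
Active Protocol Pack:
Name: Advanced Protocol Pack
Version: 17.0
"""

# Packages the guide requires on the ISR (see ISR License Installation).
REQUIRED_PACKAGES = ("ipbasek9", "appxk9")


def parse_show_version(text):
    """Extract image versions, DRAM figures and the technology-package table."""
    xe = re.search(r"Cisco IOS XE Software, Version (\S+)", text)
    ios = re.search(r"Version (\S+), RELEASE SOFTWARE", text)
    mem = re.search(r"with (\d+)K/(\d+)K bytes of memory", text)
    info = {
        "xe_version": xe.group(1) if xe else None,
        "ios_version": ios.group(1) if ios else None,
        "memory_kb": (int(mem.group(1)), int(mem.group(2))) if mem else None,
        "packages": {},
    }
    in_table = False
    for line in text.splitlines():
        if line.startswith("Technology Package License Information"):
            in_table = True
            continue
        parts = line.split()
        if not in_table:
            continue
        if not parts:                       # blank line after the rows closes the table
            in_table = not info["packages"]
        elif parts[0].startswith("-") or parts[0] in ("Technology", "Current"):
            continue                        # separator or header line
        elif len(parts) == 4:
            technology, current, kind, next_reboot = parts
            info["packages"][technology] = {"current": current, "type": kind, "next_reboot": next_reboot}
    return info


def parse_show_platform(text):
    """Extract the chassis type and the per-slot CPLD and firmware versions."""
    chassis = re.search(r"Chassis type:\s*(\S+)", text)
    info = {"chassis": chassis.group(1) if chassis else None, "cpld": {}, "firmware": {}}
    in_table = False
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("Slot") and "CPLD Version" in line:
            in_table = True
        elif not parts:
            in_table = False
        elif in_table and not parts[0].startswith("-") and len(parts) == 3:
            info["cpld"][parts[0]] = parts[1]
            info["firmware"][parts[0]] = parts[2]
    return info


def parse_show_nbar(text):
    """Extract the active NBAR2 protocol pack name and version."""
    found = {label.lower(): re.search(r"^%s:\s*(.+?)\s*$" % label, text, re.M)
             for label in ("Name", "Version")}
    return {key: m.group(1) if m else None for key, m in found.items()}


def required_licenses_active(version_info):
    """True when ipbasek9 and appxk9 are both the current technology package."""
    current = {pkg["current"] for pkg in version_info["packages"].values()}
    return all(name in current for name in REQUIRED_PACKAGES)
```

Paste the real command output from your ISR into the three strings (or read it from files) and compare the returned values against the requirements table on page 12; required_licenses_active reads the Current column, so a package that is only scheduled for the next reboot does not count.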
ISR Configuration Prerequisites

Information Needed for ISR Configuration

When you configure the ISR's NTP servers and flexible NetFlow, provide the following information:

Table 7: ISR Configuration Settings

Setting | Description
loopback interface IPv4 address or router management interface | configure NTP server connectivity. Use a loopback interface if you have one configured, or the router management interface if you do not.
NTP server IPv4 addresses | synchronize time in the Learning Network License system
agent eth0 IPv4 address for NetFlow exporter | pass NetFlow packets from the ISR to the agent and traffic between the controller and the agent
ISR License Installation

To run an agent on an ISR 4000 Series, you must activate an IP Base (ipbasek9) IOS license and an AppX (appxk9) IOS license on the ISR. See http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html for more information on activating the licenses.
Agent and ISR Interaction

The following diagram illustrates the interaction between an agent and its host ISR.

Figure 3: ISR and Agent Deployed as a Virtual Service

You configure the install.yaml properties file, and run the installation_auto.py install script, to deploy agents to your ISRs. For detailed information about the diagram, and how the install script deploys agents, see Install Script Deployment, on page 56. For more information on the installation process, see Deploying Agents Using the Install Script, on page 55.
Communication Ports

Learning Network License requires several open ports for functionality, to allow communication between the controller and agents, and to allow users to access the controller UI. If a firewall or other security appliance sits between the controller and agents, or between the user and the controller, open these ports.

The following diagram illustrates this system functionality.

Figure 4: System Functionality Requiring Open Ports with an Agent Deployed as a Virtual Service

• Users, such as system administrators, can log into the controller web UI, and SSH login to agents.
• The controller sends information, such as mitigations, to the agent, and contacts NTP servers to synchronize time.
• The agent sends information, such as anomalies, log files, configuration files, and PCAP files, to the controller, and contacts NTP servers to synchronize time.
The following diagram illustrates the open ports and directionality. See Table 8: Default Communication Ports for Learning Network License Features and Operation, on page 18 for more information on these ports.
Figure 5: Open Ports for System Functionality with an Agent Deployed as a Virtual Service
Table 8: Default Communication Ports for Learning Network License Features and Operation

Port | Description | Direction | Is Open for any... | To...
22/TCP | SSH/SCP | outbound from agent eth0 interface Management IP, inbound to controller IP | IP associated with the controller, Management IP associated with the agent | transfer log files and configuration files
22/TCP | SSH | outbound from host IP, inbound to agent eth0 interface Management IP | host IP that wants to SSH login to the agent | optionally enable remote access to the agent administrator script when the agent is deployed as a virtual service
22/TCP | SSH | inbound from host IP to controller IP | host IP that wants to SSH login to the controller | optionally enable SSH login to the controller
123/UDP | NTP | outbound from the controller IP to an external NTP server | IP associated with the controller | synchronize time with agents deployed as virtual services
443/TCP | HTTPS | inbound from user IP to controller IP | host IP that wants to access the controller UI | access the controller UI
9091/TCP | TLS | outbound from controller IP to agent eth0 interface Management IP | IP associated with the controller | allow the controller to communicate with the agent
9092/TCP | packet buffer capture (PBC) | outbound from controller IP to agent eth0 interface Management IP | IP associated with the controller | enable PBC
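As an added example, not from the Cisco guide, the Python below transcribes Table 8 into a flow matrix and uses it two ways: to render an iptables allowlist for the controller host, and to audit observed connections against the matrix so that a flow in the wrong direction, or UI access from a host outside the administrator network, is flagged. The addresses and connection records are constructed placeholders, and the role names (controller, agent, admin, ntp) are this example's own.

```python
import ipaddress

# Flow matrix transcribed from Table 8:
# (protocol, port, initiating role, receiving role, purpose).
FLOWS = [
    ("tcp", 22,   "agent",      "controller", "transfer log and configuration files (SSH/SCP)"),
    ("tcp", 22,   "admin",      "agent",      "remote access to the agent administrator script"),
    ("tcp", 22,   "admin",      "controller", "SSH login to the controller"),
    ("udp", 123,  "controller", "ntp",        "time synchronization"),
    ("tcp", 443,  "admin",      "controller", "access the controller UI (HTTPS)"),
    ("tcp", 9091, "controller", "agent",      "controller-to-agent TLS channel"),
    ("tcp", 9092, "controller", "agent",      "packet buffer capture (PBC)"),
]

# Constructed address plan (hypothetical values): controller IP, agent eth0
# management IPs, the admin subnet allowed to reach the UI and SSH, NTP server.
ADDRESSES = {
    "controller": ["10.0.0.10"],
    "agent": ["10.0.1.20", "10.0.1.21"],
    "admin": ["10.0.9.0/24"],
    "ntp": ["10.0.0.123"],
}

# Constructed connection records (src, dst, protocol, dst port), as a firewall
# or flow log would show them, to audit against the matrix.
OBSERVED = [
    ("10.0.1.20", "10.0.0.10", "tcp", 22),     # agent uploading logs: expected
    ("10.0.0.10", "10.0.1.21", "tcp", 9092),   # controller pulling a PBC: expected
    ("10.0.1.20", "10.0.0.10", "tcp", 9091),   # agent initiating 9091: wrong direction
    ("203.0.113.5", "10.0.0.10", "tcp", 443),  # UI access from outside the admin subnet
]


def controller_rules(addresses=ADDRESSES):
    """Render an iptables allowlist for the controller host from the flow matrix.

    Inbound rules are emitted for flows the controller receives, outbound
    rules for flows it initiates; everything else is dropped by policy.
    """
    rules = [
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port, src_role, dst_role, purpose in FLOWS:
        if dst_role == "controller":
            for src in addresses[src_role]:
                rules.append(f"iptables -A INPUT -p {proto} -s {src} --dport {port} "
                             f"-m conntrack --ctstate NEW -j ACCEPT  # {purpose}")
        elif src_role == "controller":
            for dst in addresses[dst_role]:
                rules.append(f"iptables -A OUTPUT -p {proto} -d {dst} --dport {port} "
                             f"-m conntrack --ctstate NEW -j ACCEPT  # {purpose}")
    # Default-deny last, so applying the list live does not cut the session first.
    rules += ["iptables -P INPUT DROP", "iptables -P OUTPUT DROP"]
    return rules


def role_of(ip, addresses=ADDRESSES):
    """Map an address to its role in the deployment, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for role, networks in addresses.items():
        if any(addr in ipaddress.ip_network(net, strict=False) for net in networks):
            return role
    return "unknown"


def audit_flows(observed, addresses=ADDRESSES):
    """Return the records that do not match any expected flow in Table 8."""
    expected = {(proto, port, src, dst) for proto, port, src, dst, _ in FLOWS}
    return [
        rec for rec in observed
        if (rec[2], rec[3], role_of(rec[0], addresses), role_of(rec[1], addresses)) not in expected
    ]
```

The agent side of the same matrix is the mirror image (inbound 22/TCP from admin hosts, 9091/TCP and 9092/TCP from the controller, outbound 22/TCP to the controller), and the audit is the more useful half in practice: run it over the flow records your firewall already logs, and anything it returns is either a missing table entry or a host that should not be talking to the controller.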
Agent Installation Prerequisites

The agent runs as a virtual service on your ISR. You can deploy the virtual service either to the ISR's bootflash, or to an optional 200 GB NIM-SSD. In general, agents deployed to bootflash offer less storage space for file retention than agents deployed to a NIM-SSD. See the following table for an overview of these differences.

Table 9: Agent Deployment as Virtual Service Comparison

Feature | Agent Deployed to bootflash | Agent Deployed to NIM-SSD
Default virtual service settings | Lower hard disk provisioned size setting. | Higher hard disk provisioned size setting.
packet buffer capture (PBC) | Lesser file storage allocation for PBC. PCAP file storage is volatile; if the ISR restarts, PCAPs are lost. | Greater file storage allocation for PBC. PCAP file storage is stable; if the ISR restarts, PCAPs are retained.
log files | Lower file storage allocation for log files. Log file storage is volatile; if the ISR restarts, log files are lost. | Greater file storage allocation for log files. Log file storage is stable; if the ISR restarts, log files are retained.

See ISR 4000 Series Platform Requirements, on page 12 for more information.

Note: You must download the virtual service OVA file. You cannot install the UCS E-Series blade server OVA file as a virtual service.
Agent Configuration Prerequisites

Agent OVA Download

Cisco provides the agent as one of two OVA files: sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova to install on the ISR's NIM-SSD, and sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova to install on the ISR's bootflash. Download the file at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html.

Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.

Agent Virtual Service Settings

Each agent you deploy as a virtual service requires a certain amount of memory, CPUs, and hard disk space. The following table lists the default settings.

Table 10: Default Agent as a Virtual Service Settings

Setting | Default
memory | 3072 MB (3 GB)
virtual CPUs | 2
hard disk provisioned size | 250 MB (when deployed to bootflash); 150 GB (when deployed to a NIM-SSD)

Agent Install Script

The controller contains an agent install script you can use to deploy the agents as virtual services. See Install Script Deployment, on page 56 and Agent Properties File Settings, on page 60 for more information.

NTP Configuration

The agent deployed as a virtual service receives time from the host router. You must configure the router and the controller with synchronized NTP server addresses to ensure synchronized time.
Downloading the OVA Files from Cisco

Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.

Step 1 In your web browser, navigate to http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html. Enter your username and password when prompted.
Step 2 Download the controller OVA file: sln-sca-k9-<ver>.ova
Step 3 Download an agent OVA file:
• sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - contains the agent to be deployed as a virtual service on an ISR's NIM-SSD
• sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - contains the agent to be deployed as a virtual service on an ISR's bootflash

Obtaining a File's Checksum from cisco.com

Before You Begin
• Go to the file download page on cisco.com.

Step 1 Click the File Information file name to view the file's details, which include the MD5 and SHA512 checksums.
Step 2 Click the ellipsis (…) to view the full SHA512 checksum.
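The checksum comparison the notes above call for, as an added Python example rather than anything from the Cisco guide: it hashes the OVA in chunks, compares against the published value in constant time, and rejects a value of the wrong length, which is what a SHA512 copied before clicking the ellipsis looks like. The sample file it writes is a constructed stand-in for an OVA; the published digests in the test are the standard test vectors for the string "abc".

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha512"):
    """Hash a file in 1 MiB chunks so a multi-gigabyte OVA is not read into memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, published, algorithm="sha512"):
    """Compare a downloaded file against the checksum published on cisco.com.

    Raises ValueError for a value that cannot be a complete digest (wrong length
    or non-hex characters), so a truncated copy of the SHA512 is reported as an
    operator error rather than as a corrupt download.
    """
    published = published.strip().lower()
    expected_len = hashlib.new(algorithm).digest_size * 2   # hex chars: 32 for MD5, 128 for SHA512
    if len(published) != expected_len or any(c not in "0123456789abcdef" for c in published):
        raise ValueError(f"{algorithm} checksum must be {expected_len} hex characters, got {len(published)}")
    return hmac.compare_digest(file_digest(path, algorithm), published)


def checksum_status(path, published, algorithm="sha512"):
    """Human-readable verdict: 'ok', 'mismatch' or 'invalid checksum: <reason>'."""
    try:
        return "ok" if verify_download(path, published, algorithm) else "mismatch"
    except ValueError as err:
        return f"invalid checksum: {err}"


def write_sample(data=b"abc"):
    """Create a constructed stand-in for a downloaded OVA and return its path."""
    fd, path = tempfile.mkstemp(suffix=".ova")
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path
```

For a real download call checksum_status("/path/to/sln-sca-k9-<ver>.ova", "<SHA512 from the File Information panel>"); "mismatch" means redownload, as the note above says, and "invalid checksum" means go back to the download page and copy the full value.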
C H A P T E R 3 Controller Installation
The following describes the controller installation process.
• Installing the Controller, page 23
• Controller Deployment, page 24
• Controller Virtual Hard Disk Storage, page 26
• Custom Controller Web UI Certificates, page 34
• Controller Setup Script, page 37
• Resetting the Administrator Password, page 42
• Disabling Host Time Synchronization, page 43
• Logging into the Controller Web UI, page 44
• Verifying NTP Configuration on the Controller, page 44
Installing the Controller

The controller acts as the management center of the Learning Network License system. It collates anomalies sent by all managed agents and performs a real-time analysis based on severity rating and internal relevance to determine which are of most interest to the user. It then reports these for further user review and relevance feedback, and displays various graphs and data to assist user analysis of anomalies. In response, the user can configure mitigations that match an anomaly's characteristics, including IP address or application, and take an action. The controller forwards these mitigation policies and actions to managed agents.
You must deploy a single controller on your network.
Step 1 Deploy the controller OVA file to an ESXi host in your network, and activate it. See Controller Deployment, on page 24 for more information.
Step 2 If you want to use a custom SSL certificate for the controller web UI, see Custom Controller Web UI Certificates, on page 34 for more information.
Step 3 If you want to increase the hard disk storage size, see Controller Virtual Hard Disk Storage, on page 26 for more information.
Step 4 Run the setup script to configure basic network settings, NTP server addresses, and public key certificates. See Configuring the Controller with the Setup Script, on page 38 for more information.
Step 5 Reset the controller web UI administrator user account (admin) password. See Resetting the Administrator Password, on page 42 for more information.
Step 6 Disable time synchronization with the ESXi host. See Disabling Host Time Synchronization, on page 43 for more information.
Controller Deployment

Cisco provides the controller as a downloadable OVA file. You can deploy this OVA file to a host running an ESXi hypervisor.

Before you start the controller VM, you can update the memory, number of vCPUs, and hard disk space in vSphere vCenter. If you increase the memory, you must start the VM, then run the setup-system script. After you run the script, the VM is updated with proper memory settings.

If your controller is already running, and you want to update the memory settings, run the setup-system script, stop the VM, update the memory settings, and start the VM. On restart, the VM is updated with proper memory settings.

See Controller Installation Prerequisites, on page 9 for more information on recommended controller VM settings, based on deployment size.

Note: For a given version of the Learning Network License system, only the version of Ubuntu Linux shipped with the controller and agents is supported. Do NOT upgrade Ubuntu Linux on the controller or agent VMs.

The first time you log into the virtual machine, the system prompts you to change the default administrator password.
Deploying the OVA File

As you map destination networks to interfaces, note that only eth0 is enabled by default. For many deployments, controller management traffic, agent traffic, and controller web UI user traffic are reachable from the same controller network interface. In this case, you can map that destination network to the eth0 interface. You can also leave the eth1 and eth2 interfaces disabled, and mapped to a separate destination network.

However, if these traffic types are reachable via different controller network interfaces, you can enable eth1, eth2, or both eth1 and eth2, then map them to the appropriate destination networks.

Before You Begin
• Download the OVA file.
• Download VMware vSphere Client from https://my.vmware.com/web/vmware/downloads and install it.

Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you want to install the OVA file.
Step 2 Select File > Deploy OVF Template.
Step 3 Click Browse to select your OVA file, then click Next.
Step 4 Review the OVF Template Details, then click Next.
Step 5 Enter a Name, select an inventory location, then click Next.
Step 6 Click the Thick Provision Lazy Zeroed radio button, then click Next.
Step 7 Select a Destination Network from your inventory to map to a Source Network. You can map the following default networks, then click Next.
• eth0 to Main Network
• eth1 (disconnected) to Alt1 Network
• eth2 (disconnected) to Alt2 Network
Note: If you only need to configure eth0, you can map eth1 and eth2 to the same network.
Step 8 Review your deployment settings and click Finish.
Note: The deployment may take 30 minutes to an hour or longer, depending on your environment.
Step 9 Click Close after the deployment completes.
What to Do Next
• Power on the virtual machine and log in, as described in the next section.
Powering On the Virtual Machine
Before You Begin
• Deploy the OVA file to the ESXi hypervisor, as described in the previous section.
Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you deployed the virtual machine.
Step 2 Select Home > Inventory > VMs and Templates.
Step 3 Select the virtual machine from the navigation tree.
Step 4 Select Inventory > Virtual Machine > Power > Power On.
Step 5 Click the Console tab, then click in the console pane to shift your focus to the virtual machine console.
Note: To shift your focus from the virtual machine console to your local host, press Ctrl-Alt.
Step 6 Log in with the default administrator username (sln) and the default administrator password (cisco). When prompted, change the default administrator password.
Controller Virtual Hard Disk Storage

By default, the controller OVA ships configured with a 200 GB hard disk. Based on your deployment and the recommended settings, you can configure the deployed controller VM to expand the available hard disk storage space by either:
• increasing the existing virtual hard disk storage allocation with an expanded partition or another partition, when the existing VMware storage area has sufficient space, or
• adding a new virtual hard disk, when the existing VMware storage area has insufficient space.

Note: Follow the procedures carefully. Failure to follow them can result in corruption or loss of the controller VM filesystem.

Controller Virtual Hard Disk Allocation Expansion

To add space to the controller VM hard disk, configure the VM's settings in VMware vSphere to increase the size of the hard disk. Then, from the VM's command line, run parted to extend an existing virtual hard disk partition. Finally, issue commands to expand the filesystem size for the new hard disk.

Note: You can only extend a hard disk partition to 2 TB. If you need more space, you can use cfdisk to instead add another virtual hard disk partition.
By default, the controller ships with one virtual hard disk, sda, and up to partition number 5 (sda5). The first time you add a partition to this virtual hard disk, increment the name by one (sda6). If you want to add another partition, increment the name of the most recent hard disk partition by 1 (sda7, sda8, and so on).
Editing VM Settings to Increase Virtual Hard Disk Size
Before You Begin
• Connect to the ESXi hypervisor using VMware vSphere.
Step 1 Select Home > Inventory > VMs and Templates.
Step 2 Right-click the controller VM and select Edit Settings.
Step 3 In the Hardware tab, select Hard disk 1.
Step 4 Enter a new Provisioned Size to update the virtual hard disk provision.
Step 5 Click OK.
Step 6 Right-click the controller VM and select Power > Shut Down Guest. Wait for the VM to power off.
Step 7 Right-click the controller VM and select Power > Power On.
Extending a Virtual Hard Disk Partition

Use parted to extend the sda5 virtual hard disk partition. The controller OVA contains one virtual hard disk by default, sda. This virtual hard disk contains partitions up to number five (sda5).

Note: You can only extend the partition up to 2 TB. If you need more space, add another virtual hard disk partition. See Adding a New Virtual Hard Disk Partition Larger than 2 TB, on page 29 for more information.
Before You Begin
• Use VMware vSphere to log into the controller VM console.
SUMMARY STEPS
1. sudo parted /dev/sda resizepart 2 100%, then enter your password when prompted
2. sudo parted /dev/sda resizepart 5 100%, then enter your password when prompted
DETAILED STEPS

Step 1
  Command or Action: sudo parted /dev/sda resizepart 2 100%, then enter your password when prompted
  Purpose: Run the parted partition resizer to resize the sda2 partition.
  Example:
    user@host:~$ sudo parted /dev/sda resizepart 2 100%

Step 2
  Command or Action: sudo parted /dev/sda resizepart 5 100%, then enter your password when prompted
  Purpose: Run the parted partition resizer to resize the sda5 partition.
  Example:
    user@host:~$ sudo parted /dev/sda resizepart 5 100%
Updating the Filesystem for an Extended Virtual Hard Disk Partition

The controller VM was provisioned with Linux LVM2 (Logical Volume Manager) tools. The following procedure uses the LVM2 tools to register the extended partition as a physical volume, and extend the logical volume over the new physical volume while simultaneously resizing the Linux filesystem to recognize the additional space.

Before You Begin
• Use VMware vSphere to log into the controller VM console.

SUMMARY STEPS
1. sudo partprobe -s
2. sudo pvresize /dev/sda5
3. sudo vgdisplay
4. sudo lvextend -r /dev/<volume-group>/root /dev/sda5

DETAILED STEPS

Step 1
  Command or Action: sudo partprobe -s
  Purpose: Update the /dev filesystem to recognize the extended /dev/sda5 virtual hard disk partition.
  Example:
    user@host:~$ sudo partprobe -s

Step 2
  Command or Action: sudo pvresize /dev/sda5
  Purpose: Resize the physical volume for the sda5 partition on the sda virtual hard disk.
  Example:
    user@host:~$ sudo pvresize /dev/sda5

Step 3
  Command or Action: sudo vgdisplay
  Purpose: View the name of the volume group.
  Example:
    user@host:~$ sudo vgdisplay

Step 4
  Command or Action: sudo lvextend -r /dev/<volume-group>/root /dev/sda5
  Purpose: Add the new volume to the root logical volume and resize the root filesystem.
  Example:
    user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sda5
Adding a New Virtual Hard Disk Partition Larger than 2 TB

Use cfdisk to create a new virtual hard disk partition larger than 2 TB. The controller OVA contains one virtual hard disk by default, sda. This virtual hard disk contains partitions up to number five (sda5). The following task assumes you have not created another virtual hard disk partition, directing you to increment the highest virtual hard disk partition name by one to create the sda6 partition. If you have created other virtual hard disk partitions for the sda virtual hard disk, increment the new partition name based on the existing virtual hard disk partitions (sda7, sda8, etc.).

Before You Begin
• Use VMware vSphere to log into the controller VM console.

SUMMARY STEPS
1. sudo cfdisk /dev/sda, then enter your password when prompted
2. Move your cursor to the last line containing Free space, and verify the size column roughly matches the amount of space you added.
3. n to create a new partition
4. Select Logical and press Enter.
5. Press Enter to accept the default size.
6. t to change the filesystem type to 8E
7. W to write the new partition table, then yes to confirm
8. q to quit cfdisk
DETAILED STEPS

Step 1
  Command or Action: sudo cfdisk /dev/sda, then enter your password when prompted
  Purpose: Run the cfdisk partition editor to create the sda6 partition.
  Example:
    user@host:~$ sudo cfdisk /dev/sda

Step 2
  Command or Action: Move your cursor to the last line containing Free space, and verify the size column roughly matches the amount of space you added.
  Purpose: Verify that the partition size is correct. If it is not, restart the controller VM and restart this procedure from the beginning.

Step 3
  Command or Action: n to create a new partition
  Purpose: Create a new partition.

Step 4
  Command or Action: Select Logical and press Enter.
  Purpose: Create a logical partition.

Step 5
  Command or Action: Press Enter to accept the default size.
  Purpose: Create the partition with the free space displayed.

Step 6
  Command or Action: t to change the filesystem type to 8E
  Purpose: Change the filesystem type to 8E (Linux LVM).

Step 7
  Command or Action: W to write the new partition table, then yes to confirm
  Purpose: Write the new partition table.

Step 8
  Command or Action: q to quit cfdisk
  Purpose: Quit cfdisk.
Updating the Filesystem for the New Virtual Hard Disk Partition

The controller VM was provisioned with Linux LVM2 (Logical Volume Manager) tools. The following procedure uses the LVM2 tools to register the new partition as a physical volume, add the new physical volume to the existing volume group, and extend the logical volume over the new physical volume while simultaneously resizing the Linux filesystem to recognize the additional space.

Before You Begin
• Use VMware vSphere to log into the controller VM console.

SUMMARY STEPS
1. sudo partprobe -s
2. sudo pvcreate /dev/sda6
3. sudo vgdisplay
4. sudo vgextend <volume-group> /dev/sda6
5. sudo lvextend -r /dev/<volume-group>/root /dev/sda6
DETAILED STEPS

Step 1
  Command or Action: sudo partprobe -s
  Purpose: Update the /dev filesystem to include /dev/sda6 as a new virtual hard disk partition.
  Example:
    user@host:~$ sudo partprobe -s

Step 2
  Command or Action: sudo pvcreate /dev/sda6
  Purpose: Create a physical volume for a new partition on the sda virtual hard disk.
  Example:
    user@host:~$ sudo pvcreate /dev/sda6

Step 3
  Command or Action: sudo vgdisplay
  Purpose: View the name of the volume group.
  Example:
    user@host:~$ sudo vgdisplay

Step 4
  Command or Action: sudo vgextend <volume-group> /dev/sda6
  Purpose: Add the new volume to the volume group.
  Example:
    user@host:~$ sudo vgextend vg00 /dev/sda6

Step 5
  Command or Action: sudo lvextend -r /dev/<volume-group>/root /dev/sda6
  Purpose: Add the new volume to the root logical volume and resize the root filesystem.
  Example:
    user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sda6
Controller Virtual Hard Disk Addition

To add a virtual hard disk on the controller VM, configure the VM's settings in VMware vSphere to recognize a new hard disk. Then, from the VM's command line, run cfdisk to create the new virtual hard disk, and issue commands to expand the filesystem size for the new hard disk.

By default, the controller ships with one virtual hard disk, sda. The first time you add a virtual hard disk, increment the name by one (sdb). If you want to add another virtual hard disk, increment the name of the most recent hard disk by 1 (sdc, sdd, and so on).
Editing VM Settings for a New Hard Disk
Before You Begin
• Connect to the ESXi hypervisor using VMware vSphere.
Step 1 Select Home > Inventory > VMs and Templates.
Step 2 Right-click the controller VM and select Edit Settings.
Step 3 In the Hardware tab, click Add.
Step 4 Select Hard Disk and click Next.
Step 5 Select Create a new virtual disk and click Next.
Step 6 Enter a Disk Size and click Next.
Step 7 Click Next to skip the Advanced Options screen.
Step 8 Click Finish.
Step 9 Click OK in the Virtual Machine Properties window.
Step 10 Right-click the controller VM and select Power > Shut Down Guest. Wait for the VM to power off.
Step 11 Right-click the controller VM and select Power > Power On.
Adding a New Hard Disk

Use cfdisk to create a disk partition on the new virtual hard disk. The controller OVA contains one virtual hard disk by default, sda. The following task assumes you have not created another virtual hard disk, directing you to increment the existing virtual hard disk name by one to create the sdb virtual hard disk. If you have created other virtual hard disks for the controller, increment the new virtual hard disk name based on the existing virtual hard disks (sdc, sdd, etc.).

Before You Begin
• Use VMware vSphere to log into the controller VM console.

SUMMARY STEPS
1. sudo cfdisk /dev/sdb, then enter your password when prompted
2. n to create a new partition
3. Select Primary and press Enter.
4. Press Enter to accept the default size.
5. t to change the filesystem type to 8E
6. W to write the new partition table, then yes to confirm
7. q to quit cfdisk
DETAILED STEPS

Step 1
  Command or Action: sudo cfdisk /dev/sdb, then enter your password when prompted
  Purpose: Run the cfdisk partition editor to create the sdb1 partition on the sdb virtual hard disk. The table contains one line, with the free space equal to the total disk size.
  Example:
    user@host:~$ sudo cfdisk /dev/sdb

Step 2
  Command or Action: n to create a new partition
  Purpose: Create a new partition.

Step 3
  Command or Action: Select Primary and press Enter.
  Purpose: Create a virtual hard disk.

Step 4
  Command or Action: Press Enter to accept the default size.
  Purpose: Create the virtual hard disk with the free space displayed.

Step 5
  Command or Action: t to change the filesystem type to 8E
  Purpose: Change the filesystem type to 8E (Linux LVM).

Step 6
  Command or Action: W to write the new partition table, then yes to confirm
  Purpose: Write the new partition table.

Step 7
  Command or Action: q to quit cfdisk
  Purpose: Quit cfdisk.
Updating the Filesystem for the New Hard Disk
Before You Begin
• Use VMware vSphere to log into the controller VM console.
SUMMARY STEPS
1. sudo partprobe -s
2. sudo pvcreate /dev/sdb1
3. sudo vgdisplay
4. sudo vgextend <volume-group> /dev/sdb1
5. sudo reboot
6. Log into the controller VM console.
7. sudo lvextend -r /dev/<volume-group>/root /dev/sdb1
8. sudo reboot
DETAILED STEPS

Step 1
  Command or Action: sudo partprobe -s
  Purpose: Update the filesystem to include /dev/sdb as a new virtual hard disk.
  Example:
    user@host:~$ sudo partprobe -s

Step 2
  Command or Action: sudo pvcreate /dev/sdb1
  Purpose: Create a physical volume for a new partition on the sdb hard disk.
  Example:
    user@host:~$ sudo pvcreate /dev/sdb1

Step 3
  Command or Action: sudo vgdisplay
  Purpose: View the name of the volume group.
  Example:
    user@host:~$ sudo vgdisplay

Step 4
  Command or Action: sudo vgextend <volume-group> /dev/sdb1
  Purpose: Add the new volume to the volume group.
  Example:
    user@host:~$ sudo vgextend vg00 /dev/sdb1

Step 5
  Command or Action: sudo reboot
  Purpose: Restart the controller VM.
  Example:
    user@host:~$ sudo reboot

Step 6
  Command or Action: Log into the controller VM console.
  Purpose: Log into the controller VM console.

Step 7
  Command or Action: sudo lvextend -r /dev/<volume-group>/root /dev/sdb1
  Purpose: Add the new volume to the root logical volume and resize the root filesystem.
  Example:
    user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sdb1

Step 8
  Command or Action: sudo reboot
  Purpose: Restart the controller VM.
  Example:
    user@host:~$ sudo reboot
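The three LVM procedures above share one decision: a partition that is already a physical volume (sda5 after parted grew it) gets pvresize, a new partition (sda6 or sdb1) gets pvcreate and vgextend, and a partition on a newly added disk also gets the two reboots. The Python below is an added example, not part of the Cisco guide, that checks the guide's preconditions from the output of lsblk, pvs and vgs before any LVM command runs, and returns the exact command sequence for the case it detects. The command outputs are constructed, and vg00 and the device names are assumptions matching the examples above.

```python
# Constructed command output in the shape of `lsblk -rno NAME,TYPE`,
# `pvs --noheadings -o pv_name` and `vgs --noheadings -o vg_name` on a
# controller VM; the device and volume group names are assumptions.
LSBLK_PARTITION_ADDED = """\
sda disk
sda1 part
sda2 part
sda5 part
sda6 part
vg00-root lvm
vg00-swap lvm
"""
LSBLK_DISK_ADDED = """\
sda disk
sda1 part
sda2 part
sda5 part
sdb disk
vg00-root lvm
"""
LSBLK_DISK_PARTITIONED = LSBLK_DISK_ADDED.replace("sdb disk\n", "sdb disk\nsdb1 part\n")
PVS_DEFAULT = "  /dev/sda5\n"
VGS_DEFAULT = "  vg00\n"


def parse_lsblk(text):
    """Return {device name: type} from `lsblk -rno NAME,TYPE` output."""
    devices = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


def disk_of(device):
    """sda6 -> sda, sdb1 -> sdb (the disk a partition belongs to)."""
    return device.rstrip("0123456789")


def plan_lvm_growth(partition, lsblk_text, pvs_text, vgs_text):
    """Return the command sequence that grows the root logical volume onto `partition`.

    Mirrors the guide's procedures: an existing physical volume gets pvresize,
    a new partition gets pvcreate and vgextend, and a new disk adds the reboots
    after vgextend and after lvextend. Raises ValueError when a precondition
    of the guide is not met, before anything is changed.
    """
    name = partition[5:] if partition.startswith("/dev/") else partition
    kind = parse_lsblk(lsblk_text).get(name)
    if kind is None:
        raise ValueError(f"/dev/{name} is not visible: run partprobe, or create the partition with cfdisk first")
    if kind != "part":
        raise ValueError(f"/dev/{name} is a {kind}, not a partition: create a partition on it with cfdisk first")
    groups = vgs_text.split()
    if len(groups) != 1:
        raise ValueError(f"expected exactly one volume group, found {groups}")
    group = groups[0]
    existing = set(pvs_text.split())
    on_new_disk = disk_of(name) not in {disk_of(pv.split("/")[-1]) for pv in existing}
    commands = ["sudo partprobe -s"]
    if f"/dev/{name}" in existing:
        commands.append(f"sudo pvresize /dev/{name}")
    else:
        commands += [f"sudo pvcreate /dev/{name}", f"sudo vgextend {group} /dev/{name}"]
        if on_new_disk:
            commands.append("sudo reboot")       # the guide reboots after vgextend on a new disk
    commands.append(f"sudo lvextend -r /dev/{group}/root /dev/{name}")
    if on_new_disk:
        commands.append("sudo reboot")           # and again after lvextend
    return commands


def preflight(partition, lsblk_text, pvs_text, vgs_text):
    """Return None when the plan is valid, otherwise the reason it is refused."""
    try:
        plan_lvm_growth(partition, lsblk_text, pvs_text, vgs_text)
        return None
    except ValueError as err:
        return str(err)
```

On the controller itself, feed the functions the live output of the three commands and run the returned list step by step; the value of doing the checks first is that a typo such as /dev/sdb instead of /dev/sdb1 is refused with a reason rather than handed to pvcreate.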
Custom Controller Web UI Certificates

The controller web server uses Transport Layer Security (TLS) to encrypt connections to the controller web UI. This requires the server to present a certificate to the client browser. Using the self-signed certificate installed by default does not allow the browser to validate the authenticity of the controller web UI, and leads to browser warnings about an untrusted web server. Instead of using a self-signed certificate, you can upload to the controller a custom public key server certificate and private key generated by your organization. This allows clients that connect to the controller web UI to properly validate the web server's authenticity. Note the following:

• You must upload both a server certificate and associated private key. Both must be in PEM format.
• You can also upload a trust chain of issuing CA certificates for the server certificate, concatenated with the server certificate in a single PEM file.
• You can upload an encrypted private key file. You must also create an additional file (sln_ssl.pass) with the cleartext password required to decrypt the private key file.

After you make these changes, restart the controller web UI processes.

Note: When you run the setup-system script, do not generate a new controller web UI certificate, as this will overwrite your custom certificate and private key. See Configuring the Controller with the Setup Script, on page 38 for more information.
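Before restarting the web UI processes, it is worth checking the three files the bullets above describe. The Python below is an added example, not from the Cisco guide: it confirms that the certificate file is PEM with the server certificate first and no key material in it, that the private key and sln_ssl.pass are not readable by group or others (the cat > sln_ssl.pass step in the next section creates the file with the login's default umask), and, using the ssl module the same way the web server does at start-up, that the key belongs to the certificate. The PEM stand-ins it writes are constructed and not valid certificates, so the match check returns False for them.

```python
import os
import re
import ssl
import stat
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_labels(path):
    """Return the BEGIN labels of the PEM blocks in a file, in file order."""
    with open(path, "r", encoding="ascii") as handle:
        return PEM_BLOCK.findall(handle.read())


def check_certificate_bundle(path):
    """Findings for the server certificate file (optionally followed by its CA chain)."""
    labels = pem_labels(path)
    findings = []
    if not labels:
        findings.append("no PEM blocks found")
    elif labels[0] != "CERTIFICATE":
        findings.append(f"first block is {labels[0]}, expected the server certificate")
    if any(label in KEY_LABELS for label in labels):
        findings.append("private key material must not be in the certificate file")
    return findings


def check_secret_file(path, expected_labels=None):
    """Findings for the private key or sln_ssl.pass: permission bits, and the PEM label if given."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{os.path.basename(path)} is readable by group/others (mode {mode:04o}); use chmod 600")
    if expected_labels is not None:
        labels = pem_labels(path)
        if len(labels) != 1 or labels[0] not in expected_labels:
            findings.append(f"expected one private key block, found {labels}")
    return findings


def key_matches_certificate(certfile, keyfile, password=None):
    """Ask OpenSSL (via the ssl module) whether the key belongs to the certificate.

    This is the same load the web server performs at start-up, including the
    password for an encrypted key. Returns False for a mismatch or unparsable PEM.
    """
    for path in (certfile, keyfile):
        if not os.path.isfile(path):
            raise FileNotFoundError(path)
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        context.load_cert_chain(certfile, keyfile, password)
        return True
    except OSError:          # ssl.SSLError is an OSError: bad PEM or key/cert mismatch
        return False


def write_sample_files(directory=None):
    """Constructed, non-functional PEM stand-ins for exercising the file checks offline."""
    directory = directory or tempfile.mkdtemp()
    cert = os.path.join(directory, "server-certificate.pem")
    key = os.path.join(directory, "server-key.pem")
    passfile = os.path.join(directory, "sln_ssl.pass")
    with open(cert, "w") as handle:    # server certificate first, then one issuing CA
        handle.write("-----BEGIN CERTIFICATE-----\nMIIBsample\n-----END CERTIFICATE-----\n" * 2)
    with open(key, "w") as handle:
        handle.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIEsample\n-----END ENCRYPTED PRIVATE KEY-----\n")
    with open(passfile, "w") as handle:
        handle.write("private-key-password\n")
    os.chmod(key, 0o644)               # deliberately loose, so the check flags it
    os.chmod(passfile, 0o600)
    return cert, key, passfile
```

On the controller, point the checks at /etc/ssl/certs/<your certificate>.pem, /etc/ssl/private/<your key>.pem and /etc/ssl/private/sln_ssl.pass; an empty findings list and a True match are what you want to see before sudo service ciscosln-viz restart.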
Uploading a Private Key Password

If your private key file is encrypted, you must create an sln_ssl.pass password file containing the cleartext password. After you create the file, you update the sln_ssl_certs.conf configuration file to point to the password file. See Uploading Custom Controller Web UI Certificates, on page 36 for more information.

Before You Begin
• Log into the controller VM console.

SUMMARY STEPS
1. cd /etc/ssl/private/
2. cat > sln_ssl.pass, then enter your password as cleartext, then press Ctrl + D.
3. cat sln_ssl.pass to verify the password

DETAILED STEPS

Step 1
  Command or Action: cd /etc/ssl/private/
  Purpose: Change to the /etc/ssl/private/ directory.
  Example:
    user@host:~$ cd /etc/ssl/private/

Step 2
  Command or Action: cat > sln_ssl.pass, then enter your password as cleartext, then press Ctrl + D.
  Purpose: Create the sln_ssl.pass password file, containing the private key cleartext password.
  Example:
    user@host:/etc/ssl/private$ cat > sln_ssl.pass
    private-key-password

Step 3
  Command or Action: cat sln_ssl.pass to verify the password
  Purpose: Verify that the sln_ssl.pass password file contains the correct cleartext password.
  Example:
    user@host:/etc/ssl/private$ cat sln_ssl.pass
What to Do Next
• Continue updating the configuration for your custom certificate and private key, as described in the next section.
Uploading Custom Controller Web UI Certificates
Before You Begin
• Log into the controller VM console.
• Upload your custom controller web UI server certificate, and chain of issuing CA certificates if applicable, in PEM format to the controller at /etc/ssl/certs.
• Upload your custom controller web UI server certificate private key in PEM format to the controller at /etc/ssl/private.
SUMMARY STEPS
1. cd /opt/cisco/sln/viz/conf/
2. sudo vi sln_ssl_certs.conf, then enter your password when prompted
3. Modify the ssl_certificate filepath to point to the custom server certificate PEM file.
4. Modify the ssl_certificate_key filepath to point to the custom server certificate private key PEM file.
5. If you uploaded an sln_ssl.pass password file, add ssl_password_file and a corresponding filepath after the ssl_certificate_key filepath.
6. Press Esc, then enter :wq!.
7. sudo service ciscosln-viz restart
DETAILED STEPS
Step 1
Command or Action: cd /opt/cisco/sln/viz/conf/
Purpose: Change to the /opt/cisco/sln/viz/conf/ directory.
Example:
user@host:~$ cd /opt/cisco/sln/viz/conf/
Step 2
Command or Action: sudo vi sln_ssl_certs.conf, then enter your password when prompted
Purpose: Open sln_ssl_certs.conf in the vi text editor as a superuser.
Example:
user@host:~/opt/cisco/sln/viz/conf$ sudo vi sln_ssl_certs.conf
Step 3
Command or Action: Modify the ssl_certificate filepath to point to the custom server certificate PEM file.
Purpose: Update sln_ssl_certs.conf to point to your custom server certificate.
Example:
ssl_certificate /etc/ssl/certs/server-certificate.pem
Step 4
Command or Action: Modify the ssl_certificate_key filepath to point to the custom server certificate private key PEM file.
Purpose: Update sln_ssl_certs.conf to point to your custom server certificate private key.
Example:
ssl_certificate_key /etc/ssl/certs/server-certificate-key.pem
Step 5
Command or Action: If you uploaded an sln_ssl.pass password file, add ssl_password_file and a corresponding filepath after the ssl_certificate_key filepath.
Purpose: Update sln_ssl_certs.conf to point to your private key password file.
Example:
ssl_certificate_key /etc/ssl/certs/server-certificate-key.pem
ssl_password_file /etc/ssl/private/sln_ssl.pass
Step 6
Command or Action: Press Esc, then enter :wq!.
Purpose: Save your changes, then exit the vi text editor.
Example:
:wq!
Step 7
Command or Action: sudo service ciscosln-viz restart
Purpose: Restart the controller web UI service.
Example:
user@host:~/opt/cisco/sln/viz/conf$ sudo service ciscosln-viz restart
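The edit in steps 3 to 5 is easy to get subtly wrong (a stale ssl_password_file left behind, a key or password file readable by every local user). The following is an added example, not Cisco's code or part of the web UI service: it rewrites the three directives in a constructed stand-in for sln_ssl_certs.conf, assuming the nginx-style "directive value;" line shape, and checks the uploaded PEM files before the restart in step 7.

```python
# Added example, not Cisco's code; the nginx-style "directive value;" shape is an assumption.
import os
import re
import stat
import tempfile

# The three directives steps 3 to 5 edit; every other line is copied through untouched.
DIRECTIVE_RE = re.compile(
    r"^(\s*)(ssl_certificate_key|ssl_certificate|ssl_password_file)\s+([^;]+);(.*)$")

# Constructed stand-in for the shipped file; only the directive lines matter here.
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/sln-viz.pem;
    ssl_certificate_key /etc/ssl/private/sln-viz-key.pem;
    ssl_protocols TLSv1.2;
}
"""

def update_ssl_directives(conf_text, cert_path, key_path, password_file=None):
    """Point the certificate directives at the custom files and return the new text.
    ssl_password_file is emitted directly after ssl_certificate_key when password_file is
    given (step 5) and dropped when it is None, so a stale password path cannot linger.
    """
    out, seen = [], set()
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            out.append(line)
            continue
        indent, name, _old_value, trailer = m.groups()
        if name == "ssl_certificate":
            out.append(f"{indent}ssl_certificate {cert_path};{trailer}")
        elif name == "ssl_certificate_key":
            out.append(f"{indent}ssl_certificate_key {key_path};{trailer}")
            if password_file:
                out.append(f"{indent}ssl_password_file {password_file};")
        # an existing ssl_password_file line is deliberately not copied (re-emitted above)
        seen.add(name)
    missing = {"ssl_certificate", "ssl_certificate_key"} - seen
    if missing:
        raise ValueError("config lacks directive(s): " + ", ".join(sorted(missing)))
    return "\n".join(out) + "\n"

def _owner_only(path):
    """True when no group/other permission bit is set (mode 0600 or stricter)."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0

def check_pem_files(cert_path, key_path, password_file=None):
    """Return a list of problems; an empty list means the upload looks consistent."""
    problems = []
    for path, marker in ((cert_path, b"CERTIFICATE"), (key_path, b"PRIVATE KEY")):
        if not os.path.isfile(path):
            problems.append(f"{path}: file is missing")
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if b"-----BEGIN" not in data or marker not in data:
            problems.append(f"{path}: not a PEM file containing a {marker.decode()}")
    if os.path.isfile(key_path):
        with open(key_path, "rb") as fh:
            key_data = fh.read()
        if not _owner_only(key_path):
            problems.append(f"{key_path}: private key is group/world readable")
        # matches both PKCS#8 'BEGIN ENCRYPTED PRIVATE KEY' and legacy 'Proc-Type: 4,ENCRYPTED'
        encrypted = b"ENCRYPTED" in key_data
        if encrypted and not password_file:
            problems.append(f"{key_path}: key is encrypted but no password file is configured")
        if password_file and not encrypted:
            problems.append(f"{password_file}: configured, but the key is not encrypted")
    if password_file:
        if not os.path.isfile(password_file):
            problems.append(f"{password_file}: file is missing")
        elif not _owner_only(password_file):
            problems.append(f"{password_file}: cleartext password is group/world readable")
    return problems

def demo():
    """Write constructed PEM placeholders to a temp dir; return (good, bad) problem lists."""
    d = tempfile.mkdtemp()
    cert, key, pw = (os.path.join(d, n) for n in
                     ("server-certificate.pem", "server-certificate-key.pem", "sln_ssl.pass"))
    with open(cert, "w") as fh:   # placeholder body, not a real certificate
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    with open(key, "w") as fh:    # placeholder for an encrypted PKCS#8 key
        fh.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n"
                 "-----END ENCRYPTED PRIVATE KEY-----\n")
    with open(pw, "w") as fh:
        fh.write("private-key-password\n")
    os.chmod(key, 0o600)
    os.chmod(pw, 0o600)
    good = check_pem_files(cert, key, pw)
    os.chmod(pw, 0o644)           # the common slip: password file left world readable
    bad = check_pem_files(cert, key, pw)
    return good, bad
```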
Controller Setup Script
The controller setup script directs you to configure the following controller settings:
Table 11: Controller Setup Script Settings
Setting | Required? | Description
eth0 interface | yes | basic interface configuration
controller web UI IPv4 address and hostname | yes | IP address and hostname to access the controller web UI
SSH service | recommended, but not required | enables SSH login
NTP server | yes | synchronizes time among controller, agent, and host Network Element
controller self-signed certificate, generated or provided | yes | encrypts management communication between controller and agent
controller web UI self-signed certificate, generated or provided | yes | encrypts connections to the controller web UI
DNS server | recommended, but not required | provides additional DNS-related context for anomalies
domain suffix search list | recommended, but not required | provides additional DNS-related context for anomalies
After you configure these settings, you can log into the controller web user interface to verify your settings. Note that the interface does not display anomalies, as the controller does not yet manage any agents.
Configuring the Controller with the Setup Script
If you need multiple interfaces on multiple subnets, when configuring networking, you can also configure eth1 and eth2.
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd ~/
2. sudo ./setup-system at the command prompt to run the setup script. Enter the administrator password if prompted.
3. y (configure networking)
4. 1 (configure eth0)
5. hostname, then hostname, then y to confirm
6. ipv4, then ipv4-address, then ipv4-netmask, then ipv4-gateway, then y to confirm
7. dns, then dns-servers, then y to confirm
8. search, then domain-suffixes, then y to confirm
9. view
10. exit
11. 4 (exit interface configuration)
12. y (enable SSH login)
13. y, then ntp-servers, then y to confirm
14. y (generate a controller certificate)
15. y (generate a controller web UI certificate), or n if you uploaded a custom certificate
16. y (specify the distinguished name if you generated a new certificate)
17. country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email if you generated a new certificate
DETAILED STEPS
Step 1
Command or Action: cd ~/
Purpose: Change directories.
Example:
user@host:~$ cd ~/
Step 2
Command or Action: sudo ./setup-system at the command prompt to run the setup script. Enter the administrator password if prompted.
Purpose: Run the setup script.
Example:
user@host:~$ sudo ./setup-system
Step 3
Command or Action: y (configure networking)
Purpose: Configure networking.
Step 4
Command or Action: 1 (configure eth0)
Purpose: Configure the eth0 interface.
Step 5
Command or Action: hostname, then hostname, then y to confirm
Purpose: Configure the controller VM hostname. You must enter a fully qualified domain name.
Step 6
Command or Action: ipv4, then ipv4-address, then ipv4-netmask, then ipv4-gateway, then y to confirm
Purpose: Configure the interface's IPv4 address, along with a netmask and gateway.
Step 7
Command or Action: dns, then dns-servers, then y to confirm
Purpose: Modify the virtual machine's list of DNS servers.
Step 8
Command or Action: search, then domain-suffixes, then y to confirm
Purpose: If you want to configure the domain suffix search list, run the search command.
Step 9
Command or Action: view
Purpose: View the interface's network settings, hostname, and DNS settings. If any of these are missing or incorrect, repeat that configuration.
Step 10
Command or Action: exit
Purpose: Save your changes and continue with interface configuration.
Step 11
Command or Action: 4 (exit interface configuration)
Purpose: Exit interface configuration and continue.
Step 12
Command or Action: y (enable SSH login)
Purpose: Enable SSH login.
Step 13
Command or Action: y, then ntp-servers, then y to confirm
Purpose: Configure NTP servers used to synchronize time between the controller and agent. Enter a space-delimited list of NTP server fully qualified domain names (FQDNs) or IPv4 addresses.
Step 14
Command or Action: y (generate a controller certificate)
Purpose: Generate a controller self-signed certificate, used for encrypting controller/agent communication.
Step 15
Command or Action: y (generate a controller web UI certificate), or n if you uploaded a custom certificate
Purpose: Generate a controller web UI self-signed certificate, used for encrypting user connections to the controller web user interface.
Step 16
Command or Action: y (specify the distinguished name if you generated a new certificate)
Purpose: Optionally, specify the certificate subject distinguished name (DN).
Step 17
Command or Action: country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email if you generated a new certificate
Purpose: Optionally, provide the DN information.
Controller Setup Script Example
The following displays excerpts from running the setup script, along with sample user inputs:
It's best to set up networking for eth0, and also DNS services
at this point.
Do you want to set up networking now? (y or n)[n]y
...
Enter an action (exit to exit): ipv4
Change IPv4 Address, Netmask, and Gateway
Interface eth0 is manually configured.
It will be changed to a 'static' configuration
using with the parameters provided.
A return (with no data) will cause the entry to remain unchanged.
enter new IPv4 address (w/optional "/masklen") [ ]: 209.165.201.2
enter new IPv4 netmask [ ]: 255.255.255.224
enter new IPv4 gateway (or "-" to delete) [ ]: 209.165.201.1
The following attributes will be changed:
new IPv4 address: 209.165.201.2
new IPv4 netmask: 255.255.255.224
new IPv4 gateway: 209.165.201.1
new IPv4 network: 209.165.201.0
new IPv4 broadcast: 209.165.201.255
is this correct? (y or n)[n] y
...
Enter new hostname [hostname]: newhostname
The hostname will be set to: newhostname
is this correct? (y or n)[n] y
...
Enter an action (exit to exit): dns
Change DNS Servers
Enter multiple DNS server IP addresses separated by spaces.
Enter new DNS Servers (or "-" to delete) []: 209.165.202.132 209.165.202.133
The DNS Servers will be set to: 209.165.202.132 209.165.202.133
is this correct? (y or n)[n] y
...
Enter an action (exit to exit): search
Change the DNS Suffix Search List
The DNS Search List is a list of one or more domain suffixes,
such as 'sales.example.com example.com', to allow identifying
hosts using a relative name, instead of a fully-qualified name.
Enter new DNS Search List []: sales.example.com example.com
The DNS Search List will be set to: sales.example.com example.com
is this correct? (y or n)[n] y
...
Enter an action (exit to exit): view
The current network configuration for eth0:
Operating state: UP
IPv4 Address: 209.165.201.2
IPv4 Netmask: 255.255.255.224
IPv4 Network: 209.165.201.0
IPv4 Broadcast: 209.165.201.255
IPv4 gateway: 209.165.201.1
Hostname: newhostname
DNS Server 1: 208.67.222.222
DNS Server 2: 208.67.220.220
Current interface: eth0
...
Enter an action (exit to exit): exit
...
Checking SSH service status
Do you want to enable SSH service now? (y or n)[n] y
...
Use of NTP synchronization between the SCA, DLAs, and Network Elements
is critical to the operation of SLN.
Do you want configure NTP servers now? (y or n)[n] y
Please enter a space-separated list of NTP server
FQDNs or IP addresses: 209.165.202.134 209.165.202.135
This will remove any configured NTP servers and add the
specified servers: 209.165.202.134 209.165.202.135
Do you want to proceed with this change? (y or n)[n] y
...
Do you want to make a self-signed certificate for the SCA?(y or n)[n] y
...
Do you want to generate a different Viz certificate?(y or n)[n] y
...
A simple Distinguished Name (DN) subject of "CN=Cisco_SLN_VIZ" will be
used in the certificate unless you prefer to specify the DN components.
Do you want to interactively specify the cert subject DN?(y or n)[n] y
...
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: State
Locality Name (eg, city) []: City
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Example Corporation
Organizational Unit Name (eg, section) []: Example Section
Common Name (e.g. server FQDN or YOUR name) []: www.example.com
Email Address []: [email protected]
...
Done. This script may be re-run to re-do basic setup if needed
Resetting the Administrator Password
After you run the setup-system script, reset the controller web UI administrator user account (admin) password. When you reset the password, the system prints a temporary password to the console, valid for 72 hours. You must log into the controller web UI as the admin user account, then update your password.
SUMMARY STEPS
1. cd ~/SCA
2. sudo service ciscosln-sca stop, then enter your password when prompted
3. ./sca.sh reset-admin-password
4. sudo service ciscosln-sca start
DETAILED STEPS
Step 1
Command or Action: cd ~/SCA
Purpose: Change directories to ~/SCA.
Example:
user@host:~$ cd ~/SCA
Step 2
Command or Action: sudo service ciscosln-sca stop, then enter your password when prompted
Purpose: Stop the controller processes.
Example:
user@host:~/SCA$ sudo service ciscosln-sca stop
Step 3
Command or Action: ./sca.sh reset-admin-password
Purpose: Reset the admin user account's password.
Example:
user@host:~/SCA$ ./sca.sh reset-admin-password
user@host:~/SCA$ Resetting the admin password in sln
user@host:~/SCA$ New password is 'AbCd1234'
user@host:~/SCA$ Admin password reset done.
Step 4
Command or Action: sudo service ciscosln-sca start
Purpose: Start the controller processes.
Example:
user@host:~/SCA$ sudo service ciscosln-sca start
Disabling Host Time Synchronization
After you reset the administrator password, configure the VM to disable host time synchronization. This ensures the VM synchronizes time with the configured NTP servers, instead of the ESXi host.
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. vmware-toolbox-cmd timesync disable
DETAILED STEPS
Step 1
Command or Action: vmware-toolbox-cmd timesync disable
Purpose: Modifies the .vmx virtual machine configuration file to disable time synchronization with the ESXi host.
Example:
user@host:~$ vmware-toolbox-cmd timesync disable
Logging into the Controller Web UI
When you installed the controller, you defined an IP address for the controller web UI, and reset the administrator user account (admin) password. Log in with the temporary password printed to the controller VM console. After you log in once, you must change the password and confirm the new password.
In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username and password when prompted.
Verifying NTP Configuration on the Controller
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. ntpq -n -p
DETAILED STEPS
Step 1
Command or Action: ntpq -n -p
Purpose: Display configured NTP servers. If the system does not display configured NTP servers, repeat NTP configuration in Configuring the Controller with the Setup Script, on page 38.
Example:
user@host:~$ ntpq -n -p
What to Do Next
• Update the controller certificate configuration settings, as described in the next section.
C H A P T E R 4
Controller and Agent Communications
The following describes how to configure public key certificate trust settings on your agent and controller, and how to manage agents with your controller.
• Configuring Controller/Agent Communications, page 47
• Controller and Agent Communications Overview, page 47
• Controller Certificate Management, page 48
• Updating Administrator Credentials, page 49
Configuring Controller/Agent Communications
The controller and agent pass management traffic over a management connection. Enable public key certificate trust settings on the controller. Then, log into the controller web UI to update the administrator credentials.
Step 1 Update the controller configuration file to manage certificate trust settings, including enabling TOFU and trusting self-signed agent certificates, and restart the controller processes. See Controller Certificate Management, on page 48 for more information.
Step 2 Update the administrator credentials for the controller web UI. See Updating Administrator Credentials, on page 49 for more information.
Controller and Agent Communications Overview
When you ran the controller setup scripts, you also generated public key certificates. The Learning Network License system implements certificate pinning to identify public key certificates.
On the controller, you can enable TOFU. On first connection, the controller adds the agent public key certificate to a trusted store. For future connections, when the agent connects to the controller, the controller compares the certificate to those stored in the trusted store. If the certificate matches a certificate in the store, the controller establishes the connection.
Enable TOFU on the controller, and then restart the controller processes to ensure the controller recognizes and trusts these certificates.
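The trust-on-first-use behaviour described above, as an added example that is not Cisco's code: a small model of the controller's trusted store that pins the SHA-256 fingerprint of whatever certificate an agent presents on its first connection and rejects any later mismatch. The certificates are constructed byte strings, and the allowSelfSignedCert check is modelled as a flag on the presented certificate, which is an assumption about how the controller represents it.

```python
# Added example, not Cisco's code. Certificates are stood in for by constructed bytes.
import hashlib
from dataclasses import dataclass, field


@dataclass
class PresentedCert:
    der: bytes            # certificate bytes as sent by the agent (constructed here)
    self_signed: bool     # True when issuer == subject (assumed representation)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes, colon separated like openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class ControllerTrustStore:
    trust_cert_on_first_use: bool = True     # trustCertOnFirstUse in sca.conf
    allow_self_signed_cert: bool = True      # allowSelfSignedCert in sca.conf
    pinned: dict = field(default_factory=dict)   # agent id -> pinned fingerprint
    events: list = field(default_factory=list)   # audit trail a defender would log

    def accept(self, agent_id: str, cert: PresentedCert) -> bool:
        """Decide whether the controller establishes the connection."""
        fp = fingerprint(cert.der)
        if cert.self_signed and not self.allow_self_signed_cert:
            self.events.append(f"{agent_id}: self-signed certificate refused ({fp})")
            return False
        known = self.pinned.get(agent_id)
        if known is None:
            if not self.trust_cert_on_first_use:
                self.events.append(f"{agent_id}: unknown certificate and TOFU disabled")
                return False
            self.pinned[agent_id] = fp           # first connection: add to the trusted store
            self.events.append(f"{agent_id}: pinned {fp} on first use")
            return True
        if known == fp:
            return True                           # matches the trusted store
        # A different certificate for an already pinned agent is rejected and logged; this is
        # the event an operator must investigate (planned rollover, or someone else answering).
        self.events.append(f"{agent_id}: fingerprint mismatch, expected {known}, got {fp}")
        return False


def demo():
    """Walk one controller through first use, a repeat connection, and a changed cert."""
    store = ControllerTrustStore()
    agent_cert = PresentedCert(b"constructed-agent-cert-v1", self_signed=True)
    other_cert = PresentedCert(b"constructed-agent-cert-v2", self_signed=True)
    results = [
        store.accept("dla-branch-1", agent_cert),   # first use: pinned, accepted
        store.accept("dla-branch-1", agent_cert),   # same certificate again: accepted
        store.accept("dla-branch-1", other_cert),   # different certificate: rejected
    ]
    strict = ControllerTrustStore(trust_cert_on_first_use=False)
    results.append(strict.accept("dla-branch-2", agent_cert))  # TOFU off, never seen: rejected
    return results, store.events
```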
Controller Certificate Management
Modify the controller configuration file to update certificate management settings. You can enable the controller to use self-signed agent certificates, and enable TOFU. After this, restart the controller processes.
Updating the Controller Configuration
The sca.conf configuration file contains several layers of nested brackets. When you update the file to add or update the dla node, make sure that you nest it within the sln bracket. See the following for an example.
sln {
  dla {
    security {
      allowSelfSignedCert = true
      trustCertOnFirstUse = true
      certRollover = true
    }
  }
}
You can also reference ~/SCA/sample_sca.conf for an example of syntax.
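Because a dla block placed beside sln instead of inside it is silently wrong, a check before the restart is worth having. The following is an added example, not Cisco's code: a minimal parser for the brace-nested "key = value" syntax shown above that only reports the TOFU settings when they sit at sln.dla.security. It handles just what the excerpt shows (nested blocks, key = value lines, # comments); the real sca.conf syntax may allow more, and the sample texts are constructed.

```python
# Added example, not Cisco's code; handles only the syntax the page excerpt shows.

def parse_nested_conf(text):
    """Parse 'name { ... }' blocks and 'key = value' lines into nested dicts."""
    root, stack = {}, []
    current = root
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            block = current.setdefault(name, {})
            stack.append(current)
            current = block
        elif line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            current = stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = {"true": True, "false": False}.get(value.lower(), value)
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if stack:
        raise ValueError("unterminated block: missing '}'")
    return root


TOFU_KEYS = ("allowSelfSignedCert", "trustCertOnFirstUse", "certRollover")


def tofu_settings(text):
    """Return the dla security settings only when they are nested as sln.dla.security."""
    conf = parse_nested_conf(text)
    try:
        security = conf["sln"]["dla"]["security"]
    except (KeyError, TypeError):
        raise ValueError("dla.security block is missing or not nested inside sln { }") from None
    return {key: security.get(key) for key in TOFU_KEYS}


def is_nested_correctly(text):
    """True when tofu_settings() accepts the text (convenient for a pre-restart check)."""
    try:
        tofu_settings(text)
        return True
    except ValueError:
        return False


# Constructed excerpt in the shape the page shows; a real sca.conf holds more settings.
GOOD_CONF = """
sln {
  dla {
    security {
      allowSelfSignedCert = true
      trustCertOnFirstUse = true
      certRollover = true   # trailing comment is ignored
    }
  }
}
"""

# The mistake the section warns about: dla placed beside sln rather than inside it.
BAD_CONF = """
sln {
}
dla {
  security {
    trustCertOnFirstUse = true
  }
}
"""
```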
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd ~/SCA
2. sudo vi sca.conf, then input your password when prompted
3. Update the configuration file to include or modify the configuration.
4. Press Esc, then enter :wq! and press Enter.
DETAILED STEPS
Step 1
Command or Action: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example:
user@host:~$ cd ~/SCA
Step 2
Command or Action: sudo vi sca.conf, then input your password when prompted
Purpose: Edit the sca.conf configuration file.
Example:
user@host:~/SCA$ sudo vi sca.conf
Step 3
Command or Action: Update the configuration file to include or modify the configuration.
Purpose: Update the configuration file to include allowSelfSignedCert = true, trustCertOnFirstUse = true, and certRollover = true.
Step 4
Command or Action: Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and exit the editor.
What to Do Next
• Restart the controller's processes, as described in the next section.
Restarting Controller Processes
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd ~/SCA
2. sudo service ciscosln-sca restart
DETAILED STEPS
Step 1
Command or Action: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example:
user@host:~$ cd ~/SCA
Step 2
Command or Action: sudo service ciscosln-sca restart
Purpose: Restart the controller processes.
Example:
user@host:~/SCA$ sudo service ciscosln-sca restart
Updating Administrator Credentials
Update your administrator credentials to log into the controller web UI. In a later step, the install script, located on the controller, adds deployed agents to the controller using these updated administrator credentials.
When you installed the controller, you defined an IP address for the controller web UI. Use the default login password (cisco) for the administrator user account (admin). After you log in once, you must change the password and confirm the new password.
In your web browser, navigate to https://sca-ip-address, then enter your controller web username and password when prompted.
What to Do Next
• Configure your ISR's NTP settings, as described in the next section.
C H A P T E R 5
Network Element Configuration
The following describes how to configure Flexible NetFlow, NTP servers, and SSH on your ISR.
• Configuring a Network Element, page 51
• NTP Configuration, page 51
• SSH Configuration, page 53
Configuring a Network Element
Configure NTP server addresses on the ISR to synchronize time between the controller, agent, and ISR. When you deploy agents to your network using the install script, the install script also configures Flexible NetFlow. See NetFlow Configuration, on page 131 for more information.
Note: NTP and DNS configuration are not required for deploying a virtual service. However, if you incorrectly enter NTP or DNS domain names or IP addresses on your ISR, you cannot deploy virtual services to it. Correctly enter the NTP and DNS server domain names or IP addresses.
Finally, make sure you configure outbound SSH on your ISR.
Step 1 Configure NTP on your ISR. See NTP Configuration, on page 51 for more information.
Step 2 Configure outbound SSH on your ISR. See SSH Configuration, on page 53 for more information.
NTP Configuration
To configure NTP server addresses on the ISR, associate the router management interface with the NTP servers. Alternatively, if you have a loopback interface already configured, you can use that instead to reference NTP servers.
Configuring NTP on the ISR
The agents deployed as a virtual service receive time from the host router. You must configure NTP servers on the ISR to ensure Learning Network License timestamps match, and to ensure that the system properly displays anomalies.
Note: NTP configuration is not required for deploying a virtual service. However, if you incorrectly configure NTP server domain names or IP addresses on the ISR, you cannot deploy virtual services to it. Correctly enter the NTP server domain names or IP addresses.
You can enter each command individually. You can also paste the commands from the example below into a text editor, update the variable, then paste all the updated commands into the command line.
enable
ntp source GigabitEthernet0/0/0
ntp server <ipv4-addresses>
exit
If you have an existing loopback interface, use that as the NTP source interface. Otherwise, use the router management interface.
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enable privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable
Step 2
Command or Action: ntp source GigabitEthernet0/0/0
Purpose: Use the GigabitEthernet0/0/0 interface to connect to an NTP server.
Example:
Router# ntp source GigabitEthernet0/0/0
Step 3
Command or Action: ntp server ipv4-addresses
Purpose: Specify the NTP servers the router synchronizes with. Define multiple addresses to specify backup NTP servers.
Example:
Router# ntp server 209.165.202.129 209.165.202.130
Step 4
Command or Action: show ntp association
Purpose: Display configured NTP servers. If the system does not display correctly configured NTP servers, repeat the configuration process.
Example:
Router# show ntp association
Step 5
Command or Action: exit
Purpose: Exit privileged EXEC mode.
Example:
Router# exit
SSH Configuration
Ensure that your Network Element has outbound SSH enabled for a username used to copy the agent OVA. When you configure the install.yaml install script properties file, you define dla_ova_copy: src_username with this username. See http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html for more information.
C H A P T E R 6
Virtual Service Install Script
The following describes how to deploy agents to your ISRs using the install script.
• Deploying Agents Using the Install Script, page 55
• ISR Hardware Configuration, page 55
• Install Script Overview, page 56
Deploying Agents Using the Install Script
After you install the controller, you can use an install script to deploy agents as virtual services on your ISRs. The install script references a properties file, which you update with deployment details. When you run the install script, it deploys multiple agents in parallel, if you defined multiple agents in the properties file. You can deploy multiple agents at once, depending on how you modify the properties file.
Step 1 Download the agent OVA file to the controller. See Downloading the OVA Files from Cisco, on page 21 for more information.
Step 2 Update the install and upgrade properties file with details of your deployment. See Updating the Agent Properties File, on page 69 for more information.
Step 3 Run the install script. See Running the Install Script, on page 71 for more information.
ISR Hardware Configuration
Before you deploy your agents as virtual services, ensure that your ISRs have enough RAM and the proper hardware installed, as described in ISR 4000 Series Platform Requirements, on page 12.
For more information on hardware installation, see the Hardware Installation Guide for the Cisco 4000 Series Integrated Services Router, at http://www.cisco.com/c/en/us/td/docs/routers/access/4400/hardware/installation/guide4400-4300/C4400_isr.html.
Install Script Overview
The controller includes an agent install and upgrade properties file (install.yaml), and an agent install script (installation_auto.py). Running the agent install script requires configuring the agent install and upgrade properties file with agent, ISR, and network settings. You can configure the file to deploy multiple agents at one time. This file contains global settings, which apply to all deployed agents, and branch-specific settings, which apply only to one ISR and agent.
Note: For a given version of the Learning Network License system, only the version of Ubuntu Linux shipped with the controller and agents is supported. Do NOT upgrade Ubuntu Linux on the controller or agent VMs.
When you run the install script, it reads the properties file, and does the following for each agent:
• uploads the OVA file to the ISR
• configures flexible NetFlow for Learning Network License
• configures a virtual service named sln and deploys the agent
• configures ISR and agent network settings
• adds the new agent to the controller
Install Script Deployment
Install Script Diagram
An agent may be installed as a virtual-service (container) in an ISR 4331, 4351, 4431, or 4451 router by running the installation_auto.py install and upgrade script. The controller contains the script, which you run from the controller command line. The script issues configuration commands on the router and the newly-created agent. It also adds the agent to the controller, so the user can issue further configuration changes from the controller web UI.
The script references the install.yaml properties file, also located on the controller. The following diagram tracks the various properties in the deployment process.
Figure 6: ISR and Agent Deployed as a Virtual Service
Agent Copy
The arrow labeled copy (scp) demonstrates the install script copying the agent .ova file from a network location of your choice to the Network Element (4331, 4351, 4431, or 4451 router). In this example, the script copies the file from the deployed controller using the SCP protocol to the ISR.
For all commands issued to the ISR, the script uses the configured credentials (ne_username, ne_password) to connect to the network element (ne_ctl_ip).
The following properties control how the script copies the file:
• src_host - the network location where the agent .ova file is copied from
• src_username - username used by the script to log into this network location
• src_password - password used by src_username
• src_ova_path - filepath and filename on the host where the agent .ova file is located
• dst_store - whether the script copies the .ova file to the branch router harddisk or bootflash
Cisco recommends you define the controller as the source host, upload the .ova to the controller, and copy the file to all branch routers.
Agent Virtual Service Creation
The center of the diagram shows the commands the script uses to create, install, and activate the agent as a virtual-service (container), and references the properties file to apply values to the variables.
The script creates the virtual-service with two virtual interfaces, using the interface VirtualPortGroup commands:
• ctl/mgmt - The control and management interface, used for agent/controller communication, to install mitigation policies on the router, and to receive NetFlow records from the router. This is VirtualPortGroup 1 on the router, and eth0 on the agent.
The script configures the ctl/mgmt interface without an IP address (using ip unnumbered), referencing the name of a router interface (parent-if-name) whose IP address is reachable by the controller.
The script also configures an ip route on the agent with a routable IP address (dla_ctl_ip) so the router forwards packets from the controller to the agent over the ctl/mgmt interface.
Note that you configure credentials for the agent to log into the router (dla_ne_login: username, dla_ne_login: password), to install mitigation policies, and collect information from the router.
• data xfer - The data transfer interface, used to send raw packet data from the router to the agent, when packet buffer capture (PBC) or DNS deep packet inspection (DNS/DPI) are enabled. This is VirtualPortGroup 2 on the router, and eth1 on the agent.
The script configures the data xfer interface with a private IP address (ne_ip) and netmask (ne_mask), since traffic across this interface never leaves the router.
After configuring the virtual interfaces, the script issues commands (virtual-service, vnic) to create the virtual-service named sln with two virtual interfaces reachable by the VirtualPortGroup 1 and VirtualPortGroup 2 interfaces on the router.
The script then issues an install command to install the agent .ova into the virtual service, then an activate command to activate the virtual service.
Finally, the script issues the connect command to log into the virtual service console to configure the following:
• the agent hostname (dla_hostname) and default gateway (dla_ctl_gw)
• the eth0 interface with a routable IP address (dla_ctl_ip) and netmask (dla_ctl_mask). The controller must be able to reach this address.
• the eth1 interface with a private IP address (dla_dat_ip) and netmask (dla_dat_mask)
Learning Network License NetFlow Configuration
The install script also issues commands to configure Flexible NetFlow (Version 9), as required for Learning Network License. The following diagram illustrates this configuration.
Figure 7: NetFlow Operation on the ISR
The script creates the following:
• SLN-NF-RECORD - a NetFlow flow record which defines key fields to match traffic, and non-key fieldsto collect
• SLN-NF-EXPORTER - a NetFlow flow exporter that references the agent dla_ctl_ip IP address to sendNetFlow data to the agent
• SLN-NF-MONITOR - a NetFlow flow monitor that references SLN-NF-RECORD to monitor input and outputtraffic coming over configured branch interfaces, and forwards it to SLN-NF-EXPORTER
The script also issues an interface command for each branch interface (branch-if1-names...) that youconfigure in the properties file. These branch interfaces are the router interfaces used to reach branch hosts.
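The configuration described above, checked from the router side, as an added example that is not part of the Cisco guide or its install script: given a captured show running-config and the branch interface names from the properties file, it confirms that the three NetFlow objects exist, that SLN-NF-EXPORTER points at the agent's dla_ctl_ip and exports NetFlow Version 9, and that every branch interface carries SLN-NF-MONITOR for both input and output traffic. The running-config excerpt is constructed; the record's match/collect fields and the exporter's UDP port are assumptions, since the guide names only the objects.

```python
"""Verify the Learning Network License Flexible NetFlow objects on an ISR.

Added example, not Cisco's code. SAMPLE_RUNNING_CONFIG is a constructed
`show running-config` excerpt; the match/collect fields and UDP port 2055
are assumptions, the guide only names SLN-NF-RECORD, SLN-NF-EXPORTER and
SLN-NF-MONITOR. GigabitEthernet0/0/2 deliberately lacks its output monitor
so the check has something to report."""

SAMPLE_RUNNING_CONFIG = """\
flow record SLN-NF-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 collect counter bytes
!
flow exporter SLN-NF-EXPORTER
 destination 10.10.20.5
 export-protocol netflow-v9
 transport udp 2055
!
flow monitor SLN-NF-MONITOR
 exporter SLN-NF-EXPORTER
 record SLN-NF-RECORD
!
interface GigabitEthernet0/0/1
 ip address 192.168.10.1 255.255.255.0
 ip flow monitor SLN-NF-MONITOR input
 ip flow monitor SLN-NF-MONITOR output
!
interface GigabitEthernet0/0/2
 ip address 192.168.20.1 255.255.255.0
 ip flow monitor SLN-NF-MONITOR input
!
"""


def parse_sections(config):
    """Split an IOS config into {stanza header: [child lines]} for top-level stanzas."""
    sections = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None          # '!' terminates a stanza in IOS output
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def check_netflow(config, dla_ctl_ip, branch_ifnames):
    """Return a list of findings; an empty list means the FNF configuration is complete."""
    s = parse_sections(config)
    findings = []

    record = s.get("flow record SLN-NF-RECORD")
    if record is None:
        findings.append("flow record SLN-NF-RECORD missing")
    elif not any(l.startswith("match ") for l in record):
        findings.append("SLN-NF-RECORD defines no key (match) fields")

    exporter = s.get("flow exporter SLN-NF-EXPORTER")
    if exporter is None:
        findings.append("flow exporter SLN-NF-EXPORTER missing")
    else:
        if f"destination {dla_ctl_ip}" not in exporter:
            findings.append(f"SLN-NF-EXPORTER destination is not the agent dla_ctl_ip {dla_ctl_ip}")
        if "export-protocol netflow-v9" not in exporter:
            findings.append("SLN-NF-EXPORTER is not exporting NetFlow Version 9")

    monitor = s.get("flow monitor SLN-NF-MONITOR")
    if monitor is None:
        findings.append("flow monitor SLN-NF-MONITOR missing")
    else:
        if "record SLN-NF-RECORD" not in monitor:
            findings.append("SLN-NF-MONITOR does not reference SLN-NF-RECORD")
        if "exporter SLN-NF-EXPORTER" not in monitor:
            findings.append("SLN-NF-MONITOR does not reference SLN-NF-EXPORTER")

    # The script applies the monitor to input and output on every branch interface.
    for ifname in branch_ifnames:
        lines = s.get(f"interface {ifname}")
        if lines is None:
            findings.append(f"interface {ifname} not found in running-config")
            continue
        for direction in ("input", "output"):
            if f"ip flow monitor SLN-NF-MONITOR {direction}" not in lines:
                findings.append(f"{ifname}: SLN-NF-MONITOR not applied to {direction} traffic")
    return findings


if __name__ == "__main__":
    for finding in check_netflow(SAMPLE_RUNNING_CONFIG, "10.10.20.5",
                                 ["GigabitEthernet0/0/1", "GigabitEthernet0/0/2"]):
        print("FINDING:", finding)
```

Run it against the real router by replacing SAMPLE_RUNNING_CONFIG with the output of show running-config and passing the dla_ctl_ip and ne_netflow_interfaces: ifnames values for that branch; a non-empty list is the reason the agent sees no flows.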
Agent Addition to the Controller
The script adds each agent to the controller, if not already added, using the RESTful API. The script logs intothe controller using the configured credentials (sca_webui_login: username, sca_webui_login: password).
The script uses the agent hostname (dla_hostname) or the IP address (dla_ctl_host_sca) if the agent hostnameis not resolvable in DNS.
Each agent is added to the controller as Disabled. You must log into the controller web UI to enable the agent.If you register your deployment with Smart Licensing, enabling the agent also consumes a license entitlement.
Agent Properties File Overview

The agent install and upgrade properties file (install.yaml), located on the controller, is in YAML format, and stores settings as key-value pairs. The install script uses these settings to deploy 1 or more agents. The controller contains an install.yaml.example file, which contains the basic YAML format and sample settings. You can rename this file to install.yaml and update the settings for your deployment.
The file stores global settings, which apply to all agent deployments. The file also stores per-branch settings,each set of which are applied to a specific ISR and agent. Per-branch settings override global settings. If youdefine a setting both as global and as per-branch for certain branches, the install script selects the per-branchsetting when defined, and the global setting when the per-branch setting is not defined.
You define usernames and passwords in the properties file, which the install script uses to access ISRs, thecontroller, and agents. If you comment out a password property by placing a pound sign (#) at the beginningof that line, the script prompts you for that password while running. However, if you comment out thedla_password or ne_password property as a global setting, the script prompts you for the first agent wherethe property is not defined. It then uses the password you enter for every agent which does not have theproperty defined.
Note: Usernames and passwords added to the properties file remain in the file after you finish deploying the agents. If this is a security concern, remove them after the deployment completes, or leave the password properties commented out so the script prompts for them at run time instead of reading them from disk.
Agent Properties File Settings
Global Property Settings
The following are the global property settings. You can define any of these per-branch, except for the sca_webui_login settings. If you define dla_ova_copy: src_host, dla_ova_copy: src_username, or dla_ova_copy: src_password per-branch, you must also define each setting globally. Note that the per-branch setting overrides the global setting.
When you run the script, it prompts you for any password you do not define.
Note: The syntax below is presented as an example. Do not copy and paste this into the property file. Improper formatting and spacing in the property file will cause the script to fail.
dla_ova_copy:
  src_host: <source-host-ip>
  src_username: <source-host-user>
  src_password: <source-host-password>
  src_ova_path: <source-host-ova-filepath>
  dst_store: <dest-store-location>
vir_portgroup_1:
  ip_unnum: <parent-interface>
  vrf_forwarding: <parent-interface-vrf>
vir_portgroup_2:
  ne_ip: <private-ip-1>
  ne_mask: <private-ip-1-mask>
  dla_dat_ip: <private-ip-2>
  dla_dat_mask: <private-ip-2-mask>
ne_username: <ne-user>
ne_password: <ne-password>
ne_port: <tcp-port>
dla_password: <dla-password>
dla_ne_login:
  username: <dla-ne-user>
  password: <dla-ne-password>
sca_webui_login:
  username: <sca-user>
  password: <sca-password>
Table 12: dla_ova_copy Properties

Property: dla_ova_copy
  Required: n/a
  Validation: n/a
  Description: group of properties used to copy the agent OVA from a source host that is capable of SCP file copying, such as the controller, to the ISR

Property: src_host
  Required: yes
  Validation: IPv4 address or DNS name
  Description: IP address of the host containing the agent OVA, from which the script copies the file

Property: src_username
  Required: yes
  Validation: string
  Description: username the script uses to log into the Linux console of the host containing the agent OVA

Property: src_password
  Required: yes
  Validation: string, cannot be NULL
  Description: password for src_username

Property: src_ova_path
  Required: yes
  Validation: string, must contain filepath and filename
  Description: filepath on the source host where the agent OVA is located, such as /home/sln/agent.ova, in quotation marks

Property: dst_store
  Required: yes
  Validation: bootflash or harddisk
  Description: bootflash to upload the agent OVA to the ISR's flash memory, or harddisk to upload the agent OVA to the ISR's hard drive. Specify bootflash only if your ISR does not have a hard drive installed. If your ISR has a hard drive, and you specify bootflash, the script ignores the setting and uploads to the hard drive.
Table 13: vir_portgroup_1 Properties

Property: vir_portgroup_1
  Required: n/a
  Validation: n/a
  Description: group of properties used to create the VirtualPortGroup 1 virtual interface

Property: ip_unnum
  Required: yes
  Validation: string
  Description: name of an interface on your ISR through which the controller can reach the agent. The script uses this to configure the Network Element side of the ctl/mgmt interface.

Property: vrf_forwarding
  Required: no, see Configuring VRF Forwarding on the ISR, on page 68 for more information
  Validation: string
  Description: name of the non-default VRF instance on your ISR that the ip_unnum interface belongs to. If you added the interface to a non-default VRF instance, you must configure this so the script can properly copy the OVA file to the router.
Table 14: vir_portgroup_2 Properties

Property: vir_portgroup_2
  Required: n/a
  Validation: n/a
  Description: group of properties used to create the VirtualPortGroup 2 virtual interface

Property: ne_ip
  Required: yes
  Validation: IPv4 address
  Description: Network Element IP address on the virtual-service Data Transfer interface. The script uses this to configure the Network Element side of the Data Transfer interface. Because traffic over this interface does not leave the router, specify a private IP address.

Property: ne_mask
  Required: no
  Validation: subnet mask
  Description: the netmask for ne_ip

Property: dla_dat_ip
  Required: yes
  Validation: IPv4 address
  Description: Agent IP address on the virtual-service Data Transfer interface. The script uses this to configure the agent side of the Data Transfer interface. Because traffic over this interface does not leave the router, specify a private IP address.

Property: dla_dat_mask
  Required: no
  Validation: subnet mask
  Description: the netmask for dla_dat_ip
Table 15: ne_username Property

Property: ne_username
  Required: yes
  Validation: string
  Description: a username with a privilege level of 15 that the install script uses to log into the ISR, to execute CLI commands. Because privilege level 15 gives full control of the router, use a dedicated account for the deployment rather than a shared administrative one.
Table 16: ne_password Property

Property: ne_password
  Required: no, the script prompts you if not defined. If you do not define the ne_password property as a global property, the script prompts you the first time it attempts to deploy an agent where the configured branch properties also do not contain ne_password. However, the script reuses that password for every remaining agent deployment for which ne_password is not defined.
  Validation: string, cannot be NULL
  Description: the password for ne_username
Table 17: ne_port Property

Property: ne_port
  Required: no
  Validation: integer
  Description: the TCP port the upgrade script uses when connecting via SSH to the ISR. If undefined, this defaults to 22.
Table 18: dla_password Property

Property: dla_password
  Required: no, the script prompts you if commented out. If you do not define the dla_password property as a global property, the script prompts you the first time it attempts to deploy an agent where the configured branch properties also do not contain dla_password. However, the script reuses that password for every remaining agent deployment for which dla_password is not defined.
  Validation: string, cannot be NULL, must be a minimum of 6 characters
  Description: password configured for the agent admin account when the script deploys the agent, to replace the default admin password
Table 19: dla_ne_login Properties

Property: dla_ne_login
  Required: n/a
  Validation: n/a
  Description: group of properties used to define agent credentials to log into the Network Element

Property: username
  Required: yes
  Validation: string
  Description: username the agent uses to log into the ISR to learn about interfaces and install mitigations.

Property: password
  Required: no, the script prompts you if commented out
  Validation: string, cannot be NULL
  Description: password for the agent username
Table 20: sca_webui_login Properties

Property: sca_webui_login
  Required: n/a
  Validation: n/a
  Description: group of properties used to define install script credentials to log into the controller web UI

Property: username
  Required: yes
  Validation: string
  Description: username the script uses to log into the controller web UI to add agents to the controller, and configure agent attributes.

Property: password
  Required: no, the script prompts you if commented out
  Validation: string, cannot be NULL
  Description: password to log into the controller.
Branch-Specific Property Settings
The following are the branch-specific property settings. For each new set of branch settings, you must prefacethem with a dash (-).
Note: The syntax below is presented as an example. Do not copy and paste this into the property file. Improper formatting and spacing in the property file will cause the script to fail.

branches:
  - ne_ctl_ip: <parent-interface-ip>
    dla_ctl_ip: <control-ip>
    dla_ctl_mask: <control-ip-mask>
    dla_ctl_gw: <control-ip-gateway>
    dla_hostname: <dla-hostname>
    dla_description: <dla-description>
    ne_netflow_interfaces:
      ifnames: ['<branch-interface-1>', '<branch-interface-2>', '<branch-interface-N>', ...]
    dla_ctl_host_sca: <dla-ip-for-sca>

The dla_description and ne_ctl_ip properties can only be updated through the install script on initial agent installation. If you want to update the agent description after installation, modify it in the controller web UI. See the Cisco Stealthwatch Learning Network License Configuration Guide for more information.
Table 21: branches Properties

Property: branches
  Required: n/a
  Validation: n/a
  Description: group of settings used to configure a specific agent on a branch Network Element

Property: ne_ctl_ip
  Required: yes. You can only modify this on initial agent installation.
  Validation: IPv4 address
  Description: IP address for the physical interface defined for vir_portgroup_1: ip_unnum that the script uses to connect to the network element, and to add an agent to the controller

Property: dla_ctl_ip
  Required: yes
  Validation: IPv4 address
  Description: a routable IP address for the agent on the control interface that the ne_ctl_ip can reach, so the controller can reach the agent

Property: dla_ctl_mask
  Required: yes
  Validation: subnet mask
  Description: mask for dla_ctl_ip

Property: dla_ctl_gw
  Required: yes
  Validation: IPv4 address
  Description: default gateway the agent uses for non-local destinations, generally the same IP address as ne_ctl_ip

Property: dla_hostname
  Required: yes
  Validation: string
  Description: agent hostname, used by the script to generate unique names for per-branch log files, used by the controller to connect to the dla_ctl_ip, and used by the controller web UI as the agent's unique name

Property: dla_description
  Required: no. If undefined, the script populates the description with the dla_hostname value, or the dla_ctl_host_sca IP address if you defined it. You can only modify this on initial agent installation.
  Validation: string, up to 256 characters, surrounded by double quotation marks (")
  Description: agent description

Property: ne_netflow_interfaces: ifnames
  Required: yes
  Validation: a comma-delimited array, surrounded by brackets ([]), with each interface name surrounded by single quotes (')
  Description: a list of ISR branch-facing interfaces on which the script configures Flexible NetFlow for Learning Network License

Property: dla_ctl_host_sca
  Required: no
  Validation: IPv4 address
  Description: agent IP address used by the controller to reach the agent if the agent hostname is not resolvable in DNS, or if the agent control IP address is behind a NAT or PAT. If you do not define this, the script adds the agent to the controller using the dla_hostname value.
Configuring VRF Forwarding on the ISR
In the install.yaml properties file, if you added the vir_portgroup_1: ip_unnum interface to a non-defaultVPN routing and forwarding (VRF) instance on your ISR, you must define the vir_portgroup_1:vrf_forwarding property in the file. This allows the script to properly copy the .ova file to the router usingSCP.
On the ISR, you must also configure the vir_portgroup_1: ip_unnum interface as the source address for anSSH client device, so the script can properly copy the .ova file.
Before You Begin
• Define vrf_forwarding in the install.yaml properties file. See Agent Properties File Settings, on page 60 for more information.
• Log into the ISR console.
SUMMARY STEPS
1. enable
2. config t
3. ip ssh source-interface <ip_unnum>
4. exit
DETAILED STEPS

Step 1: enable
  Purpose: Enable privileged EXEC mode.
  Example: Router> enable

Step 2: config t
  Purpose: Enter global configuration mode.
  Example: Router# config t

Step 3: ip ssh source-interface <ip_unnum>
  Purpose: Specify the ip_unnum interface as the source interface for the router's SSH client, so the script's SCP copy of the .ova file is sourced from that interface's address.
  Example: Router(config)# ip ssh source-interface GigabitEthernet0/0/0

Step 4: exit
  Purpose: Exit global configuration mode and return to privileged EXEC mode.
  Example: Router(config)# exit
Updating the Agent Properties File
Before You Begin
• Log into the controller VM console with the username sln.
SUMMARY STEPS
1. cd /opt/cisco/sln/install_upgrade/container
2. cp install.yaml.example install.yaml
3. vi install.yaml, then enter your password when prompted.
4. Using Agent Properties File Settings, on page 60 as a guide, update the properties file with the necessary settings.
5. Press Esc, then enter :wq! and press Enter.
DETAILED STEPS

Step 1: cd /opt/cisco/sln/install_upgrade/container
  Purpose: Navigate to the /container directory.
  Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container

Step 2: cp install.yaml.example install.yaml
  Purpose: Copy the install.yaml.example file to install.yaml.
  Example: user@host:/opt/cisco/sln/install_upgrade/container$ cp install.yaml.example install.yaml

Step 3: vi install.yaml, then enter your password when prompted.
  Purpose: Open the install.yaml install and upgrade properties file in the vi text editor.
  Example: user@host:/opt/cisco/sln/install_upgrade/container$ vi install.yaml

Step 4: Using Agent Properties File Settings, on page 60 as a guide, update the properties file with the necessary settings.
  Purpose: Update the properties file with the necessary settings.

Step 5: Press Esc, then enter :wq! and press Enter.
  Purpose: Save your changes and close the file.
What to Do Next
• Run the install script, as described in Install Script Operation, on page 70.
Install Script Operation

The install script (installation_auto.py) deploys agents as virtual services based on settings in the agent install and upgrade properties file (install.yaml). You configure the properties file and run the install script from the controller, which contains both by default.
Based on the properties file settings and the script options you select, the script attempts to deploy agents inbatches, copying the .ova file to the ISR, then deploying it.
Note: The script copies the .ova file to the ISR based on the properties file settings. However, if you copy the .ova file to the ISR yourself, and configure the properties file setting to upload the .ova to the same filepath, the script deploys the agent using the .ova file already on the ISR, without re-copying it, unless you run it with the -f option. Verify the checksum of any .ova you pre-stage on the router before relying on it.
As the script runs, it displays progress updates on the console every 10 seconds. These updates display thetotal number of agents to deploy, the number in progress, and the number that succeeded and failed.
If you commented out password properties in the install.yaml properties file, the script prompts you duringthe progress updates. For agent passwords, if you did not define a global password, the first time the scriptdeploys an agent without a password defined, it prompts you for the password, then uses this password forall remaining agents without a password defined. The script also logs its progress to several log files.
You can exit the script at any time by pressing Ctrl-C.
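How the script resolves settings for each branch, as an added example that is not Cisco's installation_auto.py: it applies the override rules from Agent Properties File Overview (per-branch values win over global ones, sca_webui_login is global only, a per-branch dla_ova_copy src_* setting must also exist globally), implements the password behaviour described above (a password left undefined is prompted for once, then reused for every later branch that also leaves it undefined), and applies the validation rules from the property tables. The properties dict is a constructed stand-in for a parsed install.yaml (yaml.safe_load on the real file produces the same shape); interface names, addresses and usernames in it are made up.

```python
"""Resolve effective per-branch settings from an install.yaml-shaped dict.

Added example, not Cisco's install script. PROPERTIES is constructed:
ne_password and dla_password are absent globally, as if commented out with
'#', so the script must prompt for them."""
import ipaddress

PROPERTIES = {
    "vir_portgroup_1": {"ip_unnum": "GigabitEthernet0/0/0"},
    "vir_portgroup_2": {"ne_ip": "10.255.0.1", "ne_mask": "255.255.255.252",
                        "dla_dat_ip": "10.255.0.2", "dla_dat_mask": "255.255.255.252"},
    "ne_username": "sln-deploy",
    "ne_port": 22,
    "dla_ne_login": {"username": "sln-agent", "password": "agent-pass-1"},
    "sca_webui_login": {"username": "admin", "password": "controller-pass"},
    "branches": [
        {"ne_ctl_ip": "192.0.2.1", "dla_ctl_ip": "192.0.2.10",
         "dla_ctl_mask": "255.255.255.0", "dla_ctl_gw": "192.0.2.1",
         "dla_hostname": "branch1-dla",
         "ne_netflow_interfaces": {"ifnames": ["GigabitEthernet0/0/1"]}},
        {"ne_ctl_ip": "198.51.100.1", "dla_ctl_ip": "198.51.100.10",
         "dla_ctl_mask": "255.255.255.0", "dla_ctl_gw": "198.51.100.1",
         "dla_hostname": "branch2-dla",
         "ne_port": 2222,                  # per-branch override of the global value
         "dla_password": "branch2-only",   # defined here, so no prompt for this branch
         "ne_netflow_interfaces": {"ifnames": ["GigabitEthernet0/0/1", "GigabitEthernet0/0/2"]}},
    ],
}

GLOBAL_ONLY = {"sca_webui_login"}
PROMPTED = ("ne_password", "dla_password")
OVA_COPY_NEEDS_GLOBAL = ("src_host", "src_username", "src_password")


def validate(s):
    """Checks taken from the property tables: IPv4 fields, password length,
    description length, and the ifnames array."""
    errors = []
    for key in ("ne_ctl_ip", "dla_ctl_ip", "dla_ctl_gw"):
        try:
            ipaddress.IPv4Address(s[key])
        except (KeyError, ValueError):
            errors.append(f"{key} must be an IPv4 address")
    if len(str(s.get("dla_password", ""))) < 6:
        errors.append("dla_password must be at least 6 characters")
    if len(str(s.get("dla_description", ""))) > 256:
        errors.append("dla_description exceeds 256 characters")
    ifnames = s.get("ne_netflow_interfaces", {}).get("ifnames")
    if not isinstance(ifnames, list) or not ifnames:
        errors.append("ne_netflow_interfaces: ifnames must be a non-empty list")
    return errors


def resolve_branches(props, prompt):
    """Yield (effective settings, errors) for each branch. prompt(key) is called
    at most once per key: the first branch that leaves it undefined triggers the
    prompt, and the answer is reused for every later branch that also omits it."""
    prompt_cache = {}
    globals_ = {k: v for k, v in props.items() if k != "branches"}
    for branch in props.get("branches", []):
        errors = [f"{k} may only be defined globally" for k in GLOBAL_ONLY if k in branch]
        for k in OVA_COPY_NEEDS_GLOBAL:
            if k in branch.get("dla_ova_copy", {}) and k not in globals_.get("dla_ova_copy", {}):
                errors.append(f"dla_ova_copy: {k} defined per-branch must also be defined globally")
        effective = dict(globals_)
        for key, value in branch.items():
            if isinstance(value, dict) and isinstance(effective.get(key), dict):
                effective[key] = {**effective[key], **value}   # per-branch keys override
            else:
                effective[key] = value
        for key in PROMPTED:
            if effective.get(key) is None:
                if key not in prompt_cache:
                    prompt_cache[key] = prompt(key)
                effective[key] = prompt_cache[key]
        errors.extend(validate(effective))
        yield effective, errors


if __name__ == "__main__":
    import getpass
    for eff, errs in resolve_branches(PROPERTIES, lambda k: getpass.getpass(f"{k}: ")):
        print(eff["dla_hostname"], "ssh port", eff["ne_port"], errs or "ok")
```

Running the block interactively prompts once for ne_password and once for dla_password (branch2 supplies its own dla_password, so that prompt's answer is applied to branch1 only), which is the reuse behaviour to expect from the real script when you leave those properties commented out.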
Install Script Options

Append the following options to the command line when running the script for the following functionality:
Table 22: Install Script Options

Option: -b <integer>
  Description: Configure the script to deploy this number of agents in a batch at one time. The script defaults to deploying 50 agents in a batch. If you notice failed deployments when running the script, try lowering the batch size.

Option: -c install.yaml
  Description: Reference the install.yaml properties file.

Option: --clean_only
  Description: Removes all Learning Network License configuration and the virtual service from the ISR. If you want to upgrade your agents to the same version, run the script using --clean_only first, then run the script without --clean_only.

Option: -f
  Description: Copies the .ova file specified in the properties file to the destination filepath on the ISR, even if an .ova file with the same name is present at that destination filepath.

Option: -i
  Description: Deploy all agents configured in the properties file, even if they have been previously installed successfully. If you do not define this option, the script only deploys agents that previously failed to deploy properly.

Option: -h
  Description: Show help for options.

Option: -v
  Description: Perform local validation of the referenced properties file.

Option: -V
  Description: Perform validation of the referenced properties file, including connecting to the network element and validating interface names.
Run a basic installation from the controller command line with the following command:

installation_auto.py -c install.yaml
Running the Install Script
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd /opt/cisco/sln/install_upgrade/container
2. installation_auto.py -c install.yaml, then enter your password when prompted
3. If you did not update install.yaml with passwords, enter those when prompted.
DETAILED STEPS

Step 1: cd /opt/cisco/sln/install_upgrade/container
  Purpose: Navigate to the /container directory.
  Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container

Step 2: installation_auto.py -c install.yaml, then enter your password when prompted
  Purpose: Run the installation_auto.py install script.
  Example: user@host:/opt/cisco/sln/install_upgrade/container$ installation_auto.py -c install.yaml

Step 3: If you did not update install.yaml with passwords, enter those when prompted.
  Purpose: Provide passwords when prompted.
Script Logs

The install script logs to multiple files on the controller at /opt/cisco/sln/install_upgrade/container/LOGS for virtual service agents. These files include:
• aa_summary - The pass/fail status for each agent deployment. By default, the script references this file,and only deploys agents that failed to deploy properly.
• <dla-hostname>_commands - The ISR and agent commands the script ran successfully for this agent.
• <dla-hostname>_logs - The installation information logged as the script ran for this agent, includingerror information.
Each time you run the install script, it replaces the contents of /opt/cisco/sln/install_upgrade/container/PREV_RUN with the existing log files from the LOGS folder (so only the previous run's logs are retained), and generates new log files in the LOGS folder. Copy logs you need to keep out of PREV_RUN before the next run.
Accessing the Install Script Logs
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd /opt/cisco/sln/install_upgrade/container/LOGS
2. vi <logfile>
DETAILED STEPS

Step 1: cd /opt/cisco/sln/install_upgrade/container/LOGS
  Purpose: Navigate to the /LOGS directory.
  Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container/LOGS

Step 2: vi <logfile>
  Purpose: Open the log file in the vi text editor.
  Example: user@host:/opt/cisco/sln/install_upgrade/container/LOGS$ vi aa_summary
C H A P T E R 7 Agent Management
The following describes how to enable Smart Licensing on your controller and manage agents.
• Managing and Licensing Agents, page 75
• Smart Licensing Overview, page 75
• Interface Configuration, page 81
• Enabling Agents on the Controller, page 83
• Configuring Agent Network Settings, page 83
• Agent Configuration Templates, page 84
Managing and Licensing Agents

After you run the install script, you can register Smart Licensing on your controller, then enable the managed agents.
Step 1: Log into the controller and register Smart Licensing. See Smart Licensing Overview, on page 75 for more information.
Step 2: Enable your agents on the controller. See Enabling Agents on the Controller, on page 83 for more information.
Smart Licensing Overview

To deploy the Learning Network License, you must register your controller with Cisco Smart Licensing. If you do not, your deployment enters Evaluation Mode, a 90-day trial which limits you to a maximum of 10 managed agents, and disables new functionality when the 90 days expire.
Cisco Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorizationkey (PAK) licenses, Smart Licenses are not tied to a specific serial number or license key. Smart Licensinglets you assess your license usage and needs at a glance.
In addition, Smart Licensing does not prevent you from deploying agents. You can deploy an agent andpurchase the license later. This allows you to deploy and use an agent, and avoid delays due to purchase orderapproval.
Smart Software Manager

When you purchase one or more Smart Licenses, you manage them in the Cisco Smart Software Manager: http://www.cisco.com/web/ordering/smart-software-manager/index.html. The Smart Software Manager lets you create a master account for your organization.
By default, your licenses are assigned to the Default Virtual Account under your master account. As theaccount administrator, you can create additional virtual accounts; for example, for regions, departments, orsubsidiaries. Multiple virtual accounts help you manage large numbers of licenses and appliances.
You manage licenses and appliances by virtual account. Only that virtual account’s appliances can use thelicenses assigned to the account. If you need additional licenses, you can transfer an unused license fromanother virtual account. You can also transfer appliances between virtual accounts.
For each virtual account, you can create a Product Instance Registration Token. Enter this token ID when youregister a controller. You can create a new token if an existing token expires. An expired token does not affecta registered controller that used this token for registration, but you cannot use an expired token to register acontroller. Also, a registered controller becomes associated with a virtual account based on the token you use.You can also create a new token, and use it to reregister even if the current token is still valid.
For more information about the Cisco Smart Software Manager, see Cisco Smart Software Manager UserGuide.
Smart License Types

Each Learning Network License component has a corresponding license entitlement, as described in the following table:
Table 23: Smart License Entitlement Types

Component: controller
  License Entitlement and Description: L-SW-SCA-K9 - SCA Virtual Manager
  Associated File Downloads and Description: sln-sca-k9-<ver>.ova - single controller OVA

Component: agent deployed as a virtual service on an ISR 43XX
  License Entitlement and Description:
    L-SW-LN-43-1Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 1 Yr Term
    L-SW-LN-43-3Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 3 Yr Term
  Associated File Downloads and Description:
    sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD
    sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash

Component: agent deployed as a virtual service on an ISR 44XX
  License Entitlement and Description:
    L-SW-LN-44-1Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 1 Yr Term
    L-SW-LN-44-3Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 3 Yr Term
  Associated File Downloads and Description:
    sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD
    sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash

Component: agent installed on a UCS E-Series blade server
  License Entitlement and Description:
    L-SW-LN-UCS-1Y-K9 - Cisco Stealthwatch Learning Network License for UCS Series 1 Yr Term
    L-SW-LN-UCS-3Y-K9 - Cisco Stealthwatch Learning Network License for UCS Series 3 Yr Term
  Associated File Downloads and Description: sln-dla-ucse-k9-<ver>.ova - agent deployed to a UCS E-Series blade server
You must obtain one license entitlement for each controller and agent deployed to your environment.
The controller web UI displays license entitlement counts for your agents. When you enable a managed agentwith the controller, the Smart Licensing Agent automatically requests a license entitlement for that agent,specific to that installation type. It also updates the license count. Similarly, when you disable a managedagent from the controller, the Smart Licensing Agent requests to free the license entitlement, and updates thelicense count.
For more information on Smart Licensing, see http://www.cisco.com/web/ordering/smart-software-manager/smart-accounts.html.
Smart Licensing Configuration

By default, the controller connects directly to the Licensing Authority servers. You can configure the sa.properties Smart Licensing configuration file to connect to the Licensing Authority servers through an HTTP or HTTPS proxy server.
By default, the controller logs information about Smart Licensing. You can disable this in the sa.propertiesconfiguration file.
Smart Licensing Configuration File Settings

If you want to change how your controller connects to the Licensing Authority servers, you can configure an HTTP proxy or an HTTPS proxy. You cannot configure more than one.
Table 24: sa.properties Configuration File Settings

Field: PRODUCT_SN
  Description: A globally unique identifier for the controller generated by the system during the installation process
  Allowed Values: not configurable, do not modify this property even if blank

Field: HTTP_PROXY_HOST
  Description: URL of the HTTP proxy used to connect to the Licensing Authority servers
  Allowed Values: URL of the HTTP proxy. Do not configure this if you configured HTTPS_PROXY_HOST.

Field: HTTP_PROXY_PORT
  Description: HTTP proxy port used to connect to the Licensing Authority servers
  Allowed Values: HTTP proxy port. Do not configure this unless you configured HTTP_PROXY_HOST.

Field: HTTPS_PROXY_HOST
  Description: URL of the HTTPS proxy used to connect to the Licensing Authority servers
  Allowed Values: URL of the HTTPS proxy. Do not configure this if you configured HTTP_PROXY_HOST.

Field: HTTPS_PROXY_PORT
  Description: HTTPS proxy port used to connect to the Licensing Authority servers
  Allowed Values: HTTPS proxy port. Do not configure this unless you configured HTTPS_PROXY_HOST.

Field: LOGGER_ON
  Description: Whether Smart Licensing logging is enabled or disabled
  Allowed Values: true to enable logging, false to disable logging
Updating the Smart Licensing Configuration File
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd ~/SCA/services/sa-server
2. sudo vi sa.properties, then enter your password when prompted
3. You have the following options:
   • To connect to the License Authority servers through an HTTP proxy, configure the HTTP_PROXY_HOST setting with the HTTP proxy URL, and optionally configure the HTTP_PROXY_PORT setting with a port to use.
   • To connect to the License Authority servers through an HTTPS proxy, configure the HTTPS_PROXY_HOST setting with the HTTPS proxy URL, and optionally configure the HTTPS_PROXY_PORT setting with a port to use.
4. If you want to disable Smart Licensing logging, update LOGGER_ON to false.
5. Press Esc, then enter :wq! and press Enter.
6. more sa.properties, to review the file for errors
DETAILED STEPS

Step 1: cd ~/SCA/services/sa-server
  Purpose: Change directories to the /sa-server directory.
  Example: user@host:~$ cd ~/SCA/services/sa-server

Step 2: sudo vi sa.properties, then enter your password when prompted
  Purpose: Open sa.properties in the vi text editor with super user privileges.
  Example: user@host:~/SCA/services/sa-server$ sudo vi sa.properties

Step 3: You have the following options:
  • To connect to the License Authority servers through an HTTP proxy, configure the HTTP_PROXY_HOST setting with the HTTP proxy URL, and optionally configure the HTTP_PROXY_PORT setting with a port to use.
  • To connect to the License Authority servers through an HTTPS proxy, configure the HTTPS_PROXY_HOST setting with the HTTPS proxy URL, and optionally configure the HTTPS_PROXY_PORT setting with a port to use.
  Purpose: Update the configuration file to change the Smart Licensing servers connection method. Configure only one of the two proxy schemes.
  Example (HTTP proxy):
    HTTP_PROXY_HOST = <http-proxy-url>
    HTTP_PROXY_PORT = <http-proxy-port>
  Example (HTTPS proxy):
    HTTPS_PROXY_HOST = <https-proxy-url>
    HTTPS_PROXY_PORT = <https-proxy-port>

Step 4: If you want to disable Smart Licensing logging, update LOGGER_ON to false.
  Purpose: Update the configuration file to disable logging.
  Example: LOGGER_ON = false

Step 5: Press Esc, then enter :wq! and press Enter.
  Purpose: Save your changes and exit the editor.

Step 6: more sa.properties, to review the file for errors
  Purpose: Open the file in read-only mode to review the entries for errors.
  Example: user@host:~/SCA/services/sa-server$ more sa.properties
What to Do Next
• Restart the controller processes, as described in the next section.
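The sa.properties edit above, done programmatically with the Table 24 rules enforced, as an added example that is not Cisco's tooling: it rewrites only the proxy and logging fields, refuses to configure both an HTTP and an HTTPS proxy, passes PRODUCT_SN and any unknown key through untouched, and provides the check worth running before restarting ciscosln-sca. The sample file content and the serial number in it are constructed.

```python
"""Update proxy settings in a Smart Licensing sa.properties file.

Added example, not Cisco's code. SAMPLE_SA_PROPERTIES is a constructed file;
the PRODUCT_SN value is made up. Lines are 'KEY = value' as the guide shows."""

SAMPLE_SA_PROPERTIES = """\
# Smart Licensing agent configuration (constructed sample)
PRODUCT_SN = 0f3c2a7e-example-sn
HTTP_PROXY_HOST =
HTTP_PROXY_PORT =
HTTPS_PROXY_HOST =
HTTPS_PROXY_PORT =
LOGGER_ON = true
"""


def parse_properties(text):
    """Return ordered (key, value) pairs; comments/blank lines are kept as (None, line)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            entries.append((None, line))
        elif "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip(), value.strip()))
        else:
            raise ValueError(f"malformed line: {line!r}")
    return entries


def set_proxy(text, scheme, host, port=None, logger_on=None):
    """Return new file content. scheme is 'http', 'https', or None to clear the proxy.
    Setting one scheme always clears the other, so the file never has both."""
    entries = parse_properties(text)
    keys = {k for k, _ in entries if k is not None}
    if "PRODUCT_SN" not in keys:
        raise ValueError("PRODUCT_SN missing; refusing to rewrite a file that is not sa.properties")
    new = {"HTTP_PROXY_HOST": "", "HTTP_PROXY_PORT": "",
           "HTTPS_PROXY_HOST": "", "HTTPS_PROXY_PORT": ""}
    if scheme is not None:
        if scheme not in ("http", "https"):
            raise ValueError("scheme must be 'http' or 'https'")
        if not host:
            raise ValueError("a proxy host is required")
        if port is not None and not 1 <= int(port) <= 65535:
            raise ValueError("port out of range")
        prefix = scheme.upper() + "_PROXY_"
        new[prefix + "HOST"] = host
        new[prefix + "PORT"] = "" if port is None else str(port)
    if logger_on is not None:
        new["LOGGER_ON"] = "true" if logger_on else "false"
    out = []
    for key, value in entries:
        if key is None:
            out.append(value)                       # comment or blank line, unchanged
        elif key in new:
            out.append(f"{key} = {new[key]}".rstrip())
        else:
            out.append(f"{key} = {value}")          # PRODUCT_SN and unknown keys pass through
    return "\n".join(out) + "\n"


def check_proxy_exclusive(text):
    """Pre-restart check: at most one proxy scheme, and no port without its host."""
    values = dict(e for e in parse_properties(text) if e[0] is not None)
    http = bool(values.get("HTTP_PROXY_HOST"))
    https = bool(values.get("HTTPS_PROXY_HOST"))
    if http and https:
        return False
    if values.get("HTTP_PROXY_PORT") and not http:
        return False
    if values.get("HTTPS_PROXY_PORT") and not https:
        return False
    return True


if __name__ == "__main__":
    updated = set_proxy(SAMPLE_SA_PROPERTIES, "https", "proxy.example.net", 3128, logger_on=False)
    print(updated, "exclusive:", check_proxy_exclusive(updated))
```

On the controller, read ~/SCA/services/sa-server/sa.properties into text, write the result of set_proxy back with the same ownership and mode, and only restart the controller processes once check_proxy_exclusive returns True.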
Restarting the Controller Processes
SUMMARY STEPS
1. cd ~/SCA
2. sudo service ciscosln-sca restart
DETAILED STEPS

Step 1: cd ~/SCA
  Purpose: Change to the /SCA directory.
  Example: user@host:~$ cd ~/SCA

Step 2: sudo service ciscosln-sca restart
  Purpose: Restart the controller processes.
  Example: user@host:~/SCA$ sudo service ciscosln-sca restart
Logging into the Controller Web UI

When you installed the controller, you defined an IP address for the controller web UI, and reset the administrator user account (admin) password. Log in with the temporary password printed to the controller VM console. After you log in once, you must change the password and confirm the new password.
In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username andpassword when prompted.
Registering the Controller Instance
Before You Begin
• Obtain a registration token from the Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html).
• Log into the controller web UI.
Step 1 Select Dashboard.
Step 2 Click Smart Licensing.
Step 3 Click Register.
Step 4 Paste your registration token into the Smart Software Licensing Product Registration field.
Step 5 If you want to use a registration token and the current token is still valid, check Reregister this product instance if it is already registered.
Step 6 Click Register.
Interface Configuration
When you configure a Network Element's interface, select a traffic direction, whether you want to enable mitigations on the interface, and whether you want to enable packet buffer capture (PBC) or deep packet inspection (DPI).
Note: Subinterface configuration of PBC/DPI is not supported on 4000 Series ISRs.
Interface Traffic Direction
The Direction you select for an interface determines how the agent tracks traffic origin from within or outside the branch, populates clusters, and models traffic to identify anomalies. Label each interface based on the following guidelines:
• An Internal interface faces the branch and branch hosts. The system applies Learning Network License-related NetFlow on this interface.
• An External interface faces the core. This interface passes traffic outside the branch, including other branches, headquarters, or the Internet.
• An Unconfigured interface does not qualify as either Internal or External. It is unused, or there is a reason you do not want to monitor the traffic over this interface.
An agent monitors traffic, and creates clusters of hosts with similar characteristics. The agent clusters external hosts, those residing on External interfaces, separately from internal hosts, those residing on Internal interfaces. Traffic between clusters is monitored for anomaly detection.
The agent monitors traffic to or from branch hosts. All traffic to or from an Internal interface, which represents the branch host traffic, is modeled for anomaly detection purposes. Traffic that does not involve an Internal interface is not modeled. See the following table for more information.
Table 25: Interface Direction and Modeled Traffic
Traffic from an Internal interface...
  ...to an Internal interface is modeled and inspected for anomalous traffic.
  ...to an External interface is modeled and inspected for anomalous traffic.
  ...to an Unconfigured interface is modeled and inspected for anomalous traffic.
Traffic from an External interface...
  ...to an Internal interface is modeled and inspected for anomalous traffic.
  ...to an External interface is not modeled and inspected for anomalous traffic.
  ...to an Unconfigured interface is not modeled and inspected for anomalous traffic.
Traffic from an Unconfigured interface...
  ...to an Internal interface is modeled and inspected for anomalous traffic.
  ...to an External interface is not modeled and inspected for anomalous traffic.
  ...to an Unconfigured interface is not modeled and inspected for anomalous traffic.
Enable Mitigation
You can enable mitigation on Ethernet interfaces and most tunnel interfaces. The system does not support enabling mitigation on tunnel interfaces with multipoint GRE (mGRE) enabled.
Cisco recommends you enable mitigation on all enabled and supported interfaces, regardless of traffic direction. This provides maximum protection if the agent detects an anomaly, and you want to install a QoS policy on the Network Element to prevent the anomaly from being forwarded. If you configure a mitigation tailored to this anomalous traffic, the system installs the corresponding QoS policy on all Network Element interfaces on which you enabled mitigation.
By default, the system checks the Enable Mitigation checkbox for all Ethernet and non-mGRE tunnel interfaces.
Note: If your router interface has subinterfaces, and already has a quality of service (QoS) policy installed at the parent interface level, you can only enable mitigation policies at the parent level for that interface family. Similarly, if the subinterfaces have a QoS policy installed, you can only enable mitigation policies at the subinterface level for that interface family. If you enable a mitigation on a subinterface, the system automatically enables the mitigation on all sibling subinterfaces.
If the interface family does not have a QoS policy installed, you can install a mitigation at the parent interface or subinterface level. Once you configure a mitigation for a parent interface or a subinterface, however, you can only subsequently create mitigations at that level for the interface family.
Enable PBC/DPI
You can enable PBC or DPI on any interface with the word Ethernet in its name, with the following exceptions:
• You can only enable PBC or DPI on a G2 ISR interface if you did not configure it to export IP traffic (ip traffic-export). If you configured IP traffic export on the interface, remove the configuration from the interface before enabling PBC and DPI.
• You can only enable PBC or DPI on a 4000 Series ISR parent interface.
This allows you to capture and download PCAP files, or capture DNS query information from traffic.
Note: On a G2 ISR, if you enable PBC or DPI on a parent interface, the system also enables it for all sub-interfaces. Similarly, if you enable PBC or DPI on a G2 ISR sub-interface, the system also enables it for the parent interface and all sibling subinterfaces.
Enabling Agents on the Controller
If you do not register your controller with Smart Licensing before you enable agents, your deployment is in Evaluation Mode, and you are limited to managing 10 agents with your controller for 90 days.
When you register your controller with Smart Licensing and enable the agents, ensure you have enough license entitlements.
Before You Begin
• Log into the controller web UI.
Step 1 Select AGENTS.
Step 2 For each managed agent, click Enable, then click Continue to enable the agent.
Configuring Agent Network Settings
You can update an agent's network settings, including the host router's IP address and directionality of the router's interfaces.
Before You Begin
• See Interface Configuration, on page 81 for information on configuring your agents.
Step 1 Select AGENTS.
Step 2 Click Configure next to an agent.
Step 3 Enter the VirtualPortGroup1 virtual service eth0 IPv4 address in the Network Element IP field.
Step 4 Click the expand icon next to an interface to view the router interface configuration.
Step 5 For an interface, choose from the drop-down:
• Internal if the interface faces the branch (generally, if NetFlow is configured on the interface)
• External if the interface faces the core (generally, if the interface is passing traffic)
• Unconfigured if your interface is unused, or the interface faces neither the branch nor the core
Step 6 Check Enable mitigation to apply mitigation actions to this interface.
Step 7 If you want to capture raw packet data and send it from the network element to the agent, take the following steps:
• Check Enable PBC/DPI on one or more interfaces to enable raw packet capture.
• Select a network element interface from the Raw Packet Tx Interface (on NE) drop-down on which the network element passes raw packets to the agent.
• Select an agent interface from the Raw Packet Rx Interface (on Agent) drop-down on which the agent receives raw packets from the network element.
Step 8 If you want to enable the packet buffer capture (PBC) feature, check Enable PBC. You must enable capturing raw packet data.
Step 9 If you want to capture DNS query information, check Enable DPI/DPS. You must enable capturing raw packet data.
Step 10 Click Submit.
Step 11 Click Submit.
Step 12 If you want to create a template to apply this configuration to other agents, click Create template.
What to Do Next
• Allow the system time to perform the initial learning phase, as described in Initial Learning Phase Overview, on page 87.
Agent Configuration Templates
After you configure an agent, you can save a configuration template with that agent's configured settings. If you apply that template to another agent, the system updates the agent's configuration with those saved settings. You can apply a configuration template to one agent at a time.
Applying a Template to an Agent
Before You Begin
• Configure at least one agent and create a configuration template.
Step 1 Select AGENTS.
Step 2 Check the checkbox for one agent.
Step 3 Enter a template name in the Select a configuration template to apply field. The field updates to show matching results as you type.
Step 4 Click Apply configuration to selected Agent, then confirm your selection.
C H A P T E R 8
Initial Learning Phase
The following describes the system's initial learning phase, used to develop a baseline model of your network traffic.
• Initial Learning Phase Overview, page 87
Initial Learning Phase Overview
After you manage your agents with the controller, allow the system to run for seven days, inspect your network traffic, and build a baseline traffic model.
The Learning Network License system identifies anomalies by comparing detected traffic to the baseline model, and noting deviations. After system deployment, each agent inspects traffic traversing the router. During this initial learning phase, the agent builds a baseline traffic model. The model includes dynamically-generated clusters of hosts, and what types of application traffic are transmitted between clusters at what times of day.
If you log into the controller web UI while the system is learning about your network, you may see very few or no reported anomalies, as the system cannot compare against a baseline yet. Towards the end of the initial learning phase, the system may start reporting anomalies, but without a complete baseline, these anomalies may not be relevant. After the initial learning phase, when each agent completes its baseline model, the system can properly identify anomalous traffic that deviates from the baseline.
For more information, see the Cisco Stealthwatch Learning Network License Configuration Guide.
C H A P T E R 9
Next Steps
The following describes next steps to take after deploying the Learning Network License system.
• Next Steps, page 89
• For Assistance, page 89
Next Steps
After you deploy the Learning Network License system, you can perform the following:
• Log into the controller web UI to configure user display settings, view anomalies and assign relevance feedback, configure mitigations for an anomaly, and configure external system integration. See the Cisco Stealthwatch Learning Network License Configuration Guide for more information.
For Assistance
Thank you for using Cisco products.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about the Firepower System, see What's New in Cisco Product Documentation at http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
If you have any questions or require assistance with the Cisco Stealthwatch Learning Network License system,please contact Cisco Support:
• Visit the Cisco Support site at http://support.cisco.com.
• Email Cisco Support at [email protected].
• Call Cisco Support at 1.408.526.7209 or 1.800.553.2447.
A P P E N D I X A
Logging Configuration
The following describes how to enable audit and event logging on the controller.
• Logging Configuration Overview, page 91
Logging Configuration Overview
The Learning Network License system enables audit, event, and general logging by default on the controller. It also automatically enables Smart Licensing logging after you register your controller with Smart Licensing. See the following table for descriptions and default file output locations.
Table 26: Controller Logging Descriptions and Default Output Locations
Log Type: audit logging
Description: system transactions
Default Output Locations: ~/SCA/logs/sca.log; console (ERROR severity and above)
Log Type: event logging
Description: events the system generates, tracking:
• agents connecting to or disconnecting from the controller
• anomaly events (INFO severity)
• updated anomaly events where the severity increases
Default Output Locations: /var/log/user.log; ~/SCA/logs/sca.log; console (ERROR severity and above)
Log Type: general logging
Description: general system information
Default Output Locations: ~/SCA/logs/sca.log; console (ERROR severity and above)
Log Type: Smart Licensing logging
Description: Smart Licensing transactions, including when you register the controller, and when you use agent license entitlements
Default Output Locations: /var/log/user.log; ~/SCA/services/sa-server/sa-server.log
Log Type: pxGrid logging
Description: logging related to pxGrid integration with ISE
Default Output Locations: ~/SCA/services/pxgrid/pxg.log
The agent logs general system information to multiple log files, located on the agent at ~/DLA/LOG.
The Controller Logging Configuration File
The controller uses the logback logging framework to log information, including anomaly events, agent/controller connection and disconnection events, audit logging, general system logging, and Smart Licensing logging. Cisco provides a sample configuration file on the controller at ~/SCA/sample_logback.xml. This file provides an example of logging configuration syntax. If you copy this file and rename it to sca-logback.xml, you can update the logging configuration settings.
Note: If you incorrectly configure sca-logback.xml due to invalid or malformed XML syntax, the system logs an error message to the console, but does not start logging. If you incorrectly configure sca-logback.xml due to unrecognized nodes, options, or class names, the system logs an error message to the console. It then loads the remaining valid configuration in the file, and otherwise loads default logging settings.
Beneath the parent configuration node are the following:
• logger - the class that provides the level of log messages
• root - the root logger class
• appender - the class that outputs the log message
By default, the root logger is configured to log INFO messages to the console and the ~/SCA/logs/sca.log log file. However, note that the console appender is configured to log ERROR and above by default, so INFO messages are not displayed on the console.
The com.cisco.sln.utils.log.ScaCefLogger logger does not have a logging level configured, but inherits logging INFO messages. By default, this logger logs the CEF messages, which are INFO level, to the /var/log/user.log log file, ~/SCA/logs/sca.log log file, and the console.
For more information on logback, see http://logback.qos.ch/documentation.html.
syslog Export to External Hosts
Within the sample_logback.xml configuration file, the ScaCefLogger logger controls logging anomaly CEF events to syslog. You can modify this configuration to change the host that receives these events.
sca-logback.xml Creation
To update the logging configuration, first copy the sample_logback.xml file and rename it to sca-logback.xml, then open it and view the markup.
General Configuration
By default, the system checks sca-logback.xml for changes every minute. If it detects changes, the system updates the logging configuration. To disable this check, set the scan attribute equal to false.
Note: If you set the scan attribute equal to false, you must restart the controller's processes before the system updates the logging configuration.
The following default configuration root element controls this setting.
<configuration scan="true">
</configuration>
If you want to change the sca-logback.xml check frequency, add the scanPeriod attribute to the configuration element, and set it equal to a number of seconds, minutes, hours, or days. The following provides an example.
<configuration scan="true" scanPeriod="10 seconds">
</configuration>
ScaCefLogger Logger Configuration
The following is the ScaCefLogger default configuration.
<logger name="com.cisco.sln.utils.log.ScaCefLogger">
  <appender-ref ref="SYSLOG" />
</logger>
If you need to change the logging level, add a level attribute to the ScaCefLogger logger element. The following provides an example.
<logger name="com.cisco.sln.utils.log.ScaCefLogger" level="TRACE">
  <appender-ref ref="SYSLOG" />
</logger>
If you need to stop logging, add level="OFF" as an attribute to the ScaCefLogger logger element. The following provides an example.
<logger name="com.cisco.sln.utils.log.ScaCefLogger" level="OFF">
  <appender-ref ref="SYSLOG" />
</logger>
Note: The system logs anomaly event CEF messages with an INFO logging level. The ScaCefLogger logger inherits the INFO logging level from the parent root logger. If you change the ScaCefLogger logging level, select a level that contains INFO messages (TRACE, DEBUG, INFO). If you override this with a level that does not include INFO messages (WARN, ERROR), the system cannot write anomaly event messages to syslog.
The appender-ref element references the SYSLOG appender, which controls the host that receives these anomaly events.
SYSLOG Appender Configuration
The SYSLOG appender, by default, logs to the syslog on the local host. The following is the default SYSLOG appender configuration.
<appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
  <syslogHost>localhost</syslogHost>
  <facility>USER</facility>
  <suffixPattern>%msg</suffixPattern>
</appender>
The syslogHost element controls the target for the logged anomaly events. Update this to the hostname of your external host or SIEM to export syslog to that host.
The facility element controls the syslog facility. LOCAL0 through LOCAL7 are unused facilities you can define for custom purposes.
Note: Because the USER facility generates the events, Cisco recommends you keep this setting.
The suffixPattern element controls the format of the non-standard message component. See http://logback.qos.ch/manual/layouts.html for the discussion of PatternLayout and more information on how to configure suffixPattern.
To define a port on the host other than the default port 514, you can add the port element as a child of the appender element and define a different port in that element's text. The following provides an example.
<appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
  <syslogHost>externalHostName</syslogHost>
  <port>515</port>
  <facility>USER</facility>
  <suffixPattern>%msg</suffixPattern>
</appender>
Changes Saved
Save your changes to the file. The system updates the logging configuration the next time it checks the file.
Log File Location
The system by default outputs the anomaly events to /var/log/user.log.
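A quick pre-flight check for an edited sca-logback.xml, written as an added example (not Cisco's code) with the standard library only: it reports whether the ScaCefLogger level still includes INFO, where the SYSLOG appender points, and whether scan is on. The sample file below is constructed from the snippets in this appendix and deliberately sets the level to WARN and the facility to LOCAL3 so that the findings are visible.

```python
"""Check an sca-logback.xml for the settings this appendix describes.

Added example, not Cisco's code. Parses a logback configuration and reports
whether anomaly CEF events (logged at INFO) will still reach the SYSLOG
appender. The sample XML below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Levels that still include INFO, the level at which anomaly CEF events are logged.
LEVELS_INCLUDING_INFO = {"ALL", "TRACE", "DEBUG", "INFO"}
CEF_LOGGER = "com.cisco.sln.utils.log.ScaCefLogger"
SYSLOG_APPENDER_CLASS = "ch.qos.logback.classic.net.SyslogAppender"

# Constructed sample: level overridden to WARN (wrong), facility changed, external host.
SAMPLE_CONFIG = """<configuration scan="true" scanPeriod="10 seconds">
  <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>siem.example.invalid</syslogHost>
    <port>515</port>
    <facility>LOCAL3</facility>
    <suffixPattern>%msg</suffixPattern>
  </appender>
  <logger name="com.cisco.sln.utils.log.ScaCefLogger" level="WARN">
    <appender-ref ref="SYSLOG" />
  </logger>
  <root level="INFO">
    <appender-ref ref="SYSLOG" />
  </root>
</configuration>"""


def check_logback(xml_text):
    """Return (summary dict, list of findings) for one logback configuration.

    Malformed XML raises xml.etree.ElementTree.ParseError, mirroring the
    controller, which logs an error and does not start logging in that case.
    """
    root = ET.fromstring(xml_text)
    findings = []
    summary = {
        "scan": root.get("scan", "false").lower() == "true",
        "scan_period": root.get("scanPeriod"),
    }
    if not summary["scan"]:
        findings.append("scan is disabled: changes need a controller process restart")

    # ScaCefLogger inherits its level from root unless overridden; OFF/WARN/ERROR drop anomalies.
    cef = root.find(f"./logger[@name='{CEF_LOGGER}']")
    root_logger = root.find("./root")
    level = cef.get("level") if cef is not None else None
    if level is None and root_logger is not None:
        level = root_logger.get("level")
    effective = (level or "INFO").upper()  # the default controller config logs INFO at root
    summary["cef_level"] = effective
    summary["cef_refs"] = [r.get("ref") for r in cef.findall("appender-ref")] if cef is not None else []
    if effective not in LEVELS_INCLUDING_INFO:
        findings.append(f"ScaCefLogger level {effective} excludes INFO: "
                        "anomaly events will not be written to syslog")
    if "SYSLOG" not in summary["cef_refs"]:
        findings.append("ScaCefLogger has no appender-ref to SYSLOG")

    # SYSLOG appender: target host, port (514 when absent), facility (USER recommended).
    app = root.find("./appender[@name='SYSLOG']")
    if app is None:
        findings.append("no appender named SYSLOG")
        summary.update(syslog_host=None, syslog_port=None, facility=None)
    else:
        if app.get("class") != SYSLOG_APPENDER_CLASS:
            findings.append(f"SYSLOG appender class is {app.get('class')}, "
                            f"expected {SYSLOG_APPENDER_CLASS}")
        summary["syslog_host"] = app.findtext("syslogHost", "localhost").strip()
        summary["syslog_port"] = int(app.findtext("port", "514"))
        summary["facility"] = app.findtext("facility", "USER").strip()
        if summary["facility"] != "USER":
            findings.append(f"facility {summary['facility']} differs from the recommended USER facility")
    return summary, findings


if __name__ == "__main__":
    summary, findings = check_logback(SAMPLE_CONFIG)
    print(summary)
    for finding in findings:
        print("FINDING:", finding)
```

Point it at the real file with `check_logback(open("sca-logback.xml").read())` after editing and before the next scan interval picks the file up.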
Updating a syslog Target Host
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd ~/SCA
2. cp sample_logback.xml sca-logback.xml
3. vi sca-logback.xml
4. If you want to change the logging level, add level="TRACE" or level="DEBUG" as an attribute to the ScaCefLogger logger element, or level="OFF" as an attribute to the ScaCefLogger logger element to disable anomaly event logging.
5. If you want to define a port for the syslog host other than the default port 514, add a port element as a child of the SYSLOG appender element, then add the port number as the port element text.
6. Press Esc, then enter :wq!, then press Enter.
DETAILED STEPS
Step 1
Purpose: Change to the ~/SCA directory.
Command or Action: cd ~/SCA
Example:
user@host:~$ cd ~/SCA
Step 2
Purpose: Make a copy of the sample_logback.xml configuration file, and name it sca-logback.xml.
Command or Action: cp sample_logback.xml sca-logback.xml
Example:
user@host:~/SCA$ cp sample_logback.xml sca-logback.xml
Step 3
Purpose: Open the sca-logback.xml configuration file in vi.
Command or Action: vi sca-logback.xml
Example:
user@host:~/SCA$ vi sca-logback.xml
Step 4
Purpose: Change the logging level, or disable it.
Command or Action: If you want to change the logging level, add level="TRACE" or level="DEBUG" as an attribute to the ScaCefLogger logger element, or level="OFF" as an attribute to the ScaCefLogger logger element to disable anomaly event logging.
Example:
<logger name="com.cisco.sln.utils.log.ScaCefLogger" level="TRACE">
Step 5
Purpose: Update the target syslog host port.
Command or Action: If you want to define a port for the syslog host other than the default port 514, add a port element as a child of the SYSLOG appender element, then add the port number as the port element text.
Example:
<port>515</port>
Step 6
Purpose: Save your changes and close the file.
Command or Action: Press Esc, then enter :wq!, then press Enter.
Example:
:wq!
What to Do Next
• View ~/SCA/logs/console.log to verify that the controller updated the logging configuration.
• View the logs to see syslog messages. The log destination depends on the facility you defined in the SyslogAppender appender. By default, the USER facility logs to /var/log/user.log.
Logging Timestamps
By default, sca.log and console.log use Coordinated Universal Time (UTC) timestamps.
In contrast, pxg.log, sa-server.log, and sca_monitor.log use timestamps based on your current local timezone. You can edit the logging properties files and run sed to update those logs to use UTC timestamps.
Updating Logging Configuration Files for UTC Timestamps
Update the log4j.properties files to change timestamps from your locally configured timezone to UTC. Find the following lines:
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n
Update the lines so that the layout class becomes EnhancedPatternLayout and {UTC} follows the date pattern:
log4j.appender.file.layout=org.apache.log4j.EnhancedPatternLayout
log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss}{UTC} %-5p %c{1}:%L - %m%n
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd ~/SCA/services/pxgrid
2. sudo vi log4j.properties, then enter your password when prompted
3. Update the lines listed above.
4. Press Esc, then enter :wq!.
5. cd ~/SCA/services/sa-server
6. sudo vi log4j.properties, then enter your password when prompted
7. Update the lines listed above.
8. Press Esc, then enter :wq!.
DETAILED STEPS
Step 1
Purpose: Change to the ~/SCA/services/pxgrid directory.
Command or Action: cd ~/SCA/services/pxgrid
Example:
user@host:~$ cd ~/SCA/services/pxgrid
Step 2
Purpose: Open log4j.properties in the vi text editor as a superuser.
Command or Action: sudo vi log4j.properties, then enter your password when prompted
Example:
user@host:~/SCA/services/pxgrid$ sudo vi log4j.properties
Step 3
Purpose: Update the log4j.properties file to use UTC timestamps.
Command or Action: Update the lines listed above.
Example:
log4j.appender.file.layout=org.apache.log4j.EnhancedPatternLayout
log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss}{UTC} %-5p %c{1}:%L - %m%n
Step 4
Purpose: Save your changes, then exit the vi text editor.
Command or Action: Press Esc, then enter :wq!.
Step 5
Purpose: Change to the ~/SCA/services/sa-server directory.
Command or Action: cd ~/SCA/services/sa-server
Example:
user@host:~$ cd ~/SCA/services/sa-server
Step 6
Purpose: Open log4j.properties in the vi text editor as a superuser.
Command or Action: sudo vi log4j.properties, then enter your password when prompted
Example:
user@host:~/SCA/services/sa-server$ sudo vi log4j.properties
Step 7
Purpose: Update the log4j.properties file to use UTC timestamps.
Command or Action: Update the lines listed above.
Example:
log4j.appender.file.layout=org.apache.log4j.EnhancedPatternLayout
log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss}{UTC} %-5p %c{1}:%L - %m%n
Step 8
Purpose: Save your changes, then exit the vi text editor.
Command or Action: Press Esc, then enter :wq!.
Updating UTC Timestamps for the Controller Monitor Logs
Run sed to display UTC timestamps in the sca_monitor.log log file.
Before You Begin
• Log into the controller VM console.
DETAILED STEPS
Step 1
Purpose: Run sed to update how the sca_monitor.log log file displays timestamps.
Command or Action: sed -ie 's/(date /(date --utc /' SCA/sca_monitor.sh
Example:
user@host:~$ sed -ie 's/(date /(date --utc /' SCA/sca_monitor.sh
Accessing Audit and Event Log Files
Before You Begin
• Log into the controller VM console on the ESXi hypervisor.
SUMMARY STEPS
1. cd ~/var/log
2. vi syslog or vi user.log
DETAILED STEPS
Step 1
Purpose: Change to the /var/log directory.
Command or Action: cd ~/var/log
Example:
user@host:~$ cd ~/var/log
Step 2
Purpose: Edit the syslog or user.log log file.
Command or Action: vi syslog or vi user.log
Example:
user@host:~/var/log$ vi syslog
Example:
user@host:~/var/log$ vi user.log
Audit Log Fields
For Version 1.0, the system logs each audit log message in the following format:
userId [timestamp] category > {jsonData}
Table 27: Audit Log Version 1.0 Field Descriptions
userId: ID of the user associated with the transaction
timestamp: Date and time the transaction occurred
category: The type of transaction
jsonData: Information associated with the transaction type
For Version 1.1 and greater, the system logs each audit log message in the following format:
[timestamp] - User(userInfo) - source: category > {jsonData}
Table 28: Audit Log Version 1.1 and Greater Field Descriptions
timestamp: ISO 8601 timestamp when the transaction occurred
userInfo: One of the following values related to users:
• unknown - an unknown user
• id - a user's ID (username unknown)
• id, username - a user's ID and username
source: the source that generated the audit log message:
• authentication - user authentication during login, user logout, and user account password change
• configuration - configuration applied to an agent by the controller
• dla - agent configuration, such as enable, disable, and certificate pinning
• download - PCAP file download
• mitigation - mitigation creation, deletion, and reversion
• pbc - PCAP file download requests
• user - user account creation, update, and conversion to an API user
• whitelisting - whitelist rule creation and deletion
category: the type of transaction task requested by the user, and the success or failure, depending on the source
jsonData: information associated with the transaction type, depending on the source
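A parser for both audit line formats, added here as an example (not Cisco's code): it splits the 1.0 and 1.1 layouts documented above, decodes userInfo into its three documented forms, and tallies lines per source. The sample lines are constructed to follow the documented format; their category strings and JSON payloads are illustrative, since the guide does not list the real values.

```python
"""Parse controller audit log lines in the 1.0 and 1.1+ formats described above.

Added example, not Cisco's code. The sample lines are constructed to match the
documented layouts; category and jsonData values are illustrative.
"""
import json
import re

# Version 1.1 and greater: [timestamp] - User(userInfo) - source: category > {jsonData}
AUDIT_V11 = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] - User\((?P<user_info>[^)]*)\) - "
    r"(?P<source>[a-z]+): (?P<category>.*?) > (?P<json>\{.*\})$"
)
# Version 1.0: userId [timestamp] category > {jsonData}
AUDIT_V10 = re.compile(
    r"^(?P<user_id>\S+) \[(?P<timestamp>[^\]]+)\] (?P<category>.*?) > (?P<json>\{.*\})$"
)

# Constructed sample lines (hypothetical categories and payloads).
SAMPLE_LINES = [
    '[2016-01-01T22:08:00Z] - User(17, admin) - authentication: login > {"result": "success"}',
    '[2016-01-01T22:09:10Z] - User(unknown) - authentication: login > {"result": "failure"}',
    '[2016-01-01T22:15:42Z] - User(17) - mitigation: create > {"anomalyId": 1923}',
    '[2016-01-01T22:20:00Z] - User(17, admin) - whitelisting: create > {"rule": "dst=192.0.2.14"}',
    'admin [2016-01-01T21:00:00Z] login > {"result": "success"}',
    "not an audit line",
]


def parse_user_info(text):
    """Split userInfo into (id, username) for 'unknown', 'id', or 'id, username'."""
    text = text.strip()
    if text == "unknown":
        return None, None
    if "," in text:
        uid, name = (part.strip() for part in text.split(",", 1))
        return uid, name
    return text, None


def parse_audit_line(line):
    """Return a dict for one audit line, or None if it matches neither format."""
    m = AUDIT_V11.match(line)
    if m:
        uid, name = parse_user_info(m.group("user_info"))
        return {
            "version": "1.1",
            "timestamp": m.group("timestamp"),
            "user_id": uid,
            "username": name,
            "source": m.group("source"),
            "category": m.group("category"),
            "data": json.loads(m.group("json")),
        }
    m = AUDIT_V10.match(line)
    if m:
        return {
            "version": "1.0",
            "timestamp": m.group("timestamp"),
            "user_id": m.group("user_id"),
            "username": None,
            "source": None,  # the 1.0 format carries no source field
            "category": m.group("category"),
            "data": json.loads(m.group("json")),
        }
    return None


def audit_summary(lines):
    """Count parsed lines per source and collect 1.1 lines attributed to an unknown user."""
    per_source = {}
    unknown_user = []
    unparsed = 0
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            unparsed += 1
            continue
        key = rec["source"] or "v1.0"
        per_source[key] = per_source.get(key, 0) + 1
        if rec["version"] == "1.1" and rec["user_id"] is None:
            unknown_user.append(rec)
    return {"per_source": per_source, "unknown_user": unknown_user, "unparsed": unparsed}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_audit_line(line))
    print(audit_summary(SAMPLE_LINES))
```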
Event Log Fields
Table 29: Event Log Field Descriptions
timestamp: The date and time the system detected the event.
host: The host that logged the message.
version: The CEF version, always 0.
deviceVendor: The associated vendor, always Cisco.
deviceProduct: The associated vendor product, always SLN.
deviceVersion: The controller version.
signatureID: The event type:
• SLN_ANOMALY for anomaly events
• SLN_DLA for agent health status events
name: Description of the event log message.
severity: Integer representing the event severity:
• 0 for low
• 5 for medium
• 10 for high
extension: Information related to the anomaly event. If this is an agent health status event, this contains no data.
Event Log Message Examples
The system logs each event log message in CEF. When the system adds an event log message to the syslog, it prepends a timestamp and host, in the following format:
timestamp host CEF:version|deviceVendor|deviceProduct|deviceVersion|signatureID|name|severity|extension
The following describes a connection between agent and controller that has gone down:
Jan 1 00:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_DLA|CON_DOWN|0|deviceExternalId=1
The following describes an agent in safe mode:
Jan 1 21:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_DLA|DLA is in safe mode|0|
The following describes an updated agent configuration:
Jan 1 11:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_DLA_INTERFACES|Interfaces have changed on dla 2|5|
The following describes a user asking for more anomalies:
Jan 1 21:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_MORE_LESS|User admin asked for more anomalies|0|
The following describes a sample anomaly:
Jan 1 22:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_ANOMALY|Small total number of bytes (10.00 bytes) from an external mixed host in Chile (RM) 200.10.9.23 in Chile (anomalous traffic enters and exits the branch)|10|deviceExternalId=1 dst=192.0.2.14 dvchost=samplename externalId=1923 startTime=2016-01-01T22:08:00Z
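A parser for these event lines, added as an example (not Cisco's code) that a SIEM collector or a quick triage script could use: it strips the syslog timestamp and host prefix, splits the seven CEF header fields while honouring CEF's backslash escape for a literal pipe, parses the key=value extension (including an empty one, as the agent health events above have), maps severity 0/5/10 to the labels in Table 29, and selects anomaly events at or above a severity threshold. The sample lines are the five given above.

```python
"""Parse the controller's CEF event log messages into fields.

Added example, not Cisco's code. Handles the syslog prefix (timestamp and
host) described above, backslash-escaped pipes inside CEF header fields, and
an empty extension. SAMPLE_EVENTS are the lines from this section.
"""
import re

SYSLOG_PREFIX = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) CEF:(?P<cef>.*)$"
)
HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureID", "name", "severity")
SEVERITY_LABELS = {0: "low", 5: "medium", 10: "high"}  # per Table 29

SAMPLE_EVENTS = [
    "Jan 1 00:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_DLA|CON_DOWN|0|deviceExternalId=1",
    "Jan 1 21:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_DLA|DLA is in safe mode|0|",
    "Jan 1 11:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_DLA_INTERFACES|Interfaces have changed on dla 2|5|",
    "Jan 1 21:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_MORE_LESS|User admin asked for more anomalies|0|",
    "Jan 1 22:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_ANOMALY|Small total number of bytes "
    "(10.00 bytes) from an external mixed host in Chile (RM) 200.10.9.23 in Chile (anomalous traffic "
    "enters and exits the branch)|10|deviceExternalId=1 dst=192.0.2.14 dvchost=samplename "
    "externalId=1923 startTime=2016-01-01T22:08:00Z",
]


def split_cef_header(cef):
    """Split the seven pipe-delimited header fields; a backslash escapes the next character.

    Returns (fields, extension_text). Everything after the seventh pipe is the extension.
    """
    fields, current, i = [], [], 0
    while i < len(cef) and len(fields) < len(HEADER_FIELDS):
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            current.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, cef[i:]


def parse_extension(text):
    """Parse 'key=value key2=value with spaces' into a dict.

    A key is a word immediately followed by '=' at the start or after whitespace;
    each value runs up to the next key, so values may contain spaces.
    """
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", text))
    ext = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(text)
        ext[m.group(1)] = text[m.end():end].strip()
    return ext


def parse_cef(line):
    """Return a dict with the syslog prefix, the seven header fields and the extension."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        raise ValueError("line does not carry the 'timestamp host CEF:' prefix")
    fields, ext_text = split_cef_header(m.group("cef"))
    event = dict(zip(HEADER_FIELDS, fields))
    event["timestamp"] = m.group("timestamp")
    event["host"] = m.group("host")
    event["severity"] = int(event["severity"])
    event["severity_label"] = SEVERITY_LABELS.get(event["severity"], "unknown")
    event["extension"] = parse_extension(ext_text)
    return event


def anomalies_at_or_above(lines, min_severity=10):
    """Return parsed SLN_ANOMALY events whose severity meets the threshold."""
    return [e for e in map(parse_cef, lines)
            if e["signatureID"] == "SLN_ANOMALY" and e["severity"] >= min_severity]


if __name__ == "__main__":
    for event in anomalies_at_or_above(SAMPLE_EVENTS):
        print(event["severity_label"], event["extension"].get("dst"), event["name"])
```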
Smart Licensing Log Fields
The system logs each Smart Licensing log message in the following format:
timestamp hostname userId: %CISCO-SMART-LIC% message
Table 30: Smart Licensing Log Field Descriptions
timestamp: Date and time the transaction occurred
hostname: Name of the host where the transaction occurred
userId: ID of the user associated with the transaction
message: The log message
Accessing Controller General Log Files
Before You Begin
• Log into the controller VM console on the ESXi hypervisor.
SUMMARY STEPS
1. cd ~/SCA
2. vi SCA.log
DETAILED STEPS
Step 1
Purpose: Change to the /SCA directory.
Command or Action: cd ~/SCA
Example:
user@host:~$ cd ~/SCA
Step 2
Purpose: Edit the SCA.log general controller log file.
Command or Action: vi SCA.log
Example:
user@host:~/SCA$ vi SCA.log
Accessing Agent Log Files
Before You Begin
• For an agent deployed to a UCS E-Series blade server, log into the agent VM console on the ESXi hypervisor. For an agent deployed as a virtual service, log into the virtual service console, then exit the initial menu to access the administrator settings.
SUMMARY STEPS
1. 1) File access
2. 1) Log files
3. 1) List log files
4. 2) View log file
5. Enter a log file name. You can use the asterisk character (*) as a wild card.
6. :q to exit
DETAILED STEPS
Step 1
Command or Action: 1) File access
Purpose: Access the File access menu options.
Example:
Enter a number: 1
Step 2
Command or Action: 1) Log files
Purpose: Access the log files options.
Example:
Enter a number: 1
Step 3
Command or Action: 1) List log files
Purpose: List the available agent log files.
Example:
Enter a number: 1
Step 4
Command or Action: 2) View log file
Purpose: View log files.
Example:
Enter a number: 2
Step 5
Command or Action: Enter a log file name. You can use the asterisk character (*) as a wild card.
Purpose: Select a log file to view.
Example:
Enter filename, or a pattern for a menu of files: log-name
Step 6
Command or Action: :q to exit
Purpose: Exit viewing the log file.
Example:
:q
Exporting Agent Troubleshooting Files
You can export your agent troubleshooting files to an external host. Do this when directed by Cisco Support.
Before You Begin
• For an agent deployed to a UCS E-Series blade server, log into the agent VM console on the ESXi hypervisor. For an agent deployed as a virtual service, log into the virtual service console, then exit the initial menu to access the administrator settings.
SUMMARY STEPS
1. 1) File access
2. 5) ML debug files
3. 1) List ML debug files
4. 2) Send ML debug files to remote system, then ip-address, then username, then press Enter, then password
DETAILED STEPS
Step 1
Command or Action: 1) File access
Purpose: Access the File access menu options.
Example:
Enter a number: 1
Step 2
Command or Action: 5) ML debug files
Purpose: Access the ML debug files options.
Example:
Enter a number: 5
Step 3
Command or Action: 1) List ML debug files
Purpose: List the available debugging files.
Example:
Enter a number: 1
Step 4
Command or Action: 2) Send ML debug files to remote system, then ip-address, then username, then press Enter, then password
Purpose: Export the debugging files to a remote system.
Example:
Enter a number: 2
Name or address of remote host []? 192.168.0.1
Destination username []? admin
The destination filename path can absolute, or relative to home dir.
Destination filename [scala.out]:
admin@remotehost's password: <password>
A P P E N D I X B
pxGrid Integration
The following describes how to integrate the Learning Network License system with pxGrid and Identity Services Engine (ISE).
• Integrating pxGrid, page 105
• ISE pxGrid Demo, page 106
• Controller pxGrid Client Certificates, page 108
• pxGrid Properties Configuration, page 113
• pxGrid Activation, page 115
• ISE Server Settings Update, page 117
• Controller Process Restart, page 117
Integrating pxGrid
You can integrate your Learning Network License deployment with an ISE server to populate detected hosts in anomalies with user identity information. This involves integrating pxGrid by generating public key certificates, trusting controller and ISE certificates, configuring pxGrid properties, and updating the controller's configuration.
If you have not deployed an ISE server, you can instead enable an ISE pxGrid integration demo. This demo populates endpoints detected in anomalies with sample user identity information. You update demo pxGrid properties, and update the controller's configuration. See ISE pxGrid Demo, on page 106 for more information.
Step 1 Manage the controller pxGrid and ISE public key certificates, adding them to keystores on the controller VM. See Controller pxGrid Client Certificates, on page 108 for more information.
Step 2 Update the pxGrid properties configuration file. See pxGrid Properties Configuration, on page 113 for more information.
Step 3 Update the controller pxGrid configuration, then restart the controller's processes. See pxGrid Activation, on page 115 for more information.
Step 4 Add the SLNpxGridClient to the Session group on your ISE server. See ISE Server Settings Update, on page 117 for more information.
Step 5 Restart the controller's processes again. See Controller Process Restart, on page 117 for more information.
ISE pxGrid Demo
The ISE pxGrid integration demo populates anomaly endpoints with sample user identity information, and provides an example of the additional context ISE provides to the Learning Network License system. As you review anomalies in the controller web UI, you can view the sample user identity information for hosts involved in the anomaly.
To enable the demo, you update a pxGrid properties file with demo settings, then update a controller configuration file to enable ISE integration. Finally, you restart controller processes.
pxGrid Demo Properties Table
Table 31: pxGrid Demo Properties Table
Property | Description | Enter...
PXGRID_DEMOFILENAME_IN | pxGrid integration demo file, which contains sample user identity values populated into anomaly endpoints. | ./conf/pxgrid_demo.csv
PXGRID_DEMOIP | pxGrid integration demo IP address setting. | true
Configuring an ISE pxGrid Demo
Before You Begin
• Log into the controller VM console from the ESXi hypervisor.
SUMMARY STEPS
1. cd SCA/services/pxgrid
2. sudo vi app.properties, then enter your administrator password when prompted.
3. Update the pxGrid demo properties in the app.properties file.
4. Press Esc, then enter :wq! and press Enter.
DETAILED STEPS
Step 1
Command or Action: cd SCA/services/pxgrid
Purpose: Navigate to the pxgrid directory.
Example:
user@host:~$ cd SCA/services/pxgrid
Step 2
Command or Action: sudo vi app.properties, then enter your administrator password when prompted.
Purpose: Edit the app.properties file with super user privileges.
Example:
user@host:~/SCA/services/pxgrid$ sudo vi app.properties
Step 3
Command or Action: Update the pxGrid demo properties in the app.properties file.
Purpose: Update PXGRID_DEMOFILENAME_IN with ./conf/pxgrid_demo.csv. Update PXGRID_DEMOIP with true.
Example:
PXGRID_HOSTNAMES=
PXGRID_USERNAME=
PXGRID_DESCRIPTION=sln_pxgrid_client
PXGRID_KEYSTORE_FILENAME=
PXGRID_KEYSTORE_PASSWORD=
PXGRID_TRUSTSTORE_FILENAME=
PXGRID_TRUSTSTORE_PASSWORD=
PXGRID_APP_PORT=7072
PXGRID_DEMOFILENAME_IN=./conf/pxgrid_demo.csv
PXGRID_DEMOIP=true
Step 4
Command or Action: Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and exit vi.
What to Do Next
• Enable the ISE pxGrid demo, as described in the next section.
Enable the pxGrid Demo
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd ~/SCA
2. sudo vi sca.conf, then enter your password when prompted
3. Update the ise enabled setting to true.
4. Press Esc, then enter :wq! and press Enter.
5. sudo ./sca.sh restart
DETAILED STEPS
Step 1
Command or Action: cd ~/SCA
Purpose: Change the directory.
Step 2
Command or Action: sudo vi sca.conf, then enter your password when prompted
Purpose: Open the sca.conf file in vi as a super user.
Step 3
Command or Action: Update the ise enabled setting to true.
Purpose: Enable pxGrid integration.
Example:
modules {
  ise {
    enabled = true
  }
}
Step 4
Command or Action: Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and exit vi.
Step 5
Command or Action: sudo ./sca.sh restart
Purpose: Restart the controller processes.
Example:
user@host:~/SCA$ sudo ./sca.sh restart
Controller pxGrid Client Certificates
The controller contains a pxGrid client which retrieves user information from the ISE server. To integrate Learning Network License with ISE, you first generate a private key and public key certificate signing request (CSR), then have a certificate authority (CA) sign the certificate, using a custom pxGrid certificate template. You then export an ISE identity certificate from the ISE server to the controller. Finally, you create a pxGrid client identity keystore and a Learning Network License controller trusted keystore, and import the appropriate certificates into each.
When you submit the CSR to the CA, the CA must use a custom pxGrid certificate template to sign the certificate. Create this certificate template with an enhanced key usage (EKU) object identifier (OID) for client authentication (1.3.6.1.5.5.7.3.2) and for server authentication (1.3.6.1.5.5.7.3.1).
Generating pxGrid Client Certificates
Before You Begin
• Create a custom certificate template with the proper EKU OIDs for client authentication and server authentication.
• Log into the controller VM console as a user with privileges to run OpenSSL.
SUMMARY STEPS
1. cd SCA/services/pxgrid
2. openssl genrsa -out pxGridClient.key 4096
3. openssl req -new -key pxGridClient.key -out pxGridClient.csr
4. Optionally, enter country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email, then challenge-password, then company-name
5. Submit pxGridClient.csr and the certificate template to a CA.
6. Receive the signed certificate and the CA root certificate.
7. Upload pxGridClient.cer and ca_root.cer to the controller, in the SCA/services/pxgrid folder.
8. On the controller VM, navigate to the SCA/services/pxgrid directory.
9. openssl pkcs12 -export -out pxGridClient.p12 -inkey pxGridClient.key -in issued-certificate.cer -CAfile root-ca-certificate.cer, then enter and verify a p12-password when prompted
DETAILED STEPS
Step 1
Command or Action: cd SCA/services/pxgrid
Purpose: Navigate to the /pxgrid directory.
Example:
user@host:~$ cd SCA/services/pxgrid
Step 2
Command or Action: openssl genrsa -out pxGridClient.key 4096
Purpose: Generate the pxGridClient.key private key for the controller pxGrid client.
Example:
user@host:~/SCA/services/pxgrid$ openssl genrsa -out pxGridClient.key 4096
Step 3
Command or Action: openssl req -new -key pxGridClient.key -out pxGridClient.csr
Purpose: Enter the certificate signing request (CSR) wizard to generate a CSR for the pxGrid client.
Example:
user@host:~/SCA/services/pxgrid$ openssl req -new -key pxGridClient.key -out pxGridClient.csr
Step 4
Command or Action: Optionally, enter country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email, then challenge-password, then company-name
Purpose: If you want to specify the certificate subject distinguished name (DN), provide the information. If you want to specify a challenge password, enter a challenge-password. Determine what information your CA requires for a CSR.
Example:
Country Name (2 letter code) [AU]: country-code
State or Province Name (full name) [Some-State]: state
Locality Name (eg, city) []: locality
Organization Name (eg, company) [Internet Widgits Pty Ltd]: organization
Organizational Unit Name (eg, section) []: organizational-unit
Common Name (e.g. server FQDN or YOUR name) []: common-name
Email Address []: email

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: challenge-password
An optional company name []: company-name
Step 5
Command or Action: Submit pxGridClient.csr and the certificate template to a CA.
Purpose: Submit the certificate signing request to the CA. The CA signs the request, and uses the certificate template to add the EKU OIDs for client authentication and server authentication.
Step 6
Command or Action: Receive the signed certificate and the CA root certificate.
Purpose: Receive the pxGridClient.cer signed certificate file and the ca_root.cer CA root certificate file from the CA.
Step 7
Command or Action: Upload pxGridClient.cer and ca_root.cer to the controller, in the SCA/services/pxgrid folder.
Purpose: Upload the signed certificate and root CA certificate to the pxgrid folder on the controller VM.
Step 8
Command or Action: On the controller VM, navigate to the SCA/services/pxgrid directory.
Purpose: Change directories.
Step 9
Command or Action: openssl pkcs12 -export -out pxGridClient.p12 -inkey pxGridClient.key -in issued-certificate.cer -CAfile root-ca-certificate.cer, then enter and verify a p12-password when prompted
Purpose: Add the pxGridClient.key private key, issued-certificate.cer signed client certificate, and root-ca-certificate.cer root CA certificate to the pxGridClient.p12 archive file.
Example:
user@host:~/SCA/services/pxgrid$ openssl pkcs12 -export -out pxGridClient.p12 -inkey pxGridClient.key -in pxGridClient.cer -CAfile ca_root.cer
Enter Export Password: p12-password
Verifying - Enter Export Password: p12-password
What to Do Next
• Export the ISE identity public key certificate to the controller, as described in the next section.
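Before the signed certificate received in step 6 goes into a keystore, it is worth confirming that the CA really applied the custom template with both EKU OIDs named above. The check below is an added example, not Cisco's code: instead of fully parsing X.509 it DER-encodes the OIDs and looks for them in the certificate bytes after the EKU extension identifier (2.5.29.37), which is enough as a sanity check on an ordinary certificate; the input may be PEM or DER, and build_fake_eku_extension is a test aid, not a real certificate.

```python
"""Check that a CA-issued pxGrid client certificate carries the EKU OIDs the guide requires
(added example, not Cisco's code). Stdlib only: DER-encodes the OIDs and searches for them
after the EKU extension OID (2.5.29.37) instead of fully parsing X.509."""
import base64
import re
import sys

EKU_EXTENSION = "2.5.29.37"       # id-ce-extKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth


def encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID as a complete OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def load_der(data: bytes) -> bytes:
    """Accept PEM (as exported by most CAs) or DER and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data


def eku_status(cert: bytes) -> dict:
    """Report whether an EKU extension is present and which of the two required OIDs
    appear after it. Heuristic: the EKU OID list follows the extension OID in DER."""
    der = load_der(cert)
    start = der.find(encode_oid(EKU_EXTENSION))
    if start < 0:
        return {"has_eku": False, "serverAuth": False, "clientAuth": False}
    tail = der[start:]
    return {"has_eku": True,
            "serverAuth": encode_oid(SERVER_AUTH) in tail,
            "clientAuth": encode_oid(CLIENT_AUTH) in tail}


def template_ok(cert: bytes) -> bool:
    """True only when both EKUs the custom pxGrid template must add are present."""
    status = eku_status(cert)
    return status["serverAuth"] and status["clientAuth"]


def build_fake_eku_extension(*oids: str) -> bytes:
    """Construct just an EKU extension TLV (test aid; a real certificate wraps this in
    the X.509 extensions sequence). Lengths stay below 128 so single-byte lengths suffice."""
    seq = b"".join(encode_oid(o) for o in oids)
    inner = bytes([0x30, len(seq)]) + seq          # SEQUENCE OF KeyPurposeId
    octet = bytes([0x04, len(inner)]) + inner      # OCTET STRING extnValue
    ext = encode_oid(EKU_EXTENSION) + octet        # extnID + extnValue
    return bytes([0x30, len(ext)]) + ext


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes as a PEM certificate block (used to exercise load_der)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # usage: python eku_check.py pxGridClient.cer
    with open(sys.argv[1], "rb") as fh:
        print(eku_status(fh.read()))
```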
Exporting an ISE Identity Certificate
Before You Begin
• Log into the ISE server.
SUMMARY STEPS
1. From the System Certificates page, select the Default self-signed server certificate and click Export.
2. Select Export Certificate Only and click Export. Rename the file to isemnt.pem.
3. Upload isemnt.pem to the controller, in the SCA/services/pxgrid folder.
4. Repeat the procedure for any remaining ISE servers in your network deployment. Give each exported certificate file a different name.
DETAILED STEPS
Step 1 From the System Certificates page, select the Default self-signed server certificate and click Export.
Step 2 Select Export Certificate Only and click Export. Rename the file to isemnt.pem.
Step 3 Upload isemnt.pem to the controller, in the SCA/services/pxgrid folder.
Step 4 Repeat the procedure for any remaining ISE servers in your network deployment. Give each exported certificate file a different name.
What to Do Next
• Add certificates to keystores, as described in the next section.
Adding pxGrid Certificates to Stores
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd SCA/services/pxgrid
2. keytool -importkeystore -srckeystore pxGridClient.p12 -destkeystore ./certificates/pxGridClient.jks -srcstoretype PKCS12, then enter and verify a pxgrid-keystore-password, then enter the p12-password
3. keytool -import -alias pxGridSLNClient -keystore ./certificates/pxGridClient.jks -file issued-certificate.cer
4. openssl x509 -outform der -in isemnt.pem -out isemnt.der
5. keytool -import -alias isemnt -keystore ./certificates/root3.jks -file isemnt.der, then enter and verify a pxgrid-truststore-password, then yes to trust the certificate
6. Repeat the previous 2 steps for any remaining ISE identity certificates.
7. keytool -import -alias ca_root1 -keystore ./certificates/root3.jks -file ca_root.cer, then yes to trust the certificate
DETAILED STEPS
Step 1
Command or Action: cd SCA/services/pxgrid
Purpose: Navigate to the /pxgrid directory.
Example:
user@host:~$ cd SCA/services/pxgrid
Step 2
Command or Action: keytool -importkeystore -srckeystore pxGridClient.p12 -destkeystore ./certificates/pxGridClient.jks -srcstoretype PKCS12, then enter and verify a pxgrid-keystore-password, then enter the p12-password
Purpose: Create the pxGridClient.jks pxGrid client identity keystore from the pxGridClient.p12 archive file.
Example:
user@host:~/SCA/services/pxgrid$ keytool -importkeystore -srckeystore pxGridClient.p12 -destkeystore ./certificates/pxGridClient.jks -srcstoretype PKCS12
Enter destination keystore password: pxgrid-keystore-password
Re-enter new password: pxgrid-keystore-password
Enter source keystore password: p12-password
Step 3
Command or Action: keytool -import -alias pxGridSLNClient -keystore ./certificates/pxGridClient.jks -file issued-certificate.cer
Purpose: Import the issued-certificate.cer certificate file into the pxGridClient.jks pxGrid client identity keystore.
Example:
user@host:~/SCA/services/pxgrid$ keytool -import -alias pxGridSLNClient -keystore ./certificates/pxGridClient.jks -file pxGridClient.cer
Enter keystore password: pxgrid-keystore-password
...
Trust this certificate? [no]: yes
Step 4
Command or Action: openssl x509 -outform der -in isemnt.pem -out isemnt.der
Purpose: Convert the isemnt.pem certificate file to DER format.
Example:
user@host:~/SCA/services/pxgrid$ openssl x509 -outform der -in isemnt.pem -out isemnt.der
Step 5
Command or Action: keytool -import -alias isemnt -keystore ./certificates/root3.jks -file isemnt.der, then enter and verify a pxgrid-truststore-password, then yes to trust the certificate
Purpose: Import the isemnt.der ISE identity certificate into the root3.jks Learning Network License controller trusted keystore.
Example:
user@host:~/SCA/services/pxgrid$ keytool -import -alias isemnt -keystore ./certificates/root3.jks -file isemnt.der
Enter keystore password: pxgrid-truststore-password
Re-enter new password: pxgrid-truststore-password
...
Trust this certificate? [no]: yes
Step 6
Command or Action: Repeat the previous 2 steps for any remaining ISE identity certificates.
Purpose: Convert other ISE identity certificate files to DER format, then import them into the root3.jks Learning Network License controller trusted keystore.
Step 7
Command or Action: keytool -import -alias ca_root1 -keystore ./certificates/root3.jks -file ca_root.cer, then yes to trust the certificate
Purpose: Import the ca_root.cer root CA certificate into the root3.jks Learning Network License controller trusted keystore.
Example:
user@host:~/SCA/services/pxgrid$ keytool -import -alias ca_root1 -keystore ./certificates/root3.jks -file ca_root.cer
Enter keystore password: pxgrid-truststore-password
...
Trust this certificate? [no]: yes
What to Do Next
• Configure the pxGrid properties, as described in the next section.
pxGrid Properties Configuration
After you add certificates to keystores on the controller, configure the pxGrid properties file to allow the controller to trust the certificates, and log into the ISE server to retrieve user identity information.
pxGrid Properties Table
Table 32: pxGrid Properties Table
Property | Description | Enter...
PXGRID_HOSTNAMES | The ISE server IP address to connect to. | an IPv4 address
PXGRID_USERNAME | The username the controller uses to contact the ISE server. | an ISE server username
PXGRID_DESCRIPTION | The description associated with the username, visible on the ISE server. | SLNpxGridClient (do not modify)
PXGRID_KEYSTORE_FILENAME | The controller pxGrid client identity keystore location. | ./certificates/pxGridClient.jks or the filename and filepath where you created the keystore
PXGRID_KEYSTORE_PASSWORD | The controller pxGrid client identity keystore password. | the keystore pxgrid-keystore-password
PXGRID_TRUSTSTORE_FILENAME | The Learning Network License controller pxGrid trusted keystore location. | ./certificates/root3.jks or the filename and filepath where you created the trust store
PXGRID_TRUSTSTORE_PASSWORD | The Learning Network License controller pxGrid trusted keystore password. | the trusted keystore pxgrid-truststore-password
PXGRID_APP_PORT | Port used by the controller to internally connect to the controller pxGrid client. | 7072 (do not modify)
Configuring pxGrid
Before You Begin
• Log into the controller VM console from the ESXi hypervisor.
SUMMARY STEPS
1. cd SCA/services/pxgrid
2. sudo vi app.properties, then enter your administrator password when prompted.
3. Update the pxGrid properties in the app.properties file.
4. Press Esc, then enter :wq! and press Enter.
DETAILED STEPS
Step 1
Command or Action: cd SCA/services/pxgrid
Purpose: Navigate to the pxgrid directory.
Example:
user@host:~$ cd SCA/services/pxgrid
Step 2
Command or Action: sudo vi app.properties, then enter your administrator password when prompted.
Purpose: Edit the app.properties file with super user privileges.
Example:
user@host:~/SCA/services/pxgrid$ sudo vi app.properties
Step 3
Command or Action: Update the pxGrid properties in the app.properties file.
Purpose: Update PXGRID_HOSTNAMES with the ISE server IP address. Update PXGRID_USERNAME with a username the controller uses to log into the ISE server. Update PXGRID_KEYSTORE_FILENAME with the keystore location. Update PXGRID_KEYSTORE_PASSWORD with the pxgrid-keystore-password. Update PXGRID_TRUSTSTORE_FILENAME with the trusted keystore location. Update PXGRID_TRUSTSTORE_PASSWORD with the pxgrid-truststore-password.
Example:
PXGRID_HOSTNAMES=192.0.2.2
PXGRID_USERNAME=<username>
PXGRID_DESCRIPTION=sln_pxgrid_client
PXGRID_KEYSTORE_FILENAME=./certificates/pxGridClient.jks
PXGRID_KEYSTORE_PASSWORD=pxgrid-keystore-password
PXGRID_TRUSTSTORE_FILENAME=./certificates/root3.jks
PXGRID_TRUSTSTORE_PASSWORD=pxgrid-truststore-password
PXGRID_APP_PORT=7072
Step 4
Command or Action: Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and exit vi.
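A pre-flight check of app.properties that covers both the demo settings (Table 31) and the ISE settings (Table 32) before the controller processes are restarted. This is an added example, not anything the product ships: it assumes the file is plain KEY=VALUE lines as shown above, and treating a comma-separated PXGRID_HOSTNAMES as several ISE servers is an assumption made here (the guide shows a single address). The two property sets are constructed samples.

```python
"""Pre-flight validation of the pxGrid app.properties file (added example, not Cisco's code).
Rules taken from the guide: ISE mode needs PXGRID_HOSTNAMES (IPv4), PXGRID_USERNAME and the
keystore/truststore paths and passwords; demo mode needs PXGRID_DEMOFILENAME_IN and
PXGRID_DEMOIP=true; PXGRID_APP_PORT must remain 7072."""
import ipaddress
import os

REQUIRED_ISE = ("PXGRID_HOSTNAMES", "PXGRID_USERNAME",
                "PXGRID_KEYSTORE_FILENAME", "PXGRID_KEYSTORE_PASSWORD",
                "PXGRID_TRUSTSTORE_FILENAME", "PXGRID_TRUSTSTORE_PASSWORD")

# Constructed sample files (not copied from a deployed controller).
DEMO_PROPERTIES = """\
PXGRID_HOSTNAMES=
PXGRID_USERNAME=
PXGRID_DESCRIPTION=sln_pxgrid_client
PXGRID_KEYSTORE_FILENAME=
PXGRID_KEYSTORE_PASSWORD=
PXGRID_TRUSTSTORE_FILENAME=
PXGRID_TRUSTSTORE_PASSWORD=
PXGRID_APP_PORT=7072
PXGRID_DEMOFILENAME_IN=./conf/pxgrid_demo.csv
PXGRID_DEMOIP=true
"""

ISE_PROPERTIES = """\
PXGRID_HOSTNAMES=192.0.2.2
PXGRID_USERNAME=sln-reader
PXGRID_DESCRIPTION=sln_pxgrid_client
PXGRID_KEYSTORE_FILENAME=./certificates/pxGridClient.jks
PXGRID_KEYSTORE_PASSWORD=pxgrid-keystore-password
PXGRID_TRUSTSTORE_FILENAME=./certificates/root3.jks
PXGRID_TRUSTSTORE_PASSWORD=pxgrid-truststore-password
PXGRID_APP_PORT=7072
"""


def parse_properties(text: str) -> dict:
    """Minimal KEY=VALUE parser: blank lines and '#' comments are ignored, first '=' splits."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def validate(props: dict, base_dir=None) -> list:
    """Return a list of problems; an empty list means the file matches the guide's rules.
    When base_dir (the pxgrid directory) is given, the keystore paths are checked on disk.
    Note that the keystore passwords sit in clear text in this file, so keep its read
    permissions restricted to the account that runs the controller."""
    problems = []
    if props.get("PXGRID_APP_PORT") != "7072":
        problems.append("PXGRID_APP_PORT must stay 7072")
    demo = props.get("PXGRID_DEMOIP", "").lower() == "true"
    if demo:
        if not props.get("PXGRID_DEMOFILENAME_IN"):
            problems.append("demo mode needs PXGRID_DEMOFILENAME_IN")
        return problems                       # ISE settings may stay empty in demo mode
    for key in REQUIRED_ISE:
        if not props.get(key):
            problems.append("%s is empty" % key)
    # Assumption: several ISE servers may be listed separated by commas.
    for host in filter(None, props.get("PXGRID_HOSTNAMES", "").split(",")):
        try:
            ipaddress.IPv4Address(host.strip())
        except ValueError:
            problems.append("PXGRID_HOSTNAMES entry %r is not an IPv4 address" % host)
    if base_dir is not None:
        for key in ("PXGRID_KEYSTORE_FILENAME", "PXGRID_TRUSTSTORE_FILENAME"):
            path = props.get(key)
            if path and not os.path.isfile(os.path.join(base_dir, path)):
                problems.append("%s: %s not found under %s" % (key, path, base_dir))
    return problems


if __name__ == "__main__":
    # usage: python check_pxgrid.py  (run from SCA/services/pxgrid)
    with open("app.properties") as fh:
        for problem in validate(parse_properties(fh.read()), base_dir="."):
            print("problem:", problem)
```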
pxGrid Activation
After you configure the pxGrid properties, update the controller configuration file to enable pxGrid integration, then restart the controller processes.
Activating pxGrid Integration
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd SCA
2. sudo vi sca.conf, then enter your password when prompted
3. Update the ise enabled setting to true.
4. Press Esc, then enter :wq! and press Enter.
DETAILED STEPS
Step 1
Command or Action: cd SCA
Purpose: Change the directory.
Example:
user@host:~$ cd SCA
Step 2
Command or Action: sudo vi sca.conf, then enter your password when prompted
Purpose: Open the sca.conf file in vi as a super user.
Example:
user@host:~/SCA$ sudo vi sca.conf
Step 3
Command or Action: Update the ise enabled setting to true.
Purpose: Enable pxGrid integration.
Example:
modules {
  ise {
    enabled = true
  }
}
Step 4
Command or Action: Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and exit vi.
What to Do Next
• Restart the controller processes, as described in the next section.
Restarting Controller Processes
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd ~/SCA
2. sudo ./sca.sh restart
DETAILED STEPS
Step 1
Command or Action: cd ~/SCA
Purpose: Change to the /SCA directory.
Example:
user@host:~$ cd ~/SCA
Step 2
Command or Action: sudo ./sca.sh restart
Purpose: Restart the controller processes.
Example:
user@host:~/SCA$ sudo ./sca.sh restart
ISE Server Settings Update
After you activate pxGrid integration, log into your ISE server. Approve the registration for the SLNpxGridClient client if it is in a pending state, then assign SLNpxGridClient to the Session group. See http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html for more information on approving a client's registration, and https://communities.cisco.com/docs/DOC-68291 for more information on updating the group membership.
Controller Process Restart
After you update the SLNpxGridClient client group membership in ISE, restart the controller's processes again. See Restarting Controller Processes, on page 116 for more information.
A P P E N D I X C
Controller Database Cleanup
The following describes the controller database cleanup process.
• Controller Database Cleanup, page 119
Controller Database Cleanup
The controller runs a cleanup script daily against the PostgreSQL database, log files, and stored PCAP files, to make disk space available, and in cases of larger disk space usage, to reclaim disk space for the controller.
The actions the script takes depend on disk usage. If less than 75% of available disk space is used, the cleanup script:
• Saves table data based on the following retention times, and marks rows outside these retention times as deleted:
◦ up to 180 days' worth of anomaly event and related IP information, including DNS queries, Talos threat intelligence, geolocation, and the like, if those anomalies are presented in the controller web UI
◦ up to 30 days' worth of unpulled anomaly event and related IP information, including DNS queries, Talos threat intelligence, geolocation, and the like, if those anomalies are not presented to end users
◦up to 180 days' worth of events displayed in the anomaly inbox
◦up to 30 days' worth of user authentication and login data, and associated logs
◦up to 7 days' worth of agent-related files for warm starts
◦up to 7 days' worth of various statistics and agent status
• Creates a database backup at ~/SCA/backups (without the statistics, agent status, stored PCAP files, or the sca.conf configuration file), and deletes backups older than the 15 most recent
• Rotates the controller's log files, and deletes logs older than 15 days
• Deletes saved PCAP files for anomalies presented in the controller web UI that are older than 180 days
• Deletes saved PCAP files for anomalies that are not presented to end users and older than 30 days
Note: Rows marked as deleted can be reused after the PostgreSQL autovacuum daemon runs VACUUM on the tables.
If disk usage is between 75% and 89%, the cleanup script takes the above steps, but also runs VACUUM on the tables.
If disk usage is at or above 90%, the cleanup script takes the following steps on a first pass:
• Saves table data based on the same retention times as if under 75% of available disk space is used, and marks rows outside those retention times as deleted
• Runs VACUUM FULL on the database tables, which frees the rows marked as deleted and reclaims the disk space for the controller
• Creates a database backup, without the statistics and agent status, at ~/SCA/backups, and deletes backups older than the 3 most recent
• Rotates the controller's log files, and deletes logs older than 3 days
After the first pass, the cleanup script checks the disk space. If over 90% of disk space is still used, the cleanup script:
• Runs TRUNCATE on the statistics table, emptying it
• Runs VACUUM FULL on the database tables again
• Saves only the most recent database backup at ~/SCA/backups
Note: If the controller disk space usage remains over 90% after the cleanup script runs, then the controller service shuts down. If this happens, determine which files are using the most space. Clear log files from the controller to free disk space. If disk space usage still remains over 90%, add more disk space. See Controller Virtual Hard Disk Storage, on page 26 for more information on increasing the available disk space.
Controller Database Cleanup Notes
• Consider backing up files on external storage. Database backups are stored in ~/SCA/backups. PCAP files are stored in ~/SCA/pbc. The controller configuration is stored in ~/SCA/sca.conf.
• Database backups do not include statistics. If you restore a controller database using a database backup, the dashboard will not display graph information or clusters on the dashboard for a period. Wait for the controller to gather more statistics to populate the dashboard.
Checking Disk Usage
If controller disk space usage exceeds 90%, and the cleanup script cannot reduce this below 90%, the controller shuts down. Check the disk usage of various system components to determine the areas of highest usage, then prune files in those areas.
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. du -chs /opt/cisco/sln/sca
2. du -chs /opt/cisco/sln/viz
3. sudo du -chs /var/lib/postgresql, then enter your password when prompted
4. sudo du -chs /var/log, then enter your password when prompted
DETAILED STEPS
Step 1
Command or Action: du -chs /opt/cisco/sln/sca
Purpose: Check disk usage in the /sca folder, for controller-related components.
Example:
user@host:~$ du -chs /opt/cisco/sln/sca
Step 2
Command or Action: du -chs /opt/cisco/sln/viz
Purpose: Check disk usage in the /viz folder, for controller web UI-related components.
Example:
user@host:~$ du -chs /opt/cisco/sln/viz
Step 3
Command or Action: sudo du -chs /var/lib/postgresql, then enter your password when prompted
Purpose: Check disk usage in the /postgresql folder, for database-related components.
Example:
user@host:~$ sudo du -chs /var/lib/postgresql
Step 4
Command or Action: sudo du -chs /var/log, then enter your password when prompted
Purpose: Check disk usage in the /log folder, for log files.
Example:
user@host:~$ sudo du -chs /var/log
What to Do Next
• Based on disk usage, prune backups and logs as necessary.
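The two-pass cleanup decision described under Controller Database Cleanup and the du -chs check above, modelled together as an added example (not Cisco's cleanup script). plan_cleanup predicts which tier and actions the daily script will take from the usage percentages it would observe, and rank_du_output ranks the four folders from pasted du output; the du figures below are constructed, and usage in the gap the guide leaves between 89% and 90% is treated as below 90% (an assumption).

```python
"""Model of the controller's daily cleanup decision plus a ranker for du -chs output
(added example, not Cisco's cleanup script). Thresholds and actions are those the guide
lists; plan_cleanup only predicts what the script runs, it touches nothing."""
import shutil

_DU_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}

# Constructed du -chs outputs for the four folders the guide checks (not from a real host).
SAMPLE_DU = (
    "1.2G\t/opt/cisco/sln/sca\n1.2G\ttotal\n",
    "350M\t/opt/cisco/sln/viz\n350M\ttotal\n",
    "18G\t/var/lib/postgresql\n18G\ttotal\n",
    "2.5G\t/var/log\n2.5G\ttotal\n",
)


def disk_usage_percent(path: str = "/") -> float:
    """Live usage of the filesystem holding path, as a percentage."""
    st = shutil.disk_usage(path)
    return st.used * 100.0 / st.total


def plan_cleanup(readings) -> dict:
    """readings: usage percentages the script would see before the run, after its first
    heavy pass, and after its second pass. Later values are consulted only when the guide
    says the script re-checks; if fewer are given the last one is reused.
    Assumption: the unstated 89%-90% gap counts as below 90%."""
    readings = list(readings)

    def at(i):
        return readings[min(i, len(readings) - 1)]

    first = at(0)
    plan = {"tier": "", "actions": ["mark rows outside retention as deleted"],
            "shutdown": False}
    if first < 75:
        plan["tier"] = "standard"
        plan["actions"] += ["backup (keep 15)", "rotate logs (keep 15 days)",
                            "delete old PCAPs"]
    elif first < 90:
        plan["tier"] = "vacuum"
        plan["actions"] += ["backup (keep 15)", "rotate logs (keep 15 days)",
                            "delete old PCAPs", "VACUUM"]
    else:
        plan["tier"] = "full"
        plan["actions"] += ["VACUUM FULL", "backup (keep 3)", "rotate logs (keep 3 days)"]
        after_first = at(1)                    # the script re-checks after the first pass
        if after_first > 90:
            plan["actions"] += ["TRUNCATE statistics", "VACUUM FULL", "backup (keep 1)"]
            final = at(2)
        else:
            final = after_first
        plan["shutdown"] = final > 90          # still over 90%: the service shuts down
    return plan


def parse_du_size(token: str) -> int:
    """Convert a du -h figure such as '4.0K', '512M' or '1.2G' to bytes (binary units)."""
    token = token.strip()
    unit = token[-1].upper() if token[-1].isalpha() else ""
    number = token[:-1] if unit else token
    return int(float(number) * _DU_UNITS[unit])


def rank_du_output(*du_outputs: str) -> list:
    """Merge several du -chs outputs, drop their 'total' lines, and rank folders largest
    first, which is what the guide asks you to work out by hand."""
    sizes = {}
    for text in du_outputs:
        for line in text.splitlines():
            if not line.strip():
                continue
            size, path = line.split(None, 1)
            if path.strip() == "total":
                continue
            sizes[path.strip()] = parse_du_size(size)
    return sorted(sizes.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print(plan_cleanup([disk_usage_percent("/")]))
    for folder, size in rank_du_output(*SAMPLE_DU):
        print("%6.1f GiB  %s" % (size / 1024 ** 3, folder))
```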
A P P E N D I X D
Database Backup Restore
The following describes how to restore the controller database after a failed upgrade, and reinstall the upgrade.
• Database Backup Restore, page 123
Database Backup Restore
If a controller upgrade fails, you can uninstall the upgrade, restore the controller database from a saved backup, and reinstall the upgrade.
Note: The database backup restore only restores database information. You must back up PCAP files and the controller configuration separately, then reupload them after the database backup restore is complete. PCAP files are stored in ~/SCA/pbc. The controller configuration is stored in ~/SCA/sca.conf.
Reinstalling Failed Upgrade Packages
If your controller upgrade fails, you can uninstall the Debian packages, clear the controller database, then reinstall them.
Before You Begin
• Log into the controller VM console
SUMMARY STEPS
1. cd ~/SCA
2. sudo service ciscosln-sca stop
3. ./sca.sh clean
4. dpkg -l 'ciscosln*'
5. sudo dpkg --purge ciscosln-setup-scripts ciscosln-install-upgrade ciscosln-sca ciscosln-viz, then enter your password when prompted
6. dpkg -l 'ciscosln*'
7. cd /opt/cisco/sln/install_upgrade/sca, if you created this directory and stored the Debian upgrade packages here, or change to the directory that contains the Debian upgrade packages
8. sudo dpkg -i *
9. dpkg -l 'ciscosln*'
DETAILED STEPS
Step 1
Command or Action: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example:
user@host:~$ cd ~/SCA
Step 2
Command or Action: sudo service ciscosln-sca stop
Purpose: Stop the controller service.
Example:
user@host:~/SCA$ sudo service ciscosln-sca stop
Step 3
Command or Action: ./sca.sh clean
Purpose: Clear the logs and the database.
Example:
user@host:~/SCA$ ./sca.sh clean
Step 4
Command or Action: dpkg -l 'ciscosln*'
Purpose: List all installed Debian packages that start with ciscosln. Ensure that you see ciscosln-setup-scripts, ciscosln-install-upgrade, ciscosln-sca, and ciscosln-viz.
Example:
user@host:~/SCA$ dpkg -l 'ciscosln*'
Step 5
Command or Action: sudo dpkg --purge ciscosln-setup-scripts ciscosln-install-upgrade ciscosln-sca ciscosln-viz, then enter your password when prompted
Purpose: Remove the ciscosln-setup-scripts, ciscosln-install-upgrade, ciscosln-sca, and ciscosln-viz Debian packages.
Example:
user@host:~/SCA$ sudo dpkg --purge ciscosln-setup-scripts ciscosln-install-upgrade ciscosln-sca ciscosln-viz
Step 6
Command or Action: dpkg -l 'ciscosln*'
Purpose: List all installed Debian packages that start with ciscosln. Ensure that you see no results.
Example:
user@host:~/SCA$ dpkg -l 'ciscosln*'
Step 7
Command or Action: cd /opt/cisco/sln/install_upgrade/sca, if you created this directory and stored the Debian upgrade packages here, or change to the directory that contains the Debian upgrade packages
Purpose: Change to the directory containing the Debian upgrade packages.
Example:
user@host:~/SCA$ cd /opt/cisco/sln/install_upgrade/sca
Step 8
Command or Action: sudo dpkg -i *
Purpose: Install all Debian packages in the directory.
Example:
user@host:/opt/cisco/sln/install_upgrade/sca$ sudo dpkg -i *
Step 9
Command or Action: dpkg -l 'ciscosln*'
Purpose: List all installed Debian packages that start with ciscosln. Ensure that you see ciscosln-setup-scripts, ciscosln-install-upgrade, ciscosln-sca, and ciscosln-viz.
Example:
user@host:~/SCA$ dpkg -l 'ciscosln*'
What to Do Next
• Restore the database from a backup, as described in the next section.
Restoring a Database from a Backup
After reinstalling the failed upgrade packages, clear the database, restore a backup, upgrade the database, and restart the controller. Optionally, reset the admin administrator user password if your database backup is an older backup, as your passwords may expire upon restore.
Before You Begin
• Log into the controller VM console
• Note the file name of the database backup you want to restore, located at ~/SCA/backups.
SUMMARY STEPS
1. cd ~/SCA
2. sudo service ciscosln-sca stop
3. ./sca.sh clean
4. ./sca.sh restore backups/sln-db-<date>.sql.gz
5. ./sca.sh dbupgrade
6. ./sca.sh reset-admin-password to reset the admin password, if your restored database backup is an older backup
7. sudo service ciscosln-sca start
DETAILED STEPS
Step 1
Command or Action: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example: user@host:~$ cd ~/SCA

Step 2
Command or Action: sudo service ciscosln-sca stop
Purpose: Stop the controller service.
Example: user@host:~/SCA$ sudo service ciscosln-sca stop

Step 3
Command or Action: ./sca.sh clean
Purpose: Clear the logs and the database.
Example: user@host:~/SCA$ ./sca.sh clean

Step 4
Command or Action: ./sca.sh restore backups/sln-db-<date>.sql.gz
Purpose: Restore the database backup.
Example: user@host:~/SCA$ ./sca.sh restore backups/sln-db-2016-10-10-120000.sql.gz

Step 5
Command or Action: ./sca.sh dbupgrade
Purpose: Upgrade the database schema for the installed version.
Example: user@host:~/SCA$ ./sca.sh dbupgrade

Step 6
Command or Action: ./sca.sh reset-admin-password to reset the admin password, if your restored database backup is an older backup
Purpose: Reset the admin administrator user account password.
Example: user@host:~/SCA$ ./sca.sh reset-admin-password

Step 7
Command or Action: sudo service ciscosln-sca start
Purpose: Start the controller service.
Example: user@host:~/SCA$ sudo service ciscosln-sca start
A P P E N D I X E
Additional Controller Configuration
The following describes the controller sca.conf configuration file.
• Additional Controller Configuration, page 129
Additional Controller Configuration
You can configure the sca.conf configuration file, located on the controller at ~/SCA, beyond what is required for installation and external system integration, to further customize your deployment. The sample_sca.conf file, also at ~/SCA, contains example settings most useful to users. These include:
• HTTP server configuration
• user session timeout settings
• database configuration
• agent public key certificate management settings
• logging configuration
• agent polling frequency
• external system integration settings
Before making changes to the sca.conf file, make a backup of your existing file. Roll back the file if there are issues.
Note: After you save your changes, you must restart the controller's processes for the changes to take effect. See Restarting the Controller Processes, on page 130 for more information.
Restarting the Controller Processes
SUMMARY STEPS
1. cd ~/SCA
2. sudo service ciscosln-sca restart
DETAILED STEPS
Step 1
Command or Action: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example: user@host:~$ cd ~/SCA

Step 2
Command or Action: sudo service ciscosln-sca restart
Purpose: Restart the controller processes.
Example: user@host:~/SCA$ sudo service ciscosln-sca restart
A P P E N D I X F
NetFlow Configuration Overview
The following describes the Flexible NetFlow configuration performed by the installation_auto.py install script.
• NetFlow Configuration, page 131
NetFlow Configuration
To capture information about traffic traversing your network, as you deploy agents to your network, the system configures the following Flexible NetFlow components in order:
• SLN-NF-RECORD - a NetFlow flow record which defines key fields to match traffic, and non-key fields to collect
• SLN-NF-EXPORTER - a NetFlow flow exporter that references the agent Management and Control IP address to send NetFlow data to the agent
• SLN-NF-MONITOR - a NetFlow flow monitor that references SLN-NF-RECORD to monitor input and output traffic coming over configured branch interfaces, and forwards it to SLN-NF-EXPORTER
The following diagram illustrates NetFlow operation on the ISR.
Figure 8: NetFlow Operation on the ISR
As input and output traffic passes over the branch facing interfaces, the SLN-NF-MONITOR flow monitor, referencing the SLN-NF-RECORD flow record, monitors the traffic for the key fields. It collects the non-key fields defined in the flow record. The flow monitor sends the flow record to the SLN-NF-EXPORTER flow exporter, which then sends it to the configured virtual service eth0 Management and Control IP address.
NetFlow Configuration Fields
Flow Record
The following describes the fields configured for the SLN-NF-RECORD flow record.
Table 33: SLN-NF-RECORD Flow Record Fields
Configured Field (description below each field)

match ipv4 protocol
    Configures the flow protocol as a key field to match on.
match ipv4 source address
    Configures the flow source IPv4 address as a key field to match on.
match ipv4 destination address
    Configures the flow destination IPv4 address as a key field to match on.
match transport source-port
    Configures the flow source port as a key field to match on.
match transport destination-port
    Configures the flow destination port as a key field to match on.
collect datalink mac source address input
    Configures the source MAC address received on an input interface as a nonkey field to collect.
collect datalink mac destination address output
    Configures the destination MAC address transmitted on an output interface as a nonkey field to collect.
collect transport tcp flags
    Configures the TCP flags as a nonkey field to collect.
collect interface input
    Configures the router interfaces on which a packet entered the router as a nonkey field to collect.
collect interface output
    Configures the router interfaces on which a packet exited the router as a nonkey field to collect.
collect flow direction
    Configures the flow direction as a nonkey field to collect.
collect counter bytes
    Configures the total number of bytes in the flow as a nonkey field to collect.
collect counter packets
    Configures the total number of packets in the flow as a nonkey field to collect.
collect timestamp sys-uptime first
    Configures the first time the system saw a packet in a flow as a nonkey field to collect.
collect timestamp sys-uptime last
    Configures the last time the system saw a packet in a flow as a nonkey field to collect.
collect application name
    Configures the name of the application used in the flow as a nonkey field to collect.
collect routing forwarding-status
    Configures the packet forwarding status as a nonkey field to collect.
Flow Exporter
The following describes the fields configured for the SLN-NF-EXPORTER flow exporter.
Table 34: SLN-NF-EXPORTER Flow Exporter Fields
Configured Field (description below each field)

destination <dla-ip-address>
    Configures the IP address to which the exporter will send flow records.
transport udp 6666
    Configures the UDP port on which the destination host listens for UDP traffic.
template data timeout 60
    Configures sending the flow record template every 300 seconds.
Flow Monitor
The following describes the fields configured for the SLN-NF-MONITOR flow monitor.
Table 35: SLN-NF-MONITOR Flow Monitor Fields
Configured Field (description below each field)

exporter SLN-NF-EXPORTER
    Associates the monitor with the SLN-NF-EXPORTER flow exporter you created.
cache timeout active 60
    Configures the cache timeout for active flows at 60 seconds.
cache entries 512000
    Configures the cache to store a maximum of 512000 flows.
record SLN-NF-RECORD
    Associates the monitor with the SLN-NF-RECORD flow record you created.
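To show what the match and collect fields in Tables 33 to 35 mean in practice, here is an added example (written for this appendix, not Cisco's code or the installation_auto.py script) that models the flow cache in Python: the five match fields form the flow key, the collect fields are accumulated per flow, and the monitor's cache timeout active 60 exports a long-lived flow to the exporter. The packets, MAC addresses, interface names and uptime values are constructed sample data, and the application name and forwarding-status fields are left out.

```python
from dataclasses import dataclass

# "match ..." fields of SLN-NF-RECORD: packets sharing these values are one flow.
KEY_FIELDS = ("protocol", "src_ip", "dst_ip", "src_port", "dst_port")
ACTIVE_TIMEOUT = 60       # SLN-NF-MONITOR: cache timeout active 60
CACHE_ENTRIES = 512000    # SLN-NF-MONITOR: cache entries 512000


@dataclass
class FlowEntry:
    """The "collect ..." (non-key) fields of SLN-NF-RECORD, accumulated per flow."""
    src_mac: str            # collect datalink mac source address input
    dst_mac: str            # collect datalink mac destination address output
    if_input: str           # collect interface input
    if_output: str          # collect interface output
    direction: str          # collect flow direction
    first: int              # collect timestamp sys-uptime first
    last: int = 0           # collect timestamp sys-uptime last
    tcp_flags: int = 0      # collect transport tcp flags (OR of all flags seen)
    byte_count: int = 0     # collect counter bytes
    packet_count: int = 0   # collect counter packets


class FlowCache:
    """Minimal model of what the flow monitor does with the record definition."""

    def __init__(self):
        self.entries = {}    # flow key -> FlowEntry
        self.exported = []   # (key, FlowEntry) records handed to the exporter

    def observe(self, pkt: dict) -> tuple:
        key = tuple(pkt[f] for f in KEY_FIELDS)
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) >= CACHE_ENTRIES:
                raise RuntimeError("flow cache full; new flows would be dropped")
            entry = FlowEntry(pkt["src_mac"], pkt["dst_mac"], pkt["if_input"],
                              pkt["if_output"], pkt["direction"], first=pkt["uptime"])
            self.entries[key] = entry
        entry.packet_count += 1
        entry.byte_count += pkt["length"]
        entry.tcp_flags |= pkt.get("tcp_flags", 0)
        entry.last = pkt["uptime"]
        # Active timeout: a flow that keeps receiving packets is exported every 60 s,
        # so the agent sees long-lived flows before they end.
        if entry.last - entry.first >= ACTIVE_TIMEOUT:
            self.export(key)
        return key

    def export(self, key: tuple) -> None:
        self.exported.append((key, self.entries.pop(key)))


def _pkt(uptime, proto, src_ip, dst_ip, sport, dport, length, flags=0, direction="input"):
    """Build one constructed packet observation (sample data, not captured traffic)."""
    return {"uptime": uptime, "protocol": proto, "src_ip": src_ip, "dst_ip": dst_ip,
            "src_port": sport, "dst_port": dport, "length": length, "tcp_flags": flags,
            "src_mac": "00:11:22:33:44:55", "dst_mac": "66:77:88:99:aa:bb",
            "if_input": "Gi0/0/1", "if_output": "Gi0/0/0", "direction": direction}


# Constructed sample: one long TCP session, its return direction, and a DNS query.
SAMPLE_PACKETS = [
    _pkt(100, "tcp", "10.0.0.5", "93.184.216.34", 51000, 443, 60, flags=0x02),    # SYN
    _pkt(101, "tcp", "93.184.216.34", "10.0.0.5", 443, 51000, 60, flags=0x12,
         direction="output"),                                                    # SYN/ACK
    _pkt(110, "tcp", "10.0.0.5", "93.184.216.34", 51000, 443, 1500, flags=0x10),  # ACK
    _pkt(120, "tcp", "10.0.0.5", "93.184.216.34", 51000, 443, 1500, flags=0x18),  # PSH/ACK
    _pkt(130, "udp", "10.0.0.5", "10.0.0.1", 53000, 53, 80),                      # DNS query
    _pkt(161, "tcp", "10.0.0.5", "93.184.216.34", 51000, 443, 100, flags=0x10),   # 61 s: active timeout
]


def run_sample() -> FlowCache:
    """Feed the constructed packets through the cache and return it for inspection."""
    cache = FlowCache()
    for pkt in SAMPLE_PACKETS:
        cache.observe(pkt)
    return cache


if __name__ == "__main__":
    c = run_sample()
    for key, flow in c.exported:
        print("exported", key, flow)
    print(len(c.entries), "flow(s) still in the cache")
```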
A P P E N D I X G
Troubleshooting
The following describes the most common troubleshooting scenarios.
• Time Synchronization, page 135
• Initial Anomaly Display Issues, page 135
• Maximum Managed Agents, page 136
• Disabled Functionality, page 136
• Controller Administrator Password Reset, page 136
• Performance Issues, page 137
• Certificate Fingerprint Retrieval, page 137
• Connectivity Issues, page 139
• Agent Status Messages, page 139
Time Synchronization
Your controller, agents, and Network Elements should all reference the same NTP servers for proper time synchronization, and to report anomalies correctly.
If you deploy your agents to a UCS E-Series blade server, you must configure NTP on each agent.
If you do not configure NTP servers on an agent deployed as a virtual service, configure them on your Network Elements, as the agents pull time from the host Network Element.
Initial Anomaly Display Issues
If you have installed the Learning Network License system and you do not see any reported anomalies, wait for seven days. The system requires an initial learning phase to create a baseline model of your network traffic and identify anomalies. Note that during this initial learning phase, the system may start reporting anomalies. Because the baseline is not yet complete, these anomalies may not be of interest or relevant to you.
Maximum Managed Agents
If you have not registered your controller with Smart Licensing, you are in Evaluation Mode, and limited to managing 10 agents with that controller. Register the controller with Smart Licensing before the 90-day Evaluation Mode expires to remove the limit.
Disabled Functionality
If the system no longer detects or reports new anomalies, or you can no longer create mitigations, or modify existing mitigations, system registration is expired. If the 90-day Evaluation Mode elapsed, make sure you have the proper license entitlements, and register your controller with the Licensing Authority. Otherwise, if your controller has not communicated with the Licensing Authority in more than 90 days, manually renew your registration with the Licensing Authority.
Controller Administrator Password Reset
If you forget the admin user account's password for the controller web UI, you can reset it from the controller CLI. When you reset the password, the system prints a randomly generated password to the console. This new password is valid for 3 days, by default. When you next log in to the controller web UI as admin, the system prompts you to change the password.
You must have access to the ~/SCA/sca.sh script to reset the password.
Resetting the Controller Administrator Password
Before You Begin
• Log into the controller VM as a user with access to the ~/SCA/sca.sh script.
SUMMARY STEPS
1. cd ~/SCA
2. sudo service ciscosln-sca stop, then enter your password when prompted
3. ./sca.sh reset-admin-password
4. sudo service ciscosln-sca start
DETAILED STEPS
Step 1
Command or Action: cd ~/SCA
Purpose: Change directories to ~/SCA.
Example: user@host:~$ cd ~/SCA

Step 2
Command or Action: sudo service ciscosln-sca stop, then enter your password when prompted
Purpose: Stop the controller processes.
Example: user@host:~/SCA$ sudo service ciscosln-sca stop

Step 3
Command or Action: ./sca.sh reset-admin-password
Purpose: Reset the admin user account's password.
Example:
user@host:~/SCA$ ./sca.sh reset-admin-password
user@host:~/SCA$ Resetting the admin password in sln
user@host:~/SCA$ New password is 'AbCd1234'
user@host:~/SCA$ Admin password reset done.

Step 4
Command or Action: sudo service ciscosln-sca start
Purpose: Start the controller processes.
Example: user@host:~/SCA$ sudo service ciscosln-sca start
What to Do Next
• Log into the controller web UI as admin, then update the password.
Performance Issues
If you are having performance issues, remember that there are several factors that affect your virtual appliances. See System Performance, on page 4 for a list of factors that may affect your performance. To monitor ESXi host performance, you can use your vSphere Client and the information found under the Performance tab.
Certificate Fingerprint Retrieval
To help troubleshoot public key certificate issues, you can retrieve stored certificate fingerprints from the controller VM console, controller web UI, and agent VM console.
Viewing a Controller Client Certificate Fingerprint from the Agent
Before You Begin
• Log into the agent VM console.
DETAILED STEPS
Step 1
Command or Action: cat DLA/certificates/authorized_cert
Purpose: View the stored controller client certificate SHA256 fingerprint in the console.
Example: user@host:~$ cat DLA/certificates/authorized_cert
Viewing a Controller Client Certificate Fingerprint from the Controller
Before You Begin
• Log into the controller VM console.
DETAILED STEPS
Step 1
Command or Action: keytool -v -list -storepass <password> -keystore SCA/keystore.jks | egrep "Alias|SHA256"
Purpose: View the stored controller client certificate SHA256 fingerprint in the console.
Example: user@host:~$ keytool -v -list -storepass sln123 -keystore SCA/keystore.jks | egrep "Alias|SHA256"
Viewing an Agent Server Certificate Fingerprint from the Agent
Before You Begin
• Log into the agent VM console.
DETAILED STEPS
Step 1
Command or Action: openssl x509 -in DLA/certificates/server.pem -noout -fingerprint -sha256
Purpose: View the stored agent server certificate SHA256 fingerprint in the console.
Example: user@host:~$ openssl x509 -in DLA/certificates/server.pem -noout -fingerprint -sha256
Viewing an Agent Server Certificate Fingerprint from the Controller Web UI
Before You Begin
• Log into the controller web UI.
Step 1 Click AGENTS.
Step 2 Click Certificate next to an agent.
Connectivity Issues
You can view and confirm connectivity for management and sensing interfaces using VMware vSphere Client.
If a firewall or other security appliance sits between the controller and agents, or between the user and the controller, ensure that certain communication ports are open. See Communication Ports, on page 17 for more information.
Confirming Interface Connectivity
Step 1 Right-click the name of the virtual appliance in vSphere Client and select Edit Settings.
Step 2 Select Network adapter 1 in the Hardware list and make sure the Connect at power on check box is selected.
Step 3 Repeat step 2 for each remaining network adapter.
Agent Status Messages
The following lists the various agent status codes and messages that the system logs during agent configuration in the controller web UI, as well as recommended steps to resolve the error. You can also view the agent log file at LOG/DLC.log to determine which error occurred, and resolve the issue.
Status Code: 2000
• Status Message - Agent Not Responding
• Description - The controller tried to establish a connection with the agent, and did not receive a response, possibly because the agent is down or unreachable.
• Recommended Resolution - From the controller VM console, ping the agent by IP address and hostname to verify the controller can reach the agent. If you do not receive a response, check your network deployment settings.
Before You Begin
• Log into the controller VM console
SUMMARY STEPS
1. ping <agent-IP-address> -c 5
2. ping <agent-hostname> -c 5
DETAILED STEPS
Step 1
Command or Action: ping <agent-IP-address> -c 5
Purpose: Send five packets to the agent's IP address and receive a response for each packet.
Example: user@host:~$ ping <agent-IP-address> -c 5

Step 2
Command or Action: ping <agent-hostname> -c 5
Purpose: Send five packets to the agent's host name and receive a response for each packet.
Example: user@host:~$ ping <agent-hostname> -c 5
Status Code: 2001
• Status Message - Agent Certificate Rejected
• Description - The controller rejected the agent certificate, possibly for one of the following reasons:
◦The agent certificate does not match the certificate fingerprint pinned in the controller web UI.
◦The agent certificate is self-signed, and the system is not configured to support self-signed certificates.
◦The agent certificate is not self-signed, and a CA or root certificate in the chain of trust is missing from the controller's truststore.
◦The certificate is expired.
• Recommended Resolution - Take the following actions:
◦If you recently upgraded the agent, generate an agent certificate fingerprint, and upload it to the controller web UI. See Uploading an Agent Certificate Fingerprint, on page 141 for more information.
◦If your certificate is self-signed, enable support for self-signed certificates. See Enabling Support for Self-Signed Certificates, on page 143 for more information.
◦If your certificate is not self-signed, verify the truststore contains the necessary root and CA certificates.
◦If your certificate is expired, renew your certificate.
Uploading an Agent Certificate Fingerprint
SUMMARY STEPS
1. Log into the agent virtual service console.
2. 4) Certificate and trust management
3. 6) Export DLA certificate
4. 1) Export to remote system, then hostname, then username, then ~/SCA/filename, then password
5. 11) Exit
6. Log into the controller VM console.
7. cd ~/SCA
8. openssl x509 -in <dla-filename>.pem -noout -fingerprint -sha256
9. Copy the fingerprint into a text editor.
10. Log into the controller web UI.
11. Click AGENTS.
12. Click Certificate next to an agent.
13. Delete the Hash value and enter your new certificate fingerprint hash.
14. Check the Check to overwrite the active certificate checkbox to overwrite the existing pinned certificate fingerprint.
15. Click Pin certificate.
DETAILED STEPS
Step 1
Command or Action: Log into the agent virtual service console.

Step 2
Command or Action: 4) Certificate and trust management
Purpose: Access the Certificate Management menu options.
Example: Enter a number: 4

Step 3
Command or Action: 6) Export DLA certificate
Purpose: Export the certificate associated with the agent.
Example: Enter a number: 6

Step 4
Command or Action: 1) Export to remote system, then hostname, then username, then ~/SCA/filename, then password
Purpose: Export the certificate to the controller. Give each separate certificate you export a different name, such as the agent's hostname.
Example:
Enter a number: 1
Name or address of remote host []? remotehost
Destination username []? admin
The destination filename path can absolute, or relative to home dir.
Destination filename [server.pem]: ~/SCA/<dla-filename>.pem
admin@remotehost's password: <password>

Step 5
Command or Action: 11) Exit
Purpose: Quit the admin script and return to the command prompt.
Example: Enter a number: 11

Step 6
Command or Action: Log into the controller VM console.

Step 7
Command or Action: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example: user@host:~$ cd ~/SCA

Step 8
Command or Action: openssl x509 -in <dla-filename>.pem -noout -fingerprint -sha256
Purpose: Generate a SHA256 fingerprint for the agent certificate.
Example: user@host:~$ openssl x509 -in <dla-filename>.pem -noout -fingerprint -sha256

Step 9
Command or Action: Copy the fingerprint into a text editor.
Purpose: Store the fingerprint in a text editor file.

Step 10
Command or Action: Log into the controller web UI.

Step 11
Command or Action: Click AGENTS.
Purpose: The agents management window appears.

Step 12
Command or Action: Click Certificate next to an agent.
Purpose: The certificate management window appears.

Step 13
Command or Action: Delete the Hash value and enter your new certificate fingerprint hash.
Purpose: The displayed certificate fingerprint is updated.

Step 14
Command or Action: Check the Check to overwrite the active certificate checkbox to overwrite the existing pinned certificate fingerprint.
Purpose: The pinned certificate fingerprint is overwritten.

Step 15
Command or Action: Click Pin certificate.
Purpose: The system pins the certificate fingerprint.
Enabling Support for Self-Signed Certificates
The sca.conf configuration file contains several layers of nested brackets. When you update the file to add or update the dla node, make sure that you nest it within the sln bracket. See the following for an example.
sln {
  dla {
    security {
      allowSelfSignedCert = true
    }
  }
}
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd ~/SCA
2. sudo vi sca.conf, then input your password when prompted
3. Update the configuration file to include or modify the configuration.
4. Press Esc, then enter :wq! and press Enter.
5. sudo service ciscosln-sca restart
DETAILED STEPS
Step 1
Command or Action: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example: user@host:~$ cd ~/SCA

Step 2
Command or Action: sudo vi sca.conf, then input your password when prompted
Purpose: Edit the sca.conf configuration file.
Example: user@host:~/SCA$ sudo vi sca.conf

Step 3
Command or Action: Update the configuration file to include or modify the configuration.
Purpose: Update the configuration file to include allowSelfSignedCert = true.

Step 4
Command or Action: Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and exit the editor.

Step 5
Command or Action: sudo service ciscosln-sca restart
Purpose: Restart the controller processes.
Example: user@host:~/SCA$ sudo service ciscosln-sca restart
Status Code: 2002
• Status Message - Connection Refused or Closed
• Description - The agent refused to accept or closed the connection with the controller, possibly for one of the following reasons:
◦The controller certificate does not match the certificate fingerprint pinned on the agent.
◦The controller certificate is self-signed, and the agent is not configured to support self-signed certificates.
◦The controller certificate is not self-signed, and a CA or root certificate in the chain of trust is missing from the agent's truststore.
◦The controller certificate is expired.
• Recommended Resolution - Take the following actions:
◦If the fingerprint pinned on the agent does not match the certificate, you enabled TOFU, and you do not want to upload the new controller certificate fingerprint to the agent, clear the pinned controller certificate from the agent, and manage your agent with the controller. See Clearing a Pinned Controller Certificate from an Agent, on page 144 for more information.
Note: If TOFU is enabled, and you clear the pinned controller certificate fingerprint, the agent is vulnerable to any entity that connects to it over TLS with a trustable certificate. Manage the agent from the controller as soon as possible after you clear the fingerprint.
◦If the fingerprint pinned on the agent does not match the controller certificate, and you did not enable TOFU, generate a controller certificate fingerprint, and pin it on the agent, as described in Uploading a Controller Certificate Fingerprint, on page 146.
◦If your certificate is self-signed, enable support for self-signed certificates. See Enabling Trust on First Use, on page 147 for more information.
◦If your certificate is not self-signed, verify the trusted CA certificates on the agent hold the issuing CA certificate.
◦If your certificate is expired, renew your certificate.
Clearing a Pinned Controller Certificate from an Agent
If you enabled TOFU, and you clear the pinned controller certificate fingerprint, make sure you connect the agent to the controller as soon as possible, or pin the new controller certificate fingerprint.
Before You Begin
• Log into the agent virtual service console.
SUMMARY STEPS
1. 4) Certificate and trust management
2. 1) Manage Certificate Pinning
3. 6) Clear Trusted SCA certificate fingerprint
4. y to confirm
DETAILED STEPS
Step 1
Command or Action: 4) Certificate and trust management
Purpose: Access the certificate and trust management options.
Example: Enter a number: 4

Step 2
Command or Action: 1) Manage Certificate Pinning
Purpose: Access the certificate pinning options.
Example: Enter a number: 1

Step 3
Command or Action: 6) Clear Trusted SCA certificate fingerprint
Purpose: Choose to clear the pinned controller certificate fingerprint.
Example: Enter a number: 6

Step 4
Command or Action: y to confirm
Purpose: Clear the pinned controller certificate fingerprint.
Example: Confirm removal of existing SCA certificate fingerprint [confirm] y
What to Do Next
• If you enabled TOFU, log into the controller web UI and manage the agent with the controller. See Configuring Agent Network Settings, on page 83 for more information.
• If you did not enable TOFU, pin the controller certificate fingerprint to the agent. See the next section for more information.
Uploading a Controller Certificate Fingerprint
SUMMARY STEPS
1. Log into the controller VM console on the ESXi hypervisor.
2. cd ~/SCA
3. openssl x509 -in sca_cert.pem -noout -fingerprint -sha256
4. Copy the fingerprint into a text editor.
5. Log into the agent virtual service console.
6. 4) Certificate and trust management
7. 1) Manage Certificate Pinning
8. 5) Set Trusted SCA certificate fingerprint
9. SHA256
10. sca-fingerprint
DETAILED STEPS
Step 1
Command or Action: Log into the controller VM console on the ESXi hypervisor.

Step 2
Command or Action: cd ~/SCA
Purpose: Change directories.
Example: user@host:~$ cd ~/SCA

Step 3
Command or Action: openssl x509 -in sca_cert.pem -noout -fingerprint -sha256
Purpose: Generate a SHA256 certificate fingerprint.
Example: user@host:~/SCA$ openssl x509 -in sca_cert.pem -noout -fingerprint -sha256

Step 4
Command or Action: Copy the fingerprint into a text editor.
Purpose: Store the fingerprint in a text editor file.
Example: SHA256 Fingerprint=37:9A:DD:72:B6:91:8F:3E:D7:26:63:86:96:42:83:C3:39:AE:86:96:8F:3C:B8:CA:63:66:65:37:90:0C:51:DC

Step 5
Command or Action: Log into the agent virtual service console.

Step 6
Command or Action: 4) Certificate and trust management
Purpose: Access the certificate and trust management options.
Example: Enter a number: 4

Step 7
Command or Action: 1) Manage Certificate Pinning
Purpose: Access the certificate pinning options.
Example: Enter a number: 1

Step 8
Command or Action: 5) Set Trusted SCA certificate fingerprint
Purpose: Pin the controller certificate fingerprint.
Example: Enter a number: 5

Step 9
Command or Action: SHA256
Purpose: Enter the SHA256 hash algorithm.
Example: Please enter hash algorithm name: SHA256

Step 10
Command or Action: sca-fingerprint
Purpose: Enter the sca-fingerprint.
Example: Please enter hash value as XX:XX:XX:XX...: 37:9A:DD:72:B6:91:8F:3E:D7:26:63:86:96:42:83:C3:39:AE:86:96:8F:3C:B8:CA:63:66:65:37:90:0C:51:DC
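The fingerprint retrieval procedures in this appendix and the two pinning procedures for status codes 2001 and 2002 all compare the value printed by openssl x509 -noout -fingerprint -sha256 with a value pasted into a menu. The following added example (not from the guide or from Cisco's tooling) shows in Python what that value is, SHA-256 over the certificate's DER bytes rendered as colon-separated uppercase hex, and how to normalize a pasted fingerprint and compare it in constant time. The PEM block is constructed filler rather than a real certificate; openssl would reject it, but the fingerprint arithmetic is the same.

```python
import base64
import hashlib
import hmac
import re

# Constructed PEM: the base64 body is 256 filler bytes, not an X.509 certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(bytes(range(256))).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Same value as `openssl x509 -noout -fingerprint -sha256`: SHA-256 over DER, 'AA:BB:...'."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(value: str) -> str:
    """Canonical 'XX:XX:...' form of a pasted value; rejects anything but 32 hex bytes.

    Pass only the hash value, not the 'SHA256 Fingerprint=' prefix (see the parser below).
    """
    hexstr = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(hexstr) != 64:
        raise ValueError(f"expected 32 bytes of SHA-256 fingerprint, got {len(hexstr) // 2}")
    return ":".join(hexstr[i:i + 2] for i in range(0, 64, 2))


def parse_openssl_fingerprint_line(line: str) -> str:
    """Accept the 'SHA256 Fingerprint=...' line that openssl prints, or a bare value."""
    value = line.split("=", 1)[1] if "=" in line else line
    return normalize_fingerprint(value)


def fingerprint_matches(pinned: str, presented_der: bytes) -> bool:
    """Pin check: constant-time comparison of the pinned value with the presented certificate."""
    expected = normalize_fingerprint(pinned)
    actual = sha256_fingerprint(presented_der)
    return hmac.compare_digest(expected.encode(), actual.encode())


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA256 Fingerprint=" + sha256_fingerprint(der))
    print("matches itself:", fingerprint_matches(sha256_fingerprint(der), der))
```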
Enabling Trust on First Use
Before You Begin
• Log into the agent virtual service console as sln.
SUMMARY STEPS
1. 4) Certificate and trust management
2. 1) Manage Certificate Pinning
3. 1) Enable Trust SCA Certificate on First Use
DETAILED STEPS
Step 1
Command or Action: 4) Certificate and trust management
Purpose: Enter the Certificate and trust management menu.
Example: Enter a number: 4

Step 2
Command or Action: 1) Manage Certificate Pinning
Purpose: Enter the Certificate Pinning menu.
Example: Enter a number: 1

Step 3
Command or Action: 1) Enable Trust SCA Certificate on First Use
Purpose: Enable TOFU, to trust the controller certificate the first time it is detected.
Example: Enter a number: 1
Status Code: 2003
• Status Message - Message Decode Error
• Description - The controller cannot decode a message from the agent.
• Recommended Resolution - Ensure that the controller and agent are on the same version. Upgrade the out-of-band component. See the Cisco Stealthwatch Learning Network License Virtual Service Installation Guide, the Cisco Stealthwatch Learning Network License UCS E-Series Blade Server Installation Guide, and the Cisco Stealthwatch Learning Network License Release Notes for more information.
Status Code: 2004
• Status Message - Message ACK Timeout
• Description - The agent did not send an ACK in time, causing the controller to close the agent connection and reconnect to the agent.
• Recommended Resolution - Make sure that your agent is turned on, and ping it from the controller.
Before You Begin
• Log into the controller VM console
SUMMARY STEPS
1. ping <agent-IP-address> -c 5
2. ping <agent-hostname> -c 5
DETAILED STEPS
Step 1
Command or Action: ping <agent-IP-address> -c 5
Purpose: Send five packets to the agent's IP address and receive a response for each packet.
Example: user@host:~$ ping <agent-IP-address> -c 5

Step 2
Command or Action: ping <agent-hostname> -c 5
Purpose: Send five packets to the agent's host name and receive a response for each packet.
Example: user@host:~$ ping <agent-hostname> -c 5
Status Code: 2005
• Status Message - Message Too Big
• Description - The controller received a message from the agent that exceeded the maximum supported message size.
• Recommended Resolution - Contact Cisco Support for more information.
Status Code: 2006
• Status Message - Secure connection misconfigured
• Description - The controller cannot create an SSL context to validate the certificate.
• Recommended Resolution - View the keystore and truststore contents, and provide the store password to check their integrity.
Before You Begin
• Log into the controller VM console.
SUMMARY STEPS
1. cd ~/SCA
2. keytool -list -keystore keystore.jks, then provide your password when prompted
3. keytool -list -keystore truststore.jks, then provide your password when prompted
DETAILED STEPS
Step 1
Command or Action: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example: user@host:~$ cd ~/SCA

Step 2
Command or Action: keytool -list -keystore keystore.jks, then provide your password when prompted
Purpose: View the keystore contents, and provide the password to check the keystore's integrity.
Example: user@host:~/SCA$ keytool -list -keystore keystore.jks

Step 3
Command or Action: keytool -list -keystore truststore.jks, then provide your password when prompted
Purpose: View the truststore's contents, and provide the password to check the truststore's integrity.
Example: user@host:~/SCA$ keytool -list -keystore truststore.jks
Status Code: 2010
• Status Message - Unknown Connection error
• Description - The connection with the agent closed for an unexpected reason.
• Recommended Resolution - If this issue persists, contact Cisco Support for more information.
Status Code: ALLOCFAIL
• Status Message - Failed to allocate memory
• Description - The agent failed to allocate memory.
• Recommended Resolution - Contact Cisco Support for more information.
Status Code: DNSQEVENTSPERBINLIMIT
• Status Message - Too many events have been observed for too many 1-minute bins in the recent past, for DNS queries.
• Description - The agent reached the maximum on observed unique DNS queries and stopped tracking some DNS queries.
• Recommended Resolution - Check the maximum detected flows and DNS query capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.
Status Code: DNSQKEYSPERBINLIMIT
• Status Message - Too many different keys have been observed for too many 1-minute bins in the recent past, for DNS queries.
• Description - The agent groups DNS queries using unique keys. It reached the maximum on observed DNS query groups and stopped tracking DNS queries that do not have a key, and thus do not belong to a tracked group.
• Recommended Resolution - Check the maximum detected flows and DNS query capacity and scaling recommendations in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendations.
Status Code: DNSREVENTSPERBINLIMIT
• Status Message - Too many events have been observed for too many 1-minute bins in the recent past, for DNS replies.
• Description - The agent reached the maximum on observed unique DNS query replies and stopped tracking some DNS query replies.
• Recommended Resolution - Check the maximum detected flows and DNS query capacity and scaling recommendations in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendations.
Status Code: DNSRKEYSPERBINLIMIT
• Status Message - Too many different keys have been observed for too many 1-minute bins in the recent past, for DNS replies.
• Description - The agent groups DNS query replies using unique keys. It reached the maximum on observed DNS query reply groups and stopped tracking DNS query replies that do not have a key, and thus do not belong to a tracked group.
• Recommended Resolution - Check the maximum detected flows and DNS query capacity and scaling recommendations in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendations.
Status Code: HOSTLIMITEXT
• Status Message - Limit of tracked external hosts has been reached for too long in the recent past
• Description - The agent reached the maximum number of tracked external hosts and stopped tracking some hosts.
• Recommended Resolution - Check the maximum external host capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.
Status Code: HOSTLIMITINT
• Status Message - Limit of tracked internal hosts has been reached for too long in the recent past
• Description - The agent reached the maximum number of tracked internal hosts and stopped tracking some hosts.
• Recommended Resolution - Check the maximum internal host capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.
Status Code: HOSTSDROPPEDEXT
• Status Message - Too many external hosts have been observed in the recent past
• Description - The agent reached the maximum number of tracked unique external hosts and stopped tracking some hosts.
• Recommended Resolution - Check the maximum external host capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.
Status Code: HOSTSDROPPEDINT
• Status Message - Too many internal hosts have been observed in the recent past
• Description - The agent reached the maximum number of tracked unique internal hosts and stopped tracking some hosts.
• Recommended Resolution - Check the maximum internal host capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.
Status Code: IPLOCCHANGED
• Status Message - Too many recently seen hosts have a changed IP locality
• Description - The agent identified hosts as internal or external, and the classification of those hosts later changed, possibly due to router configuration updates.
• Recommended Resolution - Take the following steps:
◦ From the Network Element, verify your interface configuration, especially if you reconfigured an interface's direction from internal to external or vice versa.
◦ From the controller web UI, verify the Direction configuration of all Network Element interfaces, including recently reconfigured interfaces.
◦ If the updated Network Element interface configuration changed a subnet's label from internal to external or external to internal, the traffic models must be updated. Shut down the agent and restart it.
Step 1 From the Network Element, verify your interface configuration by running the following commands:
enable
show interfaces
exit
Step 2 From the controller web UI, verify the Direction configuration of the Network Element interfaces.
• Click Configure next to the agent.
• For each interface, choose Internal if the interface faces the branch, External if the interface faces the core, or Unconfigured if the interface should be ignored.
• Click Submit.
• Click Submit.
Step 3 If a subnet's label changed from internal to external or external to internal, shut down and restart the agent.
Status Code: IPLOCINVAL
• Status Message - Too many recently seen hosts have an invalid IP locality
• Description - The agent detects hosts behind interfaces that are not labeled as internal or external, possibly due to newly enabled or reconfigured interfaces on the Network Element.
• Recommended Resolution - Take the following steps:
◦ From the Network Element, verify your interface configuration, especially if you enabled or reconfigured an interface.
◦ From the controller web UI, verify the Direction configuration of all Network Element interfaces, including recently enabled or reconfigured interfaces.
Step 1 From the Network Element, verify your interface configuration by running the following commands:
enable
show interfaces
exit
Step 2 From the controller web UI, verify the Direction configuration of the Network Element interfaces.
• Click Configure next to the agent.
• For each interface, choose Internal if the interface faces the branch, External if the interface faces the core, or Unconfigured if the interface should be ignored.
• Click Submit.
• Click Submit.
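The IPLOCCHANGED and IPLOCINVAL codes above both come down to how a host's locality follows the Direction label of the interface it is seen behind. The following is an added illustration of that dependency, not Cisco's code and not the agent's actual algorithm: the interface names, addresses, observation format and alarm thresholds are constructed. It shows why an unlabelled (Unconfigured or missing) interface yields an invalid locality, why a host seen on both sides yields a changed locality, and which hosts flip when an interface is relabelled, which is the situation in which the guide has you restart the agent so the traffic models are rebuilt.

```python
"""Illustrative model of how IP locality follows interface Direction settings.
Added example, not Cisco's code: interface names, addresses, the observation
format and the alarm thresholds are constructed for the demonstration."""

VALID_DIRECTIONS = {"Internal", "External"}  # "Unconfigured" interfaces are ignored

# Constructed Direction configuration for one Network Element, keyed by interface.
INTERFACE_DIRECTION = {
    "GigabitEthernet0/0/0": "Internal",      # faces the branch
    "GigabitEthernet0/0/1": "External",      # faces the core
    "GigabitEthernet0/0/2": "Unconfigured",  # newly enabled, not yet labelled
}

# Constructed (host, interface the host was seen behind) observations, in time order.
SAMPLE_OBSERVATIONS = [
    ("10.1.1.10", "GigabitEthernet0/0/0"),
    ("10.1.1.11", "GigabitEthernet0/0/0"),
    ("203.0.113.5", "GigabitEthernet0/0/1"),
    ("10.1.1.10", "GigabitEthernet0/0/1"),   # same host later seen on the core side
    ("192.0.2.7", "GigabitEthernet0/0/2"),   # behind the unlabelled interface
]


def locality_of(interface, directions):
    """'Internal' or 'External' for a labelled interface, None for anything else."""
    direction = directions.get(interface)
    return direction if direction in VALID_DIRECTIONS else None


def classify_hosts(observations, directions):
    """Walk the observations and return (locality_by_host, invalid_hosts, changed_hosts).

    A host behind an interface with no valid Direction has an invalid locality
    (IPLOCINVAL); a host whose locality differs from an earlier observation has a
    changed locality (IPLOCCHANGED).
    """
    locality = {}
    invalid, changed = set(), set()
    for host, interface in observations:
        loc = locality_of(interface, directions)
        if loc is None:
            invalid.add(host)
            continue
        previous = locality.get(host)
        if previous is not None and previous != loc:
            changed.add(host)
        locality[host] = loc
    return locality, invalid, changed


def locality_status(observations, directions, max_invalid=2, max_changed=2):
    """Status codes an agent would raise once too many hosts are invalid or changed.
    The thresholds are constructed; the product's values are not on this page."""
    _, invalid, changed = classify_hosts(observations, directions)
    codes = []
    if len(invalid) > max_invalid:
        codes.append("IPLOCINVAL")
    if len(changed) > max_changed:
        codes.append("IPLOCCHANGED")
    return codes


def hosts_affected_by_reconfiguration(observations, old_directions, new_directions):
    """Hosts whose locality flips when an interface Direction is relabelled. A
    non-empty result is the case where the traffic models must be rebuilt, which
    is why the guide has you shut down and restart the agent."""
    old_locality, _, _ = classify_hosts(observations, old_directions)
    new_locality, _, _ = classify_hosts(observations, new_directions)
    hosts = set(old_locality) | set(new_locality)
    return {h for h in hosts if old_locality.get(h) != new_locality.get(h)}
```

Run `classify_hosts(SAMPLE_OBSERVATIONS, INTERFACE_DIRECTION)` to see 192.0.2.7 reported as invalid (it sits behind the Unconfigured interface) and 10.1.1.10 reported as changed (it was first seen on the Internal side and later on the External side). Relabel GigabitEthernet0/0/0 as External and `hosts_affected_by_reconfiguration` returns the hosts that silently moved from internal to external, the condition Step 3 addresses with an agent restart.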
Status Code: NECONNFAIL
• Status Message - Network Element connection failure
• Description - The agent cannot establish an SSH connection with the Network Element, due to one or more of the following causes:
◦ The configured Network Element IP address is incorrect.
◦ The Network Element is not configured for SSHv2 access.
◦ An access control list is preventing SSH access from the agent.
◦ The Network Element configuration does not allocate sufficient Virtual Teletype (VTY) resources for SSH.
• Recommended Resolution - Take the following actions:
◦ Examine the Network Element's log to determine a specific error.
◦ Ensure the Network Element has SSHv2 configured.
◦ Ensure the Network Element does not have an access control list preventing SSH access from the agent.
◦ Ensure the Network Element has sufficient VTY resources.
◦ From the controller web UI, configure the Network Element IP address for the agent.
Step 1 Review the Network Element's logged error messages for SSH connection failures.
Step 2 From the Network Element command line, run the following commands to verify that SSHv2 is configured:
enable
show ssh
exit
Step 3 From the Network Element command line, run show access-lists and verify that none of the access control lists blocks the agent's IP address.
Step 4 From the Network Element command line, run the following commands to verify there are sufficient VTY resources:
enable
show users
exit
Step 5 From the controller web UI, take the following steps to configure the Network Element IP address:
• Select AGENTS.
• Click Configure next to an agent.
• Enter the IPv4 address in the Network Element IP field.
• Click Submit.
• Click Submit.
Status Code: NENOAUTH
• Status Message - Unable to authenticate to Network Element
• Description - The agent cannot authenticate the SSH connection with the Network Element because the credentials are incorrect or not configured.
• Recommended Resolution - From the agent, use the administrator menu to correct the Network Element credentials for SSH login.
Step 1 Access the administrator menu. You have the following options:
• If your agent is deployed as a virtual service, log into the agent VM.
• If your agent is installed on a UCS-E server, log into the agent VM, then run the following commands:
cd ~/DLA
./dla_admin
Step 2 Select the following options in the administrator menu. Enter the Network Element username and password when prompted.
5) Password management
1) Change router credentials
Status Code: NENOIP
• Status Message - Network Element IP not configured
• Description - The agent configuration does not have a Network Element IP address.
• Recommended Resolution - From the controller web UI, configure the Network Element IP address for the agent.
Step 1 From the controller web UI, select AGENTS.
Step 2 Click Configure next to an agent.
Step 3 Enter the IPv4 address in the Network Element IP field.
Step 4 Click Submit.
Step 5 Click Submit.
Status Code: NFDRPFLD
• Status Message - Dropping NetFlow: required fields missing
• Description - The NetFlow flow record is missing required fields.
• Recommended Resolution - Ensure that the SLN-NF-RECORD flow record configuration is correct. After you verify the flow record configuration, save the Network Element running configuration as a startup configuration.
Step 1 From the Network Element command line, run the following commands and verify that the flow record is properly configured:
enable
configure terminal
show running-config flow record SLN-NF-RECORD
exit
Step 2 If the flow record is improperly configured, from the Network Element command line, run the following commands to configure the flow record:
enable
configure terminal
flow record SLN-NF-RECORD
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect datalink mac source address input
collect datalink mac destination address output
collect transport tcp flags
collect interface input
collect interface output
collect flow direction
collect counter bytes
collect counter packets
collect timestamp [absolute | sys-uptime] first
collect timestamp [absolute | sys-uptime] last
collect application name
collect routing forwarding-status
end
Step 3 From the Network Element command line, run the following commands to copy the current running configuration to the startup configuration:
enable
copy running-config startup-config
end
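Verifying the record by eye in Step 1 is error-prone when it has seventeen lines, so here is an added checker, not Cisco's code, that compares a captured `show running-config flow record SLN-NF-RECORD` against the field list from Step 2 and emits the commands that would add whatever is missing. The two captures in the block are constructed to resemble IOS output; the field list itself is taken from the guide.

```python
"""Added example, not Cisco's code: check a captured 'show running-config flow
record SLN-NF-RECORD' against the field list the guide gives for that record.
The captured output below is constructed to look like IOS output."""
import re

# Required fields, exactly as listed in the guide's flow record configuration;
# the timestamp lines accept either 'absolute' or 'sys-uptime'.
REQUIRED_FIELDS = [
    "match ipv4 protocol",
    "match ipv4 source address",
    "match ipv4 destination address",
    "match transport source-port",
    "match transport destination-port",
    "collect datalink mac source address input",
    "collect datalink mac destination address output",
    "collect transport tcp flags",
    "collect interface input",
    "collect interface output",
    "collect flow direction",
    "collect counter bytes",
    "collect counter packets",
    "collect timestamp {absolute|sys-uptime} first",
    "collect timestamp {absolute|sys-uptime} last",
    "collect application name",
    "collect routing forwarding-status",
]

# Constructed capture of a correctly configured record.
SAMPLE_SHOW_OUTPUT = """\
Current configuration : 598 bytes
!
flow record SLN-NF-RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect datalink mac source address input
 collect datalink mac destination address output
 collect transport tcp flags
 collect interface input
 collect interface output
 collect flow direction
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
 collect routing forwarding-status
!
"""
# Constructed capture of a record that would trigger NFDRPFLD: two fields missing.
BROKEN_SHOW_OUTPUT = (SAMPLE_SHOW_OUTPUT
                      .replace(" match transport source-port\n", "")
                      .replace(" collect flow direction\n", ""))


def _field_pattern(field):
    """Regex for one required field; '{a|b}' becomes an alternation."""
    parts = []
    for piece in re.split(r"(\{[^}]*\})", field):
        if piece.startswith("{"):
            parts.append("(?:" + "|".join(map(re.escape, piece[1:-1].split("|"))) + ")")
        else:
            parts.append(re.escape(piece))
    return re.compile("^" + "".join(parts) + "$")


def parse_flow_record(show_output, name="SLN-NF-RECORD"):
    """Return the indented configuration lines inside the named flow record stanza."""
    body, inside = [], False
    for line in show_output.splitlines():
        stripped = line.strip()
        if stripped == f"flow record {name}":
            inside = True
        elif inside and stripped:
            if not line.startswith(" "):
                break  # a column-0 line ('!' or the next stanza) ends the record
            body.append(stripped)
    return body


def missing_fields(show_output, name="SLN-NF-RECORD"):
    """Required fields absent from the captured flow record, in the guide's order."""
    body = parse_flow_record(show_output, name)
    return [f for f in REQUIRED_FIELDS
            if not any(_field_pattern(f).match(line) for line in body)]


def remediation_commands(missing, timestamp="sys-uptime", name="SLN-NF-RECORD"):
    """IOS commands, in the order the guide runs them, that add the missing fields."""
    if not missing:
        return []
    fields = [f.replace("{absolute|sys-uptime}", timestamp) for f in missing]
    return ["enable", "configure terminal", f"flow record {name}", *fields, "end"]
```

Paste the real `show running-config flow record SLN-NF-RECORD` output into `missing_fields`; an empty list means Step 2 is not needed and you can go straight to saving the configuration in Step 3. Because `flow record` sub-commands are additive, the commands from `remediation_commands` only add what is missing and leave the existing lines alone.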
Status Code: NFDRPNOINTF
• Status Message - Dropping NetFlow: internal intfs not configured
• Description - The Network Element interface Direction configuration has not been performed, or has not been pushed to the agent.
• Recommended Resolution - From the controller web UI, check the agent Configured status. If it is Waiting, wait for the controller to push the configuration to the agent. If it is Incomplete or Error, verify and correct the interface configuration.
Step 1 From the controller web UI, select AGENTS.
Step 2 If the Configured status for an agent is Waiting, wait for the controller to push the configuration to the agent.
Step 3 If the Configured status is Incomplete or Error, take the following steps:
• Click Configure next to the agent.
• Enter the IPv4 address in the Network Element IP field.
• For each interface, choose Internal if the interface faces the branch, External if the interface faces the core, or Unconfigured if the interface should be ignored.
• Click Submit.
• Click Submit.
Status Code: NFDRPSYNT
• Status Message - Dropping NetFlow: config file syntax error
• Description - The agent cannot parse the internal_ranges.csv internal IP address file due to a syntax error.
• Recommended Resolution - Take the following actions:
◦ If you have not intentionally added the file, remove the file from the agent, then restart the agent.
◦ If you have intentionally added the file, verify the file format and syntax, then log into the agent VM console, and use the dla_admin script to reimport the file.
Step 1 If you have not intentionally added internal_ranges.csv, from the agent command line, run rm {internal_ranges.csv} to remove the file, then power down and start the agent VM.
Step 2 If you intentionally added internal_ranges.csv, verify that the file is well-formed. Copy the well-formed file to the agent VM and overwrite the file at /CONF/internal_ranges.csv.
Step 3 You have the following options:
• If your agent is deployed as a virtual service, log into the agent VM.
• If your agent is installed on a UCS-E server, log into the agent VM, then run the following commands:
cd ~/DLA
./dla_admin
Step 4 From the administrator menu, select the following options to copy the file. Provide an IP address, username, file path for internal_ranges.csv, and password when prompted.
1) File access
3) Configuration files
3) Get config file from remote system
2) internal_ranges.csv
Status Code: NFDRPVER
• Status Message - Dropping NetFlow: unsupported version
• Description - The configured NetFlow version does not match the version the system expects.
• Recommended Resolution - Ensure NetFlow v9 is configured on the Network Element.
From the Network Element command line, run the following commands to configure NetFlow version 9 on an interface, and repeat for all interfaces:
enable
configure terminal
ip flow-export version 9
interface interface-type interface-number
ip flow {ingress | egress}
exit
end
Status Code: NFEVENTSPERBINLIMIT
• Status Message - Too many events have been observed for too many 1-minute bins in the recent past, for NetFlow events.
• Description - The agent reached the maximum on observed unique NetFlow flows and stopped tracking some NetFlow flows.
• Recommended Resolution - Check the maximum detected NetFlow flows capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.
Status Code: NFKEYSPERBINLIMIT
• Status Message - Too many different keys have been observed for too many 1-minute bins in the recent past, for NetFlow events.
• Description - The agent groups NetFlow flows using unique keys. It reached the maximum on observed NetFlow flow groups and stopped tracking NetFlow flows that do not have a key, and thus do not belong to a tracked group.
• Recommended Resolution - Check the maximum detected NetFlow flows capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.
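The six per-bin codes (DNSQ/DNSR EVENTSPERBINLIMIT and KEYSPERBINLIMIT earlier in this chapter, and the NF pair just above) share one shape: events and grouping keys are counted per 1-minute bin, and the code fires when too many of the recent bins exceed a limit. The following is an added illustration of that shape, not Cisco's code: the limits, the window, the record layout and the grouping keys are constructed, and the product's real capacity figures live in the Data Sheet the resolutions point to. It is useful for understanding why a short burst does not raise the code but a sustained one does, and why a record that lacks its key components drops out of the key count.

```python
"""Illustrative model of the 1-minute-bin capacity checks behind the
DNSQ/DNSR/NF *EVENTSPERBINLIMIT and *KEYSPERBINLIMIT status codes.
Added example, not Cisco's code: the limits, the window, the record layout
and the grouping keys are constructed; the product's capacity figures are in
the Learning Network License Data Sheet, not on this page."""
from collections import defaultdict

BIN_SECONDS = 60
EVENT_LIMIT_PER_BIN = 6      # constructed: unique events tracked per bin
KEY_LIMIT_PER_BIN = 3        # constructed: distinct group keys tracked per bin
WINDOW_BINS = 5              # constructed: "recent past" is the last 5 bins
BINS_OVER_LIMIT_ALLOWED = 2  # constructed: alarm when more than 2 of them are over


def group_key(record):
    """Constructed grouping key: (client, name) for DNS, the 5-tuple for NetFlow.
    A record missing any key component has no key and joins no tracked group."""
    if record["type"] == "dns":
        fields = ("client", "qname")
    else:
        fields = ("src", "dst", "proto", "sport", "dport")
    key = tuple(record.get(f) for f in fields)
    return None if None in key else key


def bin_stats(records):
    """Unique events and distinct keys observed in each 1-minute bin."""
    events, keys = defaultdict(set), defaultdict(set)
    for rec in records:
        b = rec["ts"] // BIN_SECONDS
        events[b].add(tuple(sorted(rec.items())))   # identity of one unique event
        key = group_key(rec)
        if key is not None:
            keys[b].add(key)
    return events, keys


def limit_status(records, source):
    """Status codes raised for source 'DNSQ', 'DNSR' or 'NF' over the last WINDOW_BINS
    bins: one code when too many bins exceeded the event limit, another when too
    many exceeded the key limit."""
    events, keys = bin_stats(records)
    if not events:
        return []
    latest = max(events)
    window = range(latest - WINDOW_BINS + 1, latest + 1)
    bins_over_events = sum(len(events[b]) > EVENT_LIMIT_PER_BIN for b in window)
    bins_over_keys = sum(len(keys[b]) > KEY_LIMIT_PER_BIN for b in window)
    codes = []
    if bins_over_events > BINS_OVER_LIMIT_ALLOWED:
        codes.append(f"{source}EVENTSPERBINLIMIT")
    if bins_over_keys > BINS_OVER_LIMIT_ALLOWED:
        codes.append(f"{source}KEYSPERBINLIMIT")
    return codes


def make_dns_queries(minutes, clients, names, start=0):
    """Constructed DNS query records: each client asks for each name once per minute."""
    return [{"type": "dns", "ts": start + m * BIN_SECONDS + 5, "client": c, "qname": n}
            for m in range(minutes) for c in clients for n in names]
```

With the constructed limits, one client resolving two names every minute stays quiet; two clients resolving the same two names exceed the key limit in every bin and raise only the KEYS code; four clients exceed both limits; and a two-minute burst inside a five-bin window raises nothing, because only two bins are over and the model tolerates two. A NetFlow record with no destination port has no 5-tuple key, so it counts as an event but never as a tracked group.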
Status Code: NFNORCV
• Status Message - Not receiving NetFlow
• Description - The agent has not received NetFlow packets from the Network Element in over 10 minutes, possibly due to NetFlow misconfiguration.
• Recommended Resolution - From the Network Element, ensure that the Network Element is running, that NetFlow v9 is configured, and that the Learning Network License flow exporter is properly configured.
Step 1 Ensure that the Network Element is running.
Step 2 From the Network Element command line, run the following commands and verify that NetFlow version 9 is configured.
enable
show mls nde
exit
Step 3 From the Network Element command line, run the following commands and verify that the flow exporter is properly configured and exporting to the agent IP address on port 6666.
enable
configure terminal
show running-config flow exporter SLN-NF-EXPORTER
exit
Step 4 If the flow exporter is incorrectly configured, from the Network Element command line, run the following commands to configure the flow exporter, replacing <dla-ip-address> with your agent's IP address.
configure terminal
flow exporter SLN-NF-EXPORTER
destination <dla-ip-address>
transport udp 6666
template data timeout 300
exit
end
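NFDRPVER and NFNORCV are both things you can confirm from the receiving side, independently of the router CLI: the first two bytes of every NetFlow export carry the version, and a healthy exporter on `transport udp 6666` sends packets far more often than once per 10 minutes. Below is an added example, not Cisco's code and not the agent's own receiver, that decodes the v9 packet header, classifies a packet as accepted or NFDRPVER, and tracks the silence that leads to NFNORCV. The sample packets are constructed headers with no flowsets; the `listen` helper is for interactive use on a host that is allowed to bind the port.

```python
"""Added example, not Cisco's code: inspect NetFlow export packets as a listener
on the agent's UDP port could, to separate a v9 export (what the system expects)
from another version (NFDRPVER) and to flag an exporter that has gone quiet
(NFNORCV). The sample packets are constructed headers with no flowsets."""
import socket
import struct
import time

NETFLOW_PORT = 6666             # exporter transport port from the guide
EXPECTED_VERSION = 9
STALE_AFTER_SECONDS = 10 * 60   # NFNORCV: nothing received in over 10 minutes
V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, seq, sourceId


def netflow_version(packet):
    """Every NetFlow export, whatever its version, starts with a 2-byte big-endian version."""
    if len(packet) < 2:
        raise ValueError("packet too short to carry a NetFlow version field")
    return struct.unpack("!H", packet[:2])[0]


def parse_v9_header(packet):
    """Decode the 20-byte NetFlow v9 packet header (RFC 3954, section 5.1)."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("NetFlow v9 header needs 20 bytes")
    version, count, uptime, unix_secs, seq, source_id = V9_HEADER.unpack_from(packet)
    if version != EXPECTED_VERSION:
        raise ValueError(f"unsupported NetFlow version {version}")
    return {"version": version, "count": count, "sys_uptime_ms": uptime,
            "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}


class ExportMonitor:
    """Tracks when the last acceptable v9 export arrived and what each packet raised."""

    def __init__(self, now):
        self.last_seen = now       # treat start-up as the last good export
        self.sequence = None       # last v9 sequence number, to spot gaps

    def receive(self, packet, now):
        """Return the status code for a packet, or None when it is accepted."""
        if netflow_version(packet) != EXPECTED_VERSION:
            return "NFDRPVER"      # dropped: wrong version does not count as received
        header = parse_v9_header(packet)
        self.last_seen = now
        self.sequence = header["sequence"]
        return None

    def check_liveness(self, now):
        """Return 'NFNORCV' once no accepted export has arrived for over 10 minutes."""
        return "NFNORCV" if now - self.last_seen > STALE_AFTER_SECONDS else None


# Constructed samples: a v9 header and a 24-byte v5 header (version, count, sysUptime,
# unixSecs, unixNsecs, seq, engineType, engineId, samplingInterval).
V9_PACKET = V9_HEADER.pack(9, 1, 123456, 1700000000, 42, 0)
V5_PACKET = struct.pack("!HHIIIIBBH", 5, 1, 123456, 1700000000, 0, 42, 0, 0, 0)


def listen(port=NETFLOW_PORT, packets=1):
    """Bind the exporter port and classify a few packets; for interactive use only."""
    monitor = ExportMonitor(time.monotonic())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(packets):
            data, peer = sock.recvfrom(65535)
            print(peer, monitor.receive(data, time.monotonic()) or "accepted v9")
    return monitor
```

Note that a dropped packet does not refresh `last_seen`: a router exporting v5 to the right address and port produces NFDRPVER first and, because nothing is ever accepted, NFNORCV ten minutes later, which is why Step 2 (confirm version 9) comes before Step 3 (confirm the exporter) in the resolution.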
Status Code: SOLTCOLLECTIONSLIMIT1
• Status Message - The maximum number of level 1 model collections has been reached, therefore no more model may be created.
• Description - The agent reached the maximum on observable application groups, and cannot create additional traffic models based on the excess application groups.
• Recommended Resolution - Check the maximum detected application group capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.
Status Code: SOLTCOLLECTIONSLIMIT2
• Status Message - The maximum number of level 2 model collections has been reached, therefore no more model may be created.
• Description - The agent reached the maximum on observable source cluster and application group pairs, and cannot create additional traffic models based on the excess source cluster and application group pairs.
• Recommended Resolution - Check the maximum detected cluster and application group capacity and scaling recommendations in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendations.
Status Code: TOPOFAIL
• Status Message - Failed to read required topology file
• Description - A topology file, used to process network traffic information, is missing or corrupt.
• Recommended Resolution - From the agent, check the log at LOG/DLC.log to determine the specific error.
◦ If the custom clusters file is missing or corrupted and the agent is deployed as a virtual service, reinstall the agent.
◦ If the custom clusters file is missing or corrupted and the agent is installed on a UCS-E server, copy the file from another UCS-E-based agent.
◦ If the internal_hosts file is in the error message, use the controller web UI to verify that config.json does not reference the internal_hosts_filename file. Contact Cisco Support for more information on whether you should be using the internal_ranges.csv file.
Step 1 If the clusters file is missing or corrupted, and your agent is deployed as a virtual service, reinstall the agent. See the Cisco Stealthwatch Learning Network License Virtual Service Installation Guide and the Cisco Stealthwatch Learning Network License Release Notes for more information.
Step 2 If the clusters file is missing or corrupted, and your agent is deployed on a UCS-E server, copy the file from another agent deployed on a UCS-E server.
Step 3 If the internal_hosts file is in the error message, verify that config.json does not reference internal_hosts_filename.
• From the controller web UI, select AGENTS.
• Next to the affected agent, click Configure.
• Click Edit raw JSON configuration.
Status Code: VERSCOMPONENT
• Status Message - Incompatible DLA component versions
• Description - The agent has component executables at different versions from each other.
• Recommended Resolution - Download an upgrade file and upgrade your agent to that version.
Note: Do NOT manually copy a component executable file from one agent to another.
Download an upgrade file and upgrade your agent to that version. See the Cisco Stealthwatch Learning Network License Virtual Service Installation Guide, the Cisco Stealthwatch Learning Network License UCS E-Series Blade Server Installation Guide, and the Cisco Stealthwatch Learning Network License Release Notes for more information.
Status Code: WARMBADFILE
• Status Message - Failed to load warmstart model file
• Description - The agent failed to load a warmstart file.
• Recommended Resolution - Contact Cisco Support for more information.
Status Code: WARMNOFILE
• Status Message - Required warmstart file is missing
• Description - The agent is configured with the force_load setting enabled, and a warmstart file is missing.
• Recommended Resolution - From the controller web UI, remove the force_load setting from config.json.
Step 1 From the controller web UI, select AGENTS.
Step 2 Next to the affected agent, click Configure.
Step 3 Click Edit raw JSON configuration.
Step 4 Remove the force_load setting and save your changes.
Status Code: WARMSTATEVAL
• Status Message - Invalid model state before saving warmstart file
• Description - The agent could not save the internal traffic model state, because it was invalid or inconsistent.
• Recommended Resolution - Contact Cisco Support for more information.
A P P E N D I X H
Uninstallation
The following details how to remove the Learning Network License deployment from your network.
• Uninstalling the Learning Network License System, page 163
• Controller Removal from an ESXi Host, page 168
Uninstalling the Learning Network License System
Uninstalling the Learning Network License system involves removing Learning Network License-related configuration from the Network Element on which an agent is deployed, removing the agent from the host Network Element, and removing the controller from the ESXi host.
From the controller web UI, delete all mitigations. This directs the agents to remove the QoS policy configuration from the host Network Element. Then, disable PBC/DPI on all interfaces. This directs the agent to remove the IP traffic export configuration from the interfaces. Disable the agents to halt controller/agent communications. Finally, deregister Smart Licensing.
Next, from the controller VM command line, modify install configuration files, and use the install script to remove the agents from the Network Elements. This also removes the Learning Network License-related Flexible NetFlow flow record, flow monitor, and flow exporter configuration.
Finally, delete the controller from the ESXi host.
Step 1 From the controller web UI, delete the mitigation policies from the mitigation table. See Deleting All Mitigations, on page 164 for more information.
Step 2 From the controller web UI, disable PBC/DPI for every Network Element interface. See Disabling PBC/DPI on an Interface, on page 165 for more information.
Step 3 From the controller web UI, disable every agent. See Disabling All Agents, on page 165 for more information.
Step 4 From the controller web UI, deregister Smart Licensing. See Deregistering a Controller from Smart Licensing, on page 165 for more information.
Step 5 From the controller VM command line interface, modify the install.yaml agent install and upgrade properties file to include all agents. See Modifying the Install Properties File, on page 166 for more information.
Step 6 From the controller VM command line interface, rename the aa_summary file to aa_summary_backup. See Renaming an Install Log File, on page 167 for more information.
Step 7 From the controller VM command line interface, run installation_auto.py -c install.yaml --clean_only to remove all agents from the host Network Elements, as well as the SLN-NF-RECORD flow record, SLN-NF-EXPORTER flow exporter, and SLN-NF-MONITOR flow monitor Flexible NetFlow configuration. See Uninstalling Agents Using the Install Script, on page 167 for more information.
Step 8 From the ESXi host hosting the controller, remove the controller VM. See Removing a VM from an ESXi Host, on page 168 for more information.
Controller Web UI Uninstallation
To uninstall the Learning Network License system, perform the following tasks from the controller web UI in order:
• Delete all mitigations
• Disable PBC/DPI on all Network Element interfaces
• Disable all managed agents
• Deregister Smart Licensing
Deleting All Mitigations
Before You Begin
• Ensure that the agents that enforce the mitigation policies are enabled.
Step 1 Select Mitigation.
Step 2 Click Delete all mitigations to delete all mitigations.
Disabling PBC/DPI on an Interface
Before You Begin
• Ensure that the agent on the Network Element is enabled.
Step 1 Select AGENTS.
Step 2 Click Configure next to an agent.
Step 3 Uncheck Enable PBC/DPI on each interface to disable raw packet capture.
Step 4 Uncheck Enable PBC.
Step 5 Uncheck Enable DPI/DPS.
Step 6 Click Submit.
Step 7 Click Submit.
Disabling All Agents
If you registered your controller with the Smart Licensing Authority and then disable an agent, the system frees the license entitlement allocated to that agent.
Before You Begin
• Log into the controller web UI.
Step 1 Select AGENTS.
Step 2 Check the select all checkbox at the top of the list to select all agents.
Step 3 Click Disable.
What to Do Next
• Unregister your controller from the Licensing Authority, as described in the next section.
Deregistering a Controller from Smart Licensing
Deregistering your controller from Smart Licensing also frees the controller license entitlement.
Before You Begin
• Log into the controller web UI.
Step 1 Select Dashboard.
Step 2 Click Smart Licensing.
Step 3 Choose Deregister from the Actions drop-down menu.
Step 4 Click Deregister to confirm the deregistration.
Agent Removal from a Virtual Service
Removing an agent deployed as a virtual service from a Network Element involves modifying the install and upgrade configuration settings file, renaming an install log file, then running the install and upgrade script with a command line option to remove the agent.
Modifying the Install Properties File
Modify the install.yaml install properties file so the install script can locate and remove the agents from the Network Elements.
Before You Begin
• Log into the controller VM console.
DETAILED STEPS
Step 1
Command or Action: cd /opt/cisco/sln/install_upgrade/container
Purpose: Navigate to the /install_upgrade/container directory.
Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container
Step 2
Command or Action: vi install.yaml
Purpose: Open the install.yaml properties file in the vi text editor.
Example: user@host:~/opt/cisco/sln/install_upgrade/container$ vi install.yaml
Step 3
Command or Action: Verify that each of your Network Elements and agents has a per-branch setting entry. See the Cisco Stealthwatch Learning Network License Release Notes for more information.
Purpose: Ensure that your install.yaml properties file has a per-branch setting entry for each Network Element and agent.
Step 4
Command or Action: Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and close the file.
Install and Update Properties File Storage
When you deployed the agents as virtual services, you configured the install.yaml properties file withdeployment settings. If you plan on deploying the Learning Network License system again, you can log intothe controller, save the properties file, and upload it to the controller to redeploy your agents. See https://www.vmware.com/support/ws3/doc/ws32_running9.html for more information.
Renaming an Install Log File
Rename the aa_summary install log file so the install script does not reference it and only attempt to clean up those agents which failed to properly install.
Before You Begin
• Log into the controller VM console.
DETAILED STEPS
Step 1
Command or Action: cd /opt/cisco/sln/install_upgrade/container
Purpose: Navigate to the /install_upgrade/container directory.
Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container
Step 2
Command or Action: mv aa_summary aa_summary_backup
Purpose: Rename the aa_summary file to aa_summary_backup.
Example: user@host:~/opt/cisco/sln/install_upgrade/container$ mv aa_summary aa_summary_backup
Uninstalling Agents Using the Install Script
Run the installation_auto.py install script, referencing the install.yaml install properties file, to remove all agents deployed as virtual services.
Before You Begin
• Log into the controller VM console.
DETAILED STEPS
Step 1
Command or Action: cd /opt/cisco/sln/install_upgrade/container
Purpose: Navigate to the /install_upgrade/container directory.
Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container
Step 2
Command or Action: installation_auto.py -c install.yaml --clean_only
Purpose: Run the installation_auto.py install script with the --clean_only command line option to remove the agents from the host Network Elements referenced in install.yaml.
Example: user@host:~/opt/cisco/sln/install_upgrade/container$ installation_auto.py -c install.yaml --clean_only
Controller Removal from an ESXi Host
Removing a controller from an ESXi host requires connecting to the ESXi host and deleting the controller VM.
Removing a VM from an ESXi Host
Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you want to remove the VM.
Step 2 Select View > Inventory > Hosts and Clusters.
Step 3 Highlight the VM you want to remove.
Step 4 Select Inventory > Virtual Machine > Power > Power Off and wait for the VM to power off.
Step 5 Right-click the VM you want to remove, and select Delete from Disk. Confirm the deletion.