
Stealthwatch Installation and Configuration Guide 7.0


KVM

- Compatibility: using any compatible Linux distribution.
- KVM Host Versions: There are several methods used to install a virtual machine on a KVM host. We tested KVM and validated performance using the following components:
  - libvirt 3.0.0
  - qemu-KVM 2.8.0
  - Open vSwitch 2.6.1
  - Linux Kernel 4.4.38
- Virtualization Host: For minimum requirements and best performance, review the Virtual


Transcription of Stealthwatch Installation and Configuration Guide 7.0

Cisco Stealthwatch Installation and Configuration Guide

Copyright 2019 Cisco Systems

Table of Contents

Introduction
Overview
Virtual Edition (VE)
Hardware
Audience
New Process
Required Patches
Terminology
Abbreviations
Before You Begin
Hardware
Virtual Appliances
VMware
KVM
Downloading the VE Software
Registering and Licensing
Java
TLS
Third Party Applications
Browsers
Host Name
Domain Name
NTP Server
Time Zone
Hardware Resource Requirements
Virtual Edition (VE) Resource Requirements
SMC VE
VE 2000
Flow Collector VE
Flow Sensor VE
Flow Sensor VE Network Environments
Flow Sensor VE Traffic
UDP Director VE
Endpoint Concentrator
Data Storage
Access Information
Hypervisor Server
SMC VE
Console Access
Admin Access
Flow Collector VE
Console Access
Admin Access
Flow Sensor VE
Console Access
Admin Access
UDP Director VE
Console Access
Admin Access
Endpoint Concentrator
Console Access
Admin Access
Quick Reference Workflows
Stealthwatch Hardware
Stealthwatch Virtual Edition
1. Installing a Virtual Appliance: Preparing your Network
the Appliances
Stealthwatch Management Console
Stealthwatch Flow Collector
Stealthwatch Flow Sensor
Important Considerations for Integration
TAPs
Using Electrical TAPs
Using Optical TAPs
Using TAPs Outside Your Firewall
Placing the Flow Sensor VE Inside Your Firewall
SPAN Ports
Stealthwatch UDP Director
Configuring Your Firewall for Communications
Open Ports
SMC, Flow Collector, Flow Sensor, and UDP Director
Endpoint Concentrator
Communication Ports and Protocols
Optional Communication Ports
2a. Installing a Virtual Appliance using VMware
Overview
Before You Begin
Installing a Virtual Appliance Using vCenter (OVF)
Process Overview
1. Logging in to the VMware Client
2. Configuring the Flow Sensor to Monitor Traffic
Monitoring a vSwitch with Multiple Hosts
Configuration Requirements
Monitoring a vSwitch with a Single Host
a Port Group
Set the Port Group to Promiscuous Mode
3. Installing the Virtual Appliance
4. Defining Additional Monitoring Ports (Flow Sensors only)
Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)
Process Overview
1. Logging in to the VMware Web Client
2. Booting from the ISO
2b. Installing a Virtual Appliance on a KVM Host
Overview
Before You Begin
Process Overview
1. Installing a Virtual Appliance on a KVM Host
2. Adding NIC and Promiscuous Port Monitoring on an Open vSwitch (Flow Sensors Only)
3. Configuring the IP Addresses
Configure the IP Addresses
4. Configuring Your Appliances
Preparation
Appliance Setup Tool Requirements
Managed or Stand-Alone
SMC Failover
Best Practices
Configuration Order
1. Log In
2. Configure the Appliance
3. Configure your Flow Collectors for Central Management
4. Confirm Appliance Status
5. Finishing Appliance Configurations
Director
Configuring Forwarding Rules Using the SMC
Configuring Forwarding Rules Using Appliance Administration
Configuring High Availability Using Appliance Administration
Primary Node and Secondary Node
Requirements
1. Configure the Primary UDP Director HA
2. Configure the Secondary UDP Director HA
Flow Sensor
1. Configure the Application ID and Payload
2. Configure the Flow Sensor to Identify Applications (optional)
3. Restart the Appliance
Endpoint Concentrator
Troubleshooting the Endpoint Concentrator
6. Activating Licenses
7. Verifying Communications
Overview
Verify NetFlow Data Collection
8. Installing Patches
Defining an SMC Failover Relationship
Enabling the SLIC Threat Feed
Copying the SLIC Feed Key
Enabling the SLIC Threat Key
9. Getting Started with Stealthwatch
Overview
Managing Your Environment
Investigating Behavior
Responding To Threats
Central Management
Management and Appliance Administration Interface
Opening Central Management
Opening Appliance Admin
Opening Appliance Admin through Central Management
Opening Appliance Admin through Direct Login
Editing Appliance Configuration
Viewing Appliance Statistics
Removing an Appliance from Central Management
Adding an Appliance to Central Management
Installing Patches and Updating Software
Troubleshooting
Config Channel Down
Opening Appliance Administration Interface
Replacing the Appliance Identity
Changing Appliances After Configuration
Changing the Host Name
Changing the Network Domain Name
Changing IP Address
Opening the Appliance Setup Tool
Changing the Trusted Hosts
Resetting Factory Defaults
Resetting Passwords
Enabling or Disabling Password Reset
Resetting Passwords
Resetting Admin, Sysadmin, and Root Passwords
Resetting Sysadmin and Root Passwords
Contacting Support

this Guide to configure the following Cisco Stealthwatch Enterprise hardware and Virtual Edition (VE) appliances:

- Stealthwatch Management Console (SMC)
- Stealthwatch Flow Collector
- Stealthwatch Flow Sensor
- Stealthwatch UDP Director
- Endpoint Concentrator

For more information about Stealthwatch, refer to the following online resources:

- Overview:
- Appliances:

Virtual Edition (VE)

You can use this Guide to install and configure your virtual appliances.

Hardware

If you are configuring Stealthwatch hardware, install your physical appliances using the Stealthwatch x210 Series Hardware Installation Guide before you start this configuration.

Audience

The intended audience for this Guide includes network administrators and other personnel who are responsible for installing and configuring Stealthwatch products. If you are configuring virtual appliances, we assume you have basic familiarity with VMware or KVM. If you prefer to work with a professional installer, please contact your local Cisco Partner or Cisco Stealthwatch Support.

New Process

If you are familiar with Stealthwatch, please note that we have a new process for installing and configuring your Stealthwatch appliances.

The configuration includes the following:

- Configuration Order: Make sure you install and configure the appliances following the instructions in this Guide and using the new order.
- Certificates: Appliances are installed with a unique, self-signed appliance identity certificate.
- Central Management: You can manage your appliances from the primary SMC/Central Manager.

For details, refer to the Release

Required Patches

After you install and configure your appliances, make sure you install the required patches using the patch readme notes. For details, refer to 8. Installing Patches.

Terminology

This Guide uses the term appliance for any Stealthwatch product, including virtual products such as the Stealthwatch Flow Sensor Virtual Edition (VE).

A "cluster" is your group of Stealthwatch appliances that are managed by the Stealthwatch Management Console (SMC). Most appliances are managed by the SMC. If an appliance is not managed by the SMC, such as an Endpoint Concentrator, it is described as a "stand-alone appliance."

Abbreviations

The following abbreviations may appear in this Guide:

Abbreviation  Definition
DNS           Domain Name System (Service or Server)
dvPort        Distributed Virtual Port
              Server X
GB            Gigabyte
IDS           Intrusion Detection System
IPS           Intrusion Prevention System
ISO           International Standards Organization
IT            Information Technology
KVM           Kernel-based Virtual Machine
MTU           Maximum Transmission Unit
NTP           Network Time Protocol
OVF           Open Virtualization Format
SMC           Stealthwatch Management Console
TB            Terabyte
UUID          Universally Unique Identifier
VDS           vNetwork Distributed Switch
VE            Virtual Edition
VLAN          Virtual Local Area Network
VM            Virtual Machine

Before You Begin

Before you begin.

