Cisco Stealthwatch UDP Director Installation and Configuration Guide

Type
Installation and Configuration Guide
Cisco Stealthwatch
Installation and Configuration Guide 7.1
Table of Contents
Introduction 9
Overview 9
Virtual Edition (VE) 9
Hardware 9
Audience 9
Process 10
Terminology 10
Abbreviations 11
Before You Begin 12
Hardware 12
Virtual Appliances 12
VMware 12
KVM 13
Downloading the VE Software 13
Registering and Licensing 13
TLS 13
Third Party Applications 14
Browsers 14
Host Name 14
Domain Name 14
NTPServer 14
Time Zone 14
Hardware Resource Requirements 15
Virtual Edition (VE) Resource Requirements 16
Stealthwatch Management Console VE 17
Stealthwatch Management Console VE 2000 17
Stealthwatch Management Console VE and Capacities 18
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 2 -
Flow Collector VE 19
Flow Sensor VE 20
Flow Sensor VE Network Environments 21
Flow Sensor VE Traffic 22
UDP Director VE 23
Endpoint Concentrator 23
Data Storage 24
Access Information 26
Hypervisor Server 26
SMC VE 27
Console Access 27
Admin Access 27
Flow Collector VE 28
Console Access 28
Admin Access 28
Flow Sensor VE 29
Console Access 29
Admin Access 29
UDP Director VE 30
Console Access 30
Admin Access 30
Endpoint Concentrator 31
Console Access 31
Admin Access 31
Quick Reference Workflows 32
Stealthwatch Hardware 32
Stealthwatch Virtual Edition 32
1. Installing a Virtual Appliance:Configuring your Firewall and Ports 33
Overview 33
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 3 -
Placing the Appliances 33
Stealthwatch Management Console 33
Stealthwatch Flow Collector 33
Stealthwatch Flow Sensor 34
Important Considerations for Integration 34
TAPs 35
Using Electrical TAPs 35
Using Optical TAPs 36
Using TAPs Outside Your Firewall 36
Placing the Flow Sensor VE Inside Your Firewall 37
SPAN Ports 38
Stealthwatch UDP Director 39
Configuring Your Firewall for Communications 40
Open Ports 40
Stealthwatch Management Console (SMC), Flow Collector, Flow Sensor,
and UDP Director 40
Endpoint Concentrator 40
Communication Ports and Protocols 41
Optional Communication Ports 43
2a. Installing a Virtual Appliance using VMware 46
Overview 46
Before You Begin 46
Installing a Virtual Appliance Using vCenter (OVF) 47
Process Overview 47
1. Logging in to the VMware Client 47
2. Configuring the Flow Sensor to Monitor Traffic 48
Monitoring a vSwitch with Multiple Hosts 48
Configuration Requirements 48
Monitoring a vSwitch with a Single Host 53
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 4 -
Add a Port Group 53
Set the Port Group to Promiscuous Mode 57
3. Installing the Virtual Appliance 60
4. Defining Additional Monitoring Ports (Flow Sensors only) 66
Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO) 71
Process Overview 71
1. Logging in to the VMware Web Client 71
2. Booting from the ISO 74
2b. Installing a Virtual Appliance on a KVM Host (ISO) 76
Overview 76
Before You Begin 76
Process Overview 76
1. Installing a Virtual Appliance on a KVM Host 77
Configuration Requirements 77
2. Adding NIC and Promiscuous Port Monitoring on an Open vSwitch (Flow
Sensors Only) 84
3. Configuring the IPAddresses 86
Configure the IP Addresses 86
Troubleshooting 90
Accessing the Appliance 90
4. Configuring Your Appliances 91
Preparation 91
Appliance Setup Tool Requirements 91
Managed or Stand-Alone 91
SMC Failover 91
Best Practices 92
Configuration Order 93
1. Log In 94
2. Configure the Appliance 95
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 5 -
3. Configure your Flow Collectors for Central Management 100
4. Confirm Appliance Status 101
5. Finishing Appliance Configurations 103
UDP Director 104
Configuring Forwarding Rules Using the SMC 104
Configuring Forwarding Rules Using Appliance Administration 106
Configuring High Availability Using Appliance Administration 108
Primary Node and Secondary Node 108
Requirements 109
1. Configure the Primary UDP Director HA 109
2. Configure the Secondary UDP Director HA 111
Flow Sensor 112
1. Configure the Application ID and Payload 112
2. Configure the Flow Sensor to Identify Applications (optional) 115
3. Restart the Appliance 116
Endpoint Concentrator 117
Troubleshooting the Endpoint Concentrator 119
6. Activating Licenses 120
7. Installing the Stealthwatch Desktop Client 121
Install theDesktop Client Using Windows 121
Change the Memory Size 122
Install the Desktop Client Using macOS 123
Change the Memory Size 123
8. Verifying Communications 125
Overview 125
Verify NetFlow Data Collection 125
Defining an SMCFailover Relationship 128
Enabling the SLIC Threat Feed 129
Copying the SLIC Feed Key 129
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 6 -
Enabling the SLIC Threat Key 129
Configuring SAML SSO 133
Support Details 133
1. Prepare for Configuration 133
2. Upload Certificates to the Trust Store 134
3. Configure the Service Provider 134
4. Enable SSO 136
5. Configure the Identity Provider 136
6. Add an SSO User 137
7. Test SAML Login 137
Troubleshooting 138
Getting Started with Stealthwatch 139
Overview 139
Managing Your Environment 139
Investigating Behavior 139
Responding To Threats 140
Central Management 141
Central Management and Appliance Administration Interface 141
Opening Central Management 142
Opening Appliance Admin 142
Opening Appliance Admin through Central Management 142
Opening Appliance Admin through Direct Login 142
Editing Appliance Configuration 142
Viewing Appliance Statistics 144
Removing an Appliance from Central Management 144
Adding an Appliance to Central Management 145
Installing Patches and Updating Software 146
Troubleshooting 147
Config Channel Down 147
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 7 -
Opening Appliance Administration Interface 147
Replacing the Appliance Identity 148
Changing Appliances After Configuration 148
Changing the Host Name 149
Changing the Network Domain Name 149
Changing IP Address 149
Opening the Appliance Setup Tool 150
Changing the Trusted Hosts 150
Resetting Factory Defaults 151
Enabling/Disabling Admin Users 151
Resetting Passwords 152
Enabling or Disabling Password Reset 152
Resetting Passwords 153
Resetting Admin, Sysadmin, and Root Passwords 153
Resetting Sysadmin and Root Passwords 154
Contacting Support 158
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 8 -
Introduction
Overview
Use this guide to configure the following Cisco Stealthwatch Enterprise hardware and
Virtual Edition (VE) appliances for v7.1.3:
lStealthwatch Management Console (SMC)
lStealthwatch Flow Collector
lStealthwatch Flow Sensor
lStealthwatch UDP Director
lEndpoint Concentrator
For more information about Stealthwatch, refer to the following online resources:
lOverview:
https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html
lAppliances:
https://www.cisco.com/c/en/us/products/security/stealthwatch/datasheet-
listing.html
Virtual Edition (VE)
You can use this guide to install and configure your virtual appliances.
Hardware
If you are configuring Stealthwatch hardware, install your physical appliances using the
Stealthwatch x210 Series Hardware Installation Guide before you start this
configuration.
Audience
The intended audience for this guide includes network administrators and other
personnel who are responsible for installing and configuring Stealthwatch products.
If you are configuring virtual appliances, we assume you have basic familiarity with
VMware or KVM.
If you prefer to work with a professional installer, please contact your local Cisco Partner
or Cisco Stealthwatch Support.
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 9 -
Introduction
Process
If you are familiar with Stealthwatch, please note that we have a new process for
installing and configuring your Stealthwatch appliances. The configuration includes the
following:
lConfiguration Order: Make sure you install and configure the appliances
following the instructions in this guide and using the new order.
lCertificates: Appliances are installed with a unique, self-signed appliance
identity certificate.
lCentral Management: You can manage your appliances from the primary
SMC/Central Manager.
For details, refer to the Release Notes.
Terminology
This guide uses the term appliancefor any Stealthwatch product, including virtual
products such as the Stealthwatch Flow Sensor Virtual Edition (VE).
A "cluster" is your group of Stealthwatch appliances that are managed by the
Stealthwatch Management Console (SMC).
Most appliances are managed by the SMC. If an appliance is not managed by the SMC,
such as an Endpoint Concentrator, it is described as a "stand-alone appliance."
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 10 -
Introduction
Abbreviations
The following abbreviations may appear in this guide:
Abbreviations Definition
DNS Domain Name System (Service or Server)
dvPort Distributed Virtual Port
ESX Enterprise Server X
GB Gigabyte
IDS Intrusion Detection System
IPS Intrusion Prevention System
ISO International Standards Organization
IT Information Technology
KVM Kernel-based Virtual Machine
MTU Maximum Transmission Unit
NTP Network Time Protocol
OVF Open Virtualization Format
SMC Stealthwatch Management Console
TB Terabyte
UUID Universally Unique Identifier
VDS vNetwork Distributed Switch
VE Virtual Edition
VLAN Virtual Local Area Network
VM Virtual Machine
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 11 -
Introduction
Before You Begin
Before you begin, review this guide to understand the process as well as the
preparation, time, and resources you'll need to plan for the installation and
configuration.
Hardware
lInstallation: Make sure you install your appliance hardware (physical appliances)
using the Stealthwatch x210 Series Hardware Installation Guide before you
configure them using this guide.
lSpecifications: Hardware specifications are available on Cisco.com.
lSupported Platforms: To view the supported hardware platforms for each
system version, refer to the Hardware Version and Support Matrix on Cisco.com.
lWork Flow: See Quick Reference Workflows to review the instructions you'll
need to configure your hardware.
Virtual Appliances
You can use a VMware environment or KVM (Kernel-based Virtual Machine) for the
virtual appliance installation. It is important to review the following compatibility
information:
VMware
lCompatibility: VMware v6.0, v6.5, or v6.7.
lEnvironment: You can install your virtual appliances on VMware vCenter or on an
ESXi stand-alone server. Refer to 2a. Installing a Virtual Appliance using
VMware for details.
lOVF Deployment: We validated VMware v6.5 using update 2 and the vSphere
flash web client. There may be issues using other clients from vSphere. You can
use the ESXi 6.5 update 2 HTML5 client, but you may encounter system time-
outs.
lVMware Upgrades: Stealthwatch VE appliances that are running on older
versions of VMware are not compatible with v6.5. If you upgrade your VMware
environment to v6.x, delete your existing Stealthwatch VE appliances and reinstall
them.
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 12 -
Before You Begin
lLive migration (for example, with vMotion) from host to host is not supported.
lSnapshots:Virtual machine snapshots are not supported.
Do not install VMware Tools on a Stealthwatch virtual appliance because it will
override the custom version already installed. Doing so would render the virtual
appliance inoperable and require reinstallation.
KVM
lCompatibility: using any compatible Linux distribution.
lKVM Host Versions: There are several methods used to install a virtual machine
on a KVM host. We tested KVM and validated performance using the following
components:
llibvirt 3.0.0
lqemu-KVM 2.8.0
lOpen vSwitch 2.6.1
lLinux Kernel 4.4.38
lVirtualization Host: For minimum requirements and best performance, review the
Virtual Edition (VE) Resource Requirements section and see the hardware
specification sheet for your appliance at Cisco.com.
The system performance is determined by the host environment. Your
performance may vary.
Downloading the VE Software
If you are installing virtual appliances, download the appliance installation file (OVF or
ISO) from the Download and License Center. For instructions, refer to the
Downloading and Licensing Stealthwatch Products Guide.
Registering and Licensing
As part of the configuration process for both hardware and virtual appliances, you will
register and license your Stealthwatch products. For instructions, refer to the
Downloading and Licensing Stealthwatch Products Guide.
TLS
Stealthwatch requires TLS v1.1 or v1.2.
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 13 -
Before You Begin
Third Party Applications
Stealthwatch does not support installing third party applications on appliances.
Browsers
lCompatible Browsers: Stealthwatch supports the latest version of Chrome,
Firefox, and Edge.
lMicrosoft Edge: There may be a file size limitation with Microsoft Edge. We do
not recommend using Microsoft Edge to install the VE OVF or ISO files.
Host Name
A unique host name is required for each appliance. We cannot configure an appliance
with the same host name as another appliance. Also, make sure each appliance host
name meets the Internet standard requirements for Internet hosts.
Domain Name
A fully qualified domain name is required for each appliance. We cannot install an
appliance with an empty domain.
NTPServer
lConfiguration: At least 1 NTP server is required for each appliance.
lProblematic NTP:Remove the 130.126.24.53 NTP server if it is in your list of
servers. This server is known to be problematic and it is no longer supported in our
default list of NTP servers.
Time Zone
All Stealthwatch appliances use Coordinated Universal Time (UTC).
lVirtual Host Server: Make sure your virtual host server is set to the correct time.
Make sure the time setting on the virtual host server (where you will be
installing the virtual appliances) is set to the correct time. Otherwise, the
appliances may not be able to boot up.
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 14 -
Before You Begin
Hardware Resource Requirements
Use the following table to record the settings that you will need to configure
Stealthwatch appliances.
Settings SMC Flow
Collector
Flow
Sensor
UDP
Director
Host Name
IP Address 192.168.1.11* 192.168.1.4* 192.168.1.7* 192.168.1.2*
Subnet Mask
Gateway   
DNS Server(s)
NTP Server(s)
Mail Relay
*These are default IP addresses. The Flow Collector sFlow default is
192.168.1.5. The default for the Flow Collector 5000 Series Database is
192.168.1.15.
In addition, you could also use the following settings:
Port exporting flow data (usually 2055) ________________________________
SNMP read-only community string of routers _________________________________
___________________________________
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 15 -
Hardware Resource Requirements
Virtual Edition (VE) Resource Requirements
This section provides the resource requirements for the virtual appliances. Use the
tables provided in this section to record settings you will need to install and configure
the Stealthwatch VE appliances.
lStealthwatch Management Console (SMC)
lFlow Collector
lFlow Sensor
lUDP Director
lEndpoint Concentrator
lData Storage
Make sure you reserve the required resources for your system. This step is
critical for system performance.
If you choose to deploy Cisco Stealthwatch appliances without the required
resources, you assume the responsibility to closely monitor your appliance
resource utilization and increase resources as needed to ensure proper health
and function of the deployment.
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 16 -
Virtual Edition (VE) Resource Requirements
Stealthwatch Management Console VE
To determine the minimum resource allocations for the SMC VE, you should determine
the number of Flow Collectors and users expected to log in to the SMC.
Refer to the following specifications to determine your resource allocations. Also, refer
to Stealthwatch Management Console VE and Capacities for additional
information.
Flow Collectors Concurrent
Users*
Required
Reserved
Memory
Required
Reserved
CPUs
1 2 24 GB 3
3 5 32 GB 4
5 10 32 GB 4
*Concurrent users include scheduled reports and people using the SMC client at the
same time.
Stealthwatch Management Console VE 2000
The following specifications are the default settings for the download of the SMC VE
2000, the minimum recommended, and an estimate of the hardware equivalent:
OVF or ISO
Required
Minimum
Reserved
Memory
Hardware
Equivalent*
RAM 64 GB 64 GB 128 GB
CPU 8 8 28
*These figures are based on the SMC 2010 appliance and physical (non hyper-threaded)
cores.
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 17 -
Virtual Edition (VE) Resource Requirements
Stealthwatch Management Console VE and Capacities
These are the Stealthwatch Management Console VE models and their capacities:
SMC VE
Model
Required
Reserved Memory
Required
Reserved CPUs
SMC VE 63 GB up to 7
SMC VE 2000 64 GB 8 or more
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 18 -
Virtual Edition (VE) Resource Requirements
Flow Collector VE
To determine your resource allocations for the Flow Collector VE, you should determine
the flows per second expected on the network, and the number of exporters and hosts it
is expected to monitor. Refer to the following specifications to determine your resource
allocations:
Flows per
second Exporters Hosts
Required
Reserved
Memory
Required
Reserved
CPUs
Flow
Collector VE
Model
Up to
4,500 Up to 250 Up to
125,000 16 GB 2 FCVE
Up to
15,000 Up to 500 Up to
250,000 24 GB 3 FCVE
Up to
22,500 Up to 1000 Up to
500,000 32 GB 4 FCVE
Up to
30,000 Up to 1000 Up to
500,000 32 GB 5 FCVE
Up to
60,000 Up to 1500 Up to
750,000 64 GB 6 2000
Up to
120,000 Up to 2000 Up to
1,000,000 128 GB 7 4000
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 19 -
Virtual Edition (VE) Resource Requirements
Flow Sensor VE
Stealthwatch offers various types of Flow Sensor VEs depending upon the number of
NICs for the Flow Sensor VE.
lCache: The Flow Cache Size column indicates the maximum number of active
flows that the Flow Sensor can process at the same time. The cache adjusts with
the amount of reserved memory, and flows are flushed every 60 seconds. Use the
Flow Cache Size to calculate the amount of memory needed for the amount of
traffic being monitored.
lRequirements: Your environment may require more or less resources and may
depend on a number of variables, such as average packet size, burst rate, and
other network and host conditions.
License
Type
NICs -
monitoring
ports
(1 Gb)
Required
Reserved
CPUs
Required
Minimum
Reserved
Memory
Estimated
Throughput
Flow Cache
Size
(maximum
number of
concurrent
flows)
FSBASE 1 1 4 GB 850 Mbps 32,766
FSBASE 2 4 8 GB
1,850 Mbps
Interfaces
configured as
PCI pass-
through
(igb/ixgbe
compliant or
e1000e
compliant)
65,537
FSBASE 4 8 16 GB
3,700 Mbps
Interfaces
configured as
131,073
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 20 -
Virtual Edition (VE) Resource Requirements
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136
  • Page 137 137
  • Page 138 138
  • Page 139 139
  • Page 140 140
  • Page 141 141
  • Page 142 142
  • Page 143 143
  • Page 144 144
  • Page 145 145
  • Page 146 146
  • Page 147 147
  • Page 148 148
  • Page 149 149
  • Page 150 150
  • Page 151 151
  • Page 152 152
  • Page 153 153
  • Page 154 154
  • Page 155 155
  • Page 156 156
  • Page 157 157
  • Page 158 158
  • Page 159 159

Cisco Stealthwatch UDP Director Installation and Configuration Guide

Type
Installation and Configuration Guide

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI