SNA Threat Intelligence license

Maciej Waliszko
Level 1

Hello,

Based on the ordering guide, the SNA TI license is per collector. However, there are a few options:

L-LC-TI-FC1K= -Use this PID for virtual Flow Collectors that are (or will be) configured as a FC1K for very small deployments

L-LC-TI-FC2K= -Use this PID for virtual Flow Collectors that are (or will be) configured as a FC2K for small deployments

L-LC-TI-FC4K= -Use this PID for virtual Flow Collectors that are (or will be) configured as a FC4K or FC4K model hardware

L-LC-TI-FC5K= -Use this PID for FC5K model hardware Flow Collectors

However none of the installation guides mentions any types of deployments. What is considered as:

- very small

- small

deployment? What kind of license should I choose for virtual FC/under which circumstances?

2 Replies

Hi,

Sometimes Cisco is just confusing in their ordering guide, and SNA has always been almost impossible to puzzle together, and they are still merging information from "Lancope" years after the acquisition.

"Very small"
"small"
"medium"
"large"

These are just the typical "enterprise classifications", meaning how many flows they consider to be a "very small" or a "small" configuration. Not really related to reality, but that's another story. They also provide physical hardware that matches their definitions of "very small" and "small" etc., so that's basically what that means.

As far as SNA is concerned, you design and license it around "flows per second", so a FC1k physical appliance would meet their definition of "small" and can support a maximum amount of "flows per second" based on that hardware. There is a specific Threat Intelligence License for that and the other physical hardware that they sell.

Most SNA deployments I see are virtual installs, and for that you just need to buy a virtual license that matches your deployment when you created the VM.

https://www.cisco.com/c/en/us/products/collateral/security/stealthwatch/datasheet-c78-739398.html

Their datasheet is not the best, and like I said, they still seem to struggle migrating Lancope information to the new names after the acquisition... but when you download and install your virtual flow collector, you will deploy it as follows in some installation guides:
FCVE-1000, FCVE-2000, or FCVE-4000

This is an indication of how many flows per second your installation can handle, and that will give you an indication of which license to buy. Now with the new versions, you just install the ISO and configure some parameters to fit your requirements, and there are no "very small, small, medium, large" deployments... instead you need to check how many "flows per second" you need to support.

And then match the TI license to the flows per second. To complicate this, they don't sell the FC1K or FC2K appliances anymore:

  • Secure Network Analytics Flow Collector 4210 — Part number: ST-FC4210-K9
  • Secure Network Analytics Flow Collector 5210 — Part number: ST-FC5210-K9
  • Secure Network Analytics Flow Collector 4300 — Part number: ST-FC4300-K9

 

So you have to dig deep into documents to find the specifications for the FC1K and FC2K appliances.
FC5k = roughly 500k FPS (datastore)
FC4k = roughly 500k FPS (datastore)
FC2k = roughly 60k FPS (used to be a Lancope appliance, e.g. LC-FC-NF-2000-K9)
FC1k = roughly 30k FPS (used to be a Lancope appliance, e.g. LC-FC-NF-1000-K9)

So with that said, FC1k = used to count as very small or about 30k FPS.
FC2k = used to count as small or about 60k FPS.
FC4/5K = medium/large deployments or a high amount of FPS per collector.

In general this means that most deployments land at these:

Cisco Secure Network Analytics Threat Feed for FC1K License – Part number: L-LC-TI-FC1K=

Cisco Secure Network Analytics Threat Feed for FC2K License – Part number: L-LC-TI-FC2K=

 

But whenever it comes to this, I always check with Cisco first, because nothing is written in stone and they rebrand these things all the time. I've never had issues with the L-LC-TI-FC2K= even with 120k flows; there is a limit somewhere around there, mainly because of the scale of the installs/deployments.

HTH
-Daniel



jamegill
Cisco Employee

I've been helping customers with Stealthwatch / SNA for years and I'm tempted to click on the "I have this problem too" button.

One day this will change and get simpler. Until then, @DanielLarsson63527 does a solid job of untangling the licensing intention and the documentation in his post above. Nice work, Daniel.

--jg