Secure Cloud Analytics IOS-XE Integration Guide

 

Cisco Secure Cloud Analytics (also known as Stealthwatch Cloud) is a Network Detection and Response solution that provides advanced threat detection, accelerated threat response, and simplified network segmentation. The Cisco Secure Analytics IOS-XE Integration Guide allows any IOS-XE device running 17.5.1 to be used as a sensor for the Cisco Secure Cloud Analytics solution without the need to deploy additional virtual machines or consuming extra resources in your on-premises infrastructure.

 

NOTE: Attached at the bottom of the page, you'll find the same guide in PDF format.

 

Requirements:

• A Cisco Secure Analytics portal is required. Use the following resource to submit a portal Trial form       
• IOS-XE device running 17.5.1.

All IOS-XE devices require full outbound HTTPs access to Stealthwatch Cloud service, this needs to be direct, if you use a proxy service create an exception for outbound Internet traffic coming from the device’s IP address. DNS resolution is also required to resolve Stealthwatch Cloud service URL. Use the following table to determine your Stealthwatch Cloud portal service URL according to where it was initially deployed:

 

US	https://sensor.ext.obsrvbl.com
Europe	https://sensor.eu-prod.obsrvbl.com
Asia	https://sensor.anz-prod.obsrvbl.com

 

To verify DNS configuration on your IOS-XE device: 

Procedure

 

1. Verify DNS configuration on the switch:

switch#show ip name-server

switch#A.B.C.D

 

NOTE: A.B.C.D will be the IPv4 address of your DNS server 

 

2. If DNS configuration is missing use the following command to configure a DNS server on the switch:

switch#configure terminal

switch(config)#ip name-server A.B.C.D

switch(config)#

 

NOTE: Replace A.B.C.D for the IPv4 address of your DNS server.

 

Obtaining the Service Key

 

The Service Key allows the IOS-XE device to be associated to your Stealthwatch Cloud portal. This key will be the same for all devices.

 

Before You Begin

• Log into the Stealthwatch Cloud portal. This should be in the format <your_company_name@obsrvbl.com>

 

Procedure

1. From the top menu go to Settings > Sensors.
2. Copy the value of Service Key on a text editor.

 

NOTE: If the Service Key is not shown in the sensor page do this:

 

1. Click Settings > Account Management.
2. In the left side menu click Management > Display.
3. Turn off Beta on button.
4. Click on the cloud icon on the top right or in the left side menu click Sensors > Sensors.
5. Scroll to the end of the page and copy the value of the Service Key on a text editor.

 

Configuring IOS-XE device for Stealthwatch Cloud service

 

Make sure your device is running IOS-XE version 17.5.1 or newer before configuring this. IOS-XE is available on different network devices including WLC, Access Points, Routers and Catalyst 9k devices. This guide will be focused on the Catalyst 9K family devices.

 

NOTE: This configuration may be done via alternate GUI-based methods or through Cisco DNA-C, this guide will use CLI for configuration and verification.

 

Configuring Stealthwatch Cloud integration using CLI:

 

Before You Begin

• Login via SSH to your device.

 

Procedure

1. Enter global configuration mode:

switch#configure terminal

switch(config)#

 

2. Enter the Stealthwatch Cloud Monitor global configuration mode:

switch(config)#stealthwatch-cloud-monitor

switch(config-swc-monitor)#

 

3. Define a sensor name (optional):

switch(config-swc-monitor)#sensor-name cat9k-sensor

switch(config-swc-monitor)#

 

 

NOTE: This is optional but recommended, if no sensor name is specified, the serial number will be used.

 

4. Enter the Service Key retrieved from the portal:

switch(config-swc-monitor)#service-key qsiLvNPbEX7aVVcQo9B..

switch(config-swc-monitor)#

 

NOTE: This is a critical step, this is what associates the device with your portal. The service key in this example has been abbreviated, the real service key is a longer string or characters.

 

5. Configure the Stealthwatch Cloud server URL:

switch(config-swc-monitor)#url https://sensor.ext.obsrvbl.com

switch(config-swc-monitor)#

 

NOTE: This URL is static for all deployments. This is not your company’s portal URL. Refer to “Requirements” earlier in this guide to get the URL you need.

 

6. Verify the integration on the device:

Switch#show stealthwatch-cloud detail

========================================

Stealthwatch Cloud Parameters

========================================

   Service Key  : qsiLvNPbEX7aVVcQo9B..

   Sensor Name  : cat9k-sensor

   URL          : https://sensor.ext.obsrvbl.com

========================================

Stealthwatch Cloud Sensor Info

========================================

   Sensor Status    : Registered

   Last heartbeat   : 2021-05-17T17:11:53

 

NetFlow Configuration

 

Before You Begin

• Login via SSH to your device.

 

Procedure

1. Enter global configuration mode:

Switch#configure terminal

 

2. Configure a flow record:

Switch(config)#flow record StealthwatchRecord

 

3. Add a description (optional):

Switch(config-flow-record)#description SWCFlowRecord

 

4. Configure NetFlow specific fields to be used by the Stealthwatch Cloud service:

Switch(config-flow-record)#match ipv4 protocol

Switch(config-flow-record)#match ipv4 source address

Switch(config-flow-record)#match ipv4 destination address

Switch(config-flow-record)#match transport source-port

Switch(config-flow-record)#match transport destination-port

Switch(config-flow-record)#collect counter bytes long

Switch(config-flow-record)#collect counter packets long

Switch(config-flow-record)#collect timestamp absolute first

Switch(config-flow-record)#collect timestamp absolute last

 

5. Configure a flow exporter:

Switch(config)#flow exporter StealthwatchExporter

 

6. Configure a flow exporter destination:

Switch(config-flow-exporter)#destination stealthwatch-cloud

 

NOTE: This is a critical step, this is what makes NetFlow configuration use the built-in capabilities of IOS-XE devices and send NetFlow directly to the Stealthwatch Cloud service.

 

7. Configure a flow monitor:

Switch(config)#flow monitor StealthwatchMonitor

 

8. Add the flow exporter and flow record to the flow monitor:

Switch(config-flow-monitor)#exporter StealthwatchExporter

Switch(config-flow-monitor)#record StealthwatchRecord

 

9. Apply the flow monitor to multiple interfaces:

Switch(config)#interface gi1/0/1

Switch(config)#ip flow monitor StealthwatchMonitor input

 

TIP: Apply the flow monitor to all interfaces you want traffic to be monitored, such as end user, servers. Make sure you also add this to your uplinks ports.

 

10. Verify configuration:

switch#show run | section flow

   flow record StealthwatchRecord

     description SWCFlowRecord

     match ipv4 protocol

     match ipv4 source address

     match ipv4 destination address

     match transport source-port

     match transport destination-port

     collect counter bytes long

     collect counter packets long

     collect timestamp absolute first

     collect timestamp absolute last

   flow exporter StealthwatchExporter

     destination stealthwatch-cloud

   flow monitor StealthwatchMonitor

     exporter StealthwatchExporter

     record StealthwatchRecord

 

Troubleshooting and Verification

 

IOS-XE Device Verification:

Before You Begin

• Login via SSH to your device.

 

Procedure

1. Verify Stealthwatch Cloud configuration:

switch#show run | section stealthwatch-cloud

stealthwatch-cloud-monitor

 sensor-name cat9k-sensor

 service-key qsiLvNPbEX7aVVcQo9B..!

 url https://sensor.ext.obsrvbl.com

 

2. Verify NetFlow configuration:

switch#show run | section flow

   flow record StealthwatchRecord

     description SWCFlowRecord

     match ipv4 protocol

     match ipv4 source address

     match ipv4 destination address

     match transport source-port

     match transport destination-port

     collect counter bytes long

     collect counter packets long

     collect timestamp absolute first

     collect timestamp absolute last

   flow exporter StealthwatchExporter

     destination stealthwatch-cloud

   flow monitor StealthwatchMonitor

     exporter StealthwatchExporter

     record StealthwatchRecord

 

3. Verify interfaces where NetFlow has been applied:

switch#show flow interface

Interface GigabitEthernet1/0/2

  FNF:  monitor:          StealthwatchMonitor

        direction:        Input

        traffic(ip):      on

Interface GigabitEthernet1/0/12

  FNF:  monitor:          StealthwatchMonitor

        direction:        Input

        traffic(ip):      on

 

NOTE: Make sure you see all intended monitoring interface with “input”.

 

4. Verify Stealthwatch connection status:

Switch#show stealthwatch-cloud connection

Stealthwatch-Cloud details

  Registration

    #ID         : 0x10000001

    URL         : https://sensor.ext.obsrvbl.com

    Service Key : qsiLvNPbEX7aVVcQo9B..!

    Sensor Name : cat9k-sensor

    Registered  : N/A

  Connection

    Status               : DOWN

    Last status update   : 05/06/2021 11:32:47

    # Flaps              : 0

    # Heartbeats         : 0

    # Lost heartbeats    : 0

    Total RX bytes       : 26849665

    Total TX bytes       : 63538118

    Upload Speed (B/s)   : 39

    Download Speed (B/s) : 17

    # Open sessions      : 0

    # Redirections       : 0

    # Timeouts           : 0

 

  HTTP Events

    GET response                   : 14485

    GET request                    : 14485

    GET Status Code 2XX            : 14481

    PUT response                   : 14482

    PUT request                    : 14487

    PUT Status Code 2XX            : 14481

    POST response                  : 14481

    POST request                   : 14481

    POST Status Code 2XX           : 14481

 

  API Events

    TX                             : 14481

    OK                             : 14481

 

  Event History

Timestamp               #Times   Event               RC Context

----------------------- -------- ------------------- -- ----------------------------------------

05/17/2021 09:08:39.470 14481    SEND_OK              0 ID:3890                                

05/17/2021 09:08:35.324 14481    SIGNAL_DATA          0 ID:3890                                

05/17/2021 09:08:34.738 14487    PUT_DATA             0 ID:3890                                

05/17/2021 09:08:34.491 14485    GET_URL              0 ID:3890                                

05/17/2021 09:08:34.490 14481    SEND_START           0 ID:3890                                

05/12/2021 10:12:03.544 32       REGISTER_OK          0 Not applicable                         

05/12/2021 10:12:03.544 36       SEND_ABORT_ALL       0 config change                          

05/12/2021 10:12:03.544 1        OPTIONS_CONFIG       0 Service Key: qsiLvNPbEX7aVVcQo9B..!

 

NOTE: Currently, some devices may show “DOWN” in the connection status section. This is a known issue that will be fixed in future releases.

 

5. Verify flow exporter statistics:

switch#show flow exporter statistics

   Flow Exporter StealthwatchExporter:

    Packet send statistics (last cleared 4d23h ago):

       Successfully sent:         205526                (205903172 bytes)

 

    Client send statistics:

         Client: Flow Monitor StealthwatchMonitor

      Records added:           3974244

        - sent:                3974244

      Bytes added:             205903172

        - sent:                205903172

 

NOTE: Verify traffic is being sent successfully based on the number of bytes in the counters. If this number is zero, no traffic is being sent. Verify NetFlow configuration and verify that the monitored ports are generating traffic.

 

Stealthwatch Cloud Portal Verification:

 

Before You Begin

• Log into the Stealthwatch Cloud portal.
• Your portal should have the following format: https://<company-name>.obsrvbl.com

 

Procedure

1. Click on the cloud icon on the top right or in the menu Settings > Sensors.
2. Verify that the sensor is displayed with the name you assigned.
3. Verify that the sensor is correctly displaying the message “Receiving Data” and “Heartbeat” in green.

 

4. Verify the type of NetFlow says “Cisco IOS-XE NetFlow” in the “Receiving Data” Section of the sensor.

 

Additional Resources and Support

For further assistance, email swatchc-support@cisco.com.

For more information on Stealthwatch Cloud, see the following:

• https://www.cisco.com/c/en/us/products/security/stealthwatch- cloud/index.html for a general overview
• https://www.cisco.com/c/en/us/products/security/stealthwatch/stealthwatch- cloud-free-offer.html to sign up for a 60-day Free Trial
• https://www.cisco.com/c/en/us/support/security/stealthwatch-cloud/tsd- products-support-series-home.html for Stealthwatch Cloud documentation resources
• https://www.cisco.com/c/en/us/support/security/stealthwatch- cloud/products-installation-guides-list.html for installation and configuration guides, including the Stealthwatch Cloud Free Trial Guide