Cisco Secure Cloud Analytics (also known as Stealthwatch Cloud) is a Network Detection and Response solution that provides advanced threat detection, accelerated threat response, and simplified network segmentation. The Cisco Secure Analytics IOS-XE Integration Guide allows any IOS-XE device running version 17.5.1 to be used as a sensor for the Cisco Secure Cloud Analytics solution without the need to deploy additional virtual machines or consume extra resources in your on-premises infrastructure.
NOTE: Attached at the bottom of the page, you'll find the same guide in PDF format.
Requirements:
All IOS-XE devices require full outbound HTTPS access to the Stealthwatch Cloud service. This access must be direct; if you use a proxy service, create an exception for outbound Internet traffic coming from the device's IP address. DNS resolution is also required to resolve the Stealthwatch Cloud service URL. Use the following table to determine your Stealthwatch Cloud portal service URL according to the region where it was initially deployed:
Region | Portal service URL
US |
Europe |
Asia |
To verify DNS configuration on your IOS-XE device:
switch#show ip name-server
A.B.C.D
NOTE: A.B.C.D will be the IPv4 address of your DNS server
switch#configure terminal
switch(config)#ip name-server A.B.C.D
switch(config)#
NOTE: Replace A.B.C.D with the IPv4 address of your DNS server.
The Service Key allows the IOS-XE device to be associated to your Stealthwatch Cloud portal. This key will be the same for all devices.
Make sure your device is running IOS-XE version 17.5.1 or newer before configuring this. IOS-XE is available on different network devices including WLC, Access Points, Routers and Catalyst 9k devices. This guide will be focused on the Catalyst 9K family devices.
NOTE: This configuration may also be done through GUI-based methods or through Cisco DNA Center (DNA-C); this guide uses the CLI for configuration and verification.
switch#configure terminal
switch(config)#
switch(config)#stealthwatch-cloud-monitor
switch(config-swc-monitor)#
switch(config-swc-monitor)#sensor-name cat9k-sensor
switch(config-swc-monitor)#
NOTE: The sensor name is optional but recommended; if no sensor name is specified, the device serial number is used.
switch(config-swc-monitor)#service-key qsiLvNPbEX7aVVcQo9B..
switch(config-swc-monitor)#
NOTE: This is a critical step: the service key is what associates the device with your portal. The service key in this example has been abbreviated; the real service key is a longer string of characters.
switch(config-swc-monitor)#url https://sensor.ext.obsrvbl.com
switch(config-swc-monitor)#
NOTE: This URL is static for all deployments and is not your company's portal URL. Refer to the Requirements section earlier in this guide for the portal URL you need.
Switch#show stealthwatch-cloud detail
========================================
Stealthwatch Cloud Parameters
========================================
Service Key : qsiLvNPbEX7aVVcQo9B..
Sensor Name : cat9k-sensor
URL : https://sensor.ext.obsrvbl.com
========================================
Stealthwatch Cloud Sensor Info
========================================
Sensor Status : Registered
Last heartbeat : 2021-05-17T17:11:53
Switch#configure terminal
Switch(config)#flow record StealthwatchRecord
Switch(config-flow-record)#description SWCFlowRecord
Switch(config-flow-record)#match ipv4 protocol
Switch(config-flow-record)#match ipv4 source address
Switch(config-flow-record)#match ipv4 destination address
Switch(config-flow-record)#match transport source-port
Switch(config-flow-record)#match transport destination-port
Switch(config-flow-record)#collect counter bytes long
Switch(config-flow-record)#collect counter packets long
Switch(config-flow-record)#collect timestamp absolute first
Switch(config-flow-record)#collect timestamp absolute last
Switch(config)#flow exporter StealthwatchExporter
Switch(config-flow-exporter)#destination stealthwatch-cloud
NOTE: This is a critical step: the stealthwatch-cloud destination is what makes the NetFlow exporter use the built-in capabilities of IOS-XE devices and send NetFlow directly to the Stealthwatch Cloud service.
Switch(config)#flow monitor StealthwatchMonitor
Switch(config-flow-monitor)#exporter StealthwatchExporter
Switch(config-flow-monitor)#record StealthwatchRecord
Switch(config)#interface gi1/0/1
Switch(config-if)#ip flow monitor StealthwatchMonitor input
TIP: Apply the flow monitor to every interface whose traffic you want monitored, such as end-user and server ports, and make sure you also apply it to your uplink ports.
switch#show run | section flow
flow record StealthwatchRecord
description SWCFlowRecord
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes long
collect counter packets long
collect timestamp absolute first
collect timestamp absolute last
flow exporter StealthwatchExporter
destination stealthwatch-cloud
flow monitor StealthwatchMonitor
exporter StealthwatchExporter
record StealthwatchRecord
switch#show run | section stealthwatch-cloud
stealthwatch-cloud-monitor
sensor-name cat9k-sensor
service-key qsiLvNPbEX7aVVcQo9B..!
url https://sensor.ext.obsrvbl.com
switch#show flow interface
Interface GigabitEthernet1/0/2
FNF: monitor: StealthwatchMonitor
direction: Input
traffic(ip): on
Interface GigabitEthernet1/0/12
FNF: monitor: StealthwatchMonitor
direction: Input
traffic(ip): on
NOTE: Make sure every interface you intend to monitor is listed with direction Input.
Switch#show stealthwatch-cloud connection
Stealthwatch-Cloud details
Registration
#ID : 0x10000001
URL : https://sensor.ext.obsrvbl.com
Service Key : qsiLvNPbEX7aVVcQo9B..!
Sensor Name : cat9k-sensor
Registered : N/A
Connection
Status : DOWN
Last status update : 05/06/2021 11:32:47
# Flaps : 0
# Heartbeats : 0
# Lost heartbeats : 0
Total RX bytes : 26849665
Total TX bytes : 63538118
Upload Speed (B/s) : 39
Download Speed (B/s) : 17
# Open sessions : 0
# Redirections : 0
# Timeouts : 0
HTTP Events
GET response : 14485
GET request : 14485
GET Status Code 2XX : 14481
PUT response : 14482
PUT request : 14487
PUT Status Code 2XX : 14481
POST response : 14481
POST request : 14481
POST Status Code 2XX : 14481
API Events
TX : 14481
OK : 14481
Event History
Timestamp #Times Event RC Context
----------------------- -------- ------------------- -- ----------------------------------------
05/17/2021 09:08:39.470 14481 SEND_OK 0 ID:3890
05/17/2021 09:08:35.324 14481 SIGNAL_DATA 0 ID:3890
05/17/2021 09:08:34.738 14487 PUT_DATA 0 ID:3890
05/17/2021 09:08:34.491 14485 GET_URL 0 ID:3890
05/17/2021 09:08:34.490 14481 SEND_START 0 ID:3890
05/12/2021 10:12:03.544 32 REGISTER_OK 0 Not applicable
05/12/2021 10:12:03.544 36 SEND_ABORT_ALL 0 config change
05/12/2021 10:12:03.544 1 OPTIONS_CONFIG 0 Service Key: qsiLvNPbEX7aVVcQo9B..!
NOTE: Currently, some devices may show “DOWN” in the connection status section. This is a known issue that will be fixed in future releases.
switch#show flow exporter statistics
Flow Exporter StealthwatchExporter:
Packet send statistics (last cleared 4d23h ago):
Successfully sent: 205526 (205903172 bytes)
Client send statistics:
Client: Flow Monitor StealthwatchMonitor
Records added: 3974244
- sent: 3974244
Bytes added: 205903172
- sent: 205903172
NOTE: Verify that traffic is being sent successfully by checking the byte counters. If the counter is zero, no traffic is being sent: verify the NetFlow configuration and confirm that the monitored ports are generating traffic.
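The two verification notes above (every monitored interface listed with direction Input, and a non-zero byte counter on the exporter) can be checked offline against saved show output. The following is an added example, not part of this guide or of Cisco's tooling; it assumes the output was captured from the switch and that the expected interface list is supplied by the operator (the sample output is constructed from the show commands in this guide, with one interface deliberately applied in the wrong direction).

```python
import re

# Constructed sample output, modelled on the show commands in this guide
# (GigabitEthernet1/0/12 deliberately has the monitor in the wrong direction).
FLOW_INTERFACE_OUTPUT = """\
Interface GigabitEthernet1/0/2
  FNF:  monitor:  StealthwatchMonitor
        direction:  Input
Interface GigabitEthernet1/0/12
  FNF:  monitor:  StealthwatchMonitor
        direction:  Output
"""
EXPORTER_STATS_OUTPUT = """\
Flow Exporter StealthwatchExporter:
  Packet send statistics (last cleared 4d23h ago):
    Successfully sent:         205526        (205903172 bytes)
"""

def parse_flow_interfaces(text):
    """Map each interface in 'show flow interface' output to its monitor and direction."""
    found, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"Interface (\S+)", line):
            current = m.group(1)
            found[current] = {}
        elif current and (m := re.search(r"(monitor|direction):\s+(\S+)", line)):
            found[current][m.group(1)] = m.group(2)
    return found

def interfaces_missing_input_monitor(text, expected, monitor="StealthwatchMonitor"):
    """Interfaces from `expected` that do not carry `monitor` in the input direction."""
    found = parse_flow_interfaces(text)
    return sorted(i for i in expected
                  if found.get(i, {}).get("monitor") != monitor
                  or found.get(i, {}).get("direction") != "Input")

def exporter_bytes_sent(text, exporter="StealthwatchExporter"):
    """Bytes successfully sent by `exporter` per 'show flow exporter statistics' (0 if absent)."""
    block = re.search(rf"Flow Exporter {re.escape(exporter)}:(.*?)(?=\nFlow Exporter |\Z)", text, re.S)
    m = block and re.search(r"Successfully sent:\s+\d+\s+\((\d+) bytes\)", block.group(1))
    return int(m.group(1)) if m else 0

def sensor_health(flow_if_text, exporter_text, expected):
    """Return the list of problems to fix before trusting the sensor's telemetry."""
    problems = [f"{i}: monitor not applied in input direction"
                for i in interfaces_missing_input_monitor(flow_if_text, expected)]
    if exporter_bytes_sent(exporter_text) == 0:
        problems.append("exporter has sent 0 bytes: check NetFlow config and port traffic")
    return problems
```

Call `sensor_health()` with the captured output and the list of interfaces that should carry the monitor; an empty list means both checks passed.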
For further assistance, email swatchc-support@cisco.com.
For more information on Stealthwatch Cloud, see the following: