Cisco Stealthwatch Learning Network License Virtual Service Installation Guide, Version 1.1
First Published: 2016-11-14
Last Modified: 2017-03-15

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883

© 2016 Cisco Systems, Inc. All rights reserved.


CONTENTS

CHAPTER 1 Introduction 1

Learning Network License Introduction 1

Example Deployment 2

Example Learning Network License Deployment 3

System Performance 4

Security and Internet Access 4

Installing the Learning Network License System 5

CHAPTER 2 Installation Prerequisites 7

Installation Prerequisites 7

Learning Network License and Licensing 7

ISE Server Requirements 9

Controller Host Requirements 9

Controller Installation Prerequisites 9

ISR Platform Requirements 12

ISR 4000 Series Platform Requirements 12

Verifying ISR Platform Requirements 13

Example ISR Platform Requirements 14

ISR Configuration Prerequisites 15

ISR License Installation 16

Agent and ISR Interaction 16

Communication Ports 17

Agent Installation Prerequisites 19

Agent Configuration Prerequisites 20

Downloading the OVA Files from Cisco 21

Obtaining a File's Checksum from cisco.com 21

CHAPTER 3 Controller Installation 23


Installing the Controller 23

Controller Deployment 24

Deploying the OVA File 24

Powering On the Virtual Machine 26

Controller Virtual Hard Disk Storage 26

Controller Virtual Hard Disk Allocation Expansion 26

Editing VM Settings to Increase Virtual Hard Disk Size 27

Extending a Virtual Hard Disk Partition 27

Updating the Filesystem for an Extended Virtual Hard Disk Partition 28

Adding a New Virtual Hard Disk Partition Larger than 2 TB 29

Updating the Filesystem for the New Virtual Hard Disk Partition 30

Controller Virtual Hard Disk Addition 31

Editing VM Settings for a New Hard Disk 32

Adding a New Hard Disk 32

Updating the Filesystem for the New Hard Disk 33

Custom Controller Web UI Certificates 34

Uploading a Private Key Password 35

Uploading Custom Controller Web UI Certificates 36

Controller Setup Script 37

Configuring the Controller with the Setup Script 38

Controller Setup Script Example 40

Resetting the Administrator Password 42

Disabling Host Time Synchronization 43

Logging into the Controller Web UI 44

Verifying NTP Configuration on the Controller 44

CHAPTER 4 Controller and Agent Communications 47

Configuring Controller/Agent Communications 47

Controller and Agent Communications Overview 47

Controller Certificate Management 48

Updating the Controller Configuration 48

Restarting Controller Processes 49

Updating Administrator Credentials 49

CHAPTER 5 Network Element Configuration 51


Configuring a Network Element 51

NTP Configuration 51

Configuring NTP on the ISR 52

SSH Configuration 53

CHAPTER 6 Virtual Service Install Script 55

Deploying Agents Using the Install Script 55

ISR Hardware Configuration 55

Install Script Overview 56

Install Script Deployment 56

Agent Properties File Overview 60

Agent Properties File Settings 60

Configuring VRF Forwarding on the ISR 68

Updating the Agent Properties File 69

Install Script Operation 70

Install Script Options 70

Running the Install Script 71

Script Logs 72

Accessing the Install Script Logs 72

CHAPTER 7 Agent Management 75

Managing and Licensing Agents 75

Smart Licensing Overview 75

Smart Software Manager 76

Smart License Types 76

Smart Licensing Configuration 77

Smart Licensing Configuration File Settings 77

Updating the Smart Licensing Configuration File 78

Restarting the Controller Processes 80

Logging into the Controller Web UI 80

Registering the Controller Instance 80

Interface Configuration 81

Enabling Agents on the Controller 83

Configuring Agent Network Settings 83

Agent Configuration Templates 84


Applying a Template to an Agent 85

CHAPTER 8 Initial Learning Phase 87

Initial Learning Phase Overview 87

CHAPTER 9 Next Steps 89

Next Steps 89

For Assistance 89

APPENDIX A Logging Configuration 91

Logging Configuration Overview 91

The Controller Logging Configuration File 92

syslog Export to External Hosts 92

Updating a syslog Target Host 94

Logging Timestamps 96

Updating Logging Configuration Files for UTC Timestamps 96

Updating UTC Timestamps for the Controller Monitor Logs 97

Accessing Audit and Event Log Files 98

Audit Log Fields 98

Event Log Fields 100

Event Log Message Examples 101

Smart Licensing Log Fields 101

Accessing Controller General Log Files 101

Accessing Agent Log Files 102

Exporting Agent Troubleshooting Files 103

APPENDIX B pxGrid Integration 105

Integrating pxGrid 105

ISE pxGrid Demo 106

pxGrid Demo Properties Table 106

Configuring an ISE pxGrid Demo 107

Enable the pxGrid Demo 108

Controller pxGrid Client Certificates 108

Generating pxGrid Client Certificates 109

Exporting an ISE Identity Certificate 111


Adding pxGrid Certificates to Stores 111

pxGrid Properties Configuration 113

pxGrid Properties Table 114

Configuring pxGrid 114

pxGrid Activation 115

Activating pxGrid Integration 115

Restarting Controller Processes 116

ISE Server Settings Update 117

Controller Process Restart 117

APPENDIX C Controller Database Cleanup 119

Controller Database Cleanup 119

Controller Database Cleanup Notes 120

Checking Disk Usage 120

APPENDIX D Database Backup Restore 123

Database Backup Restore 123

Reinstalling Failed Upgrade Packages 123

Restoring a Database from a Backup 125

APPENDIX E Additional Controller Configuration 129

Additional Controller Configuration 129

Restarting the Controller Processes 130

APPENDIX F NetFlow Configuration Overview 131

NetFlow Configuration 131

NetFlow Configuration Fields 132

APPENDIX G Troubleshooting 135

Time Synchronization 135

Initial Anomaly Display Issues 135

Maximum Managed Agents 136

Disabled Functionality 136

Controller Administrator Password Reset 136

Resetting the Controller Administrator Password 136


Performance Issues 137

Certificate Fingerprint Retrieval 137

Viewing a Controller Client Certificate Fingerprint from the Agent 137

Viewing a Controller Client Certificate Fingerprint from the Controller 138

Viewing an Agent Server Certificate Fingerprint from the Agent 138

Viewing an Agent Server Certificate Fingerprint from the Controller Web UI 139

Connectivity Issues 139

Confirming Interface Connectivity 139

Agent Status Messages 139

Status Code: 2000 139

Status Code: 2001 140

Uploading an Agent Certificate Fingerprint 141

Enabling Support for Self-Signed Certificates 143

Status Code: 2002 144

Clearing a Pinned Controller Certificate from an Agent 144

Uploading a Controller Certificate Fingerprint 146

Enabling Trust on First Use 147

Status Code: 2003 148

Status Code: 2004 148

Status Code: 2005 149

Status Code: 2006 149

Status Code: 2010 150

Status Code: ALLOCFAIL 150

Status Code: DNSQEVENTSPERBINLIMIT 150

Status Code: DNSQKEYSPERBINLIMIT 151

Status Code: DNSREVENTSPERBINLIMIT 151

Status Code: DNSRKEYSPERBINLIMIT 151

Status Code: HOSTLIMITEXT 151

Status Code: HOSTLIMITINT 152

Status Code: HOSTSDROPPEDEXT 152

Status Code: HOSTSDROPPEDINT 152

Status Code: IPLOCCHANGED 152

Status Code: IPLOCINVAL 153

Status Code: NECONNFAIL 154

Status Code: NENOAUTH 155


Status Code: NENOIP 155

Status Code: NFDRPFLD 156

Status Code: NFDRPNOINTF 157

Status Code: NFDRPSYNT 157

Status Code: NFDRPVER 158

Status Code: NFEVENTSPERBINLIMIT 159

Status Code: NFKEYSPERBINLIMIT 159

Status Code: NFNORCV 159

Status Code: SOLTCOLLECTIONSLIMIT1 160

Status Code: SOLTCOLLECTIONSLIMIT2 160

Status Code: TOPOFAIL 160

Status Code: VERSCOMPONENT 161

Status Code: WARMBADFILE 162

Status Code: WARMNOFILE 162

Status Code: WARMSTATEVAL 162

APPENDIX H Uninstallation 163

Uninstalling the Learning Network License System 163

Controller Web UI Uninstallation 164

Deleting All Mitigations 164

Disabling PBC/DPI on an Interface 165

Disabling All Agents 165

Deregistering a Controller from Smart Licensing 165

Agent Removal from a Virtual Service 166

Modifying the Install Properties File 166

Install and Update Properties File Storage 167

Renaming an Install Log File 167

Uninstalling Agents Using the Install Script 167

Controller Removal from an ESXi Host 168

Removing a VM from an ESXi Host 168


CHAPTER 1 Introduction

The following provides an introduction to installing the Cisco Stealthwatch Learning Network License (Learning Network License) platform, installing a controller on an ESXi host, and deploying an agent as a virtual service.

If your Network Element supports installing an agent on a UCS E-Series blade server, see the Cisco Stealthwatch Learning Network License UCS E-Series Blade Server Installation Guide.

• Learning Network License Introduction, page 1

• Example Deployment, page 2

• Example Learning Network License Deployment, page 3

• System Performance, page 4

• Security and Internet Access, page 4

• Installing the Learning Network License System, page 5

Learning Network License Introduction

The Learning Network License system is a hyper-distributed analytics architecture that inspects your network traffic and applies machine learning algorithms to perform a behavioral analysis. As a result, the system can identify anomalous behavior, such as malware, distributed botnets, data exfiltration, and more.

You deploy multiple agents to your network edge to inspect traffic. These agents report the anomalies in real time to the controller for additional system and user analysis. Based on the anomalies, you can provide relevance feedback, which the system incorporates into internal traffic models. This allows the system to better identify and report anomalies of interest.

You can also configure mitigations based on anomaly properties, such as hosts involved and application traffic transferred. These mitigations reduce or eliminate the impact of detected anomalies now and in the future. The combination of behavioral analysis, user feedback, and traffic mitigation customizes the system to address the threats specific to your network and better protect your users.


Example Deployment

Figure 1: Example Security Deployment, on page 2 illustrates an example security deployment within an enterprise network.

Figure 1: Example Security Deployment

To install the Cisco Stealthwatch Learning Network License system, the organization deploys:

• an ESXi host running a controller in the network core

• a Cisco ISR running an agent in each branch, between the hosts and the internet

The organization also deploys an optional Cisco SNS-3415 to collect ISE user identity data. Though not required for Learning Network License, the user identity data provides additional context to anomalies.

Though a Learning Network License controller can manage up to 1000 agents, the diagram only shows a controller managing two agents.


Example Learning Network License Deployment

Figure 2: Example Learning Network License Deployment, on page 3 illustrates the Learning Network License system, focusing on the interaction among Learning Network License components.

Figure 2: Example Learning Network License Deployment

Both agents transfer management traffic, including anomaly data, over a TCP connection to the controller. The controller transfers management traffic, including mitigations, back to the agents over the same connection.

The controller integrates with other systems. It consumes threat intelligence from Talos to better identify traffic anomalies and malicious behavior, as well as user identity information from ISE to provide details about hosts involved in anomalies.

The controller implements a northbound RESTful API for mitigations. Other authorized security appliances can use this API to take mitigation actions on traffic in the network.


System Performance

It is not possible to accurately predict throughput and processing capacity for controller and agent virtual appliances. A number of factors heavily influence performance, such as the:

• amount of memory and CPU capacity of the ESXi host and router running the virtual service

• number of total virtual machines running on the ESXi host and router

• number of sensing interfaces, network performance, and interface speed

• amount of resources assigned to each virtual machine

• level of activity of other virtual appliances sharing the ESXi host and router

• complexity of mitigation policies applied to an agent

VMware provides a number of performance measurement and resource allocation tools. Use these tools on the ESXi host while you run your virtual appliance to monitor traffic and determine throughput. If the throughput is not satisfactory, adjust the resources assigned to the virtual appliances that share the ESXi host.

Note: You can enable VMware tools to improve the performance and management of your virtual appliances. Alternatively, you can install tools (such as esxtop or VMware/third-party add-ons) on the host or in the virtualization management layer (not the guest layer) on the ESXi host to examine virtual performance.

Security and Internet Access

Management traffic sent from the agent to the controller includes health checks and anomaly data. The bandwidth required varies based on multiple factors, including the nature of your network traffic and how the system learns and prioritizes detected anomalies. However, the system rate-limits the total amount of anomaly data sent by an agent per day, ensuring that agents do not overwhelm your network by sending extraneous anomalies. The agent only reports anomalies of interest, based on user feedback and the machine learning algorithms.

Encrypted management traffic sent from the controller to the agent includes:

• health check requests

• mitigations

• requests for anomaly-related PCAP files if packet buffer capture (PBC) is enabled

• startup files when managed agents restart and do not have certain local files

Each mitigation is relatively small, measured in kilobytes.


Installing the Learning Network License System

The following provides a high-level overview of installing the Learning Network License system.

Step 1 Ensure your Network Elements support installing the Learning Network License system, and have the proper licenses and hardware. See Installation Prerequisites, on page 7 for more information.

Step 2 Deploy a separate ESXi host to run the controller. See Controller Host Requirements, on page 9 for more information.

Step 3 Download the agent and controller OVA files at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html. See Downloading the OVA Files from Cisco, on page 21 for more information.

Step 4 Deploy the controller to the ESXi host. Log into the controller VM console. Run the setup script to configure the network connection, NTP servers, and generate public key certificates. See Installing the Controller, on page 23 for more information.

Step 5 Update the controller configuration file to configure public key certificate management settings, then log into the controller web UI to update administrator credentials. See Controller and Agent Communications Overview, on page 47 for more information.

Step 6 Configure NTP servers on your Network Element. See NTP Configuration, on page 51 for more information.

Step 7 Deploy the agent as a virtual service to a Network Element. See Deploying Agents Using the Install Script, on page 55 for more information.

Step 8 Log into the controller web UI, then enable and configure your agents with the controller as described in Enabling Agents on the Controller, on page 83.

Step 9 Allow the system an initial learning phase to create a baseline model of your network traffic. See Initial Learning Phase Overview, on page 87 for more information.

What to Do Next

• Fine-tune your configuration, inspect anomalies, and mitigate anomalous traffic, as described in Next Steps, on page 89.

• Optionally, enable audit and event logging on the controller. See Logging Configuration Overview, on page 91 for more information.

• Optionally, integrate your deployment with ISE by configuring pxGrid. See Integrating pxGrid, on page 105 for more information.

• Optionally, configure a pxGrid integration demo to populate anomalies with sample user identity data. You do not need to have ISE deployed to your environment for the pxGrid integration demo. See ISE pxGrid Demo, on page 106 for more information.


CHAPTER 2 Installation Prerequisites

The following describes Learning Network License installation prerequisites and system configuration prerequisites.

• Installation Prerequisites, page 7

• Learning Network License and Licensing, page 7

• ISE Server Requirements, page 9

• Controller Host Requirements, page 9

• ISR Platform Requirements, page 12

• Agent and ISR Interaction, page 16

• Communication Ports, page 17

• Agent Installation Prerequisites, page 19

• Downloading the OVA Files from Cisco, page 21

Installation Prerequisites

When you deploy the Learning Network License system, obtain or configure the following:

• open ports for system functionality

• an ESXi host for the controller

• a Network Element capable of running the agent as a virtual service (container)

• the proper licensing for your Network Element

• the controller and agent OVA files

Learning Network License and Licensing

To properly deploy your Learning Network License system, you must obtain the proper IOS Licenses for your ISRs, as well as the proper Smart Licenses for Learning Network License.


To run an agent on an ISR, you must activate an IP Base (ipbasek9) IOS license, and a Data (datak9) or App (appxk9) IOS license. See http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html for more information on activating the licenses.

You must also obtain the appropriate Smart License entitlement for each controller and agent you deploy.

Table 1: Smart License Entitlement Types

Learning Network License Component: controller
License Entitlement and Description: L-SW-SCA-K9 - SCA Virtual Manager
Associated File Downloads and Description: sln-sca-k9-<ver>.ova - single controller OVA

Learning Network License Component: agent deployed as a virtual service on an ISR 43XX
License Entitlement and Description: L-SW-LN-43-1Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 1 Yr Term; L-SW-LN-43-3Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 3 Yr Term
Associated File Downloads and Description: sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD; sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash

Learning Network License Component: agent deployed as a virtual service on an ISR 44XX
License Entitlement and Description: L-SW-LN-44-1Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 1 Yr Term; L-SW-LN-44-3Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 3 Yr Term
Associated File Downloads and Description: sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD; sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash

Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.

For more information on Smart Licensing, see http://www.cisco.com/web/ordering/smart-software-manager/smart-accounts.html.

In addition, you must generate a registration token in the Cisco Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html), then use this to register your controller. Each time you manage and enable an agent with the controller, the controller automatically requests a license entitlement for the agent.

For more information about the Cisco Smart Software Manager, see the Cisco Smart Software Manager User Guide.


ISE Server Requirements

If you want to configure pxGrid integration and populate anomalies with Identity Services Engine (ISE) user identity information, your ISE server must run Release 1.3 or greater. For more information on ISE, see http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-user-guide-list.html.

Controller Host Requirements

You can host a controller virtual appliance on a VMware ESXi Version 5.5 hosting environment. You can also enable VMware tools on all supported ESXi versions. For information on the full functionality of VMware Tools, see the VMware website (http://www.VMware.com). For help creating a hosting environment, see the VMware ESXi documentation.

Virtual appliances use Open Virtual Format (OVF) packaging. Cisco provides the controller and agent virtual appliances in Open Virtual Appliance (OVA) format, an archive version of the OVF file.

The computer that serves as the controller ESXi host must meet the following requirements:

• It must have a 64-bit CPU that provides virtualization support, either Intel® Virtualization Technology (VT) or AMD Virtualization™ (AMD-V™) technology.

• Virtualization must be enabled in the BIOS settings.

• To host virtual devices, the computer must have network interfaces compatible with Intel e1000 drivers (such as PRO 1000MT dual port server adapters or PRO 1000GT desktop adapters).

• This host must have network connectivity to all Network Elements where you will install your agents.

• Users such as administrators and analysts should be able to establish a connection to this host, to access the controller user interface.

For more information, see the VMware website: http://www.vmware.com/resources/guides.html.

Note: Installing the controller on a Network Element is not supported.

Controller Installation Prerequisites

Controller Download

Cisco provides the controller as an OVA file: sln-sca-k9-<ver>.ova. Download the file at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html.

Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.
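The checksum comparison that this note and the identical note under Table 1 call for, written out as an added example; it is not part of this guide and not Cisco tooling. It assumes the GNU coreutils sha512sum and md5sum commands on the workstation that holds the downloaded OVA, and the file name and expected digest in the usage line are placeholders. Of the two algorithms the guide accepts, prefer SHA-512: MD5 collisions are practical today, so an MD5 match says less about the file's integrity. A matching digest shows only that you hold the file cisco.com published; take the expected value from the cisco.com download page itself, over TLS, not from a mirror or an e-mail.

```shell
#!/bin/sh
# Added example (not Cisco tooling): verify a downloaded OVA against the
# checksum published on cisco.com before deploying it. The file name and
# expected checksum in the usage line below are placeholders.

# verify_checksum FILE EXPECTED
# Computes the SHA-512 (128 hex chars) or MD5 (32 hex chars) digest of FILE,
# picking the algorithm from the length of EXPECTED, and compares the two
# case-insensitively. Returns 0 on match, 1 on mismatch, 2 on usage error.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    case ${#expected} in
        128) actual=$(sha512sum "$file" | cut -d' ' -f1) ;;
        32)  actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        *)   echo "expected checksum must be 32 (MD5) or 128 (SHA-512) hex chars" >&2
             return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches ($actual)"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage (placeholder values): paste the digest shown on the cisco.com download page.
# verify_checksum sln-sca-k9-<ver>.ova <checksum-from-cisco.com> || echo "redownload the file"
```

The function infers the algorithm from the digest length so the same call works for either value cisco.com shows; a digest of any other length is rejected rather than silently compared, which catches a truncated paste.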


You must also download and install the latest version of VMware vSphere Client to install the virtual machine. Cisco recommends you also download and install VMware ESXi version 5.5 to run the virtual machine. Download the files at https://my.vmware.com/web/vmware/downloads.

Controller Virtual Appliance Settings

Each virtual appliance you create requires a certain amount of memory, CPUs, and hard disk space on the ESXi host. Do not decrease the default settings, as they are the minimum required to run the system software. The following table lists the default settings.

Table 2: Default Controller Virtual Appliance Settings

Setting: memory
Default: 24576 MB (24 GB)

Setting: virtual CPUs (vCPU)
Default: 4

Setting: virtual NICs
Default:
• vNIC 0 - Main Network
• vNIC 1 (disconnected) - Alt1 Network
• vNIC 2 (disconnected) - Alt2 Network

Setting: hard disk provisioned size
Default: 200 GB

When you start the VM, the controller determines the amount of physical RAM available, and updates the configuration to allow use of up to half of that RAM.

Cisco recommends you increase VM settings, depending on the size of your Learning Network License deployment. See the following table for recommendations.

Table 3: Recommended Controller VM Settings

Learning Network License Deployment Size: 1 to 50 agents
Recommended VM Settings: 24576 MB (24 GB) of RAM; 8 vCPU; 400 GB of hard disk provisioned size

Learning Network License Deployment Size: 51 to 1000 agents
Recommended VM Settings: 65536 MB (64 GB) of RAM; 16 vCPU; 4 TB of hard disk provisioned size


Note: The number of vCPUs is determined by multiplying the number of virtual sockets by the number of cores per socket.

If you increase the memory, number of vCPUs and cores/socket (default is 4), or the hard disk size, see http://www.vmware.com/ for more information and best practices.

Information Needed During Installation

When you run the setup script, provide the following information to configure the controller:

Table 4: Controller Installation Settings

Setting: eth0 interface IPv4 address, netmask, and gateway
Description: transfer management traffic with agent, and provide access to controller web UI

Setting: eth0 interface hostname
Description: hostname for the controller

Setting: eth0 interface DNS servers and DNS search suffixes
Description: DNS context for anomalies

Setting: NTP server IPv4 addresses
Description: synchronize time in Learning Network License system

The setup script allows you the option of generating self-signed certificates. If you generate a certificate for the controller web UI server, you can define the following subject distinguished name components:

Table 5: Self-Signed Certificate Subject Distinguished Name Options

Option: Country Name
Description: A two-letter ISO 3166-1 country code

Option: State or Province Name
Description: Full name of the state or province where your organization is located

Option: Locality Name
Description: The city where your organization is located

Option: Organization Name
Description: Your organization's name

Option: Organizational Unit Name
Description: Your organization's division's name

Option: Common Name
Description: A host and domain name associated with the certificate

Option: Email Address
Description: A contact email address

Learning Network License requires a server certificate to encrypt controller/agent communications, and a server certificate to encrypt user connections to the controller web user interface.


ISR Platform Requirements

Several 4000 Series ISRs support hosting an agent in a service container. You can optionally install a solid state drive (SSD) carrier and SSD network interface module (NIM-SSD) for the agent. For more information on the 4000 Series ISRs, see http://www.cisco.com/c/en/us/td/docs/routers/access/4400/roadmap/isr4400roadmap.html.

ISR 4000 Series Platform Requirements

Table 6: ISR 4000 Series Platform Requirements

ISR Component: Model
Required:

• Cisco 4331

• Cisco 4351

• Cisco 4431

• Cisco 4451

ISR Component: Control Plane DRAM
Required: 8192 MB (8 GB)

ISR Component: Disk Storage for Service Container Hosting
Required: If you deploy your virtual service to bootflash, no additional equipment is required. If you want to deploy your virtual service to a hard disk, to achieve much larger storage capacities, you must install:

• NIM-SSD(=) - NIM carrier card for SSD drives

• SSD-SATA-200G(=) - 200 GB SATA solid state disk for NIM-SSD, 155 GB free

See Agent Installation Prerequisites, on page 19 for more information.

ISR Component: Complex Programmable Logic Device
Required: Version 15010638 or greater

ISR Component: Image
Required: IOS-XE Release 15.4(3)S1 through 15.5(3)Sx

Note: IOS-XE Release 15.4(3)S2 and prior do not support deploying a virtual service to bootflash. You must deploy a virtual service to a NIM-SSD for these releases, or upgrade to Release 15.5(3)S to deploy the virtual service to bootflash.


Table 6 (continued): ISR 4000 Series Platform Requirements

ISR Component: NBAR2 Protocol Pack
Required: Version 15.0.0 or greater (IOS-XE 15.4(3)S1 through 15.5(3)S); Version 17.0.0 or greater (IOS-XE 15.5(3)S, rebuild 2 or greater)

ISR Component: Licenses
Required:

Cisco 4331:

• SL-4330-IPB-K9 - IP Base license, and

• SL-4330-APP-K9 - AppX license

Cisco 4351:

• SL-4350-IPB-K9 - IP Base license, and

• SL-4350-APP-K9 - AppX license

Cisco 44XX:

• SL-44-IPB-K9 - IP Base license, and

• SL-44-DATA-K9 or SL-44-APP-K9 - Data license or AppX license

See http://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/guide-c07-732797.html#_Toc424288435 for more information.

Verifying ISR Platform Requirements

Before You Begin

• Log into the ISR console.

SUMMARY STEPS

1. enable

2. show version

3. show platform

4. show ip nbar protocol-pack active

5. exit


DETAILED STEPS

Step 1
Command or Action: enable
Purpose: Enable privileged EXEC mode.
Example:
Router> enable

Step 2
Command or Action: show version
Purpose: Show version information, including image version, installed ISR licenses, and control plane DRAM.
Example:
Router# show version

Step 3
Command or Action: show platform
Purpose: Show the Complex Programmable Logic Device version.
Example:
Router# show platform

Step 4
Command or Action: show ip nbar protocol-pack active
Purpose: Show the NBAR2 protocol pack version.
Example:
Router# show ip nbar protocol-pack active

Step 5
Command or Action: exit
Purpose: Exit privileged EXEC mode.
Example:
Router# exit

Example ISR Platform Requirements

Issuing the show version command to your ISR allows you to view your image version, installed licenses, and the total control plane DRAM on the ISR. The relevant lines are annotated in brackets below. Note that appxk9 corresponds to the AppX license, and ipbasek9 corresponds to the IP Base license.

Router> enable
Router# show version
Cisco IOS XE Software, Version 2016-05-16_22.05.paj
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)s2, RELEASE SOFTWARE (fc2)

...

Technology Package License Information:

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
-----------------------------------------------------------------
appxk9        appxk9        RightToUse     appxk9        [AppX license]
uck9          None          None           None
securityk9    None          None           None
ipbase        ipbasek9      Permanent      ipbasek9      [IP Base license]

cisco ISR4431/K9 (1RU) processor with 7799569K/6147K bytes of memory.


...

Issuing the show platform command to your ISR allows you to view the Complex Programmable Logic Device (CPLD) version, shown in the CPLD Version column below.

Router# show platform
Chassis type: ISR4431/K9

Slot      Type                State                    Insert time (ago)
--------- ------------------- ------------------------ -----------------

...

Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         15010638            15.4(2r)S
R0        15010638            15.4(2r)S
F0        15010638            15.4(2r)S

Issuing the show ip nbar protocol-pack active command to your ISR allows you to view the NBAR2 protocol pack version, shown in the Version line below.

Router# show ip nbar protocol-pack active

Active Protocol Pack:
Name:      Advanced Protocol Pack
Version:   17.0
Publisher: Cisco Systems Inc.

...
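The three outputs above can be checked mechanically before an agent is deployed. The following script is an added example, not part of the Cisco guide: it parses constructed sample output modelled on the examples above and tests it against the Table 6 requirements (image train, IP Base and AppX licenses, CPLD version, and the NBAR2 protocol pack version that the image rebuild requires); the 44XX Data-license alternative and the DRAM requirement are not modelled.

```python
"""Check captured ISR 4000 'show' output against the platform requirements in
Table 6 of this guide. Added example, not part of the Cisco guide; the sample
output below is constructed to mirror the guide's examples."""
import re

MIN_IMAGE = (15, 4, 3, 1)      # IOS-XE 15.4(3)S1 as (major, minor, release, rebuild)
MAX_IMAGE_TRAIN = (15, 5, 3)   # any 15.5(3)Sx rebuild is accepted
MIN_CPLD = 15010638
REQUIRED_LICENSES = {"ipbasek9", "appxk9"}   # 44XX Data-license alternative not modelled

# Constructed sample output (mirrors the guide's examples, not a real capture).
SHOW_VERSION = """\
Cisco IOS XE Software, Version 2016-05-16_22.05.paj
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)s2, RELEASE SOFTWARE (fc2)
Technology Package License Information:
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
-----------------------------------------------------------------
appxk9        appxk9        RightToUse     appxk9
uck9          None          None           None
securityk9    None          None           None
ipbase        ipbasek9      Permanent      ipbasek9
cisco ISR4431/K9 (1RU) processor with 7799569K/6147K bytes of memory.
"""
SHOW_PLATFORM = """\
Chassis type: ISR4431/K9
Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         15010638            15.4(2r)S
R0        15010638            15.4(2r)S
F0        15010638            15.4(2r)S
"""
SHOW_NBAR = """\
Active Protocol Pack:
Name:      Advanced Protocol Pack
Version:   17.0
Publisher: Cisco Systems Inc.
"""


def parse_image_version(text):
    """Return (major, minor, release, rebuild) from a 'Version 15.5(3)s2' line."""
    m = re.search(r"Version (\d+)\.(\d+)\((\d+)\)[A-Za-z]+(\d*)", text)
    if not m:
        raise ValueError("no IOS-XE release version found in show version output")
    major, minor, release, rebuild = m.groups()
    return (int(major), int(minor), int(release), int(rebuild or 0))


def parse_active_licenses(text):
    """Return the technology packages whose 'Current' column is not None."""
    active = set()
    for line in text.splitlines():
        parts = line.split()
        # Rows look like: <technology> <current-package> <type> <next-reboot-package>
        if len(parts) == 4 and parts[1] != "None" and parts[1].endswith("k9"):
            active.add(parts[1])
    return active


def parse_cpld_versions(text):
    """Return {slot: cpld_version} from the 'Slot CPLD Version Firmware Version' table."""
    versions = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d{8})\s+\S+$", line)
        if m:
            versions[m.group(1)] = int(m.group(2))
    return versions


def parse_nbar_version(text):
    """Return the protocol pack version as a 3-tuple, e.g. 'Version: 17.0' -> (17, 0, 0)."""
    m = re.search(r"^Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    if not m:
        raise ValueError("no protocol pack version found")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def check_isr(show_version, show_platform, show_nbar):
    """Return {requirement: passed} for the four checks this script models."""
    image = parse_image_version(show_version)
    cplds = parse_cpld_versions(show_platform)
    # 15.5(3)S rebuild 2 or later needs protocol pack 17.0.0; earlier images need 15.0.0.
    min_nbar = (17, 0, 0) if image[:3] == (15, 5, 3) and image[3] >= 2 else (15, 0, 0)
    return {
        "image": MIN_IMAGE <= image and image[:3] <= MAX_IMAGE_TRAIN,
        "licenses": REQUIRED_LICENSES <= parse_active_licenses(show_version),
        "cpld": bool(cplds) and all(v >= MIN_CPLD for v in cplds.values()),
        "nbar2": parse_nbar_version(show_nbar) >= min_nbar,
    }


if __name__ == "__main__":
    for name, ok in check_isr(SHOW_VERSION, SHOW_PLATFORM, SHOW_NBAR).items():
        print(f"{name:9s} {'OK' if ok else 'FAIL'}")
```

To check a real router, replace the three constructed strings with the captured output of the commands in Steps 2 through 4.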

ISR Configuration Prerequisites

Information Needed for ISR Configuration

When you configure the ISR's NTP servers and flexible NetFlow, provide the following information:

Table 7: ISR Configuration Settings

Setting: loopback interface IPv4 address or router management interface
Description: configure NTP server connectivity. Use a loopback interface if you have one configured, or the router management interface if you do not.

Setting: NTP server IPv4 addresses
Description: synchronize time in the Learning Network License system

Setting: agent eth0 IPv4 address for NetFlow exporter
Description: pass NetFlow packets from the ISR to the agent and traffic between the controller and the agent


ISR License Installation

To run an agent on an ISR 4000 Series, you must activate an IP Base (ipbasek9) IOS license, and an AppX (appxk9) IOS license, on the ISR. See http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html for more information on activating the licenses.

Agent and ISR Interaction

The following diagram illustrates the interaction between an agent and its host ISR.

Figure 3: ISR and Agent Deployed as a Virtual Service

You configure the install.yaml properties file, and run the installation_auto.py install script, to deploy agents to your ISRs. For detailed information about the diagram, and how the install script deploys agents, see Install Script Deployment, on page 56. For more information on the installation process, see Deploying Agents Using the Install Script, on page 55.


Communication Ports

Learning Network License requires several open ports for functionality, to allow communication between the controller and agents, and to allow users to access the controller UI. If a firewall or other security appliance sits between the controller and agents, or between the user and the controller, open these ports.

The following diagram illustrates this system functionality.

Figure 4: System Functionality Requiring Open Ports with an Agent Deployed as a Virtual Service

• Users, such as system administrators, can log into the controller web UI, and SSH login to agents.

• The controller sends information, such as mitigations, to the agent, and contacts NTP servers to synchronize time.

• The agent sends information, such as anomalies, log files, configuration files, and PCAP files, to the controller, and contacts NTP servers to synchronize time.


The following diagram illustrates the open ports and directionality. See Table 8: Default Communication Ports for Learning Network License Features and Operation, on page 18 for more information on these ports.

Figure 5: Open Ports for System Functionality with an Agent Deployed as a Virtual Service

Table 8: Default Communication Ports for Learning Network License Features and Operation

Port: 22/TCP
Description: SSH/SCP
Direction: outbound from agent eth0 interface Management IP, inbound to controller IP
Is open for any: IP associated with the controller, Management IP associated with the agent
To: transfer log files and configuration files

Port: 22/TCP
Description: SSH
Direction: outbound from host IP, inbound to agent eth0 interface Management IP
Is open for any: host IP that wants to SSH login to the agent
To: optionally enable remote access to the agent administrator script when the agent is deployed as a virtual service

Port: 22/TCP
Description: SSH
Direction: inbound from host IP to controller IP
Is open for any: host IP that wants to SSH login to the controller
To: optionally enable SSH login to the controller

Port: 123/UDP
Description: NTP
Direction: outbound from the controller IP to an external NTP server
Is open for any: IP associated with the controller
To: synchronize time with agents deployed as virtual services

Port: 443/TCP
Description: HTTPS
Direction: inbound from user IP to controller IP
Is open for any: host IP that wants to access the controller UI
To: access the controller UI


Table 8 (continued): Default Communication Ports for Learning Network License Features and Operation

Port: 9091/TCP
Description: TLS
Direction: outbound from controller IP to agent eth0 interface Management IP
Is open for any: IP associated with the controller
To: allow the controller to communicate with the agent

Port: 9092/TCP
Description: packet buffer capture (PBC)
Direction: outbound from controller IP to agent eth0 interface Management IP
Is open for any: IP associated with the controller
To: enable PBC

Agent Installation Prerequisites

The agent runs as a virtual service on your ISR. You can deploy the virtual service either to the ISR's bootflash, or to an optional 200 GB NIM-SSD. In general, agents deployed to bootflash offer less storage space for file retention than agents deployed to a NIM-SSD. See the following table for an overview of these differences.

Table 9: Agent Deployment as Virtual Service Comparison

Feature: Default virtual service settings
Agent Deployed to bootflash: Lower hard disk provisioned size setting.
Agent Deployed to NIM-SSD: Higher hard disk provisioned size setting.

Feature: packet buffer capture (PBC)
Agent Deployed to bootflash: Lesser file storage allocation for PBC. PCAP file storage is volatile; if the ISR restarts, PCAPs are lost.
Agent Deployed to NIM-SSD: Greater file storage allocation for PBC. PCAP file storage is stable; if the ISR restarts, PCAPs are retained.

Feature: log files
Agent Deployed to bootflash: Lower file storage allocation for log files. Log file storage is volatile; if the ISR restarts, log files are lost.
Agent Deployed to NIM-SSD: Greater file storage allocation for log files. Log file storage is stable; if the ISR restarts, log files are retained.

See ISR 4000 Series Platform Requirements, on page 12 for more information.

Note: You must download the virtual service OVA file. You cannot install the UCS E-Series blade server OVA file as a virtual service.


Agent Configuration Prerequisites

Agent OVA Download

Cisco provides the agent as one of two OVA files: sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova to install on the ISR's NIM-SSD, and sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova to install on the ISR's bootflash. Download the file at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html.

Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.

Agent Virtual Service Settings

Each agent you deploy as a virtual service requires a certain amount of memory, CPUs, and hard disk space. The following table lists the default settings.

Table 10: Default Agent as a Virtual Service Settings

Setting: memory
Default: 3072 MB (3 GB)

Setting: virtual CPUs
Default: 2

Setting: hard disk provisioned size
Default: 250 MB (when deployed to bootflash); 150 GB (when deployed to a NIM-SSD)

Agent Install Script

The controller contains an agent install script you can use to deploy the agents as virtual services. See Install Script Deployment, on page 56 and Agent Properties File Settings, on page 60 for more information.

NTP Configuration

The agent deployed as a virtual service receives time from the host router. You must configure the router and the controller with synchronized NTP server addresses to ensure synchronized time.


Downloading the OVA Files from Cisco

Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.

Step 1 In your web browser, navigate to http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html. Enter your username and password when prompted.

Step 2 Download the controller OVA file: sln-sca-k9-<ver>.ova

Step 3 Download an agent OVA file:

• sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - contains the agent to be deployed as a virtual service on an ISR's NIM-SSD

• sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - contains the agent to be deployed as a virtual service on an ISR's bootflash

Obtaining a File's Checksum from cisco.com

Before You Begin

• Go to the file download page on cisco.com.

Step 1 Click the File Information file name to view the file's details, which include the MD5 and SHA512 checksums.

Step 2 Click the ellipsis (…) to view the full SHA512 checksum.
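As an added example (not Cisco tooling), the following Python script performs the checksum comparison that the notes above require: it hashes the downloaded OVA, picks MD5 or SHA512 from the length of the digest copied out of the File Information dialog, and rejects the shortened SHA512 shown before the ellipsis is expanded. The file path and published checksum are operator-supplied placeholders; the small file the script can write for its own self-test is constructed.

```python
"""Verify a downloaded OVA against the MD5 or SHA512 checksum shown in the
cisco.com File Information dialog. Added example, not Cisco tooling; the file
path and checksum are supplied by the operator."""
import hashlib
import hmac
import os
import sys
import tempfile

# A full digest copied from the download page is 32 hex chars (MD5) or 128 (SHA512).
ALGORITHM_BY_HEX_LENGTH = {32: "md5", 128: "sha512"}


def file_digest(path, algorithm, chunk_size=1024 * 1024):
    """Hash a file in 1 MiB chunks (OVAs run to gigabytes) and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_published(checksum):
    """Drop whitespace and case from a checksum pasted off the web page."""
    return "".join(checksum.split()).lower()


def verify_download(path, published_checksum):
    """Return (matches, algorithm, computed_digest) for the file at path.

    Raises ValueError if the published string is not a complete MD5 or SHA512
    digest, e.g. the shortened SHA512 shown before the ellipsis is expanded."""
    expected = normalize_published(published_checksum)
    algorithm = ALGORITHM_BY_HEX_LENGTH.get(len(expected))
    if algorithm is None:
        raise ValueError(f"{len(expected)} hex chars is not a full MD5 or SHA512 digest")
    int(expected, 16)  # raises ValueError if any character is not hexadecimal
    computed = file_digest(path, algorithm)
    # Constant-time comparison: cheap insurance even though the digest is public.
    return hmac.compare_digest(computed, expected), algorithm, computed


def write_sample_file(content=b"constructed stand-in for an OVA\n"):
    """Write a small constructed file (used for the self-test) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".ova")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_ova.py <ova-file> <published-md5-or-sha512>")
    ok, algorithm, digest = verify_download(sys.argv[1], sys.argv[2])
    print(f"{algorithm}: {digest}")
    # Mirrors the guide's note: on mismatch, re-download; if it still differs, contact Cisco Support.
    print("checksum matches" if ok else "MISMATCH: re-download the file")
    sys.exit(0 if ok else 1)
```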


C H A P T E R 3

Controller Installation

The following describes the controller installation process.

• Installing the Controller, page 23

• Controller Deployment, page 24

• Controller Virtual Hard Disk Storage, page 26

• Custom Controller Web UI Certificates, page 34

• Controller Setup Script, page 37

• Resetting the Administrator Password, page 42

• Disabling Host Time Synchronization, page 43

• Logging into the Controller Web UI, page 44

• Verifying NTP Configuration on the Controller, page 44

Installing the Controller

The controller acts as the management center of the Learning Network License system. It collates anomalies sent by all managed agents and performs a real-time analysis based on severity rating and internal relevance to determine which are of most interest to the user. It then reports these for further user review and relevance feedback, and displays various graphs and data to assist user analysis of anomalies. In response, the user can configure mitigations that match an anomaly's characteristics, including IP address or application, and take an action. The controller forwards these mitigation policies and actions to managed agents.


You must deploy a single controller on your network.

Step 1 Deploy the controller OVA file to an ESXi host in your network, and activate it. See Controller Deployment, on page 24 for more information.

Step 2 If you want to use a custom SSL certificate for the controller web UI, see Custom Controller Web UI Certificates, on page 34 for more information.

Step 3 If you want to increase the hard disk storage size, see Controller Virtual Hard Disk Storage, on page 26 for more information.

Step 4 Run the setup script to configure basic network settings, NTP server addresses, and public key certificates. See Configuring the Controller with the Setup Script, on page 38 for more information.

Step 5 Reset the controller web UI administrator user account (admin) password. See Resetting the Administrator Password, on page 42 for more information.

Step 6 Disable time synchronization with the ESXi host. See Disabling Host Time Synchronization, on page 43 for more information.

Controller Deployment

Cisco provides the controller as a downloadable OVA file. You can deploy this OVA file to a host running an ESXi hypervisor.

Before you start the controller VM, you can update the memory, number of vCPUs, and hard disk space in vSphere vCenter. If you increase the memory, you must start the VM, then run the setup-system script. After you run the script, the VM is updated with proper memory settings.

If your controller is already running, and you want to update the memory settings, run the setup-system script, stop the VM, update the memory settings, and start the VM. On restart, the VM is updated with proper memory settings.

See Controller Installation Prerequisites, on page 9 for more information on recommended controller VM settings, based on deployment size.

Note: For a given version of the Learning Network License system, only the version of Ubuntu Linux shipped with the controller and agents is supported. Do NOT upgrade Ubuntu Linux on the controller or agent VMs.

The first time you log into the virtual machine, the system prompts you to change the default administrator password.

Deploying the OVA File

As you map destination networks to interfaces, note that only eth0 is enabled by default. For many deployments, controller management traffic, agent traffic, and controller web UI user traffic are reachable from the same controller network interface. In this case, you can map that destination network to the eth0 interface. You can also leave the eth1 and eth2 interfaces disabled, and mapped to a separate destination network.


However, if these traffic types are reachable via different controller network interfaces, you can enable eth1, eth2, or both eth1 and eth2, then map them to the appropriate destination networks.

Before You Begin

• Download the OVA file.

• Download VMware vSphere Client from https://my.vmware.com/web/vmware/downloads and install it.

Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you want to install the OVA file.

Step 2 Select File > Deploy OVF Template.

Step 3 Click Browse to select your OVA file, then click Next.

Step 4 Review the OVF Template Details, then click Next.

Step 5 Enter a Name, select an inventory location, then click Next.

Step 6 Click the Thick Provision Lazy Zeroed radio button, then click Next.

Step 7 Select a Destination Network from your inventory to map to a Source Network. You can map the following default networks, then click Next.

• eth0 to Main Network

• eth1 (disconnected) to Alt1 Network

• eth2 (disconnected) to Alt2 Network

Note: If you only need to configure eth0, you can map eth1 and eth2 to the same network.

Step 8 Review your deployment settings and click Finish.

Note: The deployment may take 30 minutes to an hour or longer, depending on your environment.

Step 9 Click Close after the deployment completes.

What to Do Next

• Power on the virtual machine and log in, as described in the next section.


Powering On the Virtual Machine

Before You Begin

• Deploy the OVA file to the ESXi hypervisor, as described in the previous section.

Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you deployed the virtual machine.

Step 2 Select Home > Inventory > VMs and Templates.

Step 3 Select the virtual machine from the navigation tree.

Step 4 Select Inventory > Virtual Machine > Power > Power On.

Step 5 Click the Console tab, then click in the console pane to shift your focus to the virtual machine console.

Note: To shift your focus from the virtual machine console to your local host, press Ctrl-Alt.

Step 6 Log in with the default administrator username (sln) and the default administrator password (cisco). When prompted, change the default administrator password.

Controller Virtual Hard Disk Storage

By default, the controller OVA ships configured with a 200 GB hard disk. Based on your deployment and the recommended settings, you can configure the deployed controller VM to expand the available hard disk storage space by either:

• increasing the existing virtual hard disk storage allocation with an expanded partition or another partition, when the existing VMware storage area has sufficient space, or

• adding a new virtual hard disk, when the existing VMware storage area has insufficient space.

Note: Follow the procedures carefully. Failure to follow them can result in corruption or loss of the controller VM filesystem.

Controller Virtual Hard Disk Allocation Expansion

To add space to the controller VM hard disk, configure the VM's settings in VMware vSphere to increase the size of the hard disk. Then, from the VM's command line, run parted to extend an existing virtual hard disk partition. Finally, issue commands to expand the filesystem size for the new hard disk.

Note: You can only extend a hard disk partition to 2 TB. If you need more space, you can use cfdisk to instead add another virtual hard disk partition.


By default, the controller ships with one virtual hard disk, sda, with partitions up to number 5 (sda5). The first time you add a partition to this virtual hard disk, increment the name by one (sda6). If you want to add another partition, increment the name of the most recent hard disk partition by 1 (sda7, sda8, and so on).

Editing VM Settings to Increase Virtual Hard Disk Size

Before You Begin

• Connect to the ESXi hypervisor using VMware vSphere.

Step 1 Select Home > Inventory > VMs and Templates.

Step 2 Right-click the controller VM and select Edit Settings.

Step 3 In the Hardware tab, select Hard disk 1.

Step 4 Enter a new Provisioned Size to update the virtual hard disk provision.

Step 5 Click OK.

Step 6 Right-click the controller VM and select Power > Shut Down Guest. Wait for the VM to power off.

Step 7 Right-click the controller VM and select Power > Power On.

Extending a Virtual Hard Disk Partition

Use parted to extend the sda5 virtual hard disk partition. The controller OVA contains one virtual hard disk by default, sda. This virtual hard disk contains partitions up to number five (sda5).

Note: You can only extend the partition up to 2 TB. If you need more space, add another virtual hard disk partition. See Adding a New Virtual Hard Disk Partition Larger than 2 TB, on page 29 for more information.

Before You Begin

• Use VMware vSphere to log into the controller VM console.

SUMMARY STEPS

1. sudo parted /dev/sda resizepart 2 100%, then enter your password when prompted

2. sudo parted /dev/sda resizepart 5 100%, then enter your password when prompted


DETAILED STEPS

Step 1
Command or Action: sudo parted /dev/sda resizepart 2 100%, then enter your password when prompted
Purpose: Run the parted partition resizer to resize the sda2 partition.
Example:
user@host:~$ sudo parted /dev/sda resizepart 2 100%

Step 2
Command or Action: sudo parted /dev/sda resizepart 5 100%, then enter your password when prompted
Purpose: Run the parted partition resizer to resize the sda5 partition.
Example:
user@host:~$ sudo parted /dev/sda resizepart 5 100%

Updating the Filesystem for an Extended Virtual Hard Disk Partition

The controller VM was provisioned with Linux LVM2 (Logical Volume Manager) tools. The following procedure uses the LVM2 tools to register the extended partition as a physical volume, and extend the logical volume over the new physical volume while simultaneously resizing the Linux filesystem to recognize the additional space.

Before You Begin

• Use VMware vSphere to log into the controller VM console.

SUMMARY STEPS

1. sudo partprobe -s

2. sudo pvresize /dev/sda5

3. sudo vgdisplay

4. sudo lvextend -r /dev/<volume-group>/root /dev/sda5

DETAILED STEPS

Step 1
Command or Action: sudo partprobe -s
Purpose: Update the /dev filesystem to recognize the extended /dev/sda5 virtual hard disk partition.
Example:
user@host:~$ sudo partprobe -s

Step 2
Command or Action: sudo pvresize /dev/sda5
Purpose: Resize the physical volume for the sda5 partition on the sda virtual hard disk.
Example:
user@host:~$ sudo pvresize /dev/sda5


Step 3
Command or Action: sudo vgdisplay
Purpose: View the name of the volume group.
Example:
user@host:~$ sudo vgdisplay

Step 4
Command or Action: sudo lvextend -r /dev/<volume-group>/root /dev/sda5
Purpose: Add the new volume to the root logical volume and resize the root filesystem.
Example:
user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sda5

Adding a New Virtual Hard Disk Partition Larger than 2 TB

Use cfdisk to create a new virtual hard disk partition larger than 2 TB. The controller OVA contains one virtual hard disk by default, sda. This virtual hard disk contains partitions up to number five (sda5). The following task assumes you have not created another virtual hard disk partition, directing you to increment the highest virtual hard disk partition name by one to create the sda6 partition. If you have created other virtual hard disk partitions for the sda virtual hard disk, increment the new partition name based on the existing virtual hard disk partitions (sda7, sda8, etc.).

Before You Begin

• Use VMware vSphere to log into the controller VM console.

SUMMARY STEPS

1. sudo cfdisk /dev/sda, then enter your password when prompted

2. Move your cursor to the last line containing Free space, and verify the size column roughly matches the amount of space you added.

3. n to create a new partition

4. Select Logical and press Enter.

5. Press Enter to accept the default size.

6. t to change the filesystem type to 8E

7. W to write the new partition table, then yes to confirm

8. q to quit cfdisk


DETAILED STEPS

Step 1
Command or Action: sudo cfdisk /dev/sda, then enter your password when prompted
Purpose: Run the cfdisk partition editor to create the sda6 partition.
Example:
user@host:~$ sudo cfdisk /dev/sda

Step 2
Command or Action: Move your cursor to the last line containing Free space, and verify the size column roughly matches the amount of space you added.
Purpose: Verify that the partition size is correct. If it is not, restart the controller VM and restart this procedure from the beginning.

Step 3
Command or Action: n to create a new partition
Purpose: Create a new partition.

Step 4
Command or Action: Select Logical and press Enter.
Purpose: Create a logical partition.

Step 5
Command or Action: Press Enter to accept the default size.
Purpose: Create the partition with the free space displayed.

Step 6
Command or Action: t to change the filesystem type to 8E
Purpose: Change the filesystem type to 8E (Linux LVM).

Step 7
Command or Action: W to write the new partition table, then yes to confirm
Purpose: Write the new partition table.

Step 8
Command or Action: q to quit cfdisk
Purpose: Quit cfdisk.

Updating the Filesystem for the New Virtual Hard Disk Partition

The controller VM was provisioned with Linux LVM2 (Logical Volume Manager) tools. The following procedure uses the LVM2 tools to register the new partition as a physical volume, add the new physical volume to the existing volume group, and extend the logical volume over the new physical volume while simultaneously resizing the Linux filesystem to recognize the additional space.

Before You Begin

• Use VMware vSphere to log into the controller VM console.

SUMMARY STEPS

1. sudo partprobe -s

2. sudo pvcreate /dev/sda6

3. sudo vgdisplay

4. sudo vgextend <volume-group> /dev/sda6

5. sudo lvextend -r /dev/<volume-group>/root /dev/sda6


DETAILED STEPS

Step 1
Command or Action: sudo partprobe -s
Purpose: Update the /dev filesystem to include /dev/sda6 as a new virtual hard disk partition.
Example:
user@host:~$ sudo partprobe -s

Step 2
Command or Action: sudo pvcreate /dev/sda6
Purpose: Create a physical volume for a new partition on the sda virtual hard disk.
Example:
user@host:~$ sudo pvcreate /dev/sda6

Step 3
Command or Action: sudo vgdisplay
Purpose: View the name of the volume group.
Example:
user@host:~$ sudo vgdisplay

Step 4
Command or Action: sudo vgextend <volume-group> /dev/sda6
Purpose: Add the new volume to the volume group.
Example:
user@host:~$ sudo vgextend vg00 /dev/sda6

Step 5
Command or Action: sudo lvextend -r /dev/<volume-group>/root /dev/sda6
Purpose: Add the new volume to the root logical volume and resize the root filesystem.
Example:
user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sda6

Controller Virtual Hard Disk Addition

To add a virtual hard disk on the controller VM, configure the VM's settings in VMware vSphere to recognize a new hard disk. Then, from the VM's command line, run cfdisk to create the new virtual hard disk, and issue commands to expand the filesystem size for the new hard disk.

By default, the controller ships with one virtual hard disk, sda. The first time you add a virtual hard disk,increment the name by one (sdb). If you want to add another virtual hard disk, increment the name of the mostrecent hard disk by 1 (sdc, sdd, and so on).


Editing VM Settings for a New Hard Disk

Before You Begin

• Connect to the ESXi hypervisor using VMware vSphere.

Step 1 Select Home > Inventory > VMs and Templates.
Step 2 Right-click the controller VM and select Edit Settings.
Step 3 In the Hardware tab, click Add.
Step 4 Select Hard Disk and click Next.
Step 5 Select Create a new virtual disk and click Next.
Step 6 Enter a Disk Size and click Next.
Step 7 Click Next to skip the Advanced Options screen.
Step 8 Click Finish.
Step 9 Click OK in the Virtual Machine Properties window.
Step 10 Right-click the controller VM and select Power > Shut Down Guest. Wait for the VM to power off.
Step 11 Right-click the controller VM and select Power > Power On.

Adding a New Hard Disk

Use cfdisk to create a disk partition on the new virtual hard disk. The controller OVA contains one virtual hard disk by default, sda. The following task assumes you have not created another virtual hard disk, directing you to increment the existing virtual hard disk name by one to create the sdb virtual hard disk. If you have created other virtual hard disks for the controller, increment the new virtual hard disk name based on the existing virtual hard disks (sdc, sdd, etc.).

Before You Begin

• Use VMware vSphere to log into the controller VM console.

SUMMARY STEPS

1. sudo cfdisk /dev/sdb, then enter your password when prompted
2. n to create a new partition
3. Select Primary and press Enter.
4. Press Enter to accept the default size.
5. t to change the filesystem type to 8E
6. W to write the new partition table, then yes to confirm
7. q to quit cfdisk


DETAILED STEPS

Step 1
Command or Action: sudo cfdisk /dev/sdb, then enter your password when prompted
Purpose: Run the cfdisk partition editor to create the sdb1 partition on the sdb virtual hard disk. The table contains one line, with the free space equal to the total disk size.
Example:
user@host:~$ sudo cfdisk /dev/sdb

Step 2
Command or Action: n to create a new partition
Purpose: Create a new partition.

Step 3
Command or Action: Select Primary and press Enter.
Purpose: Create a primary partition.

Step 4
Command or Action: Press Enter to accept the default size.
Purpose: Create the partition with the free space displayed.

Step 5
Command or Action: t to change the filesystem type to 8E
Purpose: Change the filesystem type to 8E (Linux LVM).

Step 6
Command or Action: W to write the new partition table, then yes to confirm
Purpose: Write the new partition table.

Step 7
Command or Action: q to quit cfdisk
Purpose: Quit cfdisk.

Updating the Filesystem for the New Hard Disk

Before You Begin

• Use VMware vSphere to log into the controller VM console.

SUMMARY STEPS

1. sudo partprobe -s

2. sudo pvcreate /dev/sdb1

3. sudo vgdisplay

4. sudo vgextend <volume-group> /dev/sdb1

5. sudo reboot

6. Log into the controller VM console.

7. sudo lvextend -r /dev/<volume-group>/root /dev/sdb1

8. sudo reboot

DETAILED STEPS

Step 1
Command or Action: sudo partprobe -s
Purpose: Update the filesystem to include /dev/sdb as a new virtual hard disk.
Example:
user@host:~$ sudo partprobe -s

Step 2
Command or Action: sudo pvcreate /dev/sdb1
Purpose: Create a physical volume for a new partition on the sdb hard disk.
Example:
user@host:~$ sudo pvcreate /dev/sdb1

Step 3
Command or Action: sudo vgdisplay
Purpose: View the name of the volume group.
Example:
user@host:~$ sudo vgdisplay

Step 4
Command or Action: sudo vgextend <volume-group> /dev/sdb1
Purpose: Add the new volume to the volume group.
Example:
user@host:~$ sudo vgextend vg00 /dev/sdb1

Step 5
Command or Action: sudo reboot
Purpose: Restart the controller VM.
Example:
user@host:~$ sudo reboot

Step 6
Command or Action: Log into the controller VM console.
Purpose: Log into the controller VM console.

Step 7
Command or Action: sudo lvextend -r /dev/<volume-group>/root /dev/sdb1
Purpose: Add the new volume to the root logical volume and resize the root filesystem.
Example:
user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sdb1

Step 8
Command or Action: sudo reboot
Purpose: Restart the controller VM.
Example:
user@host:~$ sudo reboot
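The LVM steps of both procedures (the sda6 partition on the grown sda disk, and sdb1 on an added disk), collected as one checked sequence. This is an added example and not part of the Cisco guide: the planner, its function names and the sample vgdisplay text are assumptions of this example; the guide itself only lists the individual commands. It reads the volume group name from vgdisplay output instead of having you type it in place of <volume-group>, refuses to proceed when more than one volume group exists, and encodes the guide's distinction that a partition on a newly added disk needs a reboot after vgextend and again after lvextend while a partition on sda needs none.

```python
"""Added example, not from the Cisco guide: the guide's LVM steps for a new
partition on the grown sda disk or for the first partition on an added disk,
with the volume group name taken from vgdisplay and the inputs checked before
anything runs. All names here are assumptions of this example."""
import re
import subprocess

VG_NAME_RE = re.compile(r"^\s*VG Name\s+(\S+)\s*$", re.M)
PARTITION_RE = re.compile(r"^/dev/(sd[a-z])(\d+)$")
REBOOT = ["sudo", "reboot"]

# Constructed vgdisplay excerpt; a real one carries many more attributes.
SAMPLE_VGDISPLAY = """\
  --- Volume group ---
  VG Name               vg00
  System ID
  Format                lvm2
  VG Size               <99.00 GiB
"""


def vg_names(vgdisplay_output):
    """Every 'VG Name' value in vgdisplay output."""
    return VG_NAME_RE.findall(vgdisplay_output)


def plan_extension(partition, vgdisplay_output):
    """Build the command sequence the guide prescribes for `partition`.

    Raises ValueError rather than guessing when the partition name is not
    /dev/sdXN or when vgdisplay reports anything other than one volume group.
    Following the guide, a partition on a disk other than sda (an added disk)
    gets a reboot after vgextend and again after lvextend; a partition on the
    grown sda disk gets none.
    """
    m = PARTITION_RE.match(partition)
    if not m:
        raise ValueError(f"unexpected partition name: {partition}")
    names = vg_names(vgdisplay_output)
    if len(names) != 1:
        raise ValueError(f"expected exactly one volume group, found {names}")
    vg = names[0]
    new_disk = m.group(1) != "sda"
    cmds = [
        ["sudo", "partprobe", "-s"],
        ["sudo", "pvcreate", partition],
        ["sudo", "vgextend", vg, partition],
    ]
    if new_disk:
        cmds.append(REBOOT)
    # -r grows the root filesystem together with the logical volume.
    cmds.append(["sudo", "lvextend", "-r", f"/dev/{vg}/root", partition])
    if new_disk:
        cmds.append(REBOOT)
    return cmds


def run_until_reboot(cmds, dry_run=True):
    """Run the plan in order, stop at a reboot step and return the remaining
    commands so the operator can reboot, log back in and resume.
    With dry_run the commands are only printed."""
    for i, cmd in enumerate(cmds):
        if cmd == REBOOT:
            print("reboot now, then resume with the remaining steps")
            return cmds[i + 1:]
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return []


if __name__ == "__main__":
    # Dry run against the constructed sample; on the controller, replace the
    # sample with the stdout of subprocess.run(["sudo", "vgdisplay"], ...).
    remaining = run_until_reboot(plan_extension("/dev/sdb1", SAMPLE_VGDISPLAY))
    print("after the reboot:", remaining)
```

The dry run prints the exact commands the guide lists, in the guide's order, so the plan can be compared against the tables above before `dry_run=False` is used on the controller.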

Custom Controller Web UI Certificates

The controller web server uses Transport Layer Security (TLS) to encrypt connections to the controller web UI. This requires the server to present a certificate to the client browser. Using the self-signed certificate installed by default does not allow the browser to validate the authenticity of the controller web UI, and leads to browser warnings about an untrusted web server. Instead of using a self-signed certificate, you can upload to the controller a custom public key server certificate and private key generated by your organization. This allows clients that connect to the controller web UI to properly validate the web server's authenticity. Note the following:

• You must upload both a server certificate and associated private key. Both must be in PEM format.

• You can also upload a trust chain of issuing CA certificates for the server certificate, concatenated withthe server certificate in a single PEM file.


• You can upload an encrypted private key file. You must also create an additional file (sln_ssl.pass)with the cleartext password required to unencrypt the private key file.

After you make these changes, restart the controller web UI processes.

Note: When you run the setup-system script, do not generate a new controller web UI certificate, as this will overwrite your custom certificate and private key. See Configuring the Controller with the Setup Script, on page 38 for more information.

Uploading a Private Key Password

If your private key file is encrypted, you must create an sln_ssl.pass password file containing the cleartext password. After you create the file, you update the sln_ssl_certs.conf configuration file to point to the password file. See Uploading Custom Controller Web UI Certificates, on page 36 for more information.

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. cd /etc/ssl/private/

2. cat > sln_ssl.pass, then enter your password as cleartext, then press Ctrl + D.

3. cat sln_ssl.pass to verify the password

DETAILED STEPS

Step 1
Command or Action: cd /etc/ssl/private/
Purpose: Change to the /etc/ssl/private/ directory.
Example:
user@host:~$ cd /etc/ssl/private/

Step 2
Command or Action: cat > sln_ssl.pass, then enter your password as cleartext, then press Ctrl + D.
Purpose: Create the sln_ssl.pass password file, containing the private key cleartext password.
Example:
user@host:~/etc/ssl/private$ cat > sln_ssl.pass
private-key-password

Step 3
Command or Action: cat sln_ssl.pass to verify the password
Purpose: Verify that the sln_ssl.pass password file contains the correct cleartext password.
Example:
user@host:~/etc/ssl/private$ cat sln_ssl.pass


What to Do Next

• Continue updating the configuration for your custom certificate and private key, as described in the nextsection.

Uploading Custom Controller Web UI Certificates

Before You Begin

• Log into the controller VM console.

• Upload your custom controller web UI server certificate, and chain of issuing CA certificates if applicable, in PEM format to the controller at /etc/ssl/certs.

• Upload your custom controller web UI server certificate private key in PEM format to the controller at/etc/ssl/private.

SUMMARY STEPS

1. cd /opt/cisco/sln/viz/conf/

2. sudo vi sln_ssl_certs.conf, then enter your password when prompted

3. Modify the ssl_certificate filepath to point to the custom server certificate PEM file.

4. Modify the ssl_certificate_key filepath to point to the custom server certificate private key PEM file.

5. If you uploaded an sln_ssl.pass password file, add ssl_password_file and a corresponding filepath after the ssl_certificate_key filepath.

6. Press Esc, then enter :wq!.

7. sudo service ciscosln-viz restart

DETAILED STEPS

Step 1
Command or Action: cd /opt/cisco/sln/viz/conf/
Purpose: Change to the /opt/cisco/sln/viz/conf/ directory.
Example:
user@host:~$ cd /opt/cisco/sln/viz/conf/

Step 2
Command or Action: sudo vi sln_ssl_certs.conf, then enter your password when prompted
Purpose: Open sln_ssl_certs.conf in the vi text editor as a superuser.
Example:
user@host:~/opt/cisco/sln/viz/conf$ sudo vi sln_ssl_certs.conf

Step 3
Command or Action: Modify the ssl_certificate filepath to point to the custom server certificate PEM file.
Purpose: Update sln_ssl_certs.conf to point to your custom server certificate.
Example:
ssl_certificate /etc/ssl/certs/server-certificate.pem

Step 4
Command or Action: Modify the ssl_certificate_key filepath to point to the custom server certificate private key PEM file.
Purpose: Update sln_ssl_certs.conf to point to your custom server certificate private key.
Example:
ssl_certificate_key /etc/ssl/certs/server-certificate-key.pem

Step 5
Command or Action: If you uploaded an sln_ssl.pass password file, add ssl_password_file and a corresponding filepath after the ssl_certificate_key filepath.
Purpose: Update sln_ssl_certs.conf to point to your private key password file.
Example:
ssl_certificate_key /etc/ssl/certs/server-certificate-key.pem
ssl_password_file /etc/ssl/private/sln_ssl.pass

Step 6
Command or Action: Press Esc, then enter :wq!.
Purpose: Save your changes, then exit the vi text editor.
Example:
:wq!

Step 7
Command or Action: sudo service ciscosln-viz restart
Purpose: Restart the controller web UI service.
Example:
user@host:~/opt/cisco/sln/viz/conf$ sudo service ciscosln-viz restart
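A pre-restart check for the certificate configuration described in this section and in Uploading a Private Key Password. This is an added example, not code from the Cisco guide or the product: it assumes that sln_ssl_certs.conf holds one "directive value;" per line (the nginx-style form the ssl_certificate, ssl_certificate_key and ssl_password_file directive names suggest; the guide does not show the file), and every file it writes is a constructed sample rather than a real certificate or key. It catches, before the web UI service is restarted, a path that does not exist, a file that is not PEM, an encrypted private key with no ssl_password_file, and an sln_ssl.pass that is readable by other users.

```python
"""Added example, not from the Cisco guide: check a custom web UI certificate
setup before `sudo service ciscosln-viz restart`. The config format and all
file contents are assumptions/constructed samples."""
import os
import re
import stat
import tempfile

DIRECTIVES = ("ssl_certificate", "ssl_certificate_key", "ssl_password_file")
DIRECTIVE_RE = re.compile(r"^\s*(%s)\s+(\S+?)\s*;?\s*$" % "|".join(DIRECTIVES))
# A well-formed PEM block: matching BEGIN/END labels around a body.
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----", re.S)


def parse_directives(conf_text):
    """Map each of the three directives the guide edits to its configured path."""
    found = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def pem_block_types(text):
    """Labels of every well-formed PEM block, in file order."""
    return [m.group(1) for m in PEM_BLOCK_RE.finditer(text)]


def key_is_encrypted(key_text):
    """PKCS#8 encrypted keys carry their own label; legacy keys a Proc-Type header."""
    return ("ENCRYPTED PRIVATE KEY" in pem_block_types(key_text)
            or "Proc-Type: 4,ENCRYPTED" in key_text)


def check_config(conf_path):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    with open(conf_path) as fh:
        d = parse_directives(fh.read())
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if name not in d:
            problems.append(f"{name} is not set")
    problems += [f"{p} does not exist" for p in d.values() if not os.path.isfile(p)]
    if problems:
        return problems
    with open(d["ssl_certificate"]) as fh:
        cert_types = pem_block_types(fh.read())
    # Server certificate plus any concatenated issuing CA chain: only CERTIFICATE blocks.
    if not cert_types or any(t != "CERTIFICATE" for t in cert_types):
        problems.append("ssl_certificate must contain only PEM CERTIFICATE blocks")
    with open(d["ssl_certificate_key"]) as fh:
        key_text = fh.read()
    if not any(t.endswith("PRIVATE KEY") for t in pem_block_types(key_text)):
        problems.append("ssl_certificate_key is not a PEM private key")
    if key_is_encrypted(key_text) and "ssl_password_file" not in d:
        problems.append("private key is encrypted but ssl_password_file is not set")
    if "ssl_password_file" in d:
        # The password file holds the key password in cleartext: owner-only access.
        mode = stat.S_IMODE(os.stat(d["ssl_password_file"]).st_mode)
        if mode & 0o077:
            problems.append("ssl_password_file is readable by group or other")
    return problems


def _pem(label, body="Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwta2V5"):
    """Constructed PEM block with a placeholder body (not real key material)."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def build_demo():
    """Write constructed files into a temp dir and check two variants of the config."""
    root = tempfile.mkdtemp()
    paths = {n: os.path.join(root, n) for n in ("server.pem", "key.pem", "sln_ssl.pass")}
    with open(paths["server.pem"], "w") as fh:
        fh.write(_pem("CERTIFICATE") + _pem("CERTIFICATE"))  # server cert + one issuing CA
    with open(paths["key.pem"], "w") as fh:
        fh.write(_pem("ENCRYPTED PRIVATE KEY"))
    with open(paths["sln_ssl.pass"], "w") as fh:
        fh.write("private-key-password\n")
    os.chmod(paths["sln_ssl.pass"], 0o600)
    variants = {
        "with_password_file": [f"ssl_certificate {paths['server.pem']};",
                               f"ssl_certificate_key {paths['key.pem']};",
                               f"ssl_password_file {paths['sln_ssl.pass']};"],
        "missing_password_file": [f"ssl_certificate {paths['server.pem']};",
                                  f"ssl_certificate_key {paths['key.pem']};"],
    }
    results = {}
    for name, lines in variants.items():
        conf = os.path.join(root, name + ".conf")
        with open(conf, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        results[name] = check_config(conf)
    return results
```

On the controller, `check_config("/opt/cisco/sln/viz/conf/sln_ssl_certs.conf")` run as a user who can read /etc/ssl/private gives the same kind of list; an empty list is the go-ahead for the restart in Step 7.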

Controller Setup Script

The controller setup script directs you to configure the following controller settings:

Table 11: Controller Setup Script Settings

Setting | Required? | Description
eth0 interface | yes | basic interface configuration
controller web UI IPv4 address and hostname | yes | IP address and hostname to access the controller web UI
SSH service | recommended, but not required | enables SSH login
NTP server | yes | synchronizes time among controller, agent, and host Network Element
controller self-signed certificate, generated or provided | yes | encrypts management communication between controller and agent
controller web UI self-signed certificate, generated or provided | yes | encrypts connections to the controller web UI
DNS server | recommended, but not required | provides additional DNS-related context for anomalies
domain suffix search list | recommended, but not required | provides additional DNS-related context for anomalies

After you configure these settings, you can log into the controller web user interface to verify your settings.Note that the interface does not display anomalies, as the controller does not yet manage any agents.

Configuring the Controller with the Setup Script

If you need multiple interfaces on multiple subnets, when configuring networking, you can also configure eth1 and eth2.

Before You Begin

• Log into the controller VM console.


SUMMARY STEPS

1. cd ~/

2. sudo ./setup-system at the command prompt to run the setup script. Enter the administrator password if prompted.

3. y (configure networking)

4. 1 (configure eth0)

5. hostname, then hostname, then y to confirm

6. ipv4, then ipv4-address, then ipv4-netmask, then ipv4-gateway, then y to confirm

7. dns, then dns-servers, then y to confirm

8. search, then domain-suffixes, then y to confirm

9. view

10. exit

11. 4 (exit interface configuration)

12. y (enable SSH login)

13. y, then ntp-servers, then y to confirm

14. y (generate a controller certificate)

15. y (generate a controller web UI certificate), or n if you uploaded a custom certificate

16. y (specify the distinguished name if you generated a new certificate)

17. country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email if you generated a new certificate

DETAILED STEPS

Step 1
Command or Action: cd ~/
Purpose: Change directories.
Example:
user@host:~$ cd ~/

Step 2
Command or Action: sudo ./setup-system at the command prompt to run the setup script. Enter the administrator password if prompted.
Purpose: Run the setup script.
Example:
user@host:~$ sudo ./setup-system

Step 3
Command or Action: y (configure networking)
Purpose: Configure networking.

Step 4
Command or Action: 1 (configure eth0)
Purpose: Configure the eth0 interface.

Step 5
Command or Action: hostname, then hostname, then y to confirm
Purpose: Configure the controller VM hostname. You must enter a fully qualified domain name.

Step 6
Command or Action: ipv4, then ipv4-address, then ipv4-netmask, then ipv4-gateway, then y to confirm
Purpose: Configure the interface's IPv4 address, along with a netmask and gateway.

Step 7
Command or Action: dns, then dns-servers, then y to confirm
Purpose: Modify the virtual machine's list of DNS servers.

Step 8
Command or Action: search, then domain-suffixes, then y to confirm
Purpose: If you want to configure the domain suffix search list, run the search command.

Step 9
Command or Action: view
Purpose: View the interface's network settings, hostname, and DNS settings. If any of these are missing or incorrect, repeat that configuration.

Step 10
Command or Action: exit
Purpose: Save your changes and continue with interface configuration.

Step 11
Command or Action: 4 (exit interface configuration)
Purpose: Exit interface configuration and continue.

Step 12
Command or Action: y (enable SSH login)
Purpose: Enable SSH login.

Step 13
Command or Action: y, then ntp-servers, then y to confirm
Purpose: Configure NTP servers used to synchronize time between the controller and agent. Enter a space-delimited list of NTP server fully-qualified domain names (FQDNs) or IPv4 addresses.

Step 14
Command or Action: y (generate a controller certificate)
Purpose: Generate a controller self-signed certificate, used for encrypting controller/agent communication.

Step 15
Command or Action: y (generate a controller web UI certificate), or n if you uploaded a custom certificate
Purpose: Generate a controller web UI self-signed certificate, used for encrypting user connections to the controller web user interface.

Step 16
Command or Action: y (specify the distinguished name if you generated a new certificate)
Purpose: Optionally, specify the certificate subject distinguished name (DN).

Step 17
Command or Action: country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email if you generated a new certificate
Purpose: Optionally, provide the DN information.

Controller Setup Script Example

The following displays excerpts from running the setup script, along with sample user inputs:

It's best to set up networking for eth0, and also DNS services
at this point.

Do you want to set up networking now? (y or n)[n]y

...

Enter an action (exit to exit): ipv4

Change IPv4 Address, Netmask, and Gateway

Interface eth0 is manually configured.
It will be changed to a 'static' configuration
using with the parameters provided.
A return (with no data) will cause the entry to remain unchanged.
enter new IPv4 address (w/optional "/masklen") [ ]: 209.165.201.2
enter new IPv4 netmask [ ]: 255.255.255.224
enter new IPv4 gateway (or "-" to delete) [ ]: 209.165.201.1


The following attributes will be changed:

new IPv4 address: 209.165.201.2
new IPv4 netmask: 255.255.255.224
new IPv4 gateway: 209.165.201.1
new IPv4 network: 209.165.201.0
new IPv4 broadcast: 209.165.201.255

is this correct? (y or n)[n] y

...

Enter new hostname [hostname]: newhostname
The hostname will be set to: newhostname

is this correct? (y or n)[n] y

...

Enter an action (exit to exit): dns

Change DNS Servers

Enter multiple DNS server IP addresses separated by spaces.
Enter new DNS Servers (or "-" to delete) []: 209.165.202.132 209.165.202.133

The DNS Servers will be set to: 209.165.202.132 209.165.202.133

is this correct? (y or n)[n] y

...

Enter an action (exit to exit): search

Change the DNS Suffix Search List

The DNS Search List is a list of one or more domain suffixes,such as 'sales.example.com example.com', to allow identifyinghosts using a relative name, instead of a fully-qualified name.

Enter new DNS Search List []: sales.example.com example.com

The DNS Search List will be set to: sales.example.com example.com

is this correct? (y or n)[n] y

...

Enter an action (exit to exit): view

The current network configuration for eth0:

Operating state: UP
IPv4 Address: 209.165.201.2
IPv4 Netmask: 255.255.255.224
IPv4 Network: 209.165.201.0
IPv4 Broadcast: 209.165.201.255

IPv4 gateway: 209.165.201.1

Hostname: newhostname

DNS Server 1: 208.67.222.222
DNS Server 2: 208.67.220.220

Current interface: eth0

...

Enter an action (exit to exit): exit

...


Checking SSH service status

Do you want to enable SSH service now? (y or n)[n] y

...

Use of NTP synchronization between the SCA, DLAs, and Network Elementsis critical to the operation of SLN.

Do you want configure NTP servers now? (y or n)[n] y

Please enter a space-separated list of NTP serverFQDNs or IP addresses: 209.165.202.134 209.165.202.135

This will remove any configured NTP servers and add thespecified servers: 209.165.202.134 209.165.202.135

Do you want to proceed with this change? (y or n)[n] y

...

Do you want to make a self-signed certificate for the SCA?(y or n)[n] y

...

Do you want to generate a different Viz certificate?(y or n)[n] y

...

A simple Distinguished Name (DN) subject of "CN=Cisco_SLN_VIZ" will beused in the certificate unless you prefer to specify the DN components.Do you want to interactively specify the cert subject DN?(y or n)[n] y

...

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: State
Locality Name (eg, city) []: City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Corporation
Organizational Unit Name (eg, section) []: Example Section
Common Name (e.g. server FQDN or YOUR name) []: www.example.com
Email Address []: [email protected]

...

Done. This script may be re-run to re-do basic setup if needed

Resetting the Administrator Password

After you run the setup-system script, reset the controller web UI administrator user account (admin) password. When you reset the password, the system prints a temporary password to the console, valid for 72 hours. You must log into the controller web UI as the admin user account, then update your password.


SUMMARY STEPS

1. cd ~/SCA

2. sudo service ciscosln-sca stop, then enter your password when prompted

3. ./sca.sh reset-admin-password

4. sudo service ciscosln-sca start

DETAILED STEPS

Step 1
Command or Action: cd ~/SCA
Purpose: Change directories to ~/SCA.
Example:
user@host:~$ cd ~/SCA

Step 2
Command or Action: sudo service ciscosln-sca stop, then enter your password when prompted
Purpose: Stop the controller processes.
Example:
user@host:~/SCA$ sudo service ciscosln-sca stop

Step 3
Command or Action: ./sca.sh reset-admin-password
Purpose: Reset the admin user account's password.
Example:
user@host:~/SCA$ ./sca.sh reset-admin-password
user@host:~/SCA$ Resetting the admin password in sln
user@host:~/SCA$ New password is 'AbCd1234'
user@host:~/SCA$ Admin password reset done.

Step 4
Command or Action: sudo service ciscosln-sca start
Purpose: Start the controller processes.
Example:
user@host:~/SCA$ sudo service ciscosln-sca start

Disabling Host Time Synchronization

After you reset the administrator password, configure the VM to disable host time synchronization. This ensures the VM synchronizes time with the configured NTP servers, instead of the ESXi host.

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. vmware-toolbox-cmd timesync disable


DETAILED STEPS

Step 1
Command or Action: vmware-toolbox-cmd timesync disable
Purpose: Modifies the .vmx virtual machine configuration file to disable time synchronization with the ESXi host.
Example:
user@host:~$ vmware-toolbox-cmd timesync disable

Logging into the Controller Web UI

When you installed the controller, you defined an IP address for the controller web UI, and reset the administrator user account (admin) password. Log in with the temporary password printed to the controller VM console. After you log in once, you must change the password and confirm the new password.

In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username andpassword when prompted.

Verifying NTP Configuration on the Controller

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. ntpq -n -p

DETAILED STEPS

Step 1
Command or Action: ntpq -n -p
Purpose: Display configured NTP servers. If the system does not display configured NTP servers, repeat NTP configuration in Configuring the Controller with the Setup Script, on page 38.
Example:
user@host:~$ ntpq -n -p
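A parser for the ntpq -n -p output that Step 1 displays, as an added example that is not part of the Cisco guide. It goes one step beyond the guide's check: besides "no servers listed", it also reports servers that have never answered (a reach of 0) and the case where servers answer but none has yet been selected as the system peer (the `*` tally code in the first column), since only the last case means the controller clock is actually disciplined by the configured servers. The function names and the three sample outputs below are constructed for this example.

```python
"""Added example, not from the Cisco guide: interpret `ntpq -n -p` output.
The sample outputs are constructed; function names are this example's own."""

SAMPLE_SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*209.165.202.134 .GPS.            1 u   42   64  377    0.734   -0.121   0.045
+209.165.202.135 209.165.202.134  2 u   40   64  377    0.912    0.203   0.071
"""

SAMPLE_UNREACHABLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 209.165.202.134 .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# What ntpq prints when no servers are configured at all.
SAMPLE_NONE = "No association ID's returned\n"


def parse_ntpq(output):
    """One dict per peer line: tally code, remote address, stratum and reach."""
    peers = []
    for line in output.splitlines():
        if not line or line.startswith("=") or line.lstrip().startswith("remote"):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 7:          # not a peer line (for example the "No association" message)
            continue
        peers.append({
            "tally": tally,                  # '*' system peer, '+' candidate, ' ' discarded
            "remote": fields[0],
            "stratum": int(fields[2]),       # 16 means the server has not been usable
            "reach": int(fields[6], 8),      # octal shift register of the last 8 polls
        })
    return peers


def ntp_status(output):
    """Return (ok, reason). ok is True only when every listed server has been
    reached at least once and one of them is the selected system peer."""
    peers = parse_ntpq(output)
    if not peers:
        return False, "no NTP servers configured; repeat the setup script NTP step"
    unreachable = [p["remote"] for p in peers if p["reach"] == 0]
    if unreachable:
        return False, "never reached: " + ", ".join(unreachable)
    selected = [p["remote"] for p in peers if p["tally"] == "*"]
    if not selected:
        return False, "servers respond but none is selected as system peer yet"
    return True, "synchronized to " + selected[0]


if __name__ == "__main__":
    for name, sample in (("synced", SAMPLE_SYNCED), ("unreachable", SAMPLE_UNREACHABLE),
                         ("none", SAMPLE_NONE)):
        print(name, ntp_status(sample))
```

A freshly configured controller normally shows the "none selected" state for a few polling intervals; "never reached" that persists points at the NTP server address or a firewall, and the empty case is the one the guide tells you to fix by rerunning the setup script.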


What to Do Next

• Update the controller certificate configuration settings, as described in the next section.


C H A P T E R 4

Controller and Agent Communications

The following describes how to configure public key certificate trust settings on your agent and controller, and how to manage agents with your controller.

• Configuring Controller/Agent Communications, page 47

• Controller and Agent Communications Overview, page 47

• Controller Certificate Management, page 48

• Updating Administrator Credentials, page 49

Configuring Controller/Agent Communications

The controller and agent pass management traffic over a management connection. Enable public key certificate trust settings on the controller. Then, log into the controller web UI to update the administrator credentials.

Step 1 Update the controller configuration file to manage certificate trust settings, including enabling TOFU and trustingself-signed agent certificates, and restart the controller processes. See Controller Certificate Management, on page 48for more information.

Step 2 Update the administrator credentials for the controller web UI. See Updating Administrator Credentials, on page 49 formore information.

Controller and Agent Communications Overview

When you ran the controller setup scripts, you also generated public key certificates. The Learning Network License system implements certificate pinning to identify public key certificates.

On the controller, you can enable TOFU. On first connection, the controller adds the agent public key certificateto a trusted store. For future connections, when the agent connects to the controller, the controller comparesthe certificate to those stored in the trusted store. If the certificate matches a certificate in the store, the controllerestablishes the connection.


Enable TOFU on the controller, and then restart the controller processes to ensure the controller recognizesand trusts these certificates.
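The trust-on-first-use decision described above, as an added example and not code from the Cisco guide or the product. The controller's real trusted store, its on-disk format and its API are not described in this guide, so the class, its method names, the string results and the stand-in certificate bytes below are all constructed for illustration; the settings it models correspond to the trustCertOnFirstUse and allowSelfSignedCert options that the next section has you set in sca.conf.

```python
"""Added example, not from the Cisco guide: a minimal model of certificate
pinning with trust on first use (TOFU). Names and sample certificates are
constructed; the product's actual store is not shown in the guide."""
import hashlib


def fingerprint(cert_der):
    """Pin the SHA-256 of the DER-encoded certificate, the usual pinning identity."""
    return hashlib.sha256(cert_der).hexdigest()


class AgentTrustStore:
    def __init__(self, trust_on_first_use=True, allow_self_signed=True):
        self.tofu = trust_on_first_use
        self.allow_self_signed = allow_self_signed
        self.pins = {}  # agent id -> pinned fingerprint

    def evaluate(self, agent_id, cert_der, self_signed):
        """Decide one connection attempt: 'pinned', 'accepted' or 'rejected'.

        unknown agent, TOFU on  -> store the fingerprint, accept ('pinned')
        unknown agent, TOFU off -> reject: nothing to compare against
        known agent, same cert  -> accept
        known agent, other cert -> reject; in this model a changed certificate
                                   is never silently re-pinned, because that
                                   is the event pinning exists to catch
        """
        if self_signed and not self.allow_self_signed:
            return "rejected"
        fp = fingerprint(cert_der)
        pinned = self.pins.get(agent_id)
        if pinned is None:
            if not self.tofu:
                return "rejected"
            self.pins[agent_id] = fp
            return "pinned"
        return "accepted" if pinned == fp else "rejected"


# Constructed stand-ins for DER certificates; only their bytes matter here.
AGENT_CERT_V1 = b"constructed-agent-cert-v1"
AGENT_CERT_V2 = b"constructed-agent-cert-v2"


def demo():
    """Walk one agent through first contact, a repeat, and a changed certificate,
    then show an unknown agent against a store with TOFU disabled."""
    store = AgentTrustStore(trust_on_first_use=True, allow_self_signed=True)
    results = [
        store.evaluate("agent-1", AGENT_CERT_V1, self_signed=True),  # first contact
        store.evaluate("agent-1", AGENT_CERT_V1, self_signed=True),  # same certificate
        store.evaluate("agent-1", AGENT_CERT_V2, self_signed=True),  # different certificate
    ]
    strict = AgentTrustStore(trust_on_first_use=False)
    results.append(strict.evaluate("agent-2", AGENT_CERT_V1, self_signed=True))
    no_self_signed = AgentTrustStore(allow_self_signed=False)
    results.append(no_self_signed.evaluate("agent-3", AGENT_CERT_V1, self_signed=True))
    return results


if __name__ == "__main__":
    print(demo())  # ['pinned', 'accepted', 'rejected', 'rejected', 'rejected']
```

The third result is the one worth watching for operationally: a rejected connection from an agent that was previously accepted means its certificate changed, which is either a planned re-deployment or something to investigate before the pin is replaced.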

Controller Certificate Management

Modify the controller configuration file to update certificate management settings. You can enable the controller to use self-signed agent certificates, and enable TOFU. After this, restart the controller processes.

Updating the Controller Configuration

The sca.conf configuration file contains several layers of nested brackets. When you update the file to add or update the dla node, make sure that you nest it within the sln bracket. See the following for an example.

sln {
  dla {
    security {
      allowSelfSignedCert = true
      trustCertOnFirstUse = true
      certRollover = true
    }
  }
}

You can also reference ~/SCA/sample_sca.conf for an example of syntax.
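A check for the nesting mistake this section warns about, as an added example that is not part of the Cisco guide. It parses only the subset of the sca.conf syntax visible in the example above (nested `name {` blocks, closing `}` lines and `key = value` lines) and then confirms that the three settings sit at sln.dla.security rather than in a dla block at the top level. The parser, its function names and the two configuration texts are constructed for this example; ~/SCA/sample_sca.conf remains the authoritative syntax reference.

```python
"""Added example, not from the Cisco guide: parse the brace-nested subset of
sca.conf syntax shown in the guide and verify that the dla security settings
are nested inside sln. Names and sample texts are this example's own."""

REQUIRED = {"allowSelfSignedCert": "true",
            "trustCertOnFirstUse": "true",
            "certRollover": "true"}

GOOD = """\
sln {
  dla {
    security {
      allowSelfSignedCert = true
      trustCertOnFirstUse = true
      certRollover = true
    }
  }
}
"""

# Constructed mistake: dla placed beside sln instead of inside it.
MISNESTED = """\
sln {
}
dla {
  security {
    allowSelfSignedCert = true
    trustCertOnFirstUse = false
  }
}
"""


def parse_blocks(text):
    """Nested dicts for `name {` ... `}` blocks and `key = value` lines.
    Raises ValueError on an unbalanced brace or an unrecognised line."""
    root, stack, current = {}, [], None
    current = root
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child = current.setdefault(line[:-1].strip(), {})
            stack.append(current)
            current = child
        elif set(line) == {"}"}:            # one or more closing braces on a line
            for _ in line:
                if not stack:
                    raise ValueError(f"line {lineno}: '}}' without a matching '{{'")
                current = stack.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if stack:
        raise ValueError("unclosed block at end of file")
    return root


def check_sca_conf(text):
    """List problems with the dla security settings; an empty list means OK."""
    conf = parse_blocks(text)
    problems = []
    if "dla" in conf:
        problems.append("dla block is at the top level; nest it inside sln { }")
    security = conf.get("sln", {}).get("dla", {}).get("security", {})
    for key, want in REQUIRED.items():
        have = security.get(key)
        if have is None:
            problems.append(f"sln.dla.security.{key} is missing")
        elif have != want:
            problems.append(f"sln.dla.security.{key} = {have}, expected {want}")
    return problems


if __name__ == "__main__":
    print(check_sca_conf(GOOD))       # []
    print(check_sca_conf(MISNESTED))  # top-level dla plus three missing keys
```

Run against ~/SCA/sca.conf after Step 3 of the next procedure and before the restart, the empty list confirms the edit landed under sln; a ValueError from the parser usually means a brace was lost while editing the nested layout.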

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. cd ~/SCA

2. sudo vi sca.conf, then input your password when prompted

3. Update the configuration file to include or modify the configuration.

4. Press Esc, then enter :wq! and press Enter.

DETAILED STEPS

Step 1
Command or Action: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example:
user@host:~$ cd ~/SCA

Step 2
Command or Action: sudo vi sca.conf, then input your password when prompted
Purpose: Edit the sca.conf configuration file.
Example:
user@host:~/SCA$ sudo vi sca.conf

Step 3
Command or Action: Update the configuration file to include or modify the configuration.
Purpose: Update the configuration file to include allowSelfSignedCert = true, trustCertOnFirstUse = true, and certRollover = true.

Step 4
Command or Action: Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and exit the editor.

What to Do Next

• Restart the controller's processes, as described in the next section.

Restarting Controller Processes

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. cd ~/SCA

2. sudo service ciscosln-sca restart

DETAILED STEPS

Step 1
Command or Action: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example:
user@host:~$ cd ~/SCA

Step 2
Command or Action: sudo service ciscosln-sca restart
Purpose: Restart the controller processes.
Example:
user@host:~/SCA$ sudo service ciscosln-sca restart

Updating Administrator Credentials

Update your administrator credentials to log into the controller web UI. In a later step, the install script, located on the controller, adds deployed agents to the controller using these updated administrator credentials.


When you installed the controller, you defined an IP address for the controller web UI. In your web browser, navigate to https://sca-ip-address, then log in with the administrator user account (admin) and the default login password (cisco). After the first login, you must change the password and confirm the new password. Use this new password, not the default, when you define sca_webui_login in the install.yaml properties file.

What to Do Next

• Configure your ISR's NTP settings, as described in the next section.


CHAPTER 5   Network Element Configuration

The following describes how to configure Flexible NetFlow, NTP servers, and SSH on your ISR.

• Configuring a Network Element, page 51

• NTP Configuration, page 51

• SSH Configuration, page 53

Configuring a Network Element

Configure NTP server addresses on the ISR to synchronize time between the controller, agent, and ISR. When you deploy agents to your network using the install script, the install script also configures Flexible NetFlow. See NetFlow Configuration, on page 131 for more information.

Note: NTP and DNS configuration are not required for deploying a virtual service. However, if you enter NTP or DNS domain names or IP addresses incorrectly on your ISR, you cannot deploy virtual services to it, so check each entry before you run the install script.

Finally, make sure you configure outbound SSH on your ISR.

Step 1   Configure NTP on your ISR. See NTP Configuration, on page 51 for more information.

Step 2   Configure outbound SSH on your ISR. See SSH Configuration, on page 53 for more information.

NTP Configuration

To configure NTP server addresses on the ISR, associate the router management interface with the NTP servers. Alternatively, if you have a loopback interface already configured, you can use that instead to reference NTP servers.


Configuring NTP on the ISR

The agents deployed as a virtual service receive time from the host router. You must configure NTP servers on the ISR to ensure that Learning Network License timestamps match, and that the system displays anomalies properly.

Note: NTP configuration is not required for deploying a virtual service. However, if you configure NTP server domain names or IP addresses incorrectly on the ISR, you cannot deploy virtual services to it, so check each entry.

You can enter each command individually. You can also paste the commands from the example below into a text editor, update the variables, then paste all the updated commands into the command line. The ntp source and ntp server commands are global configuration commands, so enter them from configuration mode, with one ntp server line per NTP server:

enable
configure terminal
ntp source GigabitEthernet0/0/0
ntp server <ipv4-address-1>
ntp server <ipv4-address-2>
end
show ntp associations
exit

If you have an existing loopback interface, use that as the NTP source interface. Otherwise, use the router management interface.

DETAILED STEPS

Step 1   Command: enable
         Purpose: Enable privileged EXEC mode. Enter your password if prompted.
         Example: Router> enable

Step 2   Command: configure terminal
         Purpose: Enter global configuration mode.
         Example: Router# configure terminal

Step 3   Command: ntp source GigabitEthernet0/0/0
         Purpose: Source NTP traffic from the GigabitEthernet0/0/0 interface (or from your loopback interface, if you have one).
         Example: Router(config)# ntp source GigabitEthernet0/0/0

Step 4   Command: ntp server ipv4-address
         Purpose: Define an NTP server. Repeat the command with another address to define a backup NTP server.
         Example: Router(config)# ntp server 209.165.202.129
                  Router(config)# ntp server 209.165.202.130

Step 5   Command: end
         Purpose: Return to privileged EXEC mode.
         Example: Router(config)# end

Step 6   Command: show ntp associations
         Purpose: Display the configured NTP servers. If the output does not show the servers you configured, repeat the configuration process.
         Example: Router# show ntp associations

Step 7   Command: exit
         Purpose: Exit privileged EXEC mode.
         Example: Router# exit


SSH Configuration

Ensure that your Network Element has outbound SSH enabled for the username used to copy the agent OVA: the ISR acts as the SCP client and pulls the OVA from the source host. When you configure the install.yaml install script properties file, you define dla_ova_copy: src_username with this username. See http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html for more information.


CHAPTER 6   Virtual Service Install Script

The following describes how to deploy agents to your ISRs using the install script.

• Deploying Agents Using the Install Script, page 55

• ISR Hardware Configuration, page 55

• Install Script Overview, page 56

Deploying Agents Using the Install Script

After you install the controller, you can use an install script to deploy agents as virtual services on your ISRs. The install script references a properties file, which you update with deployment details. If you define multiple agents in the properties file, the script deploys them in parallel.

Step 1 Download the agent OVA file to the controller. See Downloading the OVA Files from Cisco, on page 21 for moreinformation.

Step 2 Update the install and upgrade properties file with details of your deployment. See Updating the Agent Properties File,on page 69 for more information.

Step 3 Run the install script. See Running the Install Script, on page 71 for more information.

ISR Hardware Configuration

Before you deploy your agents as virtual services, ensure that your ISRs have enough RAM and the proper hardware installed, as described in ISR 4000 Series Platform Requirements, on page 12.

For more information on hardware installation, see the Hardware Installation Guide for the Cisco 4000 Series Integrated Services Router, at http://www.cisco.com/c/en/us/td/docs/routers/access/4400/hardware/installation/guide4400-4300/C4400_isr.html.


Install Script Overview

The controller includes an agent install and upgrade properties file (install.yaml) and an agent install script (installation_auto.py). Running the agent install script requires configuring the agent install and upgrade properties file with agent, ISR, and network settings. You can configure the file to deploy multiple agents at one time. This file contains global settings, which apply to all deployed agents, and branch-specific settings, which apply only to one ISR and agent.

Note: For a given version of the Learning Network License system, only the version of Ubuntu Linux shipped with the controller and agents is supported. Do NOT upgrade Ubuntu Linux on the controller or agent VMs.

When you run the install script, it reads the properties file, and does the following for each agent:

• uploads the OVA file to the ISR

• configures flexible NetFlow for Learning Network License

• configures a virtual service named sln and deploys the agent

• configures ISR and agent network settings

• adds the new agent to the controller

Install Script Deployment

Install Script Diagram

An agent may be installed as a virtual-service (container) in an ISR 4331, 4351, 4431, or 4451 router byrunning the installation_auto.py install and upgrade script. The controller contains the script, which yourun from the controller command line. The script issues configuration commands on the router and thenewly-created agent. It also adds the agent to the controller, so the user can issue further configuration changesfrom the controller web UI.


The script references the install.yaml properties file, also located on the controller. The following diagramtracks the various properties in the deployment process.

Figure 6: ISR and Agent Deployed as a Virtual Service

Agent Copy

The arrow labeled copy (scp) demonstrates the install script copying the agent .ova file from a network locationof your choice to the Network Element (4331, 4351, 4431, or 4451 router). In this example, the script copiesthe file from the deployed controller using the SCP protocol to the ISR.

For all commands issued to the ISR, the script uses the configured credentials (ne_username, ne_password)to connect to the network element (ne_ctl_ip).

The following properties control how the script copies the file:

• src_host - the network location where the agent .ova file is copied from

• src_username - username used by the script to log into this network location

• src_password - password used by src_username

• src_ova_path - filepath and filename on the host where the agent .ova file is located


• dst_store - whether the script copies the .ova file to the branch router harddisk or bootflash

Cisco recommends you define the controller as the source host, upload the .ova to the controller, and copythe file to all branch routers.

Agent Virtual Service Creation

The center of the diagram shows the commands the script uses to create, install, and activate the agent as avirtual-service (container), and references the properties file to apply values to the variables.

The script creates the virtual-service with two virtual interfaces, using the interface VirtualPortGroup

commands:

• ctl/mgmt - The control and management interface, used for agent/controller communication, to installmitigation policies on the router, and to receive NetFlow records from the router. This isVirtualPortGroup 1 on the router, and eth0 on the agent.

The script configures the ctl/mgmt interface without an IP address, (using ip unnumbered), referencingthe name of a router interface (parent-if-name) whose IP address is reachable by the controller.

The script also configures an ip route on the agent with a routable IP address (dla_ctl_ip) so therouter forwards packets from the controller to the agent over the ctl/mgmt interface.

Note that you configure credentials for the agent to log into the router (dla_ne_login: username and dla_ne_login: password), which the agent uses to install mitigation policies and to collect information from the router.

• data xfer - The data transfer interface, used to send raw packet data from the router to the agent, whenpacket buffer capture (PBC) or DNS deep packet inspection (DNS/DPI) are enabled. This isVirtualPortGroup 2 on the router, and eth1 on the agent.

The script configures the data xfer interface with a private IP address (ne_ip) and netmask (ne_mask),since traffic across this interface never leaves the router.

After configuring the virtual interfaces, the script issues commands (virtual-service, vnic) to create thevirtual-service named sln with two virtual interfaces reachable by the VirtualPortGroup 1 andVirtualPortGroup 2 interfaces on the router.

The script then issues an install command to install the agent .ova into the virtual service, then an activatecommand to activate the virtual service.

Finally, the script issues the connect command to log into the virtual service console to configure the following:

• the agent hostname (dla_hostname) and default gateway (dla_ctl_gw)

• the eth0 interface with a routable IP address (dla_ctl_ip) and netmask (dla_ctl_mask). The controllermust be able to reach this address.

• the eth1 interface with a private IP address (dla_dat_ip) and netmask (dla_dat_mask)


Learning Network License NetFlow Configuration

The install script also issues commands to configure Flexible NetFlow (Version 9), as required for LearningNetwork License. The following diagram illustrates this configuration.

Figure 7: NetFlow Operation on the ISR

The script creates the following:

• SLN-NF-RECORD - a NetFlow flow record which defines key fields to match traffic, and non-key fieldsto collect

• SLN-NF-EXPORTER - a NetFlow flow exporter that references the agent dla_ctl_ip IP address to sendNetFlow data to the agent

• SLN-NF-MONITOR - a NetFlow flow monitor that references SLN-NF-RECORD to monitor input and outputtraffic coming over configured branch interfaces, and forwards it to SLN-NF-EXPORTER

The script also issues an interface command for each branch interface (branch-if1-names...) that youconfigure in the properties file. These branch interfaces are the router interfaces used to reach branch hosts.

Agent Addition to the Controller

The script adds each agent to the controller, if not already added, using the RESTful API. The script logs intothe controller using the configured credentials (sca_webui_login: username, sca_webui_login: password).


The script uses the agent hostname (dla_hostname) or the IP address (dla_ctl_host_sca) if the agent hostnameis not resolvable in DNS.

Each agent is added to the controller as Disabled. You must log into the controller web UI to enable the agent.If you register your deployment with Smart Licensing, enabling the agent also consumes a license entitlement.

Agent Properties File Overview

The agent install and upgrade properties file (install.yaml), located on the controller, is in YAML format, and stores settings as key-value pairs. The install script uses these settings to deploy one or more agents. The controller contains an install.yaml.example file, which contains the basic YAML format and sample settings. You can rename this file to install.yaml and update the settings for your deployment.

The file stores global settings, which apply to all agent deployments. The file also stores per-branch settings,each set of which are applied to a specific ISR and agent. Per-branch settings override global settings. If youdefine a setting both as global and as per-branch for certain branches, the install script selects the per-branchsetting when defined, and the global setting when the per-branch setting is not defined.

You define usernames and passwords in the properties file, which the install script uses to access ISRs, thecontroller, and agents. If you comment out a password property by placing a pound sign (#) at the beginningof that line, the script prompts you for that password while running. However, if you comment out thedla_password or ne_password property as a global setting, the script prompts you for the first agent wherethe property is not defined. It then uses the password you enter for every agent which does not have theproperty defined.

Note: Usernames and passwords added to the properties file remain in the file after you finish deploying the agents. If this is a security concern, remove them after the deployment completes, and while they are present restrict the file to its owner (for example, chmod 600 install.yaml); the file holds a privilege-15 router login and the controller administrator password.

Agent Properties File Settings

Global Property Settings

The following are the global property settings. You can define any of these per-branch, except for thesca_webui_login settings. If you define dla_ova_copy: src_host, dla_ova_copy: src_username, ordla_ova_copy: src_password per-branch, youmust also define each setting globally. Note that the per-branchsetting overrides the global setting.

When you run the script, it prompts you for any password you do not define.

Note: The syntax below is presented as an example. Do not copy and paste it into the properties file. Improper formatting and spacing in the properties file cause the script to fail.

dla_ova_copy:
  src_host: <source-host-ip>
  src_username: <source-host-user>
  src_password: <source-host-password>
  src_ova_path: <source-host-ova-filepath>
  dst_store: <dest-store-location>

vir_portgroup_1:
  ip_unnum: <parent-interface>
  vrf_forwarding: <parent-interface-vrf>

vir_portgroup_2:
  ne_ip: <private-ip-1>
  ne_mask: <private-ip-1-mask>
  dla_dat_ip: <private-ip-2>
  dla_dat_mask: <private-ip-2-mask>

ne_username: <ne-user>
ne_password: <ne-password>
ne_port: <tcp-port>
dla_password: <dla-password>

dla_ne_login:
  username: <dla-ne-user>
  password: <dla-ne-password>

sca_webui_login:
  username: <sca-user>
  password: <sca-password>

Table 12: dla_ova_copy Properties

Property: dla_ova_copy
  Description: group of properties used to copy the agent OVA from a source host that is capable of SCP file copying, such as the controller, to the ISR
  Validation: n/a
  Required: n/a

Property: src_host
  Description: IP address of the host containing the agent OVA, from which the script copies the file
  Validation: IPv4 address or DNS name
  Required: yes

Property: src_username
  Description: username the script uses to log into the Linux console of the host containing the agent OVA
  Validation: string
  Required: yes

Property: src_password
  Description: password for src_username
  Validation: string, cannot be NULL
  Required: yes

Property: src_ova_path
  Description: filepath on the source host where the agent OVA is located, such as /home/sln/agent.ova, in quotation marks
  Validation: string, must contain filepath and filename
  Required: yes

Property: dst_store
  Description: bootflash to upload the agent OVA to the ISR's flash memory, or harddisk to upload the agent OVA to the ISR's hard drive. Specify bootflash only if your ISR does not have a hard drive installed. If your ISR has a hard drive and you specify bootflash, the script ignores the setting and uploads to the hard drive.
  Validation: bootflash or harddisk
  Required: yes

Table 13: vir_portgroup_1 Properties

Property: vir_portgroup_1
  Description: group of properties used to create the VirtualPortGroup 1 virtual interface
  Validation: n/a
  Required: n/a

Property: ip_unnum
  Description: name of an interface on your ISR through which the controller can reach the agent. The script uses this to configure the Network Element side of the ctl/mgmt interface.
  Validation: string
  Required: yes

Property: vrf_forwarding
  Description: name of the non-default VRF instance on your ISR that the ip_unnum interface belongs to. If you added the interface to a non-default VRF instance, you must configure this so the script can properly copy the OVA file to the router.
  Validation: string
  Required: no; see Configuring VRF Forwarding on the ISR, on page 68 for more information


Table 14: vir_portgroup_2 Properties

Property: vir_portgroup_2
  Description: group of properties used to create the VirtualPortGroup 2 virtual interface
  Validation: n/a
  Required: n/a

Property: ne_ip
  Description: Network Element IP address on the virtual-service Data Transfer interface. The script uses this to configure the Network Element side of the Data Transfer interface. Because traffic over this interface does not leave the router, specify a private IP address.
  Validation: IPv4 address
  Required: yes

Property: ne_mask
  Description: the netmask for ne_ip
  Validation: subnet mask
  Required: no

Property: dla_dat_ip
  Description: Agent IP address on the virtual-service Data Transfer interface. The script uses this to configure the agent side of the Data Transfer interface. Because traffic over this interface does not leave the router, specify a private IP address.
  Validation: IPv4 address
  Required: yes

Property: dla_dat_mask
  Description: the netmask for dla_dat_ip
  Validation: subnet mask
  Required: no

Table 15: ne_username Property

Property: ne_username
  Description: a username with a privilege level of 15 that the install script uses to log into the ISR to execute CLI commands
  Validation: string
  Required: yes

Table 16: ne_password Property

Property: ne_password
  Description: the password for ne_username
  Validation: string, cannot be NULL
  Required: no; the script prompts you if it is not defined. If you do not define the ne_password property as a global property, the script prompts you the first time it attempts to deploy an agent whose branch properties also do not contain ne_password. The script then reuses that password for every remaining agent deployment for which ne_password is not defined.

Table 17: ne_port Property

Property: ne_port
  Description: the TCP port the install script uses when connecting via SSH to the ISR. If undefined, this defaults to 22.
  Validation: integer
  Required: no


Table 18: dla_password Property

Property: dla_password
  Description: password configured for the agent admin account when the script deploys the agent, to replace the default admin password
  Validation: string, cannot be NULL, must be a minimum of 6 characters
  Required: no; the script prompts you if it is commented out. If you do not define the dla_password property as a global property, the script prompts you the first time it attempts to deploy an agent whose branch properties also do not contain dla_password. The script then reuses that password for every remaining agent deployment for which dla_password is not defined.

Table 19: dla_ne_login Properties

Property: dla_ne_login
  Description: group of properties used to define agent credentials to log into the Network Element
  Validation: n/a
  Required: n/a

Property: username
  Description: username the agent uses to log into the ISR to learn about interfaces and install mitigations
  Validation: string
  Required: yes

Property: password
  Description: password for the agent username
  Validation: string, cannot be NULL
  Required: no; the script prompts you if it is commented out

Table 20: sca_webui_login Properties

Property: sca_webui_login
  Description: group of properties used to define install script credentials to log into the controller web UI
  Validation: n/a
  Required: n/a

Property: username
  Description: username the script uses to log into the controller web UI to add agents to the controller and configure agent attributes
  Validation: string
  Required: yes

Property: password
  Description: password to log into the controller
  Validation: string, cannot be NULL
  Required: no; the script prompts you if it is commented out

Branch-Specific Property Settings

The following are the branch-specific property settings. For each new set of branch settings, you must preface them with a dash (-).

Note: The syntax below is presented as an example. Do not copy and paste it into the properties file. Improper formatting and spacing in the properties file cause the script to fail.

branches:
  - ne_ctl_ip: <parent-interface-ip>
    dla_ctl_ip: <control-ip>
    dla_ctl_mask: <control-ip-mask>
    dla_ctl_gw: <control-ip-gateway>
    dla_hostname: <dla-hostname>
    dla_description: <dla-description>
    ne_netflow_interfaces:
      ifnames: ['<branch-interface-1>', '<branch-interface-2>', ..., '<branch-interface-N>']
    dla_ctl_host_sca: <dla-ip-for-sca>

The dla_description and ne_ctl_ip properties can only be set through the install script on initial agent installation. If you want to update the agent description after installation, modify it in the controller web UI. See the Cisco Stealthwatch Learning Network License Configuration Guide for more information.

Table 21: branches Properties

Property: branches
  Description: group of settings used to configure a specific agent on a branch Network Element
  Validation: n/a
  Required: n/a

Property: ne_ctl_ip
  Description: IP address of the physical interface defined for vir_portgroup_1: ip_unnum, which the script uses to connect to the network element and to add an agent to the controller. You can only set this on initial agent installation.
  Validation: IPv4 address
  Required: yes

Property: dla_ctl_ip
  Description: a routable IP address for the agent on the control interface that ne_ctl_ip can reach, so the controller can reach the agent
  Validation: IPv4 address
  Required: yes

Property: dla_ctl_mask
  Description: mask for dla_ctl_ip
  Validation: subnet mask
  Required: yes

Property: dla_ctl_gw
  Description: default gateway the agent uses for non-local destinations, generally the same IP address as ne_ctl_ip
  Validation: IPv4 address
  Required: yes

Property: dla_hostname
  Description: agent hostname, used by the script to generate unique names for per-branch log files, used by the controller to connect to dla_ctl_ip, and used by the controller web UI as the agent's unique name
  Validation: string
  Required: yes

Property: dla_description
  Description: agent description. You can only set this on initial agent installation.
  Validation: string, up to 256 characters, surrounded by double quotation marks (")
  Required: no; if undefined, the script populates the description with the dla_hostname value, or with the dla_ctl_host_sca IP address if you defined it

Property: ne_netflow_interfaces: ifnames
  Description: a list of ISR branch-facing interfaces on which the script configures Flexible NetFlow for Learning Network License
  Validation: a comma-delimited array, surrounded by brackets ([]), with each interface name surrounded by single quotes (')
  Required: yes

Property: dla_ctl_host_sca
  Description: agent IP address used by the controller to reach the agent if the agent hostname is not resolvable in DNS, or if the agent control IP address is behind a NAT or PAT. If you do not define this, the script adds the agent to the controller using the dla_hostname value.
  Validation: IPv4 address
  Required: no

Configuring VRF Forwarding on the ISR

In the install.yaml properties file, if you added the vir_portgroup_1: ip_unnum interface to a non-defaultVPN routing and forwarding (VRF) instance on your ISR, you must define the vir_portgroup_1:vrf_forwarding property in the file. This allows the script to properly copy the .ova file to the router usingSCP.

On the ISR, you must also configure the vir_portgroup_1: ip_unnum interface as the source address for anSSH client device, so the script can properly copy the .ova file.

Before You Begin

• Define vrf_forwarding in the install.yaml properties file. See Agent Properties File Settings, on page60 for more information.

• Log into the ISR console.

SUMMARY STEPS

1. enable

2. config t

3. ip ssh source-interface <ip_unnum>

4. exit

DETAILED STEPS

Step 1   Command: enable
         Purpose: Enable privileged EXEC mode.
         Example: Router> enable

Step 2   Command: config t
         Purpose: Enter global configuration mode.
         Example: Router# config t

Step 3   Command: ip ssh source-interface <ip_unnum>
         Purpose: Specify the ip_unnum interface as the source interface for the ISR's SSH client, so the script can copy the .ova file.
         Example: Router(config)# ip ssh source-interface GigabitEthernet0/0/0

Step 4   Command: exit
         Purpose: Exit global configuration mode and return to privileged EXEC mode.
         Example: Router(config)# exit

Updating the Agent Properties File

Before You Begin

• Log into the controller VM console with the username sln.

SUMMARY STEPS

1. cd /opt/cisco/sln/install_upgrade/container

2. cp install.yaml.example install.yaml

3. vi install.yaml, then enter your password when prompted.4. Using Agent Properties File Settings, on page 60 as a guide, update the properties file with the necessary

settings.5. Press Esc, then enter :wq! and press Enter.

DETAILED STEPS

PurposeCommand or Action

Navigate to the /container directory.cd /opt/cisco/sln/install_upgrade/container

Example:user@host:~$ cd /opt/cisco/sln/install_upgrade/container

Step 1

Copy the install.yaml.example file toinstall.yaml.

cp install.yaml.example install.yaml

Example:user@host:/opt/cisco/sln/install_upgrade/container$ cpinstall.yaml.example install.yaml

Step 2


Step 3
  Command or Action: vi install.yaml, then enter your password when prompted.
  Purpose: Open the install.yaml install and upgrade properties file in the vi text editor.
  Example: user@host:/opt/cisco/sln/install_upgrade/container$ vi install.yaml

Step 4
  Command or Action: Using Agent Properties File Settings, on page 60 as a guide, update the properties file with the necessary settings.
  Purpose: Update the properties file with the necessary settings.

Step 5
  Command or Action: Press Esc, then enter :wq! and press Enter.
  Purpose: Save your changes and close the file.

What to Do Next

• Run the install script, as described in Install Script Operation, on page 70.

Install Script Operation

The install script (installation_auto.py) deploys agents as virtual services based on settings in the agent install and upgrade properties file (install.yaml). You configure the properties file and run the install script from the controller, which contains both by default.

Based on the properties file settings and the script options you select, the script attempts to deploy agents in batches, copying the .ova file to the ISR, then deploying it.

Note: The script copies the .ova file to the ISR based on the properties file settings. However, if you copy the .ova file to the ISR, and configure the properties file setting to upload the .ova to the same filepath, the script deploys the agent using the .ova file already on the ISR.

As the script runs, it displays progress updates on the console every 10 seconds. These updates display the total number of agents to deploy, the number in progress, and the number that succeeded and failed.

If you commented out password properties in the install.yaml properties file, the script prompts you during the progress updates. For agent passwords, if you did not define a global password, the first time the script deploys an agent without a password defined, it prompts you for the password, then uses this password for all remaining agents without a password defined. The script also logs its progress to several log files.

You can exit the script at any time by pressing Ctrl-C.

Install Script Options

Append the following options to the command line when running the script for the following functionality:


Table 22: Install Script Options

Option: -b <integer>
  Description: Configure the script to deploy this number of agents in a batch at one time. The script defaults to deploying 50 agents in a batch. If you notice failed deployments when running the script, try lowering the batch size.

Option: -c install.yaml
  Description: Reference the install.yaml properties file.

Option: --clean_only
  Description: Removes all Learning Network License configuration and the virtual service from the ISR. If you want to upgrade your agents to the same version, run the script using --clean_only first, then run the script without --clean_only.

Option: -f
  Description: Copies the .ova file specified in the properties file to the destination filepath on the ISR, even if an .ova file with the same name is present at that destination filepath.

Option: -i
  Description: Deploy all agents configured in the properties file, even if they have been previously installed successfully. If you do not define this option, the script only deploys agents that previously failed to deploy properly.

Option: -h
  Description: Show help for options.

Option: -v
  Description: Perform local validation of the referenced properties file.

Option: -V
  Description: Perform validation of the referenced properties file, including connecting to the network element and validating interface names.

Run a basic installation from the controller command line with the following command:

installation_auto.py -c install.yaml

Running the Install Script

Before You Begin

• Log into the controller VM console.


SUMMARY STEPS

1. cd /opt/cisco/sln/install_upgrade/container

2. installation_auto.py -c install.yaml, then enter your password when prompted

3. If you did not update install.yaml with passwords, enter those when prompted.

DETAILED STEPS

Step 1
  Command or Action: cd /opt/cisco/sln/install_upgrade/container
  Purpose: Navigate to the /container directory.
  Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container

Step 2
  Command or Action: installation_auto.py -c install.yaml, then enter your password when prompted
  Purpose: Run the installation_auto.py install script.
  Example: user@host:/opt/cisco/sln/install_upgrade/container$ installation_auto.py -c install.yaml

Step 3
  Command or Action: If you did not update install.yaml with passwords, enter those when prompted.
  Purpose: Provide passwords when prompted.

Script Logs

The install script logs to multiple files on the controller at /opt/cisco/sln/install_upgrade/container/LOGS for virtual service agents. These files include:

• aa_summary - The pass/fail status for each agent deployment. By default, the script references this file, and only deploys agents that failed to deploy properly.

• <dla-hostname>_commands - The ISR and agent commands the script ran successfully for this agent.

• <dla-hostname>_logs - The installation information logged as the script ran for this agent, including error information.

Each time you run the install script, it moves the existing log files to /opt/cisco/sln/install_upgrade/container/PREV_RUN, deletes the files in that folder, and generates new log files in the LOGS folder.
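The following added example models how the -i and -b options (Install Script Options) and the aa_summary file (Script Logs) determine what a run touches. It is not part of this guide and not code from installation_auto.py. The aa_summary line format ("<dla-hostname> PASS|FAIL"), the treatment of an agent with no aa_summary entry as not yet deployed, and the LOGS/PREV_RUN rotation order are assumptions; the hostnames and file contents are constructed sample data.

```python
"""Model of install-script run planning and log rotation (added example, not Cisco's code)."""
import shutil
from pathlib import Path
from typing import Dict, List

# Constructed aa_summary content. The "<hostname> PASS|FAIL" format is an assumption.
SAMPLE_AA_SUMMARY = """\
# hostname      status
dla-branch-01 PASS
dla-branch-02 FAIL
dla-branch-03 PASS
dla-branch-04 FAIL
"""

# Constructed list of agent hostnames defined in install.yaml; -05 has never been attempted.
SAMPLE_AGENTS = ["dla-branch-01", "dla-branch-02", "dla-branch-03",
                 "dla-branch-04", "dla-branch-05"]


def parse_aa_summary(text: str) -> Dict[str, bool]:
    """Map each agent hostname to True for PASS and False for FAIL."""
    status: Dict[str, bool] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed aa_summary line: {raw!r}")
        status[fields[0]] = fields[1].upper() == "PASS"
    return status


def select_agents(agents: List[str], summary: Dict[str, bool],
                  redeploy_all: bool = False) -> List[str]:
    """Agents a run would deploy.

    With -i (redeploy_all) every agent in install.yaml is deployed, even ones that
    previously succeeded. Without -i only agents that did not succeed before are
    deployed: FAIL in aa_summary, or (assumption) no aa_summary entry at all.
    """
    if redeploy_all:
        return list(agents)
    return [a for a in agents if not summary.get(a, False)]


def batches(agents: List[str], batch_size: int = 50) -> List[List[str]]:
    """Cut the agent list into -b sized batches; the guide's default is 50."""
    if batch_size < 1:
        raise ValueError("batch size must be a positive integer")
    return [agents[i:i + batch_size] for i in range(0, len(agents), batch_size)]


def plan_run(aa_summary_text: str, agents: List[str],
             redeploy_all: bool = False, batch_size: int = 50) -> List[List[str]]:
    """Read aa_summary, pick the agents for this run, and batch them."""
    summary = parse_aa_summary(aa_summary_text)
    return batches(select_agents(agents, summary, redeploy_all), batch_size)


def rotate_logs(container_dir: Path) -> Path:
    """Model of the rotation the guide describes: the old PREV_RUN contents are
    deleted, the current LOGS files move into PREV_RUN, and LOGS is left empty
    for the new run's aa_summary and per-agent files. Order is an assumption."""
    logs = container_dir / "LOGS"
    prev = container_dir / "PREV_RUN"
    if prev.exists():
        shutil.rmtree(prev)
    prev.mkdir(parents=True)
    logs.mkdir(parents=True, exist_ok=True)
    for entry in logs.iterdir():
        shutil.move(str(entry), str(prev / entry.name))
    return logs


if __name__ == "__main__":
    # Default run: only agents that did not succeed before, in one batch.
    print(plan_run(SAMPLE_AA_SUMMARY, SAMPLE_AGENTS))
    # Equivalent of "-i -b 2": every agent, two per batch.
    print(plan_run(SAMPLE_AA_SUMMARY, SAMPLE_AGENTS, redeploy_all=True, batch_size=2))
```

Running the block without options reproduces the default behaviour described above: dla-branch-02 and dla-branch-04 (FAIL) and dla-branch-05 (never attempted) are selected, while the two PASS agents are skipped unless -i is given.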

Accessing the Install Script Logs

Before You Begin

• Log into the controller VM console.


SUMMARY STEPS

1. cd /opt/cisco/sln/install_upgrade/container/LOGS

2. vi <logfile>

DETAILED STEPS

Step 1
  Command or Action: cd /opt/cisco/sln/install_upgrade/container/LOGS
  Purpose: Navigate to the /LOGS directory.
  Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container/LOGS

Step 2
  Command or Action: vi <logfile>
  Purpose: Open the log file in the vi text editor.
  Example: user@host:/opt/cisco/sln/install_upgrade/container/LOGS$ vi aa_summary


CHAPTER 7

Agent Management

The following describes how to enable Smart Licensing on your controller and manage agents.

• Managing and Licensing Agents, page 75

• Smart Licensing Overview, page 75

• Interface Configuration, page 81

• Enabling Agents on the Controller, page 83

• Configuring Agent Network Settings, page 83

• Agent Configuration Templates, page 84

Managing and Licensing Agents

After you run the install script, you can register Smart Licensing on your controller, then enable the managed agents.

Step 1 Log into the controller and register Smart Licensing. See Smart Licensing Overview, on page 75 for more information.

Step 2 Enable your agents on the controller. See Enabling Agents on the Controller, on page 83 for more information.

Smart Licensing Overview

To deploy the Learning Network License, you must register your controller with Cisco Smart Licensing. If you do not, your deployment enters Evaluation Mode, a 90-day trial which limits you to a maximum of 10 managed agents, and disables new functionality when the 90 days expire.

Cisco Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, Smart Licenses are not tied to a specific serial number or license key. Smart Licensing lets you assess your license usage and needs at a glance.


In addition, Smart Licensing does not prevent you from deploying agents. You can deploy an agent and purchase the license later. This allows you to deploy and use an agent, and avoid delays due to purchase order approval.

Smart Software Manager

When you purchase one or more Smart Licenses, you manage them in the Cisco Smart Software Manager: http://www.cisco.com/web/ordering/smart-software-manager/index.html. The Smart Software Manager lets you create a master account for your organization.

By default, your licenses are assigned to the Default Virtual Account under your master account. As the account administrator, you can create additional virtual accounts; for example, for regions, departments, or subsidiaries. Multiple virtual accounts help you manage large numbers of licenses and appliances.

You manage licenses and appliances by virtual account. Only that virtual account’s appliances can use the licenses assigned to the account. If you need additional licenses, you can transfer an unused license from another virtual account. You can also transfer appliances between virtual accounts.

For each virtual account, you can create a Product Instance Registration Token. Enter this token ID when you register a controller. You can create a new token if an existing token expires. An expired token does not affect a registered controller that used this token for registration, but you cannot use an expired token to register a controller. Also, a registered controller becomes associated with a virtual account based on the token you use. You can also create a new token, and use it to reregister even if the current token is still valid.

For more information about the Cisco Smart Software Manager, see Cisco Smart Software Manager User Guide.

Smart License Types

Each Learning Network License component has a corresponding license entitlement, as described in the following table:

Table 23: Smart License Entitlement Types

Learning Network License Component: controller
  License Entitlement and Description: L-SW-SCA-K9 - SCA Virtual Manager
  Associated File Downloads and Description: sln-sca-k9-<ver>.ova - single controller OVA

Learning Network License Component: agent deployed as a virtual service on an ISR 43XX
  License Entitlement and Description:
    L-SW-LN-43-1Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 1 Yr Term
    L-SW-LN-43-3Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 3 Yr Term
  Associated File Downloads and Description:
    sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD
    sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash

Learning Network License Component: agent deployed as a virtual service on an ISR 44XX
  License Entitlement and Description:
    L-SW-LN-44-1Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 1 Yr Term
    L-SW-LN-44-3Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 3 Yr Term
  Associated File Downloads and Description:
    sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD
    sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash

Learning Network License Component: agent installed on a UCS E-Series blade server
  License Entitlement and Description:
    L-SW-LN-UCS-1Y-K9 - Cisco Stealthwatch Learning Network License for UCS Series 1 Yr Term
    L-SW-LN-UCS-3Y-K9 - Cisco Stealthwatch Learning Network License for UCS Series 3 Yr Term
  Associated File Downloads and Description: sln-dla-ucse-k9-<ver>.ova - agent deployed to a UCS E-Series blade server

You must obtain one license entitlement for each controller and agent deployed to your environment.

The controller web UI displays license entitlement counts for your agents. When you enable a managed agent with the controller, the Smart Licensing Agent automatically requests a license entitlement for that agent, specific to that installation type. It also updates the license count. Similarly, when you disable a managed agent from the controller, the Smart Licensing Agent requests to free the license entitlement, and updates the license count.

For more information on Smart Licensing, see http://www.cisco.com/web/ordering/smart-software-manager/smart-accounts.html.

Smart Licensing Configuration

By default, the controller connects directly to the Licensing Authority servers. You can configure the sa.properties Smart Licensing configuration file to connect to the Licensing Authority servers through an HTTP or HTTPS proxy server.

By default, the controller logs information about Smart Licensing. You can disable this in the sa.properties configuration file.

Smart Licensing Configuration File Settings

If you want to change how your controller connects to the Licensing Authority servers, you can configure an HTTP proxy or HTTPS proxy. You cannot configure more than one.

Table 24: sa.properties Configuration File Settings

Field: PRODUCT_SN
  Description: A globally unique identifier for the controller generated by the system during the installation process
  Allowed Values: not configurable, do not modify this property even if blank

Field: HTTP_PROXY_HOST
  Description: URL of the HTTP proxy used to connect to the Licensing Authority servers
  Allowed Values: URL of the HTTP proxy. Do not configure this if you configured HTTPS_PROXY_HOST.

Field: HTTP_PROXY_PORT
  Description: HTTP proxy port used to connect to the Licensing Authority servers
  Allowed Values: HTTP proxy port. Do not configure this unless you configured HTTP_PROXY_HOST.

Field: HTTPS_PROXY_HOST
  Description: URL of the HTTPS proxy used to connect to the Licensing Authority servers
  Allowed Values: URL of the HTTPS proxy. Do not configure this if you configured HTTP_PROXY_HOST.

Field: HTTPS_PROXY_PORT
  Description: HTTPS proxy port used to connect to the Licensing Authority servers
  Allowed Values: HTTPS proxy port. Do not configure this unless you configured HTTPS_PROXY_HOST.

Field: LOGGER_ON
  Description: Whether Smart Licensing logging is enabled or disabled
  Allowed Values: true to enable logging, false to disable logging

Updating the Smart Licensing Configuration File

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. cd ~/SCA/services/sa-server

2. sudo vi sa.properties, then enter your password when prompted

3. You have the following options:

   • To connect to the License Authority servers through an HTTP proxy, configure the HTTP_PROXY_HOST setting with the HTTP proxy URL, and optionally configure the HTTP_PROXY_PORT setting with a port to use.

   • To connect to the License Authority servers through an HTTPS proxy, configure the HTTPS_PROXY_HOST setting with the HTTPS proxy URL, and optionally configure the HTTPS_PROXY_PORT setting with a port to use.

4. If you want to disable Smart Licensing logging, update LOGGER_ON to false.

5. Press Esc, then enter :wq! and press Enter.

6. more sa.properties, to review the file for errors


DETAILED STEPS

Step 1
  Command or Action: cd ~/SCA/services/sa-server
  Purpose: Change directories to the /sa-server directory.
  Example: user@host:~$ cd ~/SCA/services/sa-server

Step 2
  Command or Action: sudo vi sa.properties, then enter your password when prompted
  Purpose: Open the sa.properties file in the vi text editor with super user privileges.
  Example: user@host:~/SCA/services/sa-server$ sudo vi sa.properties

Step 3
  Command or Action: You have the following options:
    • To connect to the License Authority servers through an HTTP proxy, configure the HTTP_PROXY_HOST setting with the HTTP proxy URL, and optionally configure the HTTP_PROXY_PORT setting with a port to use.
    • To connect to the License Authority servers through an HTTPS proxy, configure the HTTPS_PROXY_HOST setting with the HTTPS proxy URL, and optionally configure the HTTPS_PROXY_PORT setting with a port to use.
  Purpose: Update the configuration file to change the Smart Licensing servers connection method.
  Example:
    HTTP_PROXY_HOST = <http-proxy-url>
    HTTP_PROXY_PORT = <http-proxy-port>
  Example:
    HTTPS_PROXY_HOST = <https-proxy-url>
    HTTPS_PROXY_PORT = <https-proxy-port>

Step 4
  Command or Action: If you want to disable Smart Licensing logging, update LOGGER_ON to false.
  Purpose: Update the configuration file to disable logging.
  Example: LOGGER_ON = false

Step 5
  Command or Action: Press Esc, then enter :wq! and press Enter.
  Purpose: Save your changes and exit the editor.

Step 6
  Command or Action: more sa.properties, to review the file for errors
  Purpose: Open the file in read-only mode to review the entries for errors.
  Example: user@host:~/SCA/services/sa-server$ more sa.properties
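Step 6 reviews the file by eye. The following added example, which is not part of this guide and is not shipped with the controller, does the same review mechanically by applying the constraints of Table 24 to a sa.properties file: at most one of HTTP_PROXY_HOST and HTTPS_PROXY_HOST, a port only alongside its matching host, LOGGER_ON limited to true or false, and PRODUCT_SN unchanged from the value recorded at installation. It assumes the "KEY = value" line format shown in the examples above; the file contents, proxy URL and serial value below are constructed.

```python
"""Consistency checker for sa.properties against Table 24 (added example, not Cisco's code)."""
from typing import Dict, List, Optional

TRUE_FALSE = {"true", "false"}

# Constructed sample: a consistent file routing licensing traffic via an HTTP proxy.
GOOD_SA_PROPERTIES = """\
PRODUCT_SN = 3f2a9c7e-example-sn
HTTP_PROXY_HOST = http://proxy.example.net
HTTP_PROXY_PORT = 3128
LOGGER_ON = false
"""

# Constructed sample breaking three rules: both proxies set, a bad port, a non-boolean flag.
BAD_SA_PROPERTIES = """\
PRODUCT_SN = 3f2a9c7e-example-sn
HTTP_PROXY_HOST = http://proxy.example.net
HTTPS_PROXY_HOST = https://proxy.example.net
HTTPS_PROXY_PORT = 99999
LOGGER_ON = yes
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Read KEY = value lines; blank lines and # comments are skipped (format assumed)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _valid_port(value: str) -> bool:
    return value.isdigit() and 1 <= int(value) <= 65535


def check_properties(props: Dict[str, str],
                     installed_sn: Optional[str] = None) -> List[str]:
    """Return the Table 24 rule violations found; an empty list means consistent.

    installed_sn is the system-generated PRODUCT_SN recorded at install time; when
    the caller supplies it, any change to the field is reported.
    """
    problems: List[str] = []
    http_host = props.get("HTTP_PROXY_HOST", "")
    https_host = props.get("HTTPS_PROXY_HOST", "")
    if http_host and https_host:
        problems.append("HTTP_PROXY_HOST and HTTPS_PROXY_HOST are both set; "
                        "only one proxy can be configured")
    for host_key, port_key, host in (("HTTP_PROXY_HOST", "HTTP_PROXY_PORT", http_host),
                                     ("HTTPS_PROXY_HOST", "HTTPS_PROXY_PORT", https_host)):
        port = props.get(port_key, "")
        if port and not host:
            problems.append(f"{port_key} is set without {host_key}")
        if port and not _valid_port(port):
            problems.append(f"{port_key} is not a valid TCP port: {port}")
    logger = props.get("LOGGER_ON", "")
    if logger and logger.lower() not in TRUE_FALSE:
        problems.append(f"LOGGER_ON must be true or false, not {logger!r}")
    if installed_sn is not None and props.get("PRODUCT_SN", "") != installed_sn:
        problems.append("PRODUCT_SN differs from the system-generated value; "
                        "this field is not configurable, restore it")
    return problems


def lint_sa_properties(text: str, installed_sn: Optional[str] = None) -> List[str]:
    """Parse and check a sa.properties file's text in one call."""
    return check_properties(parse_properties(text), installed_sn)


if __name__ == "__main__":
    for problem in lint_sa_properties(BAD_SA_PROPERTIES):
        print("sa.properties:", problem)
```

Run the checker before restarting the controller processes; a clean result means the proxy and logging settings are at least internally consistent with Table 24, although it cannot tell you whether the proxy itself reaches the Licensing Authority servers.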


What to Do Next

• Restart the controller processes, as described in the next section.

Restarting the Controller Processes

SUMMARY STEPS

1. cd ~/SCA

2. sudo service ciscosln-sca restart

DETAILED STEPS

Step 1
  Command or Action: cd ~/SCA
  Purpose: Change to the /SCA directory.
  Example: user@host:~$ cd ~/SCA

Step 2
  Command or Action: sudo service ciscosln-sca restart
  Purpose: Restart the controller processes.
  Example: user@host:~/SCA$ sudo service ciscosln-sca restart

Logging into the Controller Web UI

When you installed the controller, you defined an IP address for the controller web UI, and reset the administrator user account (admin) password. Log in with the temporary password printed to the controller VM console. After you log in once, you must change the password and confirm the new password.

In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username and password when prompted.

Registering the Controller Instance

Before You Begin

• Obtain a registration token from the Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html).


• Log into the controller web UI.

Step 1 Select Dashboard.

Step 2 Click Smart Licensing.

Step 3 Click Register.

Step 4 Paste your registration token into the Smart Software Licensing Product Registration field.

Step 5 If you want to use a registration token and the current token is still valid, check Reregister this product instance if it is already registered.

Step 6 Click Register.

Interface Configuration

When you configure a Network Element's interface, select a traffic direction, whether you want to enable mitigations on the interface, and whether you want to enable packet buffer capture (PBC) or deep packet inspection (DPI).

Note: Subinterface configuration of PBC/DPI is not supported on 4000 Series ISRs.

Interface Traffic Direction

The Direction you select for an interface determines how the agent tracks traffic origin from within or outside the branch, populates clusters, and models traffic to identify anomalies. Label each interface based on the following guidelines:

• An Internal interface faces the branch and branch hosts. The system applies Learning Network License-related NetFlow on this interface.

• An External interface faces the core. This interface passes traffic outside the branch, including other branches, headquarters, or the Internet.

• An Unconfigured interface does not qualify as either Internal or External. It is unused, or there is a reason you do not want to monitor the traffic over this interface.

An agent monitors traffic, and creates clusters of hosts with similar characteristics. The agent clusters external hosts, those residing on External interfaces, separately from internal hosts, those residing on Internal interfaces. Traffic between clusters is monitored for anomaly detection.

The agent monitors traffic to or from branch hosts. All traffic to or from an Internal interface, which represents the branch host traffic, is modeled for anomaly detection purposes. Traffic that does not involve an Internal interface is not modeled. See the following table for more information.


Table 25: Interface Direction and Modeled Traffic

Traffic from an Internal interface...
  ...to an Internal interface: is modeled and inspected for anomalous traffic.
  ...to an External interface: is modeled and inspected for anomalous traffic.
  ...to an Unconfigured interface: is modeled and inspected for anomalous traffic.

Traffic from an External interface...
  ...to an Internal interface: is modeled and inspected for anomalous traffic.
  ...to an External interface: is not modeled and inspected for anomalous traffic.
  ...to an Unconfigured interface: is not modeled and inspected for anomalous traffic.

Traffic from an Unconfigured interface...
  ...to an Internal interface: is modeled and inspected for anomalous traffic.
  ...to an External interface: is not modeled and inspected for anomalous traffic.
  ...to an Unconfigured interface: is not modeled and inspected for anomalous traffic.
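The following added example expresses Table 25 and the clustering rule from Interface Traffic Direction as code and applies them to sample flows, so you can see before labelling interfaces which traffic an agent would model and which hosts land in which pool. It is not part of this guide and not the agent's own logic; the rule that a flow is modeled exactly when one of its interfaces is Internal is taken from the table, while the interface names, addresses and flow records are constructed, and the flow tuple layout (source host, ingress interface, destination host, egress interface) is an assumption.

```python
"""Interface-direction modeling rules from Table 25 (added example, not Cisco's code)."""
from typing import Dict, List, Set, Tuple

INTERNAL, EXTERNAL, UNCONFIGURED = "Internal", "External", "Unconfigured"
DIRECTIONS = {INTERNAL, EXTERNAL, UNCONFIGURED}

# Constructed direction labels for one router's interfaces.
SAMPLE_INTERFACES: Dict[str, str] = {
    "GigabitEthernet0/0/0": EXTERNAL,      # uplink toward the core
    "GigabitEthernet0/0/1": INTERNAL,      # branch LAN
    "GigabitEthernet0/0/2": UNCONFIGURED,  # unused port
}

# Constructed flow records: (source host, ingress interface, destination host, egress interface).
Flow = Tuple[str, str, str, str]
SAMPLE_FLOWS: List[Flow] = [
    ("10.1.1.10", "GigabitEthernet0/0/1", "203.0.113.5", "GigabitEthernet0/0/0"),   # branch host to Internet
    ("203.0.113.5", "GigabitEthernet0/0/0", "10.1.1.10", "GigabitEthernet0/0/1"),   # the reply
    ("198.51.100.7", "GigabitEthernet0/0/0", "192.0.2.9", "GigabitEthernet0/0/2"),  # never touches the branch
    ("10.1.1.20", "GigabitEthernet0/0/1", "192.0.2.9", "GigabitEthernet0/0/2"),     # branch host to an unmonitored port
]


def is_modeled(from_direction: str, to_direction: str) -> bool:
    """Table 25 reduced to one rule: modeled iff either side is an Internal interface."""
    for direction in (from_direction, to_direction):
        if direction not in DIRECTIONS:
            raise ValueError(f"unknown interface direction: {direction!r}")
    return INTERNAL in (from_direction, to_direction)


def modeled_flows(interfaces: Dict[str, str], flows: List[Flow]) -> List[Flow]:
    """Keep only the flows the agent would model under the given interface labels."""
    return [f for f in flows if is_modeled(interfaces[f[1]], interfaces[f[3]])]


def host_pools(interfaces: Dict[str, str], flows: List[Flow]) -> Dict[str, Set[str]]:
    """Partition observed hosts into the internal and external pools the agent
    clusters separately. Hosts seen only behind Unconfigured interfaces join
    neither pool (an assumption; the guide does not say how they are treated)."""
    pools: Dict[str, Set[str]] = {"internal": set(), "external": set()}
    for src, in_if, dst, out_if in flows:
        for host, iface in ((src, in_if), (dst, out_if)):
            direction = interfaces[iface]
            if direction == INTERNAL:
                pools["internal"].add(host)
            elif direction == EXTERNAL:
                pools["external"].add(host)
    return pools


if __name__ == "__main__":
    for flow in modeled_flows(SAMPLE_INTERFACES, SAMPLE_FLOWS):
        print("modeled:", flow)
    print(host_pools(SAMPLE_INTERFACES, SAMPLE_FLOWS))
```

With the sample labels, the transit flow between the External uplink and the Unconfigured port is the only one dropped from modeling, which is the practical consequence of leaving an interface Unconfigured: hosts behind it are neither clustered nor baselined unless they talk to a branch host.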

Enable Mitigation

You can enable mitigation on Ethernet interfaces and most tunnel interfaces. The system does not support enabling mitigation on tunnel interfaces with multipoint GRE (mGRE) enabled.

Cisco recommends you enable mitigation on all enabled and supported interfaces, regardless of traffic direction. This provides maximum protection if the agent detects an anomaly, and you want to install a QoS policy on the Network Element to prevent the anomaly from being forwarded. If you configure a mitigation tailored to this anomalous traffic, the system installs the corresponding QoS policy on all Network Element interfaces on which you enabled mitigation.

Note: By default, the system checks the Enable Mitigation checkbox for all Ethernet and non-mGRE tunnel interfaces.

If your router interface has subinterfaces, and already has a quality of service (QoS) policy installed at the parent interface level, you can only enable mitigation policies at the parent level for that interface family. Similarly, if the subinterfaces have a QoS policy installed, you can only enable mitigation policies at the subinterface level for that interface family. If you enable a mitigation on a subinterface, the system automatically enables the mitigation on all sibling subinterfaces.

If the interface family does not have a QoS policy installed, you can install a mitigation at the parent interface or subinterface level. Once you configure a mitigation for a parent interface or a subinterface, however, you can only subsequently create mitigations at that level for the interface family.

Enable PBC/DPI

You can enable PBC or DPI on any interface with the word Ethernet in its name, with the following exceptions:

• You can only enable PBC or DPI on a G2 ISR interface if you did not configure it to export IP traffic (ip traffic-export). If you configured IP traffic export on the interface, remove the configuration from the interface before enabling PBC and DPI.

• You can only enable PBC or DPI on a 4000 Series ISR parent interface.

This allows you to capture and download PCAP files, or capture DNS query information from traffic.


Note: On a G2 ISR, if you enable PBC or DPI on a parent interface, the system also enables it for all sub-interfaces. Similarly, if you enable PBC or DPI on a G2 ISR sub-interface, the system also enables it for the parent interface and all sibling subinterfaces.

Enabling Agents on the Controller

If you do not register your controller with Smart Licensing before you enable agents, your deployment is in Evaluation Mode, and you are limited to managing 10 agents with your controller for 90 days.

When you register your controller with Smart Licensing and enable the agents, ensure you have enough license entitlements.

Before You Begin

• Log into the controller web UI.

Step 1 Select AGENTS.

Step 2 For each managed agent, click Enable, then click Continue to enable the agent.

Configuring Agent Network Settings

You can update an agent's network settings, including the host router's IP address and directionality of the router's interfaces.

Before You Begin

• See Interface Configuration, on page 81 for information on configuring your agents.

Step 1 Select AGENTS.

Step 2 Click Configure next to an agent.

Step 3 Enter the VirtualPortGroup1 virtual service eth0 IPv4 address in the Network Element IP field.

Step 4 Click the expand icon next to an interface to view the router interface configuration.

Step 5 For an interface, choose from the drop-down:

• Internal if the interface faces the branch (generally, if NetFlow is configured on the interface)

• External if the interface faces the core (generally, if the interface is passing traffic)


• Unconfigured if your interface is unused, or the interface faces neither the branch nor the core

Step 6 Check Enable mitigation to apply mitigation actions to this interface.

Step 7 If you want to capture raw packet data and send it from the network element to the agent, take the following steps:

• Check Enable PBC/DPI on one or more interfaces to enable raw packet capture.

• Select a network element interface from the Raw Packet Tx Interface (on NE) drop-down on which the network element passes raw packets to the agent.

• Select an agent interface from the Raw Packet Rx Interface (on Agent) drop-down on which the agent receives raw packets from the network element.

Step 8 If you want to enable the packet buffer capture (PBC) feature, check Enable PBC. You must enable capturing raw packet data.

Step 9 If you want to capture DNS query information, check Enable DPI/DPS. You must enable capturing raw packet data.

Step 10 Click Submit.

Step 11 Click Submit.

Step 12 If you want to create a template to apply this configuration to other agents, click Create template.

What to Do Next

• Allow the system time to perform the initial learning phase, as described in Initial Learning Phase Overview, on page 87.

Agent Configuration Templates

After you configure an agent, you can save a configuration template with that agent's configured settings. If you apply that template to another agent, the system updates the agent's configuration with those saved settings. You can apply a configuration template to one agent at a time.


Applying a Template to an Agent

Before You Begin

• Configure at least one agent and create a configuration template.

Step 1 Select AGENTS.

Step 2 Check the checkbox for one agent.

Step 3 Enter a template name in the Select a configuration template to apply field. The field updates to show matching results as you type.

Step 4 Click Apply configuration to selected Agent, then confirm your selection.


CHAPTER 8

Initial Learning Phase

The following describes the system's initial learning phase, used to develop a baseline model of your network traffic.

• Initial Learning Phase Overview, page 87

Initial Learning Phase Overview

After you manage your agents with the controller, allow the system to run for seven days, inspect your network traffic, and build a baseline traffic model.

The Learning Network License system identifies anomalies by comparing detected traffic to the baseline model, and noting deviations. After system deployment, each agent inspects traffic traversing the router. During this initial learning phase, the agent builds a baseline traffic model. The model includes dynamically-generated clusters of hosts, and what types of application traffic are transmitted between clusters at what times of day.

If you log into the controller web UI while the system is learning about your network, you may see very few or no reported anomalies, as the system cannot compare against a baseline yet. Towards the end of the initial learning phase, the system may start reporting anomalies, but without a complete baseline, these anomalies may not be relevant. After the initial learning phase, when each agent completes its baseline model, the system can properly identify anomalous traffic that deviates from the baseline.

For more information, see the Cisco Stealthwatch Learning Network License Configuration Guide.


CHAPTER 9

Next Steps

The following describes next steps to take after deploying the Learning Network License system.

• Next Steps, page 89

• For Assistance, page 89

Next Steps

After you deploy the Learning Network License system, you can perform the following:

• Log into the controller web UI to configure user display settings, view anomalies and assign relevance feedback, configure mitigations for an anomaly, and configure external system integration. See the Cisco Stealthwatch Learning Network License Configuration Guide for more information.

For Assistance

Thank you for using Cisco products.

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about the Firepower System, see What's New in Cisco Product Documentation at http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.

Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and have content delivered directly to your desktop using a reader application. The RSS feeds are a free service.

If you have any questions or require assistance with the Cisco Stealthwatch Learning Network License system, please contact Cisco Support:

• Visit the Cisco Support site at http://support.cisco.com.

• Email Cisco Support at [email protected].

• Call Cisco Support at 1.408.526.7209 or 1.800.553.2447.


Page 101: Cisco Stealthwatch Learning Network License Virtual ... · StatusCode:HOSTLIMITINT 152 StatusCode:HOSTSDROPPEDEXT 152 StatusCode: ... L-SW-LN-43-1Y-K9-Cisco StealthwatchLearningNetwork

APPENDIX A

Logging Configuration

The following describes how to enable audit and event logging on the controller.

• Logging Configuration Overview, page 91

Logging Configuration Overview

The Learning Network License system enables audit, event, and general logging by default on the controller. It also automatically enables Smart Licensing logging after you register your controller with Smart Licensing. See the following table for descriptions and default file output locations.

Table 26: Controller Logging Descriptions and Default Output Locations

• audit logging - system transactions. Default output locations: ~/SCA/logs/sca.log; console (ERROR severity and above)

• event logging - events the system generates, tracking: agents connecting to or disconnecting from the controller; anomaly events (INFO severity); updated anomaly events where the severity increases. Default output locations: /var/log/user.log; ~/SCA/logs/sca.log; console (ERROR severity and above)

• general logging - general system information. Default output locations: ~/SCA/logs/sca.log; console (ERROR severity and above)

• Smart Licensing logging - Smart Licensing transactions, including when you register the controller, and when you use agent license entitlements. Default output locations: /var/log/user.log; ~/SCA/services/sa-server/sa-server.log

• pxGrid logging - logging related to pxGrid integration with ISE. Default output location: ~/SCA/services/pxgrid/pxg.log

The agent logs general system information to multiple log files, located on the agent at ~/DLA/LOG.

The Controller Logging Configuration File

The controller uses the logback logging framework to log information, including anomaly events, agent/controller connection and disconnection events, audit logging, general system logging, and Smart Licensing logging. Cisco provides a sample configuration file on the controller at ~/SCA/sample_logback.xml. This file provides an example of logging configuration syntax. If you copy this file and rename it to sca-logback.xml, you can update the logging configuration settings.

Note: If you incorrectly configure sca-logback.xml due to invalid or malformed XML syntax, the system logs an error message to the console, but does not start logging. If you incorrectly configure sca-logback.xml due to unrecognized nodes, options, or class names, the system logs an error message to the console. It then loads the remaining valid configuration in the file, and otherwise loads default logging settings.

Beneath the parent configuration node are the following:

• logger - the class that provides the level of log messages

• root - the root logger class

• appender - the class that outputs the log message

By default, the root logger is configured to log INFO messages to the console and the ~/SCA/logs/sca.log log file. However, note that the console appender is configured to log ERROR and above by default, so INFO messages are not displayed on the console.

The com.cisco.sln.utils.log.ScaCefLogger logger does not have a logging level configured, but inherits logging INFO messages. By default, this logger logs the CEF messages, which are INFO level, to the /var/log/user.log log file, ~/SCA/logs/sca.log log file, and the console.

For more information on logback, see http://logback.qos.ch/documentation.html.

syslog Export to External Hosts

Within the sample_logback.xml configuration file, the ScaCefLogger logger controls logging anomaly CEF events to syslog. You can modify this configuration to change the host that receives these events.


sca-logback.xml Creation

To update the logging configuration, first copy the sample_logback.xml file and rename it to sca-logback.xml, then open it and view the markup.

General Configuration

By default, the system checks sca-logback.xml for changes every minute. If it detects changes, the system updates the logging configuration. To disable this check, set the scan attribute equal to false.

Note: If you set the scan attribute equal to false, you must restart the controller's processes before the system updates the logging configuration.

The following default configuration root element controls this setting.

<configuration scan="true">
</configuration>

If you want to change the sca-logback.xml check frequency, add the scanPeriod attribute to the configuration element, and set it equal to a number of seconds, minutes, hours, or days. The following provides an example.

<configuration scan="true" scanPeriod="10 seconds">
</configuration>

ScaCefLogger Logger Configuration

The following is the ScaCefLogger default configuration.

<logger name="com.cisco.sln.utils.log.ScaCefLogger">
  <appender-ref ref="SYSLOG" />
</logger>

If you need to change the logging level, add a level attribute to the ScaCefLogger logger element. The following provides an example.

<logger name="com.cisco.sln.utils.log.ScaCefLogger" level="TRACE">
  <appender-ref ref="SYSLOG" />
</logger>

If you need to stop logging, add level="OFF" as an attribute to the ScaCefLogger logger element. The following provides an example.

<logger name="com.cisco.sln.utils.log.ScaCefLogger" level="OFF">
  <appender-ref ref="SYSLOG" />
</logger>

Note: The system logs anomaly event CEF messages with an INFO logging level. The ScaCefLogger logger inherits the INFO logging level from the parent root logger. If you change the ScaCefLogger logging level, select a level that contains INFO messages (TRACE, DEBUG, INFO). If you override this with a level that does not include INFO messages (WARN, ERROR), the system cannot write anomaly event messages to syslog.

The appender-ref element references the SYSLOG appender, which controls the host that receives these anomaly events.


SYSLOG Appender Configuration

The SYSLOG appender, by default, logs to the syslog on the local host. The following is the default SYSLOG appender configuration.

<appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
  <syslogHost>localhost</syslogHost>
  <facility>USER</facility>
  <suffixPattern>%msg</suffixPattern>
</appender>

The syslogHost element controls the target for the logged anomaly events. Update this to the hostname of your external host or SIEM to export syslog to that host.

The facility element controls the syslog facility. LOCAL0 through LOCAL7 are unused facilities you can define for custom purposes.

Note: Because the USER facility generates the events, Cisco recommends you keep this setting.

The suffixPattern element controls the format of the non-standard message component. See http://logback.qos.ch/manual/layouts.html for the discussion of PatternLayout and more information on how to configure suffixPattern.

To define a port on the host other than the default port 514, you can add the port element as a child of the appender element and define a different port in that element's text. The following provides an example.

<appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
  <syslogHost>externalHostName</syslogHost>
  <port>515</port>
  <facility>USER</facility>
  <suffixPattern>%msg</suffixPattern>
</appender>

Changes Saved

Save your changes to the file. The system updates the logging configuration the next time it checks the file.

Log File Location

The system by default outputs the anomaly events to /var/log/user.log.

Updating a syslog Target Host

Before You Begin

• Log into the controller VM console.


SUMMARY STEPS

1. cd ~/SCA

2. cp sample_logback.xml sca-logback.xml

3. vi sca-logback.xml

4. If you want to change the logging level, add level="TRACE" or level="DEBUG" as an attribute to the ScaCefLogger logger element, or level="OFF" as an attribute to the ScaCefLogger logger element to disable anomaly event logging.

5. If you want to define a port for the syslog host other than the default port 514, add a port element as a child of the SYSLOG appender element, then add the port number as the port element text.

6. Press Esc, then enter :wq!, then press Enter.

DETAILED STEPS

Step 1: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example: user@host:~$ cd ~/SCA

Step 2: cp sample_logback.xml sca-logback.xml
Purpose: Make a copy of the sample_logback.xml configuration file, and name it sca-logback.xml.
Example: user@host:~/SCA$ cp sample_logback.xml sca-logback.xml

Step 3: vi sca-logback.xml
Purpose: Open the sca-logback.xml configuration file in vi.
Example: user@host:~/SCA$ vi sca-logback.xml

Step 4: If you want to change the logging level, add level="TRACE" or level="DEBUG" as an attribute to the ScaCefLogger logger element, or level="OFF" as an attribute to the ScaCefLogger logger element to disable anomaly event logging.
Purpose: Change the logging level, or disable it.
Example: <logger name="com.cisco.sln.utils.log.ScaCefLogger" level="TRACE">

Step 5: If you want to define a port for the syslog host other than the default port 514, add a port element as a child of the SYSLOG appender element, then add the port number as the port element text.
Purpose: Update the target syslog host port.
Example: <port>515</port>

Step 6: Press Esc, then enter :wq!, then press Enter.
Purpose: Save your changes and close the file.
Example: :wq!

What to Do Next

• View ~/SCA/logs/console.log to verify that the controller updated the logging configuration.

• View the logs to see syslog messages. The log destination depends on the facility you defined in the SyslogAppender appender. By default, the USER facility logs to /var/log/user.log.
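As an added pre-flight check (example code, not part of the controller or of Cisco's tooling), the following Python script reads an sca-logback.xml and reports the failure modes this section describes: malformed XML, a ScaCefLogger level that excludes INFO, a dangling appender-ref, and a SYSLOG appender with an empty host, an out-of-range port, or a facility other than USER. The two embedded configurations are constructed from the defaults shown above; the logs/sca.log FILE appender is an assumption standing in for the real root appenders.

```python
import xml.etree.ElementTree as ET

# Anomaly CEF events are logged at INFO, so a ScaCefLogger level must be one of
# these (or absent, in which case the logger inherits INFO from the root logger).
LEVELS_INCLUDING_INFO = {"TRACE", "DEBUG", "INFO"}
CEF_LOGGER = "com.cisco.sln.utils.log.ScaCefLogger"


def check_logback(xml_text):
    """Return a list of findings for an sca-logback.xml document.

    An empty list means the file is well-formed and still routes anomaly
    events to the SYSLOG appender. This is an added checker, not controller code.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Malformed XML: the controller logs an error and does not start logging.
        return ["malformed XML, logging will not start: %s" % exc]

    if root.tag != "configuration":
        findings.append("root element is <%s>, expected <configuration>" % root.tag)
    if root.get("scan", "false").lower() != "true":
        findings.append("scan is not true; edits need a controller process restart")

    appenders = {a.get("name"): a for a in root.findall("appender")}

    # Every appender-ref, in <root> and in every <logger>, must name a declared appender.
    for parent in root.findall("root") + root.findall("logger"):
        for ref in parent.findall("appender-ref"):
            if ref.get("ref") not in appenders:
                findings.append("appender-ref %r has no matching <appender>" % ref.get("ref"))

    cef = next((l for l in root.findall("logger") if l.get("name") == CEF_LOGGER), None)
    if cef is None:
        findings.append("no <logger> for %s; the default file declares it with an "
                        "appender-ref to SYSLOG" % CEF_LOGGER)
    else:
        level = cef.get("level")
        if level is not None and level.upper() not in LEVELS_INCLUDING_INFO:
            findings.append("ScaCefLogger level %s excludes INFO; anomaly events "
                            "will not be written to syslog" % level)
        if not any(r.get("ref") == "SYSLOG" for r in cef.findall("appender-ref")):
            findings.append("ScaCefLogger does not reference the SYSLOG appender")

    syslog = appenders.get("SYSLOG")
    if syslog is not None:
        host = (syslog.findtext("syslogHost") or "").strip()
        port = syslog.findtext("port")
        port = "514" if port is None else port.strip()   # 514 is the default port
        facility = (syslog.findtext("facility") or "").strip()
        if not host:
            findings.append("SYSLOG appender has an empty syslogHost")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append("SYSLOG appender port %r is not a valid port" % port)
        if facility != "USER":
            findings.append("facility is %r, not USER; events will not land in "
                            "/var/log/user.log" % facility)
    return findings


# Constructed minimal configuration following the defaults the guide lists.
SAMPLE_DEFAULT = """<configuration scan="true">
  <appender name="FILE" class="ch.qos.logback.core.FileAppender">
    <file>logs/sca.log</file>
    <encoder><pattern>%d %-5level %logger{36} - %msg%n</pattern></encoder>
  </appender>
  <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <facility>USER</facility>
    <suffixPattern>%msg</suffixPattern>
  </appender>
  <logger name="com.cisco.sln.utils.log.ScaCefLogger">
    <appender-ref ref="SYSLOG" />
  </logger>
  <root level="INFO">
    <appender-ref ref="FILE" />
  </root>
</configuration>
"""

# The same file after a bad edit: WARN drops the INFO anomaly events, and the port is invalid.
SAMPLE_BROKEN = SAMPLE_DEFAULT.replace(
    '<logger name="com.cisco.sln.utils.log.ScaCefLogger">',
    '<logger name="com.cisco.sln.utils.log.ScaCefLogger" level="WARN">',
).replace("<facility>USER</facility>", "<port>99999</port><facility>USER</facility>")

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("broken", SAMPLE_BROKEN)):
        print(label, check_logback(text) or ["ok"])
```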

Logging Timestamps

By default, sca.log and console.log use Coordinated Universal Time (UTC) timestamps.

In contrast, pxg.log, sa-server.log, and sca_monitor.log use timestamps based on your current local timezone. You can edit the logging properties files and run sed to update those logs to use UTC timestamps.

Updating Logging Configuration Files for UTC Timestamps

Update the log4j.properties files to change timestamps from your local configured timezone to UTC. Find the following lines:

log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n

And update the lines as follows (the layout class changes to EnhancedPatternLayout, and the {UTC} qualifier is added after the date pattern):

log4j.appender.file.layout=org.apache.log4j.EnhancedPatternLayout
log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss}{UTC} %-5p %c{1}:%L - %m%n

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. cd ~/SCA/services/pxgrid

2. sudo vi log4j.properties, then enter your password when prompted

3. Update the lines listed above.

4. Press Esc, then enter :wq!.

5. cd ~/SCA/services/sa-server

6. sudo vi log4j.properties, then enter your password when prompted

7. Update the lines listed above.

8. Press Esc, then enter :wq!.


DETAILED STEPS

Step 1: cd ~/SCA/services/pxgrid
Purpose: Change to the ~/SCA/services/pxgrid directory.
Example: user@host:~$ cd ~/SCA/services/pxgrid

Step 2: sudo vi log4j.properties, then enter your password when prompted
Purpose: Open log4j.properties in the vi text editor as a superuser.
Example: user@host:~/SCA/services/pxgrid$ sudo vi log4j.properties

Step 3: Update the lines listed above.
Purpose: Update the log4j.properties file to use UTC timestamps.
Example:
log4j.appender.file.layout=org.apache.log4j.EnhancedPatternLayout
log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss}{UTC} %-5p %c{1}:%L - %m%n

Step 4: Press Esc, then enter :wq!.
Purpose: Save your changes, then exit the vi text editor.

Step 5: cd ~/SCA/services/sa-server
Purpose: Change to the ~/SCA/services/sa-server directory.
Example: user@host:~$ cd ~/SCA/services/sa-server

Step 6: sudo vi log4j.properties, then enter your password when prompted
Purpose: Open log4j.properties in the vi text editor as a superuser.
Example: user@host:~/SCA/services/sa-server$ sudo vi log4j.properties

Step 7: Update the lines listed above.
Purpose: Update the log4j.properties file to use UTC timestamps.
Example:
log4j.appender.file.layout=org.apache.log4j.EnhancedPatternLayout
log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss}{UTC} %-5p %c{1}:%L - %m%n

Step 8: Press Esc, then enter :wq!.
Purpose: Save your changes, then exit the vi text editor.

Updating UTC Timestamps for the Controller Monitor Logs

Run sed to display UTC timestamps in the sca_monitor.log log file.

Before You Begin

• Log into the controller VM console.


DETAILED STEPS

Step 1: sed -ie 's/(date /(date --utc /' SCA/sca_monitor.sh
Purpose: Run sed to update how the sca_monitor.log log file displays timestamps.
Example: user@host:~$ sed -ie 's/(date /(date --utc /' SCA/sca_monitor.sh

Accessing Audit and Event Log Files

Before You Begin

• Log into the controller VM console on the ESXi hypervisor.

SUMMARY STEPS

1. cd /var/log

2. vi syslog or vi user.log

DETAILED STEPS

Step 1: cd /var/log
Purpose: Change to the /var/log directory.
Example: user@host:~$ cd /var/log

Step 2: vi syslog or vi user.log
Purpose: Edit the syslog or user.log log file.
Example: user@host:/var/log$ vi syslog
Example: user@host:/var/log$ vi user.log

Audit Log Fields

For Version 1.0, the system logs each audit log message in the following format:

userId [timestamp] category > {jsonData}


Table 27: Audit Log Version 1.0 Field Descriptions

• userId - ID of the user associated with the transaction

• timestamp - Date and time the transaction occurred

• category - The type of transaction

• jsonData - Information associated with the transaction type

For Version 1.1 and greater, the system logs each audit log message in the following format:

[timestamp] - User(userInfo) - source: category > {jsonData}

Table 28: Audit Log Version 1.1 and Greater Field Descriptions

• timestamp - ISO 8601 timestamp when the transaction occurred

• userInfo - One of the following values related to users:
  • unknown - an unknown user
  • id - a user's ID (username unknown)
  • id, username - a user's ID and username

• source - the source that generated the audit log message:
  • authentication - user authentication during login, user logout, and user account password change
  • configuration - configuration applied to an agent by the controller
  • dla - agent configuration, such as enable, disable, and certificate pinning
  • download - PCAP file download
  • mitigation - mitigation creation, deletion, and reversion
  • pbc - PCAP file download requests
  • user - user account creation, update, and conversion to an API user
  • whitelisting - whitelist rule creation and deletion

• category - the type of transaction task requested by the user, and the success or failure, depending on the source

• jsonData - information associated with the transaction type, depending on the source
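The two audit formats above parsed into records, as an added example (not Cisco's code). The guide gives the formats but no sample messages, so the lines below are constructed; the exact rendering of userInfo (for instance User(7, admin)) and the category strings are assumptions.

```python
import json
import re
from collections import Counter

# Version 1.1 and greater: [timestamp] - User(userInfo) - source: category > {jsonData}
AUDIT_V11 = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] - User\((?P<userinfo>[^)]*)\) - "
    r"(?P<source>\w+): (?P<category>[^>]+?) > (?P<json>\{.*\})$"
)
# Version 1.0: userId [timestamp] category > {jsonData}
AUDIT_V10 = re.compile(
    r"^(?P<userid>\S+) \[(?P<timestamp>[^\]]+)\] (?P<category>[^>]+?) > (?P<json>\{.*\})$"
)


def parse_user_info(text):
    """Split userInfo into its three documented shapes: unknown, id, or id, username."""
    text = text.strip()
    if text == "unknown":
        return {"user_id": None, "username": None}
    if "," in text:
        user_id, username = (part.strip() for part in text.split(",", 1))
        return {"user_id": user_id, "username": username}
    return {"user_id": text, "username": None}


def parse_audit_line(line):
    """Parse one audit log line in either format; return None when it matches neither."""
    line = line.rstrip("\n")
    match = AUDIT_V11.match(line)
    if match:
        record = {"version": "1.1", "source": match.group("source")}
        record.update(parse_user_info(match.group("userinfo")))
    else:
        match = AUDIT_V10.match(line)
        if not match:
            return None
        record = {"version": "1.0", "source": None,
                  "user_id": match.group("userid"), "username": None}
    record["timestamp"] = match.group("timestamp")
    record["category"] = match.group("category").strip()
    try:
        record["data"] = json.loads(match.group("json"))
    except ValueError:
        record["data"] = None            # keep the record, but flag the bad payload
        record["raw_data"] = match.group("json")
    return record


def count_by_source_category(lines):
    """Tally parsed lines by (source, category): a quick view of what users did."""
    counts = Counter()
    for line in lines:
        record = parse_audit_line(line)
        if record is not None:
            counts[(record["source"], record["category"])] += 1
    return counts


# Constructed sample lines in the two documented formats (values are assumed,
# including one deliberately unparseable jsonData payload).
SAMPLE_LINES = [
    '[2017-03-15T10:22:01Z] - User(7, admin) - authentication: login success > {"ip": "192.0.2.10"}',
    '[2017-03-15T10:25:44Z] - User(unknown) - authentication: login failure > {"ip": "192.0.2.77", "user": "root"}',
    '[2017-03-15T10:31:09Z] - User(7) - mitigation: create > {"anomalyId": 1923}',
    '[2017-03-15T10:32:50Z] - User(7, admin) - download: success > {"file": }',
    'admin [2017-03-15 10:40:00] whitelisting > {"rule": "allow-dns"}',
]

if __name__ == "__main__":
    for key, count in sorted(count_by_source_category(SAMPLE_LINES).items(), key=str):
        print(key, count)
```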

Event Log Fields

Table 29: Event Log Field Descriptions

• timestamp - The date and time the system detected the event.

• host - The host that logged the message.

• version - The CEF version, always 0.

• deviceVendor - The associated vendor, always Cisco.

• deviceProduct - The associated vendor product, always SLN.

• deviceVersion - The controller version.

• signatureID - The event type: SLN_ANOMALY for anomaly events; SLN_DLA for agent health status events

• name - Description of the event log message.

• severity - Integer representing the event severity: 0 for low; 5 for medium; 10 for high

• extension - Information related to the anomaly event. If this is an agent health status event, this contains no data.


Event Log Message Examples

The system logs each event log message in CEF. When the system adds an event log message to the syslog, it prepends a timestamp and host, in the following format:

timestamp host CEF:version|deviceVendor|deviceProduct|deviceVersion|signatureID|name|severity|extension

The following describes a connection between agent and controller that has gone down:

Jan 1 00:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_DLA|CON_DOWN|0|deviceExternalId=1

The following describes an agent in safe mode:

Jan 1 21:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_DLA|DLA is in safe mode|0|

The following describes an updated agent configuration:

Jan 1 11:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_DLA_INTERFACES|Interfaces have changed on dla 2|5|

The following describes a user asking for more anomalies:

Jan 1 21:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_MORE_LESS|User admin asked for more anomalies|0|

The following describes a sample anomaly:

Jan 1 22:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_ANOMALY|Small total number of bytes (10.00 bytes) from an external mixed host in Chile (RM) 200.10.9.23 in Chile (anomalous traffic enters and exits the branch)|10|deviceExternalId=1 dst=192.0.2.14 dvchost=samplename externalId=1923 startTime=2016-01-01T22:08:00Z
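An added parser (example code, not part of the product) for the syslog-prefixed CEF format above, run over the five example messages the guide shows. It splits the header on unescaped pipes, maps the Table 29 severity codes to labels, and turns the extension into key/value pairs so events can be filtered by severity before they reach a SIEM rule.

```python
import re

# syslog prefix the controller prepends: "Jan 1 00:12:34 exampleHost CEF:..."
SYSLOG_PREFIX = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) CEF:(?P<cef>.*)$"
)
HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureID", "name", "severity")
SEVERITY_LABELS = {0: "low", 5: "medium", 10: "high"}   # Table 29
# The extension is "key=value key=value"; a value runs until the next " key=" or end of line.
EXTENSION_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def split_cef(cef):
    """Split the CEF body on unescaped pipes into 7 header fields plus the extension."""
    fields, current, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # \| and \\ are escapes inside header fields
            current.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < 7:
        return None                              # too few header fields: not valid CEF
    fields.append(cef[i:])                       # extension, kept verbatim
    return fields


def parse_event(line):
    """Parse one event log line; return a dict, or None if it is not a CEF event."""
    match = SYSLOG_PREFIX.match(line.rstrip("\n"))
    if not match:
        return None
    fields = split_cef(match.group("cef"))
    if fields is None:
        return None
    event = {"timestamp": match.group("timestamp"), "host": match.group("host")}
    event.update(zip(HEADER_FIELDS, fields[:7]))
    try:
        event["severity"] = int(event["severity"])
    except ValueError:
        event["severity"] = None
    event["severity_label"] = SEVERITY_LABELS.get(event["severity"], "unknown")
    event["extension"] = dict(EXTENSION_PAIR.findall(fields[7]))
    return event


def filter_events(lines, min_severity):
    """Return parsed events at or above min_severity, e.g. for an on-call queue."""
    events = (parse_event(line) for line in lines)
    return [e for e in events
            if e and e["severity"] is not None and e["severity"] >= min_severity]


# The five example messages the guide shows, reproduced here as test input.
SAMPLE_EVENTS = [
    "Jan 1 00:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_DLA|CON_DOWN|0|deviceExternalId=1",
    "Jan 1 21:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_DLA|DLA is in safe mode|0|",
    "Jan 1 11:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_DLA_INTERFACES|Interfaces have changed on dla 2|5|",
    "Jan 1 21:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_MORE_LESS|User admin asked for more anomalies|0|",
    "Jan 1 22:12:34 exampleHost CEF:0|Cisco|SLN|92-prod-1.0|SLN_ANOMALY|Small total number of bytes (10.00 bytes) "
    "from an external mixed host in Chile (RM) 200.10.9.23 in Chile (anomalous traffic enters and exits the branch)"
    "|10|deviceExternalId=1 dst=192.0.2.14 dvchost=samplename externalId=1923 startTime=2016-01-01T22:08:00Z",
]

if __name__ == "__main__":
    for event in filter_events(SAMPLE_EVENTS, 5):
        print(event["severity_label"], event["signatureID"], event["extension"])
```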

Smart Licensing Log Fields

The system logs each Smart Licensing log message in the following format:

timestamp hostname userId: %CISCO-SMART-LIC% message

Table 30: Smart Licensing Log Field Descriptions

• timestamp - Date and time the transaction occurred

• hostname - Name of the host where the transaction occurred

• userId - ID of the user associated with the transaction

• message - The log message

Accessing Controller General Log Files

Before You Begin

• Log into the controller VM console on the ESXi hypervisor.


SUMMARY STEPS

1. cd ~/SCA

2. vi SCA.log

DETAILED STEPS

Step 1: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example: user@host:~$ cd ~/SCA

Step 2: vi SCA.log
Purpose: Edit the SCA.log general controller log file.
Example: user@host:~/SCA$ vi SCA.log

Accessing Agent Log Files

Before You Begin

• For an agent deployed to a UCS E-Series blade server, log into the agent VM console on the ESXi hypervisor. For an agent deployed as a virtual service, log into the virtual service console, then exit the initial menu to access the administrator settings.

SUMMARY STEPS

1. 1) File access

2. 1) Log files

3. 1) List log files

4. 2) View log file

5. Enter a log file name. You can use the asterisk character (*) as a wild card.

6. :q to exit

DETAILED STEPS

Step 1: 1) File access
Purpose: Access the File access menu options.
Example: Enter a number: 1

Step 2: 1) Log files
Purpose: Access the log files options.
Example: Enter a number: 1

Step 3: 1) List log files
Purpose: List the available agent log files.
Example: Enter a number: 1

Step 4: 2) View log file
Purpose: View log files.
Example: Enter a number: 2

Step 5: Enter a log file name. You can use the asterisk character (*) as a wild card.
Purpose: Select a log file to view.
Example:
Enter filename, or a pattern for a menu of files:
log-name

Step 6: :q to exit
Purpose: Exit viewing the log file.
Example: :q

Exporting Agent Troubleshooting Files

You can export your agent troubleshooting files to an external host. Do this when directed by Cisco Support.

Before You Begin

• For an agent deployed to a UCS E-Series blade server, log into the agent VM console on the ESXi hypervisor. For an agent deployed as a virtual service, log into the virtual service console, then exit the initial menu to access the administrator settings.

SUMMARY STEPS

1. 1) File access

2. 5) ML debug files

3. 1) List ML debug files

4. 2) Send ML debug files to remote system, then ip-address, then username, then press Enter, then password


DETAILED STEPS

Step 1: 1) File access
Purpose: Access the File access menu options.
Example: Enter a number: 1

Step 2: 5) ML debug files
Purpose: Access the ML debug files options.
Example: Enter a number: 5

Step 3: 1) List ML debug files
Purpose: List the available debugging files.
Example: Enter a number: 1

Step 4: 2) Send ML debug files to remote system, then ip-address, then username, then press Enter, then password
Purpose: Export the debugging files to a remote system.
Example:
Enter a number: 2
Name or address of remote host []? 192.168.0.1
Destination username []? admin
The destination filename path can absolute, or relative to home dir.
Destination filename [scala.out]:
admin@remotehost's password: <password>


APPENDIX B

pxGrid Integration

The following describes how to integrate the Learning Network License system with pxGrid and Identity Services Engine (ISE).

• Integrating pxGrid, page 105

• ISE pxGrid Demo, page 106

• Controller pxGrid Client Certificates, page 108

• pxGrid Properties Configuration, page 113

• pxGrid Activation, page 115

• ISE Server Settings Update, page 117

• Controller Process Restart, page 117

Integrating pxGrid

You can integrate your Learning Network License deployment with an ISE server to populate detected hosts in anomalies with user identity information. This involves integrating pxGrid by generating public key certificates, trusting controller and ISE certificates, configuring pxGrid properties, and updating the controller's configuration.


If you have not deployed an ISE server, you can instead enable an ISE pxGrid integration demo. This demo populates endpoints detected in anomalies with sample user identity information. You update demo pxGrid properties, and update the controller's configuration. See ISE pxGrid Demo, on page 106 for more information.

Step 1 Manage the controller pxGrid and ISE public key certificates, adding them to keystores on the controller VM. See Controller pxGrid Client Certificates, on page 108 for more information.

Step 2 Update the pxGrid properties configuration file. See pxGrid Properties Configuration, on page 113 for more information.

Step 3 Update the controller pxGrid configuration, then restart the controller's processes. See pxGrid Activation, on page 115 for more information.

Step 4 Add the SLNpxGridClient to the Session group on your ISE server. See ISE Server Settings Update, on page 117 for more information.

Step 5 Restart the controller's processes again. See Controller Process Restart, on page 117 for more information.

ISE pxGrid Demo

The ISE pxGrid integration demo populates anomaly endpoints with sample user identity information, and provides an example of the additional context ISE provides to the Learning Network License system. As you review anomalies in the controller web UI, you can view the sample user identity information for hosts involved in the anomaly.

To enable the demo, you update a pxGrid properties file with demo settings, then update a controller configuration file to enable ISE integration. Finally, you restart controller processes.

pxGrid Demo Properties Table

Table 31: pxGrid Demo Properties Table

• PXGRID_DEMOFILENAME_IN - pxGrid integration demo file, which contains sample user identity values populated into anomaly endpoints. Enter ./conf/pxgrid_demo.csv

• PXGRID_DEMOIP - pxGrid integration demo IP address setting. Enter true


Configuring an ISE pxGrid Demo

Before You Begin

• Log into the controller VM console from the ESXi hypervisor.

SUMMARY STEPS

1. cd SCA/services/pxgrid

2. sudo vi app.properties, then enter your administrator password when prompted.

3. Update the pxGrid demo properties in the app.properties file.

4. Press Esc, then enter :wq! and press Enter.

DETAILED STEPS

Step 1: cd SCA/services/pxgrid
Purpose: Navigate to the pxgrid directory.
Example: user@host:~$ cd SCA/services/pxgrid

Step 2: sudo vi app.properties, then enter your administrator password when prompted.
Purpose: Edit the app.properties file with super user privileges.
Example: user@host:~/SCA/services/pxgrid$ sudo vi app.properties

Step 3: Update the pxGrid demo properties in the app.properties file.
Purpose: Update PXGRID_DEMOFILENAME_IN with ./conf/pxgrid_demo.csv. Update PXGRID_DEMOIP with true.
Example:
PXGRID_HOSTNAMES=
PXGRID_USERNAME=
PXGRID_DESCRIPTION=sln_pxgrid_client
PXGRID_KEYSTORE_FILENAME=
PXGRID_KEYSTORE_PASSWORD=
PXGRID_TRUSTSTORE_FILENAME=
PXGRID_TRUSTSTORE_PASSWORD=
PXGRID_APP_PORT=7072
PXGRID_DEMOFILENAME_IN=./conf/pxgrid_demo.csv
PXGRID_DEMOIP=true

Step 4: Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and exit vi.

What to Do Next

• Enable the ISE pxGrid demo, as described in the next section.


Enable the pxGrid Demo

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. cd ~/SCA

2. sudo vi sca.conf, then enter your password when prompted

3. Update the ise enabled setting to true.

4. Press Esc, then enter :wq! and press Enter.

5. sudo ./sca.sh restart

DETAILED STEPS

Step 1: Change the directory.
Command: cd ~/SCA

Step 2: Open the sca.conf file in vi as a super user.
Command: sudo vi sca.conf, then enter your password when prompted

Step 3: Enable pxGrid integration.
Command: Update the ise enabled setting to true.
Example:
modules {
  ise {
    enabled = true
  }
}

Step 4: Save your changes and exit vi.
Command: Press Esc, then enter :wq! and press Enter.

Step 5: Restart the controller processes.
Command: sudo ./sca.sh restart
Example:
user@host:~/SCA$ sudo ./sca.sh restart

Controller pxGrid Client Certificates

The controller contains a pxGrid client which retrieves user information from the ISE server. To integrate Learning Network License with ISE, you first generate a private key and public key certificate signing request (CSR), then have a certificate authority (CA) sign the certificate, using a custom pxGrid certificate template. You then export an ISE identity certificate from the ISE server to the controller. Finally, you create a pxGrid client identity keystore and a Learning Network License controller trusted keystore, and import the appropriate certificates into each.


When you submit the CSR to the CA, the CA must use a custom pxGrid certificate template to sign the certificate. Create this certificate template with an enhanced key usage (EKU) object identifier (OID) for client authentication (1.3.6.1.5.5.7.3.2) and for server authentication (1.3.6.1.5.5.7.3.1).

Generating pxGrid Client Certificates

Before You Begin

• Create a custom certificate template with the proper EKU OIDs for client authentication and server authentication.

• Log into the controller VM console as a user with privileges to run OpenSSL.

SUMMARY STEPS

1. cd SCA/services/pxgrid

2. openssl genrsa -out pxGridClient.key 4096

3. openssl req -new -key pxGridClient.key -out pxGridClient.csr

4. Optionally, enter country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email, then challenge-password, then company-name

5. Submit pxGridClient.csr and the certificate template to a CA.

6. Receive the signed certificate and the CA root certificate.

7. Upload pxGridClient.cer and ca_root.cer to the controller, in the SCA/services/pxgrid folder.

8. On the controller VM, navigate to the SCA/services/pxgrid directory.

9. openssl pkcs12 -export -out pxGridClient.p12 -inkey pxGridClient.key -in issued-certificate.cer -CAfile root-ca-certificate.cer, then enter and verify a p12-password when prompted

DETAILED STEPS

Step 1: Navigate to the pxgrid directory.
Command: cd SCA/services/pxgrid
Example:
user@host:~$ cd SCA/services/pxgrid

Step 2: Generate the pxGridClient.key private key for the controller pxGrid client.
Command: openssl genrsa -out pxGridClient.key 4096
Example:
user@host:~/SCA/services/pxgrid$ openssl genrsa -out pxGridClient.key 4096

Step 3: Enter the certificate signing request (CSR) wizard to generate a CSR for the pxGrid client.
Command: openssl req -new -key pxGridClient.key -out pxGridClient.csr
Example:
user@host:~/SCA/services/pxgrid$ openssl req -new -key pxGridClient.key -out pxGridClient.csr

Step 4: If you want to specify the certificate subject distinguished name (DN), provide the information. If you want to specify a challenge password, enter a challenge-password. Determine what information your CA requires for a CSR.
Command: Optionally, enter country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email, then challenge-password, then company-name
Example:
Country Name (2 letter code) [AU]: country-code
State or Province Name (full name) [Some-State]: state
Locality Name (eg, city) []: locality
Organization Name (eg, company) [Internet Widgits Pty Ltd]: organization
Organizational Unit Name (eg, section) []: organizational-unit
Common Name (e.g. server FQDN or YOUR name) []: common-name
Email Address []: email

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: challenge-password
An optional company name []: company-name

Step 5: Submit the certificate signing request to the CA. The CA signs the request, and uses the certificate template to add the EKU OIDs for client authentication and server authentication.
Command: Submit pxGridClient.csr and the certificate template to a CA.

Step 6: Receive the pxGridClient.cer signed certificate file and the ca_root.cer CA root certificate file from the CA.
Command: Receive the signed certificate and the CA root certificate.

Step 7: Upload the signed certificate and root CA certificate to the pxgrid folder on the controller VM.
Command: Upload pxGridClient.cer and ca_root.cer to the controller, in the SCA/services/pxgrid folder.

Step 8: Change directories.
Command: On the controller VM, navigate to the SCA/services/pxgrid directory.

Step 9: Add the pxGridClient.key private key, issued-certificate.cer signed client certificate, and root-ca-certificate.cer root CA certificate to the pxGridClient.p12 archive file.
Command: openssl pkcs12 -export -out pxGridClient.p12 -inkey pxGridClient.key -in issued-certificate.cer -CAfile root-ca-certificate.cer, then enter and verify a p12-password when prompted
Example:
user@host:~/SCA/services/pxgrid$ openssl pkcs12 -export -out pxGridClient.p12 -inkey pxGridClient.key -in pxGridClient.cer -CAfile ca_root.cer
Enter Export Password: p12-password
Verifying - Enter Export Password: p12-password
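Before packaging the signed certificate in step 9, it is worth confirming that the CA really applied the custom template, because a certificate issued from a default web-server template carries only the server authentication EKU and does not meet the requirement stated above. The following is an added example, not code from the guide or from the controller: a minimal DER encoder and decoder for the EKU extension value (ASN.1 SEQUENCE OF OBJECT IDENTIFIER) that reports which of the two required OIDs are missing. The sample extension bytes are constructed for the demonstration; on a real host you would take them from the certificate, for example by reading the X509v3 Extended Key Usage section of openssl x509 -in pxGridClient.cer -noout -text.

```python
"""Check that a signed pxGrid client certificate's Extended Key Usage (EKU)
carries both OIDs the custom CA template has to add. Added example code, not
part of the controller; sample EKU values below are constructed."""

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
REQUIRED_EKU = {CLIENT_AUTH, SERVER_AUTH}


def _der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER TLV for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:
        groups = [arc & 0x7F]  # base-128; the last group has no continuation bit
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))
    return b"\x06" + _der_length(len(body)) + bytes(body)


def encode_eku(oids) -> bytes:
    """DER ExtKeyUsageSyntax: SEQUENCE OF OBJECT IDENTIFIER."""
    content = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low seven bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Dotted string from the content octets of an OBJECT IDENTIFIER."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc, pending = 0, False
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:  # last group of this arc
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("OID ends inside a multi-byte arc")
    return ".".join(map(str, arcs))


def decode_eku(der: bytes) -> list:
    """List of dotted OIDs from a DER-encoded EKU extension value."""
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(value))
    return oids


def missing_pxgrid_eku(der: bytes) -> set:
    """Required pxGrid EKU OIDs the extension lacks; an empty set means OK."""
    return REQUIRED_EKU - set(decode_eku(der))


# Constructed samples: a template carrying both purposes, and a
# web-server-only template that the pxGrid requirement rejects.
EKU_BOTH = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")

if __name__ == "__main__":
    for label, der in (("both", EKU_BOTH), ("server only", EKU_SERVER_ONLY)):
        print(label, decode_eku(der), "missing:", sorted(missing_pxgrid_eku(der)))
```

The encoder is there so the decoder can be checked by round trip; the only part you need on the controller is missing_pxgrid_eku applied to the extension bytes of the certificate the CA returned.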


What to Do Next

• Export the ISE identity public key certificate to the controller, as described in the next section.

Exporting an ISE Identity Certificate

Before You Begin

• Log into the ISE server.

SUMMARY STEPS

1. From the System Certificates page, select the Default self-signed server certificate and click Export.

2. Select Export Certificate Only and click Export. Rename the file to isemnt.pem.

3. Upload isemnt.pem to the controller, in the SCA/services/pxgrid folder.

4. Repeat the procedure for any remaining ISE servers in your network deployment. Give each exported certificate file a different name.

DETAILED STEPS

Step 1 From the System Certificates page, select the Default self-signed server certificate and click Export.

Step 2 Select Export Certificate Only and click Export. Rename the file to isemnt.pem.

Step 3 Upload isemnt.pem to the controller, in the SCA/services/pxgrid folder.

Step 4 Repeat the procedure for any remaining ISE servers in your network deployment. Give each exported certificate file a different name.

What to Do Next

• Add certificates to keystores, as described in the next section.

Adding pxGrid Certificates to Stores

Before You Begin

• Log into the controller VM console.


SUMMARY STEPS

1. cd SCA/services/pxgrid

2. keytool -importkeystore -srckeystore pxGridClient.p12 -destkeystore ./certificates/pxGridClient.jks -srcstoretype PKCS12, then enter and verify a pxgrid-keystore-password, then enter the p12-password

3. keytool -import -alias pxGridSLNClient -keystore ./certificates/pxGridClient.jks -file issued-certificate.cer

4. openssl x509 -outform der -in isemnt.pem -out isemnt.der

5. keytool -import -alias isemnt -keystore ./certificates/root3.jks -file isemnt.der, then enter and verify a pxgrid-truststore-password, then yes to trust the certificate

6. Repeat the previous 2 steps for any remaining ISE identity certificates.

7. keytool -import -alias ca_root1 -keystore ./certificates/root3.jks -file ca_root.cer, then yes to trust the certificate

DETAILED STEPS

Step 1: Navigate to the pxgrid directory.
Command: cd SCA/services/pxgrid
Example:
user@host:~$ cd SCA/services/pxgrid

Step 2: Create the pxGridClient.jks pxGrid client identity keystore from the pxGridClient.p12 archive file.
Command: keytool -importkeystore -srckeystore pxGridClient.p12 -destkeystore ./certificates/pxGridClient.jks -srcstoretype PKCS12, then enter and verify a pxgrid-keystore-password, then enter the p12-password
Example:
user@host:~/SCA/services/pxgrid$ keytool -importkeystore -srckeystore pxGridClient.p12 -destkeystore ./certificates/pxGridClient.jks -srcstoretype PKCS12
Enter destination keystore password: pxgrid-keystore-password
Re-enter new password: pxgrid-keystore-password
Enter source keystore password: p12-password

Step 3: Import the issued-certificate.cer certificate file into the pxGridClient.jks pxGrid client identity keystore.
Command: keytool -import -alias pxGridSLNClient -keystore ./certificates/pxGridClient.jks -file issued-certificate.cer
Example:
user@host:~/SCA/services/pxgrid$ keytool -import -alias pxGridSLNClient -keystore ./certificates/pxGridClient.jks -file pxGridClient.cer
Enter keystore password: pxgrid-keystore-password
...
Trust this certificate? [no]: yes

Step 4: Convert the isemnt.pem certificate file to DER format.
Command: openssl x509 -outform der -in isemnt.pem -out isemnt.der
Example:
user@host:~/SCA/services/pxgrid$ openssl x509 -outform der -in isemnt.pem -out isemnt.der

Step 5: Import the isemnt.der ISE identity certificate into the root3.jks Learning Network License controller trusted keystore.
Command: keytool -import -alias isemnt -keystore ./certificates/root3.jks -file isemnt.der, then enter and verify a pxgrid-truststore-password, then yes to trust the certificate
Example:
user@host:~/SCA/services/pxgrid$ keytool -import -alias isemnt -keystore ./certificates/root3.jks -file isemnt.der
Enter keystore password: pxgrid-truststore-password
Re-enter new password: pxgrid-truststore-password
...
Trust this certificate? [no]: yes

Step 6: Convert other ISE identity certificate files to DER format, then import them into the root3.jks Learning Network License controller trusted keystore.
Command: Repeat the previous 2 steps for any remaining ISE identity certificates.

Step 7: Import the ca_root.cer root CA certificate into the root3.jks Learning Network License controller trusted keystore.
Command: keytool -import -alias ca_root1 -keystore ./certificates/root3.jks -file ca_root.cer, then yes to trust the certificate
Example:
user@host:~/SCA/services/pxgrid$ keytool -import -alias ca_root1 -keystore ./certificates/root3.jks -file ca_root.cer
Enter keystore password: pxgrid-truststore-password
...
Trust this certificate? [no]: yes

What to Do Next

• Configure the pxGrid properties, as described in the next section.

pxGrid Properties Configuration

After you add certificates to keystores on the controller, configure the pxGrid properties file to allow the controller to trust the certificates, and log into the ISE server to retrieve user identity information.


pxGrid Properties Table

Table 32: pxGrid Properties Table

Property: PXGRID_HOSTNAMES
Description: The ISE server IP address to connect to.
Enter: an IPv4 address

Property: PXGRID_USERNAME
Description: The username the controller uses to contact the ISE server.
Enter: an ISE server username

Property: PXGRID_DESCRIPTION
Description: The description associated with the username, visible on the ISE server.
Enter: SLNpxGridClient (do not modify)

Property: PXGRID_KEYSTORE_FILENAME
Description: The controller pxGrid client identity keystore location.
Enter: ./certificates/pxGridClient.jks or the filename and filepath where you created the keystore

Property: PXGRID_KEYSTORE_PASSWORD
Description: The controller pxGrid client identity keystore password.
Enter: the keystore pxgrid-keystore-password

Property: PXGRID_TRUSTSTORE_FILENAME
Description: The Learning Network License controller pxGrid trusted keystore location.
Enter: ./certificates/root3.jks or the filename and filepath where you created the trust store

Property: PXGRID_TRUSTSTORE_PASSWORD
Description: The Learning Network License controller pxGrid trusted keystore password.
Enter: the trusted keystore pxgrid-truststore-password

Property: PXGRID_APP_PORT
Description: Port used by the controller to internally connect to the controller pxGrid client.
Enter: 7072 (do not modify)

Configuring pxGrid

Before You Begin

• Log into the controller VM console from the ESXi hypervisor.


SUMMARY STEPS

1. cd SCA/services/pxgrid

2. sudo vi app.properties, then enter your administrator password when prompted.

3. Update the pxGrid properties in the app.properties file.

4. Press Esc, then enter :wq! and press Enter.

DETAILED STEPS

Step 1: Navigate to the pxgrid directory.
Command: cd SCA/services/pxgrid
Example:
user@host:~$ cd SCA/services/pxgrid

Step 2: Edit the app.properties file with super user privileges.
Command: sudo vi app.properties, then enter your administrator password when prompted.
Example:
user@host:~/SCA/services/pxgrid$ sudo vi app.properties

Step 3: Update the pxGrid properties in the app.properties file. Update PXGRID_HOSTNAMES with the ISE server IP address. Update PXGRID_USERNAME with a username the controller uses to log into the ISE server. Update PXGRID_KEYSTORE_FILENAME with the keystore location. Update PXGRID_KEYSTORE_PASSWORD with the pxgrid-keystore-password. Update PXGRID_TRUSTSTORE_FILENAME with the trusted keystore location. Update PXGRID_TRUSTSTORE_PASSWORD with the pxgrid-truststore-password.
Example:
PXGRID_HOSTNAMES=192.0.2.2
PXGRID_USERNAME=<username>
PXGRID_DESCRIPTION=sln_pxgrid_client
PXGRID_KEYSTORE_FILENAME=./certificates/pxGridClient.jks
PXGRID_KEYSTORE_PASSWORD=pxgrid-keystore-password
PXGRID_TRUSTSTORE_FILENAME=./certificates/root3.jks
PXGRID_TRUSTSTORE_PASSWORD=pxgrid-truststore-password
PXGRID_APP_PORT=7072

Step 4: Save your changes and exit vi.
Command: Press Esc, then enter :wq! and press Enter.
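The same app.properties file is edited twice in this chapter, once for the demo and once for the real ISE integration, and a half-edited file is only noticed after the controller processes restart. The following pre-flight check is an added example, not code from the guide or the controller: it parses the file and reports empty required properties, the <username> placeholder left in place, a PXGRID_HOSTNAMES value that is not an IPv4 address, a changed PXGRID_APP_PORT, a demo flag left on in a production configuration, and (when a base directory is given) keystore paths that do not exist. The property names and the fixed port 7072 come from the guide; the rules, function names and the sample file contents are this example's own.

```python
"""Pre-flight check of the pxGrid app.properties file before restarting the
controller processes. Added example code, not part of the Learning Network
License controller; the sample property files below are constructed."""

import ipaddress
import os
import sys

# Properties Table 32 requires for a real ISE integration.
REQUIRED = (
    "PXGRID_HOSTNAMES", "PXGRID_USERNAME", "PXGRID_DESCRIPTION",
    "PXGRID_KEYSTORE_FILENAME", "PXGRID_KEYSTORE_PASSWORD",
    "PXGRID_TRUSTSTORE_FILENAME", "PXGRID_TRUSTSTORE_PASSWORD",
    "PXGRID_APP_PORT",
)
# Properties the demo configuration in this chapter sets (assumption: the
# demo needs nothing beyond what the guide's demo example fills in).
DEMO_REQUIRED = ("PXGRID_DESCRIPTION", "PXGRID_APP_PORT",
                 "PXGRID_DEMOFILENAME_IN", "PXGRID_DEMOIP")
STORE_KEYS = ("PXGRID_KEYSTORE_FILENAME", "PXGRID_TRUSTSTORE_FILENAME")


def parse_properties(text: str) -> dict:
    """Parse key=value lines; blank lines and #/! comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:  # lines without '=' carry no property and are ignored
            props[key.strip()] = value.strip()
    return props


def validate_pxgrid(props: dict, demo_expected: bool = False,
                    base_dir: str = None) -> list:
    """Return a list of problems; an empty list means the file is ready."""
    problems = []
    for key in (DEMO_REQUIRED if demo_expected else REQUIRED):
        if not props.get(key):
            problems.append(f"{key} is empty or missing")
    for key, value in props.items():
        if value.startswith("<") and value.endswith(">"):
            problems.append(f"{key} still holds the placeholder {value}")
    host = props.get("PXGRID_HOSTNAMES", "")
    if host:
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            problems.append(f"PXGRID_HOSTNAMES must be an IPv4 address, got {host!r}")
    port = props.get("PXGRID_APP_PORT", "")
    if port and port != "7072":
        problems.append(f"PXGRID_APP_PORT must stay 7072, got {port!r}")
    demo_on = props.get("PXGRID_DEMOIP", "").lower() == "true"
    if demo_on and not demo_expected:
        problems.append("PXGRID_DEMOIP=true leaves the ISE pxGrid demo enabled")
    if demo_expected and not demo_on:
        problems.append("demo configuration expected but PXGRID_DEMOIP is not true")
    if base_dir:  # keystore paths are relative to SCA/services/pxgrid
        for key in STORE_KEYS:
            path = props.get(key)
            if path and not os.path.isfile(os.path.join(base_dir, path)):
                problems.append(f"{key} points to a missing file: {path}")
    return problems


# Constructed sample files. SAMPLE_OK follows the guide's production example,
# SAMPLE_DEMO its demo example, SAMPLE_BAD is a half-edited production file.
SAMPLE_OK = """\
PXGRID_HOSTNAMES=192.0.2.2
PXGRID_USERNAME=sln_pxgrid
PXGRID_DESCRIPTION=sln_pxgrid_client
PXGRID_KEYSTORE_FILENAME=./certificates/pxGridClient.jks
PXGRID_KEYSTORE_PASSWORD=pxgrid-keystore-password
PXGRID_TRUSTSTORE_FILENAME=./certificates/root3.jks
PXGRID_TRUSTSTORE_PASSWORD=pxgrid-truststore-password
PXGRID_APP_PORT=7072
"""
SAMPLE_DEMO = """\
PXGRID_HOSTNAMES=
PXGRID_USERNAME=
PXGRID_DESCRIPTION=sln_pxgrid_client
PXGRID_KEYSTORE_FILENAME=
PXGRID_KEYSTORE_PASSWORD=
PXGRID_TRUSTSTORE_FILENAME=
PXGRID_TRUSTSTORE_PASSWORD=
PXGRID_APP_PORT=7072
PXGRID_DEMOFILENAME_IN=./conf/pxgrid_demo.csv
PXGRID_DEMOIP=true
"""
SAMPLE_BAD = """\
# ISE host given by name, placeholder left in, password empty, demo still on
PXGRID_HOSTNAMES=ise.example.net
PXGRID_USERNAME=<username>
PXGRID_DESCRIPTION=sln_pxgrid_client
PXGRID_KEYSTORE_FILENAME=./certificates/pxGridClient.jks
PXGRID_KEYSTORE_PASSWORD=
PXGRID_TRUSTSTORE_FILENAME=./certificates/root3.jks
PXGRID_TRUSTSTORE_PASSWORD=pxgrid-truststore-password
PXGRID_APP_PORT=7072
PXGRID_DEMOFILENAME_IN=./conf/pxgrid_demo.csv
PXGRID_DEMOIP=true
"""

if __name__ == "__main__":
    # Usage (hypothetical file name): python3 check_pxgrid.py app.properties
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_BAD
    base = os.path.dirname(os.path.abspath(path)) if path else None
    for problem in validate_pxgrid(parse_properties(text), base_dir=base) or ["OK"]:
        print(problem)
```

Pass demo_expected=True when checking the file after the "Configuring an ISE pxGrid Demo" procedure and leave it False after "Configuring pxGrid"; the base_dir argument is what turns a typo in a keystore path into an error before the restart rather than after it.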

pxGrid Activation

After you configure the pxGrid properties, update the controller configuration file to enable pxGrid integration, then restart the controller processes.

Activating pxGrid Integration

Before You Begin

• Log into the controller VM console.


SUMMARY STEPS

1. cd SCA

2. sudo vi sca.conf, then enter your password when prompted

3. Update the ise enabled setting to true.

4. Press Esc, then enter :wq! and press Enter.

DETAILED STEPS

Step 1: Change the directory.
Command: cd SCA
Example:
user@host:~$ cd SCA

Step 2: Open the sca.conf file in vi as a super user.
Command: sudo vi sca.conf, then enter your password when prompted
Example:
user@host:~/SCA$ sudo vi sca.conf

Step 3: Enable pxGrid integration.
Command: Update the ise enabled setting to true.
Example:
modules {
  ise {
    enabled = true
  }
}

Step 4: Save your changes and exit vi.
Command: Press Esc, then enter :wq! and press Enter.

What to Do Next

• Restart the controller processes, as described in the next section.

Restarting Controller Processes

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. cd ~/SCA

2. sudo ./sca.sh restart


DETAILED STEPS

Step 1: Change to the /SCA directory.
Command: cd ~/SCA
Example:
user@host:~$ cd ~/SCA

Step 2: Restart the controller processes.
Command: sudo ./sca.sh restart
Example:
user@host:~/SCA$ sudo ./sca.sh restart

ISE Server Settings Update

After you activate pxGrid integration, log into your ISE server. Approve the registration for the SLNpxGridClient client if it is in a pending state, then assign SLNpxGridClient to the Session group. See http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html for more information on approving a client's registration, and https://communities.cisco.com/docs/DOC-68291 for more information on updating the group membership.

Controller Process Restart

After you update the SLNpxGridClient client group membership in ISE, restart the controller's processes again. See Restarting Controller Processes, on page 116 for more information.


A P P E N D I X C

Controller Database Cleanup

The following describes the controller database cleanup process.

• Controller Database Cleanup, page 119

Controller Database Cleanup

The controller runs a cleanup script daily against the PostgreSQL database, log files, and stored PCAP files, to make disk space available, and in cases of larger disk space usage, to reclaim disk space for the controller.

The actions the script takes depend on disk usage. If less than 75% of available disk space is used, the cleanup script:

• Saves table data based on the following retention times, and marks rows outside these retention times as deleted:

◦ up to 180 days' worth of anomaly event and related IP information, including DNS queries, Talos threat intelligence, geolocation, and the like, if those anomalies are presented in the controller web UI

◦ up to 30 days' worth of unpulled anomaly event and related IP information, including DNS queries, Talos threat intelligence, geolocation, and the like, if those anomalies are not presented to end users

◦ up to 180 days' worth of events displayed in the anomaly inbox

◦ up to 30 days' worth of user authentication and login data, and associated logs

◦ up to 7 days' worth of agent-related files for warm starts

◦ up to 7 days' worth of various statistics and agent status

• Creates a database backup at ~/SCA/backups (without the statistics, agent status, stored PCAP files, or the sca.conf configuration file), and deletes backups older than the 15 most recent

• Rotates the controller's log files, and deletes logs older than 15 days

• Deletes saved PCAP files for anomalies presented in the controller web UI that are older than 180 days

• Deletes saved PCAP files for anomalies that are not presented to end users and older than 30 days


Note: Rows marked as deleted can be reused after the PostgreSQL autovacuum daemon runs VACUUM on the tables.

If disk usage is between 75% and 89%, the cleanup script takes the above steps, but also runs VACUUM on the tables.

If disk usage is at or above 90%, the cleanup script takes the following steps on a first pass:

• Saves table data based on the same retention times as if under 75% of available disk space is used, and marks rows outside those retention times as deleted

• Runs VACUUM FULL on the database tables, which frees the rows marked as deleted and reclaims the disk space for the controller

• Creates a database backup, without the statistics and agent status, at ~/SCA/backups, and deletes backups older than the 3 most recent

• Rotates the controller's log files, and deletes logs older than 3 days

After the first pass, the cleanup script checks the disk space. If over 90% of disk space is still used, the cleanup script:

• Runs TRUNCATE on the statistics table, emptying it

• Runs VACUUM FULL on the database tables again

• Saves only the most recent database backup at ~/SCA/backups

Note: If the controller disk space usage remains over 90% after the cleanup script runs, then the controller service shuts down. If this happens, determine which files are using the most space. Clear log files from the controller to free disk space. If disk space usage still remains over 90%, add more disk space. See Controller Virtual Hard Disk Storage, on page 26 for more information on increasing the available disk space.

Controller Database Cleanup Notes

• Consider backing up files on external storage. Database backups are stored in ~/SCA/backups. PCAP files are stored in ~/SCA/pbc. The controller configuration is stored in ~/SCA/sca.conf.

• Database backups do not include statistics. If you restore a controller database using a database backup, the dashboard will not display graph information or clusters for a period. Wait for the controller to gather more statistics to populate the dashboard.

Checking Disk Usage

If controller disk space usage exceeds 90%, and the cleanup script cannot reduce this below 90%, the controller shuts down. Check the disk usage of various system components to determine the areas of highest usage, then prune files in those areas.


Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. du -chs /opt/cisco/sln/sca

2. du -chs /opt/cisco/sln/viz

3. sudo du -chs /var/lib/postgresql, then enter your password when prompted

4. sudo du -chs /var/log, then enter your password when prompted

DETAILED STEPS

Step 1: Check disk usage in the /sca folder, for controller-related components.
Command: du -chs /opt/cisco/sln/sca
Example:
user@host:~$ du -chs /opt/cisco/sln/sca

Step 2: Check disk usage in the /viz folder, for controller web UI-related components.
Command: du -chs /opt/cisco/sln/viz
Example:
user@host:~$ du -chs /opt/cisco/sln/viz

Step 3: Check disk usage in the /postgresql folder, for database-related components.
Command: sudo du -chs /var/lib/postgresql, then enter your password when prompted
Example:
user@host:~$ sudo du -chs /var/lib/postgresql

Step 4: Check disk usage in the /log folder, for log files.
Command: sudo du -chs /var/log, then enter your password when prompted
Example:
user@host:~$ sudo du -chs /var/log

What to Do Next

• Based on disk usage, prune backups and logs as necessary.


A P P E N D I X D

Database Backup Restore

The following describes how to restore the controller database after a failed upgrade, and reinstall the upgrade.

• Database Backup Restore, page 123

Database Backup Restore

If a controller upgrade fails, you can uninstall the upgrade, restore the controller database from a saved backup, and reinstall the upgrade.

Note: The database backup restore only restores database information. You must back up PCAP files and the controller configuration separately, then reupload them after the database backup restore is complete. PCAP files are stored in ~/SCA/pbc. The controller configuration is stored in ~/SCA/sca.conf.

Reinstalling Failed Upgrade Packages

If your controller upgrade fails, you can uninstall the Debian packages, clear the controller database, then reinstall them.

Before You Begin

• Log into the controller VM console


SUMMARY STEPS

1. cd ~/SCA

2. sudo service ciscosln-sca stop

3. ./sca.sh clean

4. dpkg -l 'ciscosln*'

5. sudo dpkg --purge ciscosln-setup-scripts ciscosln-install-upgrade ciscosln-sca ciscosln-viz, then enter your password when prompted

6. dpkg -l 'ciscosln*'

7. cd /opt/cisco/sln/install_upgrade/sca, if you created this directory and stored the Debian upgrade packages here, or change to the directory that contains the Debian upgrade packages

8. sudo dpkg -i *

9. dpkg -l 'ciscosln*'

DETAILED STEPS

Step 1: Change to the ~/SCA directory.
Command: cd ~/SCA
Example:
user@host:~$ cd ~/SCA

Step 2: Stop the controller service.
Command: sudo service ciscosln-sca stop
Example:
user@host:~/SCA$ sudo service ciscosln-sca stop

Step 3: Clear the logs and the database.
Command: ./sca.sh clean
Example:
user@host:~/SCA$ ./sca.sh clean

Step 4: List all installed Debian packages that start with ciscosln. Ensure that you see ciscosln-setup-scripts, ciscosln-install-upgrade, ciscosln-sca, and ciscosln-viz.
Command: dpkg -l 'ciscosln*'
Example:
user@host:~/SCA$ dpkg -l 'ciscosln*'

Step 5: Remove the ciscosln-setup-scripts, ciscosln-install-upgrade, ciscosln-sca, and ciscosln-viz Debian packages.
Command: sudo dpkg --purge ciscosln-setup-scripts ciscosln-install-upgrade ciscosln-sca ciscosln-viz, then enter your password when prompted
Example:
user@host:~/SCA$ sudo dpkg --purge ciscosln-setup-scripts ciscosln-install-upgrade ciscosln-sca ciscosln-viz

Step 6: List all installed Debian packages that start with ciscosln. Ensure that you see no results.
Command: dpkg -l 'ciscosln*'
Example:
user@host:~/SCA$ dpkg -l 'ciscosln*'

Step 7: Change to the directory containing the Debian upgrade packages.
Command: cd /opt/cisco/sln/install_upgrade/sca, if you created this directory and stored the Debian upgrade packages here, or change to the directory that contains the Debian upgrade packages
Example:
user@host:~/SCA$ cd /opt/cisco/sln/install_upgrade/sca

Step 8: Install all Debian packages in the directory.
Command: sudo dpkg -i *
Example:
user@host:/opt/cisco/sln/install_upgrade/sca$ sudo dpkg -i *

Step 9: List all installed Debian packages that start with ciscosln. Ensure that you see ciscosln-setup-scripts, ciscosln-install-upgrade, ciscosln-sca, and ciscosln-viz.
Command: dpkg -l 'ciscosln*'
Example:
user@host:~/SCA$ dpkg -l 'ciscosln*'

What to Do Next

• Restore the database from a backup, as described in the next section.

Restoring a Database from a Backup

After reinstalling the failed upgrade packages, clear the database, restore a backup, upgrade the database, and restart the controller. Optionally, reset the admin administrator user password if your database backup is an older backup, as your passwords may expire upon restore.

Before You Begin

• Log into the controller VM console

• Note the file name of the database backup you want to restore, located at ~/SCA/backups.


SUMMARY STEPS

1. cd ~/SCA

2. sudo service ciscosln-sca stop

3. ./sca.sh clean

4. ./sca.sh restore backups/sln-db-<date>.sql.gz

5. ./sca.sh dbupgrade

6. ./sca.sh reset-admin-password to reset the admin password, if your restored database backup is an older backup

7. sudo service ciscosln-sca start

DETAILED STEPS

Step 1: Change to the ~/SCA directory.
Command: cd ~/SCA
Example:
user@host:~$ cd ~/SCA

Step 2: Stop the controller service.
Command: sudo service ciscosln-sca stop
Example:
user@host:~/SCA$ sudo service ciscosln-sca stop

Step 3: Clear the logs and the database.
Command: ./sca.sh clean
Example:
user@host:~/SCA$ ./sca.sh clean

Step 4: Restore the database backup.
Command: ./sca.sh restore backups/sln-db-<date>.sql.gz
Example:
user@host:~/SCA$ ./sca.sh restore backups/sln-db-2016-10-10-120000.sql.gz

Step 5: Upgrade the database schema for the installed version.
Command: ./sca.sh dbupgrade
Example:
user@host:~/SCA$ ./sca.sh dbupgrade

Step 6: Reset the admin administrator user account password.
Command: ./sca.sh reset-admin-password to reset the admin password, if your restored database backup is an older backup
Example:
user@host:~/SCA$ ./sca.sh reset-admin-password

Step 7: Start the controller service.
Command: sudo service ciscosln-sca start
Example:
user@host:~/SCA$ sudo service ciscosln-sca start


APPENDIX E

Additional Controller Configuration

The following describes the controller sca.conf configuration file.

• Additional Controller Configuration, page 129

Additional Controller Configuration

You can configure the sca.conf configuration file, located on the controller at ~/SCA, beyond what is required for installation and external system integration, to further customize your deployment. The sample_sca.conf file, also at ~/SCA, contains example settings most useful to users. These include:

• HTTP server configuration

• user session timeout settings

• database configuration

• agent public key certificate management settings

• logging configuration

• agent polling frequency

• external system integration settings

Before making changes to the sca.conf file, make a backup of your existing file. Roll back to the backup if there are issues.

Note: After you save your changes, you must restart the controller's processes for the changes to take effect. See Restarting the Controller Processes, on page 130 for more information.


Restarting the Controller Processes

SUMMARY STEPS

1. cd ~/SCA

2. sudo service ciscosln-sca restart

DETAILED STEPS

Step 1
Command or Action: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example: user@host:~$ cd ~/SCA

Step 2
Command or Action: sudo service ciscosln-sca restart
Purpose: Restart the controller processes.
Example: user@host:~/SCA$ sudo service ciscosln-sca restart


APPENDIX F

NetFlow Configuration Overview

The following describes the Flexible NetFlow configuration performed by the installation_auto.py install script.

• NetFlow Configuration, page 131

NetFlow Configuration

To capture information about traffic traversing your network, as you deploy agents to your network, the system configures the following Flexible NetFlow components in order:

• SLN-NF-RECORD - a NetFlow flow record which defines key fields to match traffic, and non-key fields to collect

• SLN-NF-EXPORTER - a NetFlow flow exporter that references the agent Management and Control IP address to send NetFlow data to the agent

• SLN-NF-MONITOR - a NetFlow flow monitor that references SLN-NF-RECORD to monitor input and output traffic coming over configured branch interfaces, and forwards it to SLN-NF-EXPORTER


The following diagram illustrates NetFlow operation on the ISR.

Figure 8: NetFlow Operation on the ISR

As input and output traffic passes over the branch facing interfaces, the SLN-NF-MONITOR flow monitor, referencing the SLN-NF-RECORD flow record, monitors the traffic for the key fields. It collects the non-key fields defined in the flow record. The flow monitor sends the flow record to the SLN-NF-EXPORTER flow exporter, which then sends it to the configured virtual service eth0 Management and Control IP address.

NetFlow Configuration Fields

Flow Record

The following describes the fields configured for the SLN-NF-RECORD flow record.

Table 33: SLN-NF-RECORD Flow Record Fields

match ipv4 protocol
    Configures the flow protocol as a key field to match on.

match ipv4 source address
    Configures the flow source IPv4 address as a key field to match on.

match ipv4 destination address
    Configures the flow destination IPv4 address as a key field to match on.

match transport source-port
    Configures the flow source port as a key field to match on.

match transport destination-port
    Configures the flow destination port as a key field to match on.

collect datalink mac source address input
    Configures the source MAC address received on an input interface as a nonkey field to collect.

collect datalink mac destination address output
    Configures the destination MAC address transmitted on an output interface as a nonkey field to collect.

collect transport tcp flags
    Configures the TCP flags as a nonkey field to collect.

collect interface input
    Configures the router interfaces on which a packet entered the router as a nonkey field to collect.

collect interface output
    Configures the router interfaces on which a packet exited the router as a nonkey field to collect.

collect flow direction
    Configures the flow direction as a nonkey field to collect.

collect counter bytes
    Configures the total number of bytes in the flow as a nonkey field to collect.

collect counter packets
    Configures the total number of packets in the flow as a nonkey field to collect.

collect timestamp sys-uptime first
    Configures the first time the system saw a packet in a flow as a nonkey field to collect.

collect timestamp sys-uptime last
    Configures the last time the system saw a packet in a flow as a nonkey field to collect.

collect application name
    Configures the name of the application used in the flow as a nonkey field to collect.

collect routing forwarding-status
    Configures the packet forwarding status as a nonkey field to collect.


Flow Exporter

The following describes the fields configured for the SLN-NF-EXPORTER flow exporter.

Table 34: SLN-NF-EXPORTER Flow Exporter Fields

destination <dla-ip-address>
    Configures the IP address to which the exporter will send flow records.

transport udp 6666
    Configures the UDP port on which the destination host listens for UDP traffic.

template data timeout 60
    Configures sending the flow record template every 300 seconds.

Flow Monitor

The following describes the fields configured for the SLN-NF-MONITOR flow monitor.

Table 35: SLN-NF-MONITOR Flow Monitor Fields

exporter SLN-NF-EXPORTER
    Associates the monitor with the SLN-NF-EXPORTER flow exporter you created.

cache timeout active 60
    Configures the cache timeout for active flows at 60 seconds.

cache entries 512000
    Configures the cache to store a maximum of 512000 flows.

record SLN-NF-RECORD
    Associates the monitor with the SLN-NF-RECORD flow record you created.
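To make the key/non-key distinction of Tables 33 to 35 concrete, the following is an added Python model (not Cisco code and not what installation_auto.py configures) of how a flow monitor aggregates packets into flow records keyed on the five match fields, accumulates the collected counters, flags and timestamps, and exports on the 60-second active timeout. The packet values and interface names are constructed, MAC, direction, application and forwarding-status fields are left out, and the cache-full policy is a simplification.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The five 'match' fields of Table 33 form the flow key.
FlowKey = Tuple[int, str, str, int, int]  # protocol, src ip, dst ip, src port, dst port


@dataclass
class Packet:
    """Constructed packet summary, as seen on a branch interface."""
    ts: float               # router sys-uptime, seconds
    proto: int
    src: str
    dst: str
    sport: int
    dport: int
    length: int
    tcp_flags: int = 0
    input_if: str = "Gi0/0"    # assumed interface names
    output_if: str = "Gi0/1"


@dataclass
class FlowEntry:
    """Subset of the non-key 'collect' fields of Table 33, aggregated per flow."""
    key: FlowKey
    input_if: str             # collect interface input
    output_if: str            # collect interface output
    first: float              # collect timestamp sys-uptime first
    last: float               # collect timestamp sys-uptime last
    bytes: int = 0            # collect counter bytes
    packets: int = 0          # collect counter packets
    tcp_flags: int = 0        # collect transport tcp flags (OR of all flags seen)


class FlowMonitor:
    """Models SLN-NF-MONITOR: 'cache timeout active 60' and 'cache entries 512000'."""

    def __init__(self, active_timeout: float = 60.0, max_entries: int = 512000):
        self.active_timeout = active_timeout
        self.max_entries = max_entries
        self.cache: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[FlowEntry] = []   # records handed to SLN-NF-EXPORTER
        self.dropped = 0   # packets that found the cache full (simplified policy)

    @staticmethod
    def key_of(p: Packet) -> FlowKey:
        # MACs, interfaces, flags, counters and timestamps are collected, never matched on.
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    def observe(self, p: Packet) -> None:
        self.expire(p.ts)
        k = self.key_of(p)
        e = self.cache.get(k)
        if e is None:
            if len(self.cache) >= self.max_entries:
                self.dropped += 1   # the real cache behaves differently; kept simple here
                return
            e = FlowEntry(k, p.input_if, p.output_if, first=p.ts, last=p.ts)
            self.cache[k] = e
        e.bytes += p.length
        e.packets += 1
        e.tcp_flags |= p.tcp_flags
        e.last = p.ts

    def expire(self, now: float) -> List[FlowEntry]:
        """Active timeout: a long-lived flow is exported every 60 s while it is
        still running, so the agent does not have to wait for it to end."""
        due = [e for e in self.cache.values() if now - e.first >= self.active_timeout]
        for e in due:
            self.exported.append(self.cache.pop(e.key))
        return due

    def flush(self) -> List[FlowEntry]:
        """Export everything still cached (for example at shutdown)."""
        rest = list(self.cache.values())
        self.exported.extend(rest)
        self.cache.clear()
        return rest


def demo() -> FlowMonitor:
    """Constructed traffic: one TCP session spanning 65 s plus one DNS query."""
    mon = FlowMonitor()
    for p in [
        Packet(0.0, 6, "10.1.1.10", "192.0.2.5", 51234, 443, 60, tcp_flags=0x02),    # SYN
        Packet(0.5, 6, "10.1.1.10", "192.0.2.5", 51234, 443, 1400, tcp_flags=0x18),  # PSH|ACK
        Packet(1.0, 17, "10.1.1.10", "10.1.1.1", 40000, 53, 80),                     # DNS
        Packet(65.0, 6, "10.1.1.10", "192.0.2.5", 51234, 443, 52, tcp_flags=0x11),   # FIN|ACK
    ]:
        mon.observe(p)
    return mon


if __name__ == "__main__":
    m = demo()
    for e in m.exported:
        print("exported", e)
```

Running it shows the TCP session exported once by the active timeout before its FIN arrives, which is why the agent can see a single long flow as several records.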


APPENDIX G

Troubleshooting

The following describes the most common troubleshooting scenarios.

• Time Synchronization, page 135

• Initial Anomaly Display Issues, page 135

• Maximum Managed Agents, page 136

• Disabled Functionality, page 136

• Controller Administrator Password Reset, page 136

• Performance Issues, page 137

• Certificate Fingerprint Retrieval, page 137

• Connectivity Issues, page 139

• Agent Status Messages, page 139

Time Synchronization

Your controller, agents, and Network Elements should all reference the same NTP servers for proper time synchronization, and to report anomalies correctly.

If you deploy your agents to a UCS E-Series blade server, you must configure NTP on each agent.

If you do not configure NTP servers on an agent deployed as a virtual service, configure them on your Network Elements, as the agents pull time from the host Network Element.

Initial Anomaly Display Issues

If you have installed the Learning Network License system and you do not see any reported anomalies, wait for seven days. The system requires an initial learning phase to create a baseline model of your network traffic and identify anomalies. Note that during this initial learning phase, the system may start reporting anomalies. Because the baseline is not yet complete, these anomalies may not be of interest or relevant to you.


Maximum Managed Agents

If you have not registered your controller with Smart Licensing, you are in Evaluation Mode, and limited to managing 10 agents with that controller. Register the controller with Smart Licensing before the 90-day Evaluation Mode expires to remove the limit.

Disabled Functionality

If the system no longer detects or reports new anomalies, or you can no longer create mitigations, or modify existing mitigations, system registration is expired. If the 90-day Evaluation Mode elapsed, make sure you have the proper license entitlements, and register your controller with the Licensing Authority. Otherwise, if your controller has not communicated with the Licensing Authority in more than 90 days, manually renew your registration with the Licensing Authority.

Controller Administrator Password Reset

If you forget the admin user account's password for the controller web UI, you can reset it from the controller CLI. When you reset the password, the system prints a randomly generated password to the console. This new password is valid for 3 days, by default. When you next log in to the controller web UI as admin, the system prompts you to change the password.

You must have access to the ~/SCA/sca.sh script to reset the password.

Resetting the Controller Administrator Password

Before You Begin

• Log into the controller VM as a user with access to the ~/SCA/sca.sh script.

SUMMARY STEPS

1. cd ~/SCA

2. sudo service ciscosln-sca stop, then enter your password when prompted

3. ./sca.sh reset-admin-password

4. sudo service ciscosln-sca start

DETAILED STEPS

Step 1
Command or Action: cd ~/SCA
Purpose: Change directories to ~/SCA.
Example: user@host:~$ cd ~/SCA

Step 2
Command or Action: sudo service ciscosln-sca stop, then enter your password when prompted
Purpose: Stop the controller processes.
Example: user@host:~/SCA$ sudo service ciscosln-sca stop

Step 3
Command or Action: ./sca.sh reset-admin-password
Purpose: Reset the admin user account's password.
Example:
user@host:~/SCA$ ./sca.sh reset-admin-password
user@host:~/SCA$ Resetting the admin password in sln
user@host:~/SCA$ New password is 'AbCd1234'
user@host:~/SCA$ Admin password reset done.

Step 4
Command or Action: sudo service ciscosln-sca start
Purpose: Start the controller processes.
Example: user@host:~/SCA$ sudo service ciscosln-sca start

What to Do Next

• Log into the controller web UI as admin, then update the password.

Performance Issues

If you are having performance issues, remember that there are several factors that affect your virtual appliances. See System Performance, on page 4 for a list of factors that may affect your performance. To monitor ESXi host performance, you can use your vSphere Client and the information found under the Performance tab.

Certificate Fingerprint Retrieval

To help troubleshoot public key certificate issues, you can retrieve stored certificate fingerprints from the controller VM console, controller web UI, and agent VM console.

Viewing a Controller Client Certificate Fingerprint from the Agent

Before You Begin

• Log into the agent VM console.


DETAILED STEPS

Step 1
Command or Action: cat DLA/certificates/authorized_cert
Purpose: View the stored controller client certificate SHA256 fingerprint in the console.
Example: user@host:~$ cat DLA/certificates/authorized_cert

Viewing a Controller Client Certificate Fingerprint from the Controller

Before You Begin

• Log into the controller VM console.

DETAILED STEPS

Step 1
Command or Action: keytool -v -list -storepass <password> -keystore SCA/keystore.jks | egrep "Alias|SHA256"
Purpose: View the stored controller client certificate SHA256 fingerprint in the console.
Example: user@host:~$ keytool -v -list -storepass sln123 -keystore SCA/keystore.jks | egrep "Alias|SHA256"

Viewing an Agent Server Certificate Fingerprint from the Agent

Before You Begin

• Log into the agent VM console.

DETAILED STEPS

Step 1
Command or Action: openssl x509 -in DLA/certificates/server.pem -noout -fingerprint -sha256
Purpose: View the stored agent server certificate SHA256 fingerprint in the console.
Example: user@host:~$ openssl x509 -in DLA/certificates/server.pem -noout -fingerprint -sha256


Viewing an Agent Server Certificate Fingerprint from the Controller Web UI

Before You Begin

• Log into the controller web UI.

Step 1 Click AGENTS.

Step 2 Click Certificate next to an agent.

Connectivity Issues

You can view and confirm connectivity for management and sensing interfaces using VMware vSphere Client.

If a firewall or other security appliance sits between the controller and agents, or between the user and the controller, ensure that certain communication ports are open. See Communication Ports, on page 17 for more information.

Confirming Interface Connectivity

Step 1 Right-click the name of the virtual appliance in vSphere Client and select Edit Settings.

Step 2 Select Network adapter 1 in the Hardware list and make sure the Connect at power on check box is selected.

Step 3 Repeat step 2 for each remaining network adapter.

Agent Status Messages

The following lists the various agent status codes and messages that the system logs during agent configuration in the controller web UI, as well as recommended steps to resolve the error. You can also view the agent log file at LOG/DLC.log to determine which error occurred, and resolve the issue.

Status Code: 2000

• Status Message - Agent Not Responding


• Description - The controller tried to establish a connection with the agent, and did not receive a response, possibly because the agent is down or unreachable.

• Recommended Resolution - From the controller VM console, ping the agent by IP address and hostname to verify the controller can reach the agent. If you do not receive a response, check your network deployment settings.

Before You Begin

• Log into the controller VM console

SUMMARY STEPS

1. ping <agent-IP-address> -c 5

2. ping <agent-hostname> -c 5

DETAILED STEPS

Step 1
Command or Action: ping <agent-IP-address> -c 5
Purpose: Send five packets to the agent's IP address and receive a response for each packet.
Example: user@host:~$ ping <agent-IP-address> -c 5

Step 2
Command or Action: ping <agent-hostname> -c 5
Purpose: Send five packets to the agent's host name and receive a response for each packet.
Example: user@host:~$ ping <agent-hostname> -c 5

Status Code: 2001

• Status Message - Agent Certificate Rejected

• Description - The controller rejected the agent certificate, possibly for one of the following reasons:

◦The agent certificate does not match the certificate fingerprint pinned in the controller web UI.

◦The agent certificate is self-signed, and the system is not configured to support self-signed certificates.

◦The agent certificate is not self-signed, and a CA or root certificate in the chain of trust is missing from the controller's truststore.

◦The certificate is expired.

• Recommended Resolution - Take the following actions:


◦If you recently upgraded the agent, generate an agent certificate fingerprint, and upload it to the controller web UI. See Uploading an Agent Certificate Fingerprint, on page 141 for more information.

◦If your certificate is self-signed, enable support for self-signed certificates. See Enabling Support for Self-Signed Certificates, on page 143 for more information.

◦If your certificate is not self-signed, verify the truststore contains the necessary root and CA certificates.

◦If your certificate is expired, renew your certificate.

Uploading an Agent Certificate Fingerprint

SUMMARY STEPS

1. Log into the agent virtual service console.

2. 4) Certificate and trust management

3. 6) Export DLA certificate

4. 1) Export to remote system, then hostname, then username, then ~/SCA/filename, then password

5. 11) Exit

6. Log into the controller VM console.

7. cd ~/SCA

8. openssl x509 -in <dla-filename>.pem -noout -fingerprint -sha256

9. Copy the fingerprint into a text editor.

10. Log into the controller web UI.

11. Click AGENTS.

12. Click Certificate next to an agent.

13. Delete the Hash value and enter your new certificate fingerprint hash.

14. Check the Check to overwrite the active certificate check box to overwrite the existing pinned certificate fingerprint.

15. Click Pin certificate.

DETAILED STEPS

Step 1
Command or Action: Log into the agent virtual service console.

Step 2
Command or Action: 4) Certificate and trust management
Purpose: Access the Certificate Management menu options.
Example: Enter a number: 4

Step 3
Command or Action: 6) Export DLA certificate
Purpose: Export the certificate associated with the agent.
Example: Enter a number: 6

Step 4
Command or Action: 1) Export to remote system, then hostname, then username, then ~/SCA/filename, then password
Purpose: Export the certificate to the controller. Give each separate certificate you export a different name, such as the agent's hostname.
Example:
Enter a number: 1
Name or address of remote host []? remotehost
Destination username []? admin
The destination filename path can absolute, or relative to home dir.
Destination filename [server.pem]: ~/SCA/<dla-filename>.pem
admin@remotehost's password: <password>

Step 5
Command or Action: 11) Exit
Purpose: Quit the admin script and return to the command prompt.
Example: Enter a number: 11

Step 6
Command or Action: Log into the controller VM console.

Step 7
Command or Action: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example: user@host:~$ cd ~/SCA

Step 8
Command or Action: openssl x509 -in <dla-filename>.pem -noout -fingerprint -sha256
Purpose: Generate a SHA256 fingerprint for the agent certificate.
Example: user@host:~$ openssl x509 -in <dla-filename>.pem -noout -fingerprint -sha256

Step 9
Command or Action: Copy the fingerprint into a text editor.
Purpose: Store the fingerprint in a text editor file.

Step 10
Command or Action: Log into the controller web UI.

Step 11
Command or Action: Click AGENTS.
Purpose: The agents management window appears.

Step 12
Command or Action: Click Certificate next to an agent.
Purpose: The certificate management window appears.

Step 13
Command or Action: Delete the Hash value and enter your new certificate fingerprint hash.
Purpose: The displayed certificate fingerprint is updated.

Step 14
Command or Action: Check the Check to overwrite the active certificate check box to overwrite the existing pinned certificate fingerprint.
Purpose: The pinned certificate fingerprint is overwritten.

Step 15
Command or Action: Click Pin certificate.
Purpose: The system pins the certificate fingerprint.


Enabling Support for Self-Signed Certificates

The sca.conf configuration file contains several layers of nested brackets. When you update the file to add or update the dla node, make sure that you nest it within the sln bracket. See the following for an example.

sln {
  dla {
    security {
      allowSelfSignedCert = true
    }
  }
}

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. cd ~/SCA

2. sudo vi sca.conf, then input your password when prompted

3. Update the configuration file to include or modify the configuration.

4. Press Esc, then enter :wq! and press Enter.

5. sudo service ciscosln-sca restart

DETAILED STEPS

Step 1
Command or Action: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example: user@host:~$ cd ~/SCA

Step 2
Command or Action: sudo vi sca.conf, then input your password when prompted
Purpose: Edit the sca.conf configuration file.
Example: user@host:~/SCA$ sudo vi sca.conf

Step 3
Command or Action: Update the configuration file to include or modify the configuration.
Purpose: Update the configuration file to include allowSelfSignedCert = true.

Step 4
Command or Action: Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and exit the editor.

Step 5
Command or Action: sudo service ciscosln-sca restart
Purpose: Restart the controller processes.
Example: user@host:~/SCA$ sudo service ciscosln-sca restart
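To catch the nesting mistake this section warns about before restarting the controller, here is an added Python checker (not Cisco's tooling) that reads the brace-nested sca.conf layout shown above and reports whether allowSelfSignedCert = true sits under sln.dla.security, and where else the key turned up if it does not. Both sample configurations are constructed, and the http/port block in the second one is a placeholder, not a documented sca.conf key.

```python
from typing import Any, Dict, List, Tuple

# Where the section says the setting must live: inside sln, then dla, then security.
EXPECTED_PATH = ("sln", "dla", "security", "allowSelfSignedCert")


def parse_conf(text: str) -> Dict[str, Any]:
    """Read 'name {' / '}' / 'key = value' lines into nested dicts.
    Only the syntax visible on this page is handled; '#' and '//' lines are comments."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif line.endswith("{"):
            block = stack[-1].setdefault(line[:-1].strip(), {})
            if not isinstance(block, dict):
                raise ValueError(f"line {lineno}: block name already used as a key")
            stack.append(block)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value.strip('"')
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError(f"{len(stack) - 1} block(s) never closed")
    return root


def find_key(tree: Dict[str, Any], key: str, path: Tuple[str, ...] = ()) -> List[Tuple[str, ...]]:
    """Every path at which `key` occurs, however deeply it is nested."""
    hits: List[Tuple[str, ...]] = []
    for k, v in tree.items():
        if k == key:
            hits.append(path + (k,))
        if isinstance(v, dict):
            hits.extend(find_key(v, key, path + (k,)))
    return hits


def check_self_signed(text: str) -> Tuple[bool, List[Tuple[str, ...]]]:
    """Return (enabled, locations). 'enabled' is True only when
    allowSelfSignedCert = true sits at sln.dla.security; 'locations' lists
    every place the key was found, so a misnested copy can be reported."""
    tree = parse_conf(text)
    node: Any = tree
    for part in EXPECTED_PATH:
        if not isinstance(node, dict) or part not in node:
            node = None
            break
        node = node[part]
    enabled = isinstance(node, str) and node.lower() == "true"
    return enabled, find_key(tree, EXPECTED_PATH[-1])


# Constructed samples, not copies of a real sca.conf.
GOOD = """
sln {
  dla {
    security {
      allowSelfSignedCert = true
    }
  }
}
"""

# Same setting, nested one level too high: dla is a sibling of sln, not inside it.
# The 'http' block is a placeholder, not a documented sca.conf key.
MISPLACED = """
sln {
  http {
    port = 443
  }
}
dla {
  security {
    allowSelfSignedCert = true
  }
}
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("MISPLACED", MISPLACED)):
        enabled, where = check_self_signed(sample)
        print(name, "enabled" if enabled else "NOT enabled", "found at", where)
```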


Status Code: 2002

• Status Message - Connection Refused or Closed

• Description - The agent refused to accept or closed the connection with the controller, possibly for one of the following reasons:

◦The controller certificate does not match the certificate fingerprint pinned on the agent.

◦The controller certificate is self-signed, and the agent is not configured to support self-signed certificates.

◦The controller certificate is not self-signed, and a CA or root certificate in the chain of trust is missing from the agent's truststore.

◦The controller certificate is expired.

• Recommended Resolution - Take the following actions:

◦If the fingerprint pinned on the agent does not match the certificate, you enabled TOFU, and you do not want to upload the new controller certificate fingerprint to the agent, clear the pinned controller certificate from the agent, and manage your agent with the controller. See Clearing a Pinned Controller Certificate from an Agent, on page 144 for more information.

Note: If TOFU is enabled, and you clear the pinned controller certificate fingerprint, the agent is vulnerable to any entity that connects to it over TLS with a trustable certificate. Manage the agent from the controller as soon as possible after you clear the fingerprint.

◦If the fingerprint pinned on the agent does not match the controller certificate, and you did not enable TOFU, generate a controller certificate fingerprint, and pin it on the agent, as described in Uploading a Controller Certificate Fingerprint, on page 146.

◦If your certificate is self-signed, enable support for self-signed certificates. See Enabling Trust on First Use, on page 147 for more information.

◦If your certificate is not self-signed, verify the trusted CA certificates on the agent hold the issuing CA certificate.

◦If your certificate is expired, renew your certificate.

Clearing a Pinned Controller Certificate from an Agent

If you enabled TOFU, and you clear the pinned controller certificate fingerprint, make sure you connect the agent to the controller as soon as possible, or pin the new controller certificate fingerprint.

Before You Begin

• Log into the agent virtual service console.


SUMMARY STEPS

1. 4) Certificate and trust management

2. 1) Manage Certificate Pinning

3. 6) Clear Trusted SCA certificate fingerprint

4. y to confirm

DETAILED STEPS

Step 1
Command or Action: 4) Certificate and trust management
Purpose: Access the certificate and trust management options.
Example: Enter a number: 4

Step 2
Command or Action: 1) Manage Certificate Pinning
Purpose: Access the certificate pinning options.
Example: Enter a number: 1

Step 3
Command or Action: 6) Clear Trusted SCA certificate fingerprint
Purpose: Choose to clear the pinned controller certificate fingerprint.
Example: Enter a number: 6

Step 4
Command or Action: y to confirm
Purpose: Clear the pinned controller certificate fingerprint.
Example: Confirm removal of existing SCA certificate fingerprint [confirm] y

What to Do Next

• If you enabled TOFU, log into the controller web UI and manage the agent with the controller. See Configuring Agent Network Settings, on page 83 for more information.

• If you did not enable TOFU, pin the controller certificate fingerprint to the agent. See the next section for more information.


Uploading a Controller Certificate Fingerprint

SUMMARY STEPS

1. Log into the controller VM console on the ESXi hypervisor.

2. cd ~/SCA

3. openssl x509 -in sca_cert.pem -noout -fingerprint -sha256

4. Copy the fingerprint into a text editor.

5. Log into the agent virtual service console.

6. 4) Certificate and trust management

7. 1) Manage Certificate Pinning

8. 5) Set Trusted SCA certificate fingerprint

9. SHA256

10. sca-fingerprint

DETAILED STEPS

Step 1
Command or Action: Log into the controller VM console on the ESXi hypervisor.

Step 2
Command or Action: cd ~/SCA
Purpose: Change directories.
Example: user@host:~$ cd ~/SCA

Step 3
Command or Action: openssl x509 -in sca_cert.pem -noout -fingerprint -sha256
Purpose: Generate a SHA256 certificate fingerprint.
Example: user@host:~/SCA$ openssl x509 -in sca_cert.pem -noout -fingerprint -sha256

Step 4
Command or Action: Copy the fingerprint into a text editor.
Purpose: Store the fingerprint in a text editor file.
Example: SHA256 Fingerprint=37:9A:DD:72:B6:91:8F:3E:D7:26:63:86:96:42:83:C3:39:AE:86:96:8F:3C:B8:CA:63:66:65:37:90:0C:51:DC

Step 5
Command or Action: Log into the agent virtual service console.

Step 6
Command or Action: 4) Certificate and trust management
Purpose: Access the certificate and trust management options.
Example: Enter a number: 4

Step 7
Command or Action: 1) Manage Certificate Pinning
Purpose: Access the certificate pinning options.
Example: Enter a number: 1

Step 8
Command or Action: 5) Set Trusted SCA certificate fingerprint
Purpose: Pin the controller certificate fingerprint.
Example: Enter a number: 5

Step 9
Command or Action: SHA256
Purpose: Enter the SHA256 hash algorithm.
Example: Please enter hash algorithm name: SHA256

Step 10
Command or Action: sca-fingerprint
Purpose: Enter the sca-fingerprint.
Example: Please enter hash value as XX:XX:XX:XX...: 37:9A:DD:72:B6:91:8F:3E:D7:26:63:86:96:42:83:C3:39:AE:86:96:8F:3C:B8:CA:63:66:65:37:90:0C:51:DC
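The retrieval commands under Certificate Fingerprint Retrieval and the pinning steps for status codes 2001 and 2002 all compare one value: SHA-256 over the certificate's DER bytes, printed as colon-separated hex. As an added Python example (not Cisco's code), the following computes that fingerprint from a PEM file the way openssl x509 -fingerprint -sha256 does and compares it against a pinned value, normalizing the forms an operator is likely to paste into the prompt. The PEM body is a constructed stand-in, not a real certificate, since the digest covers the raw bytes and no X.509 parsing is needed.

```python
import base64
import hashlib
import re
from typing import Optional


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END lines and base64-decode the body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(lines[1:-1]))


def build_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM markers (64-character lines)."""
    body = base64.b64encode(der).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


def sha256_fingerprint(pem: str) -> str:
    """The value 'openssl x509 -noout -fingerprint -sha256' prints after
    'SHA256 Fingerprint=': SHA-256 over the DER, upper-case hex, colon separated."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def normalize_fingerprint(text: str) -> Optional[str]:
    """Accept what an operator is likely to paste into the pinning prompt:
    with or without colons, any case, with or without the 'SHA256 Fingerprint='
    prefix, surrounding whitespace. Return the canonical form, or None if the
    input is not exactly 32 hex bytes."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text.split("=", 1)[-1])
    if len(hexdigits) != 64:
        return None
    return ":".join(hexdigits[i:i + 2].upper() for i in range(0, 64, 2))


def pinned_match(pem: str, pinned: str) -> bool:
    """The comparison behind status codes 2001 and 2002: does the presented
    certificate's fingerprint equal the pinned one? A malformed pinned value
    never matches, so a paste error fails closed rather than open."""
    expected = normalize_fingerprint(pinned)
    return expected is not None and expected == sha256_fingerprint(pem)


# Constructed stand-in for a certificate: the fingerprint is a digest of the
# raw DER bytes, so any byte string exercises the same code path.
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PEM = build_pem(SAMPLE_DER)

if __name__ == "__main__":
    fp = sha256_fingerprint(SAMPLE_PEM)
    print("SHA256 Fingerprint=" + fp)
    print("lower-case, no colons still matches:", pinned_match(SAMPLE_PEM, fp.replace(":", "").lower()))
```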

Enabling Trust on First Use

Before You Begin

• Log into the agent virtual service console as sln.

SUMMARY STEPS

1. 4) Certificate and trust management

2. 1) Manage Certificate Pinning

3. 1) Enable Trust SCA Certificate on First Use

DETAILED STEPS

Step 1
Command or Action: 4) Certificate and trust management
Purpose: Enter the Certificate and trust management menu.
Example: Enter a number: 4

Step 2
Command or Action: 1) Manage Certificate Pinning
Purpose: Enter the Certificate Pinning menu.
Example: Enter a number: 1

Step 3
Command or Action: 1) Enable Trust SCA Certificate on First Use
Purpose: Enable TOFU, to trust the controller certificate the first time it is detected.
Example: Enter a number: 1

Status Code: 2003

• Status Message - Message Decode Error

• Description - The controller cannot decode a message from the agent.

• Recommended Resolution - Ensure that the controller and agent are on the same version. Upgrade the out-of-band component. See the Cisco Stealthwatch Learning Network License Virtual Service Installation Guide, the Cisco Stealthwatch Learning Network License UCS E-Series Blade Server Installation Guide, and the Cisco Stealthwatch Learning Network License Release Notes for more information.

Status Code: 2004

• Status Message - Message ACK Timeout

• Description - The agent did not send an ACK in time, causing the controller to close the agent connection and reconnect to the agent.

• Recommended Resolution - Make sure that your agent is turned on, and ping it from the controller.

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. ping <agent-IP-address> -c 5
2. ping <agent-hostname> -c 5

DETAILED STEPS

Step 1 Send five packets to the agent's IP address and confirm that a reply is received for each packet.
Example: user@host:~$ ping <agent-IP-address> -c 5


Step 2 Send five packets to the agent's host name and confirm that a reply is received for each packet. If the IP address answers but the host name does not, the controller has a name resolution problem rather than a connectivity problem.
Example: user@host:~$ ping <agent-hostname> -c 5

Status Code: 2005
• Status Message - Message Too Big
• Description - The controller received a message from the agent that exceeded the maximum supported message size.
• Recommended Resolution - Contact Cisco Support for more information.

Status Code: 2006
• Status Message - Secure connection misconfigured
• Description - The controller cannot create an SSL context to validate the certificate.
• Recommended Resolution - List the keystore and truststore contents with keytool, providing the store password, to check that both stores open and have not been corrupted.

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. cd ~/SCA
2. keytool -list -keystore keystore.jks, then provide your password when prompted
3. keytool -list -keystore truststore.jks, then provide your password when prompted

DETAILED STEPS

Step 1 Change to the ~/SCA directory.
Example: user@host:~$ cd ~/SCA


Step 2 List the keystore contents, providing the store password when prompted. keytool verifies the store's integrity against the password before it lists anything, so a listing that completes confirms the keystore; the error "Keystore was tampered with, or password was incorrect" means the file is corrupt or the password is wrong. Each entry is listed with its type (PrivateKeyEntry or trustedCertEntry) and certificate fingerprint.
Example: user@host:~/SCA$ keytool -list -keystore keystore.jks

Step 3 List the truststore contents in the same way to check the truststore's integrity.
Example: user@host:~/SCA$ keytool -list -keystore truststore.jks

Status Code: 2010
• Status Message - Unknown Connection error
• Description - The connection with the agent closed for an unexpected reason.
• Recommended Resolution - If this issue persists, contact Cisco Support for more information.

Status Code: ALLOCFAIL
• Status Message - Failed to allocate memory
• Description - The agent failed to allocate memory.
• Recommended Resolution - Contact Cisco Support for more information.

Status Code: DNSQEVENTSPERBINLIMIT
• Status Message - Too many events have been observed for too many 1-minute bins in the recent past, for DNS queries.
• Description - The agent reached the maximum on observed unique DNS queries and stopped tracking some DNS queries.
• Recommended Resolution - Check the maximum detected flows and DNS query capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.


Status Code: DNSQKEYSPERBINLIMIT
• Status Message - Too many different keys have been observed for too many 1-minute bins in the recent past, for DNS queries.
• Description - The agent groups DNS queries using unique keys. It reached the maximum on observed DNS query groups and stopped tracking DNS queries that do not have a key, and thus do not belong to a tracked group.
• Recommended Resolution - Check the maximum detected flows and DNS query capacity and scaling recommendations in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendations.

Status Code: DNSREVENTSPERBINLIMIT
• Status Message - Too many events have been observed for too many 1-minute bins in the recent past, for DNS replies.
• Description - The agent reached the maximum on observed unique DNS query replies and stopped tracking some DNS query replies.
• Recommended Resolution - Check the maximum detected flows and DNS query capacity and scaling recommendations in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendations.

Status Code: DNSRKEYSPERBINLIMIT
• Status Message - Too many different keys have been observed for too many 1-minute bins in the recent past, for DNS replies.
• Description - The agent groups DNS query replies using unique keys. It reached the maximum on observed DNS query reply groups and stopped tracking DNS query replies that do not have a key, and thus do not belong to a tracked group.
• Recommended Resolution - Check the maximum detected flows and DNS query capacity and scaling recommendations in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendations.

Status Code: HOSTLIMITEXT
• Status Message - Limit of tracked external hosts has been reached for too long in the recent past
• Description - The agent reached the maximum number of tracked external hosts and stopped tracking some hosts.


• Recommended Resolution - Check the maximum external host capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.

Status Code: HOSTLIMITINT
• Status Message - Limit of tracked internal hosts has been reached for too long in the recent past
• Description - The agent reached the maximum number of tracked internal hosts and stopped tracking some hosts.
• Recommended Resolution - Check the maximum internal host capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.

Status Code: HOSTSDROPPEDEXT
• Status Message - Too many external hosts have been observed in the recent past
• Description - The agent reached the maximum number of tracked unique external hosts and stopped tracking some hosts.
• Recommended Resolution - Check the maximum external host capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.

Status Code: HOSTSDROPPEDINT
• Status Message - Too many internal hosts have been observed in the recent past
• Description - The agent reached the maximum number of tracked unique internal hosts and stopped tracking some hosts.
• Recommended Resolution - Check the maximum internal host capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.

Status Code: IPLOCCHANGED
• Status Message - Too many recently seen hosts have a changed IP locality
• Description - The agent identified hosts as internal or external, and the classification of those hosts later changed, possibly due to router configuration updates.
• Recommended Resolution - Take the following steps:


◦ From the Network Element, verify your interface configuration, especially if you reconfigured an interface's direction from internal to external or vice versa.
◦ From the controller web UI, verify the Direction configuration of all Network Element interfaces, including recently reconfigured interfaces.
◦ If the updated Network Element interface configuration changed a subnet's label from internal to external or external to internal, the traffic models must be updated. Shut down the agent and restart it.

Step 1 From the Network Element, verify your interface configuration by running the following commands:
enable
show interfaces
exit

Step 2 From the controller web UI, verify the Direction configuration of the Network Element interfaces.
• Click Configure next to the agent.
• For each interface, choose Internal if the interface faces the branch, External if the interface faces the core, or Unconfigured if the interface should be ignored.
• Click Submit.
• Click Submit.

Step 3 If a subnet's label changed from internal to external or external to internal, shut down and restart the agent.

Status Code: IPLOCINVAL
• Status Message - Too many recently seen hosts have an invalid IP locality
• Description - The agent detects hosts behind interfaces that are not labeled as internal or external, possibly due to newly enabled or reconfigured interfaces on the Network Element.
• Recommended Resolution - Take the following steps:
◦ From the Network Element, verify your interface configuration, especially if you enabled or reconfigured an interface.
◦ From the controller web UI, verify the Direction configuration of all Network Element interfaces, including recently enabled or reconfigured interfaces.

Step 1 From the Network Element, verify your interface configuration by running the following commands:
enable
show interfaces
exit


Step 2 From the controller web UI, verify the Direction configuration of the Network Element interfaces.
• Click Configure next to the agent.
• For each interface, choose Internal if the interface faces the branch, External if the interface faces the core, or Unconfigured if the interface should be ignored.
• Click Submit.
• Click Submit.

Status Code: NECONNFAIL
• Status Message - Network Element connection failure
• Description - The agent cannot establish an SSH connection with the Network Element, due to one or more of the following causes:
◦ The configured Network Element IP address is incorrect.
◦ The Network Element is not configured for SSHv2 access.
◦ An access control list is preventing SSH access from the agent.
◦ The Network Element configuration does not allocate sufficient Virtual Teletype (VTY) resources for SSH.
• Recommended Resolution - Take the following actions:
◦ Examine the Network Element's log to determine a specific error.
◦ Ensure the Network Element has SSHv2 configured.
◦ Ensure the Network Element does not have an access control list preventing SSH access from the agent.
◦ Ensure the Network Element has sufficient VTY resources.
◦ From the controller web UI, configure the Network Element IP address for the agent.

Step 1 Review the Network Element's logged error messages for the SSH connection failure.
Step 2 From the Network Element command line, run the following commands to verify that SSHv2 is configured. show ssh lists the active SSH sessions and their protocol version; show ip ssh reports whether SSH is enabled and which version (2.0, or 1.99 for a server that also accepts SSHv1) the Network Element offers.
enable
show ssh
exit


Step 3 From the Network Element command line, run show access-lists and verify that none of the access control lists blocks the agent's IP address. Check any access-class applied to the vty lines as well as ACLs applied to the interface through which the agent reaches the Network Element.
Step 4 From the Network Element command line, run the following commands to verify there are sufficient VTY resources (show users lists the vty lines currently in use):
enable
show users
exit
Step 5 From the controller web UI, take the following steps to configure the Network Element IP address:
• Select AGENTS.
• Click Configure next to an agent.
• Enter the IPv4 address in the Network Element IP field.
• Click Submit.
• Click Submit.
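A quick check from the agent's side that separates the NECONNFAIL causes above before you touch the Network Element, as an added example that is not part of the Cisco guide or the agent's code: the banner strings are constructed samples in the RFC 4253 identification-string format, and probe_ssh() opens a real TCP connection to whatever address you give it (192.0.2.1 is a placeholder).

```python
# Added example (not from the Cisco guide): classify an SSH connection attempt
# to the Network Element the way the NECONNFAIL causes are listed. Connection
# refused or timed out points at a wrong IP or an ACL; a connection that
# opens but sends no banner points at exhausted vty lines; a banner that is
# not 2.0 or 1.99 means SSHv2 is not offered. The banners below are
# constructed samples; probe_ssh() is only invoked from the usage block.
import socket

# Constructed sample banners (RFC 4253 section 4.2 format).
BANNER_V2 = b"SSH-2.0-Cisco-1.25\r\n"
BANNER_V199 = b"SSH-1.99-Cisco-1.25\r\n"   # server accepts SSH 1.x and 2.0
BANNER_V1 = b"SSH-1.5-Cisco-1.25\r\n"


def parse_ssh_banner(line: bytes):
    """Return (protocol_version, software) from an identification string,
    or None if the line is not an SSH banner at all."""
    text = line.decode("ascii", errors="replace").strip()
    if not text.startswith("SSH-"):
        return None
    version, _, software = text[4:].partition("-")
    return version, software.split(" ")[0]


def supports_sshv2(line: bytes) -> bool:
    """The agent needs SSHv2: the server must identify as 2.0, or as 1.99,
    which RFC 4253 defines as 'both 1.x and 2.0 are supported'."""
    parsed = parse_ssh_banner(line)
    return parsed is not None and parsed[0] in ("2.0", "1.99")


def probe_ssh(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect, read the banner, and report which NECONNFAIL cause fits."""
    result = {"host": host, "reachable": False, "banner": None,
              "sshv2": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            sock.settimeout(timeout)
            line = sock.recv(255)
    except OSError as exc:  # refused, timed out, or unreachable
        result["error"] = str(exc)
        return result
    result["banner"] = line.decode("ascii", errors="replace").strip() or None
    result["sshv2"] = supports_sshv2(line)
    return result


if __name__ == "__main__":
    # Placeholder address: use the Network Element IP configured for the agent.
    print(probe_ssh("192.0.2.1"))
```

Run it from the agent VM so the probe traverses the same path (and the same ACLs) the agent's own SSH session would.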

Status Code: NENOAUTH
• Status Message - Unable to authenticate to Network Element
• Description - The agent cannot authenticate the SSH connection with the Network Element because the credentials are incorrect or not configured.
• Recommended Resolution - From the agent, use the administrator menu to correct the Network Element credentials for SSH login.

Step 1 Access the administrator menu. You have the following options:
• If your agent is deployed as a virtual service, log into the agent VM.
• If your agent is installed on a UCS-E server, log into the agent VM, then run the following commands:
cd ~/DLA
./dla_admin
Step 2 Select the following options in the administrator menu. Enter the Network Element username and password when prompted.
5) Password management
1) Change router credentials

Status Code: NENOIP
• Status Message - Network Element IP not configured


• Description - The agent configuration does not have a Network Element IP address.
• Recommended Resolution - From the controller web UI, configure the Network Element IP address for the agent.

Step 1 From the controller web UI, select AGENTS.
Step 2 Click Configure next to an agent.
Step 3 Enter the IPv4 address in the Network Element IP field.
Step 4 Click Submit.
Step 5 Click Submit.

Status Code: NFDRPFLD
• Status Message - Dropping NetFlow: required fields missing
• Description - The NetFlow flow record is missing required fields.
• Recommended Resolution - Ensure that the SLN-NF-RECORD flow record configuration is correct. After you verify the flow record configuration, save the Network Element running configuration as the startup configuration.

Step 1 From the Network Element command line, run the following commands and verify that the flow record is properly configured:
enable
configure terminal
show running-config flow record SLN-NF-RECORD
exit

Step 2 If the flow record is improperly configured, from the Network Element command line, run the following commands to configure the flow record:
enable
configure terminal
flow record SLN-NF-RECORD
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect datalink mac source address input
collect datalink mac destination address output
collect transport tcp flags
collect interface input
collect interface output
collect flow direction
collect counter bytes


collect counter packets
collect timestamp [absolute | sys-uptime] first
collect timestamp [absolute | sys-uptime] last
collect application name
collect routing forwarding-status
end
(In the two timestamp lines, choose either absolute or sys-uptime.)

Step 3 From the Network Element command line, run the following commands to copy the current running configuration to the startup configuration:
enable
copy running-config startup-config
exit

Status Code: NFDRPNOINTF
• Status Message - Dropping NetFlow: internal intfs not configured
• Description - The Network Element interface Direction configuration has not been performed, or has not been pushed to the agent.
• Recommended Resolution - From the controller web UI, check the agent Configured status. If it is Waiting, wait for the controller to push the configuration to the agent. If it is Incomplete or Error, verify and correct the interface configuration.

Step 1 From the controller web UI, select AGENTS.
Step 2 If the Configured status for an agent is Waiting, wait for the controller to push the configuration to the agent.
Step 3 If the Configured status is Incomplete or Error, take the following steps:
• Click Configure next to the agent.
• Enter the IPv4 address in the Network Element IP field.
• For each interface, choose Internal if the interface faces the branch, External if the interface faces the core, or Unconfigured if the interface should be ignored.
• Click Submit.
• Click Submit.

Status Code: NFDRPSYNT
• Status Message - Dropping NetFlow: config file syntax error


• Description - The agent cannot parse the internal_ranges.csv internal IP address file due to a syntax error.
• Recommended Resolution - Take the following actions:
◦ If you have not intentionally added the file, remove the file from the agent, then restart the agent.
◦ If you have intentionally added the file, verify the file format and syntax, then log into the agent VM console, and use the dla_admin script to reimport the file.

Step 1 If you have not intentionally added internal_ranges.csv, from the agent command line, run rm {internal_ranges.csv} to remove the file, then power down and start the agent VM.
Step 2 If you intentionally added internal_ranges.csv, verify that the file is well-formed. Copy the well-formed file to the agent VM and overwrite the file at /CONF/internal_ranges.csv.
Step 3 You have the following options:
• If your agent is deployed as a virtual service, log into the agent VM.
• If your agent is installed on a UCS-E server, log into the agent VM, then run the following commands:
cd ~/DLA
./dla_admin
Step 4 From the administrator menu, select the following options to copy the file. Provide an IP address, username, file path for internal_ranges.csv, and password when prompted.
1) File access
3) Configuration files
3) Get config file from remote system
2) internal_ranges.csv

Status Code: NFDRPVER
• Status Message - Dropping NetFlow: unsupported version
• Description - The configured NetFlow version does not match the version the system expects.
• Recommended Resolution - Ensure NetFlow v9 is configured on the Network Element.

From the Network Element command line, run the following commands to configure NetFlow version 9 on an interface, and repeat for all interfaces:
enable
configure terminal
ip flow-export version 9
interface interface-type interface-number
ip flow {ingress | egress}
exit
end
The ip flow-export and ip flow commands belong to traditional NetFlow. If the Network Element exports through the Flexible NetFlow SLN-NF-EXPORTER flow exporter instead, the version is set on the exporter with export-protocol netflow-v9 (the default for a flow exporter); verify it with show running-config flow exporter SLN-NF-EXPORTER.
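To see which version the Network Element is actually sending, rather than which one the configuration appears to set, decode the header of a packet captured on the agent's UDP port 6666. The following is an added example, not part of the Cisco guide or the agent's code: the packets are constructed with struct (a v9 export carrying one template and one data record, and a bare v5 header), and the function names are this example's own.

```python
# Added example (not from the Cisco guide): decode NetFlow export headers to
# report the version the agent rejects under NFDRPVER, and walk the v9
# flowsets to tell templates from data. V9_PACKET and V5_PACKET are
# constructed here; a capture of UDP port 6666 on the agent is the real input.
import struct

# Constructed NetFlow v9 export: 20-byte header (RFC 3954), a template
# flowset declaring template 256 = (IPV4_SRC_ADDR, IPV4_DST_ADDR), then one
# data flowset using that template. The header count covers both records.
V9_TEMPLATE = struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)
V9_DATA = struct.pack("!HH4s4s", 256, 12, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
V9_PACKET = struct.pack("!HHIIII", 9, 2, 123456, 1489500000, 1, 0) + V9_TEMPLATE + V9_DATA
# Constructed NetFlow v5 header (24 bytes, zero records): what the agent
# drops with NFDRPVER.
V5_PACKET = struct.pack("!HHIIIIBBH", 5, 0, 123456, 1489500000, 0, 0, 0, 0, 0)


def netflow_version(packet: bytes) -> int:
    """Every NetFlow version starts with a 16-bit big-endian version field."""
    if len(packet) < 2:
        raise ValueError("packet too short for a NetFlow header")
    return struct.unpack("!H", packet[:2])[0]


def parse_v9(packet: bytes) -> dict:
    """Parse the v9 header and walk the flowsets: id 0 is a template, id 1 an
    options template, anything above 255 is data using that template id."""
    if netflow_version(packet) != 9:
        raise ValueError("not a NetFlow v9 packet")
    if len(packet) < 20:
        raise ValueError("truncated v9 header")
    _, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    flowsets = []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError(f"bad flowset length {fs_len} at offset {offset}")
        kind = "template" if fs_id == 0 else "options" if fs_id == 1 else "data"
        flowsets.append((kind, fs_id, fs_len))
        offset += fs_len
    return {
        "count": count, "sysuptime": uptime, "unix_secs": secs,
        "sequence": seq, "source_id": source_id, "flowsets": flowsets,
        "templates": sum(1 for k, _, _ in flowsets if k == "template"),
        "data_flowsets": sum(1 for k, _, _ in flowsets if k == "data"),
    }


def check_export(packet: bytes) -> str:
    """Summarise a received export packet in terms of the agent's needs."""
    version = netflow_version(packet)
    if version != 9:
        return f"NFDRPVER: unsupported NetFlow version {version}"
    info = parse_v9(packet)
    if info["templates"] == 0 and info["data_flowsets"] > 0:
        # Data records cannot be decoded until the template arrives; the
        # exporter resends it every 'template data timeout' seconds.
        return "data without template: wait for the template refresh"
    return (f"ok: v9, {info['templates']} template(s), "
            f"{info['data_flowsets']} data flowset(s)")
```

A v9 stream that only ever shows data flowsets and no template for more than the configured template data timeout (300 seconds in the guide's exporter) is worth investigating even though the version check passes.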


Status Code: NFEVENTSPERBINLIMIT
• Status Message - Too many events have been observed for too many 1-minute bins in the recent past, for NetFlow events.
• Description - The agent reached the maximum on observed unique NetFlow flows and stopped tracking some NetFlow flows.
• Recommended Resolution - Check the maximum detected NetFlow flows capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.

Status Code: NFKEYSPERBINLIMIT
• Status Message - Too many different keys have been observed for too many 1-minute bins in the recent past, for NetFlow events.
• Description - The agent groups NetFlow flows using unique keys. It reached the maximum on observed NetFlow flow groups and stopped tracking NetFlow flows that do not have a key, and thus do not belong to a tracked group.
• Recommended Resolution - Check the maximum detected NetFlow flows capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.

Status Code: NFNORCV
• Status Message - Not receiving NetFlow
• Description - The agent has not received NetFlow packets from the Network Element in over 10 minutes, possibly due to NetFlow misconfiguration.
• Recommended Resolution - From the Network Element, ensure that the Network Element is running, that NetFlow v9 is configured, and that the Learning Network License flow exporter is properly configured.

Step 1 Ensure that the Network Element is running.
Step 2 From the Network Element command line, run the following commands and verify that NetFlow version 9 is configured. show mls nde applies to Catalyst platforms with MLS NetFlow Data Export; on other platforms use show ip flow export for traditional NetFlow, or show flow exporter SLN-NF-EXPORTER for Flexible NetFlow.
enable
show mls nde
exit


Step 3 From the Network Element command line, run the following commands and verify that the flow exporter is properly configured and exporting to the agent IP address on port 6666:
enable
configure terminal
show running-config flow exporter SLN-NF-EXPORTER
exit

Step 4 If the flow exporter is incorrectly configured, from the Network Element command line, run the following commands to configure the flow exporter, replacing <dla-ip-address> with your agent's IP address:
configure terminal
flow exporter SLN-NF-EXPORTER
destination <dla-ip-address>
transport udp 6666
template data timeout 300
exit
end
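Checking the SLN-NF-RECORD fields (the NFDRPFLD procedure above) and the SLN-NF-EXPORTER settings (the NFNORCV procedure above) by eye is error-prone, so here is an added example that audits a saved show running-config against both lists from the guide. It is not part of the Cisco guide or the product; the configuration text is constructed for the example (its record lacks the TCP flags field and its exporter uses the wrong port), 192.0.2.50 is a placeholder agent address, and the function names are this example's own.

```python
# Added example (not from the Cisco guide): audit a Network Element running
# configuration for the SLN-NF-RECORD fields and SLN-NF-EXPORTER settings the
# guide requires. SAMPLE_CONFIG is constructed; the required lists are taken
# from the guide's NFDRPFLD and NFNORCV procedures. The timestamp lines accept
# either absolute or sys-uptime, as the guide's bracketed syntax does.
import re

REQUIRED_RECORD_LINES = [
    "match ipv4 protocol", "match ipv4 source address", "match ipv4 destination address",
    "match transport source-port", "match transport destination-port",
    "collect datalink mac source address input", "collect datalink mac destination address output",
    "collect transport tcp flags", "collect interface input", "collect interface output",
    "collect flow direction", "collect counter bytes", "collect counter packets",
    r"collect timestamp (absolute|sys-uptime) first", r"collect timestamp (absolute|sys-uptime) last",
    "collect application name", "collect routing forwarding-status",
]
AGENT_PORT = 6666          # the agent listens for NetFlow on UDP 6666
TEMPLATE_TIMEOUT = 300     # template data timeout from the guide

# Constructed running-config excerpt with two deliberate faults.
SAMPLE_CONFIG = """\
flow record SLN-NF-RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect datalink mac source address input
 collect datalink mac destination address output
 collect interface input
 collect interface output
 collect flow direction
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
 collect routing forwarding-status
!
flow exporter SLN-NF-EXPORTER
 destination 192.0.2.50
 transport udp 2055
 template data timeout 300
!
"""


def flow_sections(config: str) -> dict:
    """Split an IOS running-config into {'flow record NAME': [lines], ...}.
    Indented lines belong to the most recent flow stanza; '!' or an
    unindented line ends it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(("flow record ", "flow exporter ", "flow monitor ")):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def check_record(lines) -> list:
    """Return the required SLN-NF-RECORD lines that are absent."""
    return [req for req in REQUIRED_RECORD_LINES
            if not any(re.fullmatch(req, line) for line in lines)]


def check_exporter(lines, agent_ip: str) -> list:
    """Return the problems with the SLN-NF-EXPORTER stanza, if any."""
    problems = []
    if f"destination {agent_ip}" not in lines:
        problems.append(f"destination is not the agent address {agent_ip}")
    if f"transport udp {AGENT_PORT}" not in lines:
        problems.append(f"transport is not udp {AGENT_PORT}")
    if f"template data timeout {TEMPLATE_TIMEOUT}" not in lines:
        problems.append(f"template data timeout is not {TEMPLATE_TIMEOUT}")
    return problems


def audit(config: str, agent_ip: str) -> dict:
    """Audit both stanzas; a missing stanza is reported as everything missing."""
    sections = flow_sections(config)
    return {
        "record_missing": check_record(sections.get("flow record SLN-NF-RECORD", [])),
        "exporter_problems": check_exporter(
            sections.get("flow exporter SLN-NF-EXPORTER", []), agent_ip),
    }
```

Feed it the output of show running-config (or just the flow record and flow exporter sections) saved from the Network Element; an empty result for both keys means the configuration matches the guide, and Step 3 of the NFDRPFLD procedure (saving to startup-config) still applies.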

Status Code: SOLTCOLLECTIONSLIMIT1
• Status Message - The maximum number of level 1 model collections has been reached, therefore no more model may be created.
• Description - The agent reached the maximum on observable application groups, and cannot create additional traffic models based on the excess application groups.
• Recommended Resolution - Check the maximum detected application group capacity and scaling recommendation in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendation.

Status Code: SOLTCOLLECTIONSLIMIT2
• Status Message - The maximum number of level 2 model collections has been reached, therefore no more model may be created.
• Description - The agent reached the maximum on observable source cluster and application group pairs, and cannot create additional traffic models based on the excess source cluster and application group pairs.
• Recommended Resolution - Check the maximum detected cluster and application group capacity and scaling recommendations in the Cisco Stealthwatch Learning Network License Data Sheet, and verify that your environment falls within the recommendations.

Status Code: TOPOFAIL
• Status Message - Failed to read required topology file
• Description - A topology file, used to process network traffic information, is missing or corrupt.


• Recommended Resolution - From the agent, check the log at LOG/DLC.log to determine the specific error.
◦ If the custom clusters file is missing or corrupted and the agent is deployed as a virtual service, reinstall the agent.
◦ If the custom clusters file is missing or corrupted and the agent is installed on a UCS-E server, copy the file from another UCS-E-based agent.
◦ If the internal_hosts file is in the error message, use the controller web UI to verify that config.json does not reference an internal_hosts_filename. Contact Cisco Support for more information on whether you should be using the internal_ranges.csv file.

Step 1 If the clusters file is missing or corrupted, and your agent is deployed as a virtual service, reinstall the agent. See the Cisco Stealthwatch Learning Network License Virtual Service Installation Guide and the Cisco Stealthwatch Learning Network License Release Notes for more information.
Step 2 If the clusters file is missing or corrupted, and your agent is deployed on a UCS-E server, copy the file from another agent deployed on a UCS-E server.
Step 3 If the internal_hosts file is in the error message, verify that config.json does not reference internal_hosts_filename.
• From the controller web UI, select AGENTS.
• Next to the affected agent, click Configure.
• Click Edit raw JSON configuration.
• Confirm that no internal_hosts_filename setting is present.

Status Code: VERSCOMPONENT
• Status Message - Incompatible DLA component versions
• Description - The agent has component executables at different versions from each other.
• Recommended Resolution - Download an upgrade file and upgrade your agent to that version.

Note: Do NOT manually copy a component executable file from one agent to another.

Download an upgrade file and upgrade your agent to that version. See the Cisco Stealthwatch Learning Network License Virtual Service Installation Guide, the Cisco Stealthwatch Learning Network License UCS E-Series Blade Server Installation Guide, and the Cisco Stealthwatch Learning Network License Release Notes for more information.


Status Code: WARMBADFILE
• Status Message - Failed to load warmstart model file
• Description - The agent failed to load a warmstart file.
• Recommended Resolution - Contact Cisco Support for more information.

Status Code: WARMNOFILE
• Status Message - Required warmstart file is missing
• Description - The agent is configured with the force_load setting enabled, and a warmstart file is missing.
• Recommended Resolution - From the controller web UI, remove the force_load setting from config.json.

Step 1 From the controller web UI, select AGENTS.
Step 2 Next to the affected agent, click Configure.
Step 3 Click Edit raw JSON configuration.
Step 4 Remove the force_load setting and save your changes.

Status Code: WARMSTATEVAL
• Status Message - Invalid model state before saving warmstart file
• Description - The agent could not save the internal traffic model state, because it was invalid or inconsistent.
• Recommended Resolution - Contact Cisco Support for more information.


Appendix H: Uninstallation

The following details how to remove the Learning Network License deployment from your network.

• Uninstalling the Learning Network License System, page 163
• Controller Removal from an ESXi Host, page 168

Uninstalling the Learning Network License System

Uninstalling the Learning Network License system involves removing Learning Network License-related configuration from the Network Element on which an agent is deployed, removing the agent from the host Network Element, and removing the controller from the ESXi host.

From the controller web UI, delete all mitigations. This directs the agents to remove the QoS policy configuration from the host Network Element. Then, disable PBC/DPI on all interfaces. This directs the agent to remove the IP traffic export configuration from the interfaces. Disable the agents to halt controller/agent communications. Finally, deregister Smart Licensing.

Next, from the controller VM command line, modify the install configuration files, and use the install script to remove the agents from the Network Elements. This also removes the Learning Network License-related Flexible NetFlow flow record, flow monitor, and flow exporter configuration.


Finally, delete the controller from the ESXi host.

Step 1 From the controller web UI, delete the mitigation policies from the mitigation table. See Deleting All Mitigations, on page 164 for more information.
Step 2 From the controller web UI, disable PBC/DPI for every Network Element interface. See Disabling PBC/DPI on an Interface, on page 165 for more information.
Step 3 From the controller web UI, disable every agent. See Disabling All Agents, on page 165 for more information.
Step 4 From the controller web UI, deregister Smart Licensing. See Deregistering a Controller from Smart Licensing, on page 165 for more information.
Step 5 From the controller VM command line interface, modify the install.yaml agent install and upgrade properties file to include all agents. See Modifying the Install Properties File, on page 166 for more information.
Step 6 From the controller VM command line interface, rename the aa_summary file to aa_summary_backup. See Renaming an Install Log File, on page 167 for more information.
Step 7 From the controller VM command line interface, run installation_auto.py -c install.yaml --clean_only to remove all agents from the host Network Elements, as well as the SLN-NF-RECORD flow record, SLN-NF-EXPORTER flow exporter, and SLN-NF-MONITOR flow monitor Flexible NetFlow configuration. See Uninstalling Agents Using the Install Script, on page 167 for more information.
Step 8 From the ESXi host hosting the controller, remove the controller VM. See Removing a VM from an ESXi Host, on page 168 for more information.

Controller Web UI Uninstallation

To uninstall the Learning Network License system, perform the following tasks from the controller web UI in order:

• Delete all mitigations
• Disable PBC/DPI on all Network Element interfaces
• Disable all managed agents
• Deregister Smart Licensing

Keep this order: the first two tasks are carried out by the agents on the Network Elements, so if the agents are disabled first, the QoS policy and IP traffic export configuration they manage remain on the routers after the agents are gone.

Deleting All Mitigations

Before You Begin

• Ensure that the agents that enforce the mitigation policies are enabled.

Step 1 Select Mitigation.
Step 2 Click Delete all mitigations to delete all mitigations.

Cisco Stealthwatch Learning Network License Virtual Service Installation Guide, Version 1.1164

UninstallationController Web UI Uninstallation


Disabling PBC/DPI on an Interface

Before You Begin

• Ensure that the agent on the Network Element is enabled.

Step 1 Select AGENTS.

Step 2 Click Configure next to an agent.

Step 3 Uncheck Enable PBC/DPI on each interface to disable raw packet capture.

Step 4 Uncheck Enable PBC.

Step 5 Uncheck Enable DPI/DPS.

Step 6 Click Submit.

Step 7 Click Submit.

Disabling All Agents

If you registered your controller with the Smart Licensing Authority and then disable an agent, the system frees the license entitlement allocated to that agent.

Before You Begin

• Log into the controller web UI.

Step 1 Select AGENTS.

Step 2 Check the select all checkbox at the top of the list to select all agents.

Step 3 Click Disable.

What to Do Next

• Unregister your controller from the Licensing Authority, as described in the next section.

Deregistering a Controller from Smart Licensing

Deregistering your controller from Smart Licensing also frees the controller license entitlement.


Before You Begin

• Log into the controller web UI.

Step 1 Select Dashboard.

Step 2 Click Smart Licensing.

Step 3 Choose Deregister from the Actions drop-down menu.

Step 4 Click Deregister to confirm the deregistration.

Agent Removal from a Virtual Service

Removing an agent deployed as a virtual service from a Network Element involves modifying the install and upgrade configuration settings file, renaming an install log file, then running the install and upgrade script with a command line option to remove the agent.

Modifying the Install Properties File

Modify the install.yaml install properties file so the install script can locate and remove the agents from the Network Elements.

Before You Begin

• Log into the controller VM console.

DETAILED STEPS

Step 1
  Command or Action: cd /opt/cisco/sln/install_upgrade/container
  Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container
  Purpose: Navigate to the /install_upgrade/container directory.

Step 2
  Command or Action: vi install.yaml
  Example: user@host:~/opt/cisco/sln/install_upgrade/container$ vi install.yaml
  Purpose: Open the install.yaml properties file in the vi text editor.

Step 3
  Command or Action: Verify that each of your Network Elements and agents has a per-branch setting entry. See the Cisco Stealthwatch Learning Network License Release Notes for more information.
  Purpose: Ensure that your install.yaml properties file has a per-branch setting entry for each Network Element and agent.

Step 4
  Command or Action: Press Esc, then enter :wq! and press Enter.
  Purpose: Save your changes and close the file.


Install and Update Properties File Storage

When you deployed the agents as virtual services, you configured the install.yaml properties file with deployment settings. If you plan to deploy the Learning Network License system again, you can log into the controller, save a copy of the properties file, and later upload it to the controller to redeploy your agents. See https://www.vmware.com/support/ws3/doc/ws32_running9.html for more information.

Renaming an Install Log File

Rename the aa_summary install log file so that the install script does not reference it and restrict itself to cleaning up only those agents that failed to install properly.

Before You Begin

• Log into the controller VM console.

DETAILED STEPS

Step 1
  Command or Action: cd /opt/cisco/sln/install_upgrade/container
  Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container
  Purpose: Navigate to the /install_upgrade/container directory.

Step 2
  Command or Action: mv aa_summary aa_summary_backup
  Example: user@host:~/opt/cisco/sln/install_upgrade/container$ mv aa_summary aa_summary_backup
  Purpose: Rename the aa_summary file to aa_summary_backup.

Uninstalling Agents Using the Install Script

Run the installation_auto.py install script, referencing the install.yaml install properties file, to remove all agents deployed as virtual services.

Before You Begin

• Log into the controller VM console.


DETAILED STEPS

Step 1
  Command or Action: cd /opt/cisco/sln/install_upgrade/container
  Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container
  Purpose: Navigate to the /install_upgrade/container directory.

Step 2
  Command or Action: installation_auto.py -c install.yaml --clean_only
  Example: user@host:~/opt/cisco/sln/install_upgrade/container$ installation_auto.py -c install.yaml --clean_only
  Purpose: Run the installation_auto.py install script with the --clean_only command line option to remove the agents from the host Network Elements referenced in install.yaml.
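The agent-removal tasks above (change to the container directory, rename aa_summary, run installation_auto.py with --clean_only) collected into one checked shell function. This is an added example, not a script from the Cisco guide or from the Learning Network License product. Its assumptions are: the container directory and a dry-run switch are passed as arguments rather than fixed; it refuses to run when install.yaml is absent, since the script locates agents through that file; and it preserves an earlier aa_summary_backup under a timestamped name instead of overwriting it, a case the guide's plain mv does not cover. The only product command it invokes is the installation_auto.py line shown in the guide.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide: one checked procedure covering the
# "Renaming an Install Log File" and "Uninstalling Agents Using the Install Script"
# tasks. Assumptions (not from the guide): the container directory and a dry-run
# switch are passed as arguments, and an existing aa_summary_backup is kept under
# a timestamped name rather than overwritten.
#
# Usage: sln_clean_agents [container_dir] [dry_run]
#   container_dir  defaults to /opt/cisco/sln/install_upgrade/container
#   dry_run        "1" prints the install-script command instead of running it

sln_clean_agents() (
    dir="${1:-/opt/cisco/sln/install_upgrade/container}"
    dry_run="${2:-0}"

    # The subshell body keeps the cd local to this function, so the caller's
    # working directory is untouched whatever happens below.
    cd "$dir" || { echo "cannot enter $dir" >&2; exit 1; }

    # installation_auto.py locates the agents through install.yaml; without it
    # there is nothing the clean-only pass could remove, so stop here.
    if [ ! -f install.yaml ]; then
        echo "install.yaml not found in $dir; nothing to clean" >&2
        exit 1
    fi

    # Rename aa_summary so the install script does not restrict itself to the
    # agents recorded there as failed installs. An earlier backup is never
    # clobbered; it gets a timestamped name instead.
    if [ -f aa_summary ]; then
        backup=aa_summary_backup
        if [ -e "$backup" ]; then
            backup="aa_summary_backup.$(date +%Y%m%d%H%M%S)"
        fi
        mv aa_summary "$backup" || exit 1
        echo "renamed aa_summary to $backup"
    else
        echo "no aa_summary present; skipping rename"
    fi

    # Clean-only pass from the guide: removes the agents and the SLN-NF-* Flexible
    # NetFlow configuration from every Network Element listed in install.yaml.
    if [ "$dry_run" = "1" ]; then
        echo "dry run: would run installation_auto.py -c install.yaml --clean_only"
        exit 0
    fi
    installation_auto.py -c install.yaml --clean_only
)
```

Run it as sln_clean_agents with no arguments on the controller VM to use the guide's directory, or pass a directory and 1 as a second argument to rehearse the steps without touching the Network Elements. The exit status of the real run is that of installation_auto.py, so a wrapper can stop before the ESXi removal step if the clean-only pass fails.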

Controller Removal from an ESXi Host

Removing a controller from an ESXi host requires connecting to the ESXi host and deleting the controller VM.

Removing a VM from an ESXi Host

Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you want to remove the VM.

Step 2 Select View > Inventory > Hosts and Clusters.

Step 3 Highlight the VM you want to remove.

Step 4 Select Inventory > Virtual Machine > Power > Power Off and wait for the VM to power off.

Step 5 Right-click the VM you want to remove, and select Delete from Disk. Confirm the deletion.
