
Cisco Stealthwatch Learning Network License Virtual Service Quick Start Guide, Version 1.1

Cisco Stealthwatch Learning Network License Quick Start Guide 2

Learning Network License Introduction 2

Installing the Learning Network License System 2

Installation Prerequisites 3

Controller Deployment 16

Controller Certificate Management 28

Updating Administrator Credentials 30

NTP Configuration 30

Install Script Overview 31

Verifying NTP Configuration on the Agent 46

Smart Licensing Overview 47

Enabling Agents on the Controller 48

Interface Configuration 48

Initial Learning Phase Overview 51

Next Steps 51

For Assistance 51


Revised: March 15, 2017

Cisco Stealthwatch Learning Network License Quick Start Guide

The following details essential information on deploying and configuring your Cisco Stealthwatch Learning Network License system.

Learning Network License Introduction

The Learning Network License system is a hyper-distributed analytics architecture that inspects your network traffic and applies machine learning algorithms to perform a behavioral analysis. As a result, the system can identify anomalous behavior, such as malware, distributed botnets, data exfiltration, and more.

You deploy multiple agents to your network edge to inspect traffic. These agents report the anomalies in real time to the controller for additional system and user analysis. Based on the anomalies, you can provide relevance feedback, which the system incorporates into internal traffic models. This allows the system to better identify and report anomalies of interest.

You can also configure mitigations based on anomaly properties, such as hosts involved and application traffic transferred. These mitigations reduce or eliminate the impact of detected anomalies now and in the future. The combination of behavioral analysis, user feedback, and traffic mitigation customizes the system to address the threats specific to your network and better protect your users.

Installing the Learning Network License System

The following provides a high-level overview of installing the Learning Network License system.

Procedure

Step 1 Ensure your ISRs support installing the Learning Network License system, and have the proper licenses and hardware. See Installation Prerequisites, on page 3 for more information.

Step 2 Deploy a separate ESXi host to run the controller. See Controller Host Requirements, on page 6 for more information.

Step 3 Download the agent and controller OVA files at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html. See Downloading the OVA Files from Cisco, on page 15 for more information.

Step 4 Deploy the controller to the ESXi host using vSphere Client. Power on the virtual machine, and log into the controller VM console using the default administrator username (sln) and default administrator password (cisco). See Controller Deployment, on page 16 for more information.

Step 5 Run the setup-system setup script from the controller command line. Follow the script prompts to configure the network connection, NTP servers, and generate public key certificates. Verify your NTP configuration from the controller VM console. See Configuring the Controller with the Setup Script, on page 25 and Verifying NTP Configuration on the Controller, on page 28 for more information.

Step 6 Update the sca.conf controller configuration file to configure public key certificate management settings, then restart the controller processes. See Updating the Controller Configuration, on page 28 and Restarting Controller Processes, on page 29 for more information.

Step 7 Log into the controller web UI with the default administrator login (admin) and the default administrator password (cisco), then update administrator credentials. See Updating Administrator Credentials, on page 30 for more information.

Step 8 Configure NTP servers on your ISR. See NTP Configuration, on page 30 for more information.

Step 9 From the controller VM console, configure the install.yaml agent install properties file. See Agent Properties File Settings, on page 36 and Updating the Agent Properties File, on page 44 for more information.

Step 10 Run the installation_auto.py install and upgrade script from the controller to deploy the agent as a virtual service to an ISR. See Running the Install Script, on page 46 for more information.

Step 11 Log into the controller web UI with your updated administrator credentials. Register your controller with Smart Licensing. From the controller VM console, restart the controller's processes. See Registering the Controller Instance, on page 47 and Restarting the Controller Processes, on page 48 for more information.

Step 12 From the controller web UI, enable and configure your agents with the controller as described in Enabling Agents on the Controller, on page 48 and Configuring Agent Network Settings, on page 50.

Step 13 Allow the system an initial learning phase to create a baseline model of your network traffic. See Initial Learning Phase Overview, on page 51 for more information.

Installation Prerequisites

When you deploy the Learning Network License system, obtain or configure the following:

• open ports for system functionality

• an ESXi host for the controller

• a Network Element capable of running the agent as a virtual service (container)

• the proper licensing for your Network Element

• the controller and agent OVA files

Communication Ports

Learning Network License requires several open ports for functionality, to allow communication between the controller and agents, and to allow users to access the controller UI. If a firewall or other security appliance sits between the controller and agents, or between the user and the controller, open these ports.


The following diagram illustrates this system functionality.

Figure 1: System Functionality Requiring Open Ports with an Agent Deployed as a Virtual Service

• Users, such as system administrators, can log into the controller web UI, and SSH login to agents.

• The controller sends information, such as mitigations, to the agent, and contacts NTP servers to synchronize time.

• The agent sends information, such as anomalies, log files, configuration files, and PCAP files, to the controller, and contacts NTP servers to synchronize time.

The following diagram illustrates the open ports and directionality. See Table 1: Default Communication Ports for Learning Network License Features and Operation, on page 5 for more information on these ports.

Figure 2: Open Ports for System Functionality with an Agent Deployed as a Virtual Service


Table 1: Default Communication Ports for Learning Network License Features and Operation

| Port | Description | Direction | Is Open for any... | To... |
|---|---|---|---|---|
| 22/TCP | SSH/SCP | outbound from agent eth0 interface Management IP, inbound to controller IP | IP associated with the controller, Management IP associated with the agent | transfer log files and configuration files |
| 22/TCP | SSH | outbound from host IP, inbound to agent eth0 interface Management IP | host IP that wants to SSH login to the agent | optionally enable remote access to the agent administrator script when the agent is deployed as a virtual service |
| 22/TCP | SSH | inbound from host IP to controller IP | host IP that wants to SSH login to the controller | optionally enable SSH login to the controller |
| 123/UDP | NTP | outbound from the controller IP to an external NTP server | IP associated with the controller | synchronize time with agents deployed as virtual services |
| 443/TCP | HTTPS | inbound from user IP to controller IP | host IP that wants to access the controller UI | access the controller UI |
| 9091/TCP | TLS | outbound from controller IP to agent eth0 interface Management IP | IP associated with the controller | allow the controller to communicate with the agent |
| 9092/TCP | packet buffer capture (PBC) | outbound from controller IP to agent eth0 interface Management IP | IP associated with the controller | enable PBC |
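The following Python script is an added example and is not part of the Cisco guide. It encodes the rows of Table 1 as a policy, derives the inbound and outbound openings each host role needs, and flags connection records that match no expected flow, such as an agent initiating a connection to the controller on 9091, which Table 1 defines as controller-to-agent only. The IP addresses, the role mapping and the sample connection records are constructed for the demonstration.

```python
# Added example (not from the Cisco guide): Table 1 as a checkable policy.
from dataclasses import dataclass

# Host roles that appear in Table 1.
CONTROLLER, AGENT, USER, NTP_SERVER = "controller", "agent", "user", "ntp"


@dataclass(frozen=True)
class Flow:
    src: str      # role that initiates the connection
    dst: str      # role that accepts it
    proto: str    # "tcp" or "udp"
    port: int
    purpose: str


# One entry per row of Table 1; direction is initiator -> responder.
POLICY = (
    Flow(AGENT, CONTROLLER, "tcp", 22, "SSH/SCP: log and configuration file transfer"),
    Flow(USER, AGENT, "tcp", 22, "SSH: optional remote access to the agent administrator script"),
    Flow(USER, CONTROLLER, "tcp", 22, "SSH: optional login to the controller"),
    Flow(CONTROLLER, NTP_SERVER, "udp", 123, "NTP: time synchronization"),
    Flow(USER, CONTROLLER, "tcp", 443, "HTTPS: controller web UI"),
    Flow(CONTROLLER, AGENT, "tcp", 9091, "TLS: controller-to-agent communication"),
    Flow(CONTROLLER, AGENT, "tcp", 9092, "packet buffer capture (PBC)"),
)


def rules_for(role, policy=POLICY):
    """Return (direction, proto, port, peer_role) tuples a host of `role` needs open."""
    rules = []
    for f in policy:
        if f.dst == role:
            rules.append(("inbound", f.proto, f.port, f.src))
        if f.src == role:
            rules.append(("outbound", f.proto, f.port, f.dst))
    return rules


def classify(record, role_of, policy=POLICY):
    """record = (src_ip, dst_ip, proto, dst_port). Returns the matching Flow or None."""
    src_ip, dst_ip, proto, port = record
    src_role = role_of.get(src_ip, "unknown")
    dst_role = role_of.get(dst_ip, "unknown")
    for f in policy:
        if (f.src, f.dst, f.proto, f.port) == (src_role, dst_role, proto, port):
            return f
    return None


def unexpected_flows(records, role_of, policy=POLICY):
    """Records that no Table 1 row explains; worth a firewall log review."""
    return [r for r in records if classify(r, role_of, policy) is None]


# Constructed sample: documentation-range addresses, not a real deployment.
ROLE_OF = {"192.0.2.10": CONTROLLER, "198.51.100.5": AGENT, "198.51.100.6": AGENT,
           "203.0.113.7": USER, "192.0.2.123": NTP_SERVER}
SAMPLE_RECORDS = [
    ("192.0.2.10", "198.51.100.5", "tcp", 9091),   # controller -> agent TLS: expected
    ("198.51.100.5", "192.0.2.10", "tcp", 22),     # agent -> controller SCP: expected
    ("203.0.113.7", "192.0.2.10", "tcp", 443),     # user -> controller web UI: expected
    ("198.51.100.6", "192.0.2.10", "tcp", 9091),   # agent -> controller on 9091: wrong direction
    ("198.51.100.5", "203.0.113.7", "tcp", 22),    # agent SSH out to a user host: unexpected
]

if __name__ == "__main__":
    for rule in rules_for(CONTROLLER):
        print("controller needs:", *rule)
    for record in unexpected_flows(SAMPLE_RECORDS, ROLE_OF):
        print("UNEXPECTED:", record)
```

The policy deliberately keys on the initiating side: 22/TCP appears three times in Table 1 with different initiators, so a port-only allow list would accept the reversed flows this check rejects.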

Learning Network License and Licensing

To properly deploy your Learning Network License system, you must obtain the proper IOS Licenses for your ISRs, as well as the proper Smart Licenses for Learning Network License.

To run an agent on an ISR, you must activate an IP Base (ipbasek9) IOS license, and a Data (datak9) or App (appxk9) IOS license. See http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html for more information on activating the licenses.

You must also obtain the appropriate Smart License entitlement for each controller and agent you deploy.


Table 2: Smart License Entitlement Types

| Learning Network License Component | License Entitlement and Description | Associated File Downloads and Description |
|---|---|---|
| controller | L-SW-SCA-K9 - SCA Virtual Manager | sln-sca-k9-<ver>.ova - single controller OVA |
| agent deployed as a virtual service on an ISR 43XX | L-SW-LN-43-1Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 1 Yr Term; L-SW-LN-43-3Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 3 Yr Term | sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD; sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash |
| agent deployed as a virtual service on an ISR 44XX | L-SW-LN-44-1Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 1 Yr Term; L-SW-LN-44-3Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 3 Yr Term | sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD; sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash |

Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.

For more information on Smart Licensing, see http://www.cisco.com/web/ordering/smart-software-manager/smart-accounts.html.

In addition, you must generate a registration token in the Cisco Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html), then use this to register your controller. Each time you manage and enable an agent with the controller, the controller automatically requests a license entitlement for the agent.

For more information about the Cisco Smart Software Manager, see the Cisco Smart Software Manager User Guide.

Controller Host Requirements

You can host a controller virtual appliance on a VMware ESXi Version 5.5 hosting environment. You can also enable VMware Tools on all supported ESXi versions. For information on the full functionality of VMware Tools, see the VMware website (http://www.VMware.com). For help creating a hosting environment, see the VMware ESXi documentation.

Virtual appliances use Open Virtual Format (OVF) packaging. Cisco provides the controller and agent virtual appliances in Open Virtual Appliance (OVA) format, an archive version of the OVF file.

The computer that serves as the controller ESXi host must meet the following requirements:

• It must have a 64-bit CPU that provides virtualization support, either Intel® Virtualization Technology (VT) or AMD Virtualization™ (AMD-V™) technology.

• Virtualization must be enabled in the BIOS settings.


• To host virtual devices, the computer must have network interfaces compatible with Intel e1000 drivers (such as PRO 1000MT dual port server adapters or PRO 1000GT desktop adapters).

• This host must have network connectivity to all Network Elements where you will install your agents.

• Users such as administrators and analysts should be able to establish a connection to this host, to access the controller user interface.

For more information, see the VMware website: http://www.vmware.com/resources/guides.html.

Note: Installing the controller on a Network Element is not supported.

Controller Installation Prerequisites

Controller Download

Cisco provides the controller as an OVA file: sln-sca-k9-<ver>.ova. Download the file at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html.

Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.

You must also download and install the latest version of VMware vSphere Client to install the virtual machine. Cisco recommends you also download and install VMware ESXi version 5.5 to run the virtual machine. Download the files at https://my.vmware.com/web/vmware/downloads.

Controller Virtual Appliance Settings

Each virtual appliance you create requires a certain amount of memory, CPUs, and hard disk space on the ESXi host. Do not decrease the default settings, as they are the minimum required to run the system software. The following table lists the default settings.

Table 3: Default Controller Virtual Appliance Settings

| Setting | Default |
|---|---|
| memory | 24576 MB (24 GB) |
| virtual CPUs (vCPU) | 4 |
| virtual NICs | vNIC 0 - Main Network; vNIC 1 (disconnected) - Alt1 Network; vNIC 2 (disconnected) - Alt2 Network |
| hard disk provisioned size | 200 GB |

When you start the VM, the controller determines the amount of physical RAM available, and updates the configuration to allow use of up to half of that RAM.

Cisco recommends you increase VM settings, depending on the size of your Learning Network License deployment. See the following table for recommendations.

Table 4: Recommended Controller VM Settings

| Learning Network License Deployment Size | Recommended VM Settings |
|---|---|
| 1 to 50 agents | 24576 MB (24 GB) of RAM; 8 vCPU; 400 GB of hard disk provisioned size |
| 51 to 1000 agents | 65536 MB (64 GB) of RAM; 16 vCPU; 4 TB of hard disk provisioned size |

Note: The number of vCPUs is determined by multiplying the number of virtual sockets by the number of cores per socket.

If you increase the memory, number of vCPUs and cores/socket (default is 4), or the hard disk size, see http://www.vmware.com/ for more information and best practices.

Information Needed During Installation

When you run the setup script, provide the following information to configure the controller:

Table 5: Controller Installation Settings

| Setting | Description |
|---|---|
| eth0 interface IPv4 address, netmask, and gateway | transfer management traffic with agent, and provide access to controller web UI |
| eth0 interface hostname | hostname for the controller |
| eth0 interface DNS servers and DNS search suffixes | DNS context for anomalies |
| NTP server IPv4 addresses | synchronize time in Learning Network License system |


The setup script allows you the option of generating self-signed certificates. If you generate a certificate for the controller web UI server, you can define the following subject distinguished name components:

Table 6: Self-Signed Certificate Subject Distinguished Name Options

| Option | Description |
|---|---|
| Country Name | A two-letter ISO 3166-1 country code |
| State or Province Name | Full name of the state or province where your organization is located |
| Locality Name | The city where your organization is located |
| Organization Name | Your organization's name |
| Organizational Unit Name | Your organization's division's name |
| Common Name | A host and domain name associated with the certificate |
| Email Address | A contact email address |

Learning Network License requires a server certificate to encrypt controller/agent communications, and a server certificate to encrypt user connections to the controller web user interface.

ISR Platform Requirements

Several 4000 Series ISRs support hosting an agent in a service container. You can optionally install a solid state drive (SSD) carrier and SSD network interface module (NIM-SSD) for the agent. For more information on the 4000 Series ISRs, see http://www.cisco.com/c/en/us/td/docs/routers/access/4400/roadmap/isr4400roadmap.html.

ISR 4000 Series Platform Requirements

Table 7: ISR 4000 Series Platform Requirements

| ISR Component | Required |
|---|---|
| Model | Cisco 4331, Cisco 4351, Cisco 4431, or Cisco 4451 |
| Control Plane DRAM | 8192 MB (8 GB) |
| Disk Storage for Service Container Hosting | If you deploy your virtual service to bootflash, no additional equipment is required. If you want to deploy your virtual service to a hard disk, to achieve much larger storage capacities, you must install NIM-SSD(=) (NIM carrier card for SSD drives) and SSD-SATA-200G(=) (200 GB SATA solid state disk for NIM-SSD, 155 GB free). See Agent Installation Prerequisites, on page 14 for more information. |
| Complex Programmable Logic Device | Version 15010638 or greater |
| Image | IOS-XE Release 15.4(3)S1 through 15.5(3)Sx. Note: IOS-XE Release 15.4(3)S2 and prior do not support deploying a virtual service to bootflash. You must deploy a virtual service to a NIM-SSD for these releases, or upgrade to Release 15.5(3)S to deploy the virtual service to bootflash. |
| NBAR2 Protocol Pack | Version 15.0.0 or greater (IOS-XE 15.4(3)S1 through 15.5(3)S); Version 17.0.0 or greater (IOS-XE 15.5(3)S, rebuild 2 or greater) |
| Licenses | Cisco 4331: SL-4330-IPB-K9 (IP Base license) and SL-4330-APP-K9 (AppX license). Cisco 4351: SL-4350-IPB-K9 (IP Base license) and SL-4350-APP-K9 (AppX license). Cisco 44XX: SL-44-IPB-K9 (IP Base license) and SL-44-DATA-K9 or SL-44-APP-K9 (Data license or AppX license). See http://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/guide-c07-732797.html#_Toc424288435 for more information. |

Verifying ISR Platform Requirements


Before You Begin

• Log into the ISR console.

Procedure

| Step | Command or Action | Purpose |
|---|---|---|
| Step 1 | enable (Example: Router> enable) | Enable privileged EXEC mode. |
| Step 2 | show version (Example: Router# show version) | Show version information, including image version, installed ISR licenses, and control plane DRAM. |
| Step 3 | show platform (Example: Router# show platform) | Show the Complex Programmable Logic Device version. |
| Step 4 | show ip nbar protocol-pack active (Example: Router# show ip nbar protocol-pack active) | Show the NBAR2 protocol pack version. |
| Step 5 | exit (Example: Router# exit) | Exit privileged EXEC mode. |

Example ISR Platform Requirements

Issuing the show version command to your ISR allows you to view your image version, installed licenses, and the total control plane DRAM on the ISR. These are shown in the output below. Note that appxk9 corresponds to the AppX license, and ipbasek9 corresponds to the IP Base license.

Router> enable
Router# show version
Cisco IOS XE Software, Version 2016-05-16_22.05.paj
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)s2, RELEASE SOFTWARE (fc2)
...
Technology Package License Information:
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
-----------------------------------------------------------------
appxk9        appxk9        RightToUse     appxk9        [AppX license]
uck9          None          None           None
securityk9    None          None           None
ipbase        ipbasek9      Permanent      ipbasek9      [IP Base license]

cisco ISR4431/K9 (1RU) processor with 7799569K/6147K bytes of memory.
...

Issuing the show platform command to your ISR allows you to view the Complex Programmable Logic Device (CPLD) version, shown in the output below.

Router# show platform
Chassis type: ISR4431/K9

Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
...

Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         15010638            15.4(2r)S
R0        15010638            15.4(2r)S
F0        15010638            15.4(2r)S

Issuing the show ip nbar protocol-pack active command to your ISR allows you to view the NBAR2 protocol pack version, shown in the output below.

Router# show ip nbar protocol-pack active
Active Protocol Pack:
Name:      Advanced Protocol Pack
Version:   17.0
Publisher: Cisco Systems Inc.
...
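As an added example, not code from the Cisco guide, the following Python script parses the three command outputs shown above and checks them against the Table 7 requirements those commands can answer: the image release range, whether the release supports bootflash deployment, the IP Base plus AppX (or Data) licenses, the CPLD version of every slot, and the protocol pack version the image needs. The embedded outputs are constructed to mirror the excerpts above and are not captured from a real router; the Control Plane DRAM row of Table 7 is not evaluated.

```python
# Added example (not from the Cisco guide): check ISR show-command output against Table 7.
import re

# Constructed sample outputs, modelled on the guide's excerpts (not from a real router).
SAMPLE_SHOW_VERSION = """\
Cisco IOS XE Software, Version 2016-05-16_22.05.paj
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S2, RELEASE SOFTWARE (fc2)
Technology Package License Information:
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
-----------------------------------------------------------------
appxk9        appxk9        RightToUse     appxk9
uck9          None          None           None
securityk9    None          None           None
ipbase        ipbasek9      Permanent      ipbasek9
cisco ISR4431/K9 (1RU) processor with 7799569K/6147K bytes of memory.
"""
SAMPLE_SHOW_PLATFORM = """\
Chassis type: ISR4431/K9
Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
0         ISR4431/K9          ok                    2d03h
Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         15010638            15.4(2r)S
R0        15010638            15.4(2r)S
F0        15010638            15.4(2r)S
"""
SAMPLE_SHOW_NBAR = """\
Active Protocol Pack:
Name:      Advanced Protocol Pack
Version:   17.0
Publisher: Cisco Systems Inc.
"""

MIN_CPLD = 15010638
IMAGE_MIN, IMAGE_MAX_TRAIN = (15, 4, 3, 1), (15, 5, 3)  # 15.4(3)S1 through 15.5(3)Sx
BOOTFLASH_MIN = (15, 5, 3, 0)                           # 15.5(3)S or later
NBAR_17_FROM = (15, 5, 3, 2)                            # 15.5(3)S rebuild 2 or later needs pack 17.0

def parse_ios_xe_version(text):
    """'Version 15.5(3)S2' -> (15, 5, 3, 2); a missing rebuild number counts as 0."""
    m = re.search(r"\), Version (\d+)\.(\d+)\((\d+)\)[A-Za-z]+(\d*)", text)
    if not m:
        raise ValueError("IOS-XE version line not found")
    major, minor, rel, rebuild = m.groups()
    return (int(major), int(minor), int(rel), int(rebuild or 0))

def parse_licenses(text):
    """Return {technology: active package} from the Technology Package table."""
    active, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Technology Package License Information"):
            in_table = True
            continue
        parts = line.split()
        if in_table and len(parts) == 4 and parts[1].endswith("k9"):
            active[parts[0]] = parts[1]      # package names end in k9; 'None' rows are skipped
        elif in_table and line.startswith("cisco "):
            break                             # the processor line ends the license table
    return active

def has_required_licenses(active):
    """IP Base plus AppX (or Data), as the guide requires for an agent."""
    packages = set(active.values())
    return "ipbasek9" in packages and bool(packages & {"appxk9", "datak9"})

def parse_cpld_versions(text):
    """Return {slot: CPLD version} from the 'Slot  CPLD Version' table of show platform."""
    versions, in_table = {}, False
    for line in text.splitlines():
        if "CPLD Version" in line:
            in_table = True
            continue
        m = re.match(r"^(\S+)\s+(\d+)\s+\S+", line) if in_table else None
        if m:
            versions[m.group(1)] = int(m.group(2))
    return versions

def parse_nbar_version(text):
    m = re.search(r"^Version:\s+(\d+)\.(\d+)", text, re.M)
    if not m:
        raise ValueError("protocol pack version not found")
    return (int(m.group(1)), int(m.group(2)))

def image_supported(v):
    return IMAGE_MIN <= v and v[:3] <= IMAGE_MAX_TRAIN

def supports_bootflash(v):
    return v >= BOOTFLASH_MIN

def check_isr(show_version, show_platform, show_nbar):
    """Evaluate each Table 7 requirement the three commands can answer."""
    v = parse_ios_xe_version(show_version)
    cplds = parse_cpld_versions(show_platform)
    nbar_min = (17, 0) if v >= NBAR_17_FROM else (15, 0)
    return {
        "image_in_supported_range": image_supported(v),
        "bootflash_deployment_supported": supports_bootflash(v),
        "licenses": has_required_licenses(parse_licenses(show_version)),
        "cpld": bool(cplds) and min(cplds.values()) >= MIN_CPLD,
        "nbar2_protocol_pack": parse_nbar_version(show_nbar) >= nbar_min,
    }

if __name__ == "__main__":
    for name, ok in check_isr(SAMPLE_SHOW_VERSION, SAMPLE_SHOW_PLATFORM, SAMPLE_SHOW_NBAR).items():
        print("PASS" if ok else "FAIL", name)
```

Paste the real output of each command into the three strings (or read them from files) and run the script; every slot in the CPLD table must meet the minimum, and the protocol pack threshold switches from 15.0 to 17.0 once the image is 15.5(3)S rebuild 2 or later, as Table 7 states.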

ISR Configuration Prerequisites

Information Needed for ISR Configuration

When you configure the ISR's NTP servers and flexible NetFlow, provide the following information:

Table 8: ISR Configuration Settings

| Setting | Description |
|---|---|
| loopback interface IPv4 address or router management interface | configure NTP server connectivity. Use a loopback interface if you have one configured, or the router management interface if you do not. |
| NTP server IPv4 addresses | synchronize time in Learning Network License system |
| agent eth0 IPv4 address for NetFlow exporter | pass NetFlow packets from the ISR to the agent and traffic between the controller and the agent |


ISR License Installation

To run an agent on an ISR 4000 Series, you must activate an IP base (ipbasek9) IOS license, and an App (appxk9) IOS license, on the ISR. See http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html for more information on activating the licenses.

Agent and ISR Interaction

The following diagram illustrates the interaction between an agent and its host ISR.

Figure 3: ISR and Agent Deployed as a Virtual Service

The diagram shows an agent deployed as a virtual service, named sln, on the host ISR. The virtual service contains two virtual interfaces:

• VirtualPortGroup1, used as the virtual service's eth0 interface. This is the Management interface, which handles controller/agent communication, including mitigations and anomalies. This is also the Control interface, which handles agent/router communication, including passing NetFlow packets from the router to the agent, and passing mitigations from the agent to the router.

Configure eth0 on the virtual service with a routable IP address, so the controller can reach the agent. Configure VirtualPortGroup1 using ip unnumbered, and a router interface that the controller can reach.

• VirtualPortGroup2, used as the virtual service's eth1 interface. This is the Data Transfer interface, which handles raw packet data passed from the router to the agent. These raw packets are used for packet buffer capture and deep packet inspection.

Traffic over the data connection does not leave the router. Configure the virtual service interface and VirtualPortGroup2 using private IP addresses.

Agent Installation Prerequisites

The agent runs as a virtual service on your ISR. You can deploy the virtual service either to the ISR's bootflash, or to an optional 200 GB NIM-SSD. In general, agents deployed to bootflash offer less storage space for file retention than agents deployed to a NIM-SSD. See the following table for an overview of these differences.

Table 9: Agent Deployment as Virtual Service Comparison

| Feature | Agent Deployed to bootflash | Agent Deployed to NIM-SSD |
|---|---|---|
| Default virtual service settings | Lower hard disk provisioned size setting. | Higher hard disk provisioned size setting. |
| packet buffer capture (PBC) | Lesser file storage allocation for PBC. PCAP file storage is volatile; if the ISR restarts, PCAPs are lost. | Greater file storage allocation for PBC. PCAP file storage is stable; if the ISR restarts, PCAPs are retained. |
| log files | Lower file storage allocation for log files. Log file storage is volatile; if the ISR restarts, log files are lost. | Greater file storage allocation for log files. Log file storage is stable; if the ISR restarts, log files are retained. |

See ISR 4000 Series Platform Requirements, on page 9 for more information.

Note: You must download the virtual service OVA file. You cannot install the UCS E-Series blade server OVA file as a virtual service.

Agent Configuration Prerequisites

Agent OVA Download

Cisco provides the agent as one of two OVA files: sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova to install on the ISR's NIM-SSD, and sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova to install on the ISR's bootflash. Download the file at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html.

Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.


Agent Virtual Service Settings

Each agent you deploy as a virtual service requires a certain amount of memory, CPUs, and hard disk space. The following table lists the default settings.

Table 10: Default Agent as a Virtual Service Settings

| Setting | Default |
|---|---|
| memory | 3072 MB (3 GB) |
| virtual CPUs | 2 |
| hard disk provisioned size | 250 MB (when deployed to bootflash); 150 GB (when deployed to a NIM-SSD) |

Agent Install Script

The controller contains an agent install script you can use to deploy the agents as virtual services. See Install Script Deployment, on page 32 and Agent Properties File Settings, on page 36 for more information.

NTP Configuration

The agent deployed as a virtual service receives time from the host router. You must configure the router and the controller with synchronized NTP server addresses to ensure synchronized time.

Downloading the OVA Files from Cisco

Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.

Procedure

Step 1 In your web browser, navigate to http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html. Enter your username and password when prompted.

Step 2 Download the controller OVA file: sln-sca-k9-<ver>.ova

Step 3 Download an agent OVA file:

• sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - contains the agent to be deployed as a virtual service on an ISR's NIM-SSD

• sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - contains the agent to be deployed as a virtual service on an ISR's bootflash


Obtaining a File's Checksum from cisco.com

Before You Begin

• Go to the file download page on cisco.com.

Procedure

Step 1 Click the File Information file name to view the file's details, which include the MD5 and SHA512 checksums.

Step 2 Click the ellipsis (…) to view the full SHA512 checksum.
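An added example, not from the Cisco guide: a Python checker that streams a downloaded OVA through MD5 or SHA512 and compares the result with the checksum copied from cisco.com in constant time, rejecting a value that still carries the ellipsis from the file details view (a truncated SHA512 can never match and would otherwise look like a corrupt download). The file path and the published checksum are command-line arguments; the digest values used to exercise it are for constructed input, not real Cisco files.

```python
# Added example (not from the Cisco guide): verify a downloaded OVA against its published checksum.
import hashlib
import hmac

SUPPORTED = {"md5": 32, "sha512": 128}   # hex digest length per algorithm


def is_truncated(published):
    """True when the copied checksum still carries the download page's ellipsis."""
    return "…" in published or "..." in published


def normalize(published, algo):
    """Strip whitespace and case; reject a value that cannot be a full `algo` digest."""
    if is_truncated(published):
        raise ValueError("checksum is truncated; click the ellipsis on cisco.com and copy the full value")
    value = "".join(published.split()).lower()
    if len(value) != SUPPORTED[algo] or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"not a valid {algo} hex digest: {published!r}")
    return value


def digest_bytes(data, algo):
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo, chunk_size=1 << 20):
    """Stream the file so a multi-GB OVA does not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(actual_hex, published, algo):
    """Constant-time comparison of the computed digest with the published one."""
    return hmac.compare_digest(actual_hex.lower(), normalize(published, algo))


def verify_file(path, published, algo="sha512"):
    return verify(digest_file(path, algo), published, algo)


if __name__ == "__main__":
    import sys
    path, published = sys.argv[1], sys.argv[2]
    # Pick the algorithm from the length of the pasted value (32 hex chars = MD5, 128 = SHA512).
    algo = "sha512" if len("".join(published.split())) == SUPPORTED["sha512"] else "md5"
    if verify_file(path, published, algo):
        print(f"{algo} MATCH: {path}")
    else:
        print(f"{algo} MISMATCH: redownload {path}; if it still fails, contact Cisco Support")
```

Run it as `python verify_ova.py sln-sca-k9-<ver>.ova <checksum copied from cisco.com>`. Prefer the SHA512 value when both are published; MD5 is accepted here only because the download page offers it.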

Controller Deployment

Cisco provides the controller as a downloadable OVA file. You can deploy this OVA file to a host running an ESXi hypervisor.

Before you start the controller VM, you can update the memory, number of vCPUs, and hard disk space in vSphere vCenter. If you increase the memory, you must start the VM, then run the setup-system script. After you run the script, the VM is updated with proper memory settings.

If your controller is already running, and you want to update the memory settings, run the setup-system script, stop the VM, update the memory settings, and start the VM. On restart, the VM is updated with proper memory settings.

See Controller Installation Prerequisites, on page 7 for more information on recommended controller VM settings, based on deployment size.

Note: For a given version of the Learning Network License system, only the version of Ubuntu Linux shipped with the controller and agents is supported. Do NOT upgrade Ubuntu Linux on the controller or agent VMs.

The first time you log into the virtual machine, the system prompts you to change the default administrator password.

Deploying the OVA File

As you map destination networks to interfaces, note that only eth0 is enabled by default. For many deployments, controller management traffic, agent traffic, and controller web UI user traffic are reachable from the same controller network interface. In this case, you can map that destination network to the eth0 interface. You can also leave the eth1 and eth2 interfaces disabled, and mapped to a separate destination network.

However, if these traffic types are reachable via different controller network interfaces, you can enable eth1, eth2, or both eth1 and eth2, then map them to the appropriate destination networks.

Before You Begin

• Download the OVA file.

• Download VMware vSphere Client from https://my.vmware.com/web/vmware/downloads and install it.


Procedure

Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you want to install the OVA file.
Step 2 Select File > Deploy OVF Template.
Step 3 Click Browse to select your OVA file, then click Next.
Step 4 Review the OVF Template Details, then click Next.
Step 5 Enter a Name, select an inventory location, then click Next.
Step 6 Click the Thick Provision Lazy Zeroed radio button, then click Next.
Step 7 Select a Destination Network from your inventory to map to each Source Network, then click Next. You can map the following default networks:

• eth0 to Main Network

• eth1 (disconnected) to Alt1 Network

• eth2 (disconnected) to Alt2 Network

Note If you only need to configure eth0, you can map eth1 and eth2 to the same network.

Step 8 Review your deployment settings and click Finish.

Note The deployment may take 30 minutes to an hour or longer, depending on your environment.

Step 9 Click Close after the deployment completes.

What to Do Next

• Power on the virtual machine and login, as described in the next section.

Powering On the Virtual Machine

Before You Begin

• Deploy the OVA file to the ESXi hypervisor, as described in the previous section.

Procedure

Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you deployed the virtual machine.
Step 2 Select Home > Inventory > VMs and Templates.
Step 3 Select the virtual machine from the navigation tree.
Step 4 Select Inventory > Virtual Machine > Power > Power On.
Step 5 Click the Console tab, then click in the console pane to shift your focus to the virtual machine console.

Note To shift your focus from the virtual machine console to your local host, press Ctrl-Alt.


Step 6 Log in with the default administrator username (sln) and the default administrator password (cisco). When prompted,change the default administrator password.

Controller Virtual Hard Disk Storage

By default, the controller OVA ships configured with a 200 GB hard disk. Based on your deployment and the recommended settings, you can configure the deployed controller VM to expand the available hard disk storage space by either:

• increasing the existing virtual hard disk storage allocation with an expanded partition or another partition, when the existing VMware storage area has sufficient space, or

• adding a new virtual hard disk, when the existing VMware storage area has insufficient space.

Note Follow the procedures carefully. Failure to follow them can result in corruption or loss of the controller VM filesystem. Back up the controller VM before you change its disk configuration.

Controller Virtual Hard Disk Allocation Expansion

To add space to the controller VM hard disk, configure the VM's settings in VMware vSphere to increase the size of the hard disk. Then, from the VM's command line, run parted to extend an existing virtual hard disk partition. Finally, issue commands to expand the filesystem size for the new hard disk.

Note You can only extend a hard disk partition to 2 TB. If you need more space, use cfdisk to add another virtual hard disk partition instead.

By default, the controller ships with one virtual hard disk, sda, with partitions up to number 5 (sda5). The first time you add a partition to this virtual hard disk, increment the name by one (sda6). If you want to add another partition, increment the name of the most recent hard disk partition by 1 (sda7, sda8, and so on).

Editing VM Settings to Increase Virtual Hard Disk Size

Before You Begin

• Connect to the ESXi hypervisor using VMware vSphere.


Procedure

Step 1 Select Home > Inventory > VMs and Templates.
Step 2 Right-click the controller VM and select Edit Settings.
Step 3 In the Hardware tab, select Hard disk 1.
Step 4 Enter a new Provisioned Size to update the virtual hard disk provision.
Step 5 Click OK.
Step 6 Right-click the controller VM and select Power > Shut Down Guest. Wait for the VM to power off.
Step 7 Right-click the controller VM and select Power > Power On.

Adding a New Virtual Hard Disk Partition for Space Beyond 2 TB

Use cfdisk to create a new virtual hard disk partition when the space you need would take the existing partition past the 2 TB limit. The controller OVA contains one virtual hard disk by default, sda. This virtual hard disk contains partitions up to number five (sda5). The following task assumes you have not created another virtual hard disk partition, directing you to increment the highest virtual hard disk partition name by one to create the sda6 partition. If you have created other virtual hard disk partitions on the sda virtual hard disk, increment the new partition name based on the existing virtual hard disk partitions (sda7, sda8, etc.).

Before You Begin

• Use VMware vSphere to log into the controller VM console.

Procedure

Step 1 Command: sudo cfdisk /dev/sda, then enter your password when prompted.
Purpose: Run the cfdisk partition editor to create the sda6 partition.
Example: user@host:~$ sudo cfdisk /dev/sda

Step 2 Action: Move your cursor to the last line containing Free space, and verify that the size column roughly matches the amount of space you added.
Purpose: Verify that the partition size is correct. If it is not, restart the controller VM and restart this procedure from the beginning.

Step 3 Action: n to create a new partition.
Purpose: Create a new partition.

Step 4 Action: Select Logical and press Enter.
Purpose: Create a logical partition.

Step 5 Action: Press Enter to accept the default size.
Purpose: Create the partition with the free space displayed.

Step 6 Action: t to change the partition type to 8E.
Purpose: Change the partition type to 8E (Linux LVM).

Step 7 Action: W to write the new partition table, then yes to confirm.
Purpose: Write the new partition table.

Step 8 Action: q to quit cfdisk.
Purpose: Quit cfdisk.

Updating the Filesystem for the New Virtual Hard Disk Partition


The controller VM was provisioned with Linux LVM2 (Logical Volume Manager) tools. The following procedure uses the LVM2 tools to register the new partition as a physical volume, add the new physical volume to the existing volume group, and extend the logical volume over the new physical volume while simultaneously resizing the Linux filesystem to recognize the additional space.

Before You Begin

• Use VMware vSphere to log into the controller VM console.

Procedure

Step 1 Command: sudo partprobe -s
Purpose: Re-read the partition table so that /dev/sda6 appears as a new virtual hard disk partition.
Example: user@host:~$ sudo partprobe -s

Step 2 Command: sudo pvcreate /dev/sda6
Purpose: Create a physical volume for the new partition on the sda virtual hard disk.
Example: user@host:~$ sudo pvcreate /dev/sda6

Step 3 Command: sudo vgdisplay
Purpose: View the name of the volume group.
Example: user@host:~$ sudo vgdisplay

Step 4 Command: sudo vgextend <volume-group> /dev/sda6
Purpose: Add the new physical volume to the volume group.
Example: user@host:~$ sudo vgextend vg00 /dev/sda6

Step 5 Command: sudo lvextend -r /dev/<volume-group>/root /dev/sda6
Purpose: Add the new physical volume to the root logical volume and resize the root filesystem.
Example: user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sda6

Controller Virtual Hard Disk Addition

To add a virtual hard disk to the controller VM, configure the VM's settings in VMware vSphere to add a new hard disk. Then, from the VM's command line, run cfdisk to partition the new virtual hard disk, and issue commands to expand the filesystem onto the new hard disk.

By default, the controller ships with one virtual hard disk, sda. The first time you add a virtual hard disk, increment the name by one (sdb). If you want to add another virtual hard disk, increment the name of the most recent hard disk by 1 (sdc, sdd, and so on).

Editing VM Settings for a New Hard Disk


Before You Begin

• Connect to the ESXi hypervisor using VMware vSphere.

Procedure

Step 1 Select Home > Inventory > VMs and Templates.
Step 2 Right-click the controller VM and select Edit Settings.
Step 3 In the Hardware tab, click Add.
Step 4 Select Hard Disk and click Next.
Step 5 Select Create a new virtual disk and click Next.
Step 6 Enter a Disk Size and click Next.
Step 7 Click Next to skip the Advanced Options screen.
Step 8 Click Finish.
Step 9 Click OK in the Virtual Machine Properties window.
Step 10 Right-click the controller VM and select Power > Shut Down Guest. Wait for the VM to power off.
Step 11 Right-click the controller VM and select Power > Power On.

Adding a New Hard Disk

Use cfdisk to create a disk partition on the new virtual hard disk. The controller OVA contains one virtual hard disk by default, sda. The following task assumes you have not created another virtual hard disk, directing you to increment the existing virtual hard disk name by one to create the sdb virtual hard disk. If you have created other virtual hard disks for the controller, increment the new virtual hard disk name based on the existing virtual hard disks (sdc, sdd, etc.).

Before You Begin

• Use VMware vSphere to log into the controller VM console.

Procedure

Step 1 Command: sudo cfdisk /dev/sdb, then enter your password when prompted.
Purpose: Run the cfdisk partition editor on the sdb virtual hard disk to create the sdb1 partition. The table contains one line, with the free space equal to the total disk size. Open the whole disk (/dev/sdb), not a partition name; the sdb1 partition does not exist yet.
Example: user@host:~$ sudo cfdisk /dev/sdb

Step 2 Action: n to create a new partition.
Purpose: Create a new partition.

Step 3 Action: Select Primary and press Enter.
Purpose: Create a primary partition.

Step 4 Action: Press Enter to accept the default size.
Purpose: Create the partition with the free space displayed.

Step 5 Action: t to change the partition type to 8E.
Purpose: Change the partition type to 8E (Linux LVM).

Step 6 Action: W to write the new partition table, then yes to confirm.
Purpose: Write the new partition table.

Step 7 Action: q to quit cfdisk.
Purpose: Quit cfdisk.

Updating the Filesystem for the New Hard Disk

Before You Begin

• Use VMware vSphere to log into the controller VM console.

Procedure

Step 1 Command: sudo partprobe -s
Purpose: Re-read the partition table so that /dev/sdb1 appears as a new partition on the sdb virtual hard disk.
Example: user@host:~$ sudo partprobe -s

Step 2 Command: sudo pvcreate /dev/sdb1
Purpose: Create a physical volume for the new partition on the sdb hard disk.
Example: user@host:~$ sudo pvcreate /dev/sdb1

Step 3 Command: sudo vgdisplay
Purpose: View the name of the volume group.
Example: user@host:~$ sudo vgdisplay

Step 4 Command: sudo vgextend <volume-group> /dev/sdb1
Purpose: Add the new physical volume to the volume group.
Example: user@host:~$ sudo vgextend vg00 /dev/sdb1

Step 5 Command: sudo reboot
Purpose: Restart the controller VM.
Example: user@host:~$ sudo reboot

Step 6 Action: Log into the controller VM console.

Step 7 Command: sudo lvextend -r /dev/<volume-group>/root /dev/sdb1
Purpose: Add the new physical volume to the root logical volume and resize the root filesystem.
Example: user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sdb1

Step 8 Command: sudo reboot
Purpose: Restart the controller VM.
Example: user@host:~$ sudo reboot
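The LVM steps are the same whether the new physical volume is a sixth partition on sda or the first partition on an added disk, and the guide's corruption warning comes down to one mistake: running pvcreate against something that already holds data. The following function collects the steps from both procedures above with the checks that prevent that. It is an added example, not part of the Cisco guide, and assumes the root logical volume is /dev/<volume-group>/root as the guide shows (vg00 is the guide's example volume group). DRY_RUN is a hypothetical switch that prints the commands instead of running them; the guide's reboot between vgextend and lvextend for an added disk is not included, so reboot at that point if your environment needs it.

```shell
# Added example (not from the Cisco guide): the LVM steps shared by the
# "new partition on sda" and "new disk sdb" procedures, with the guard rails
# that keep pvcreate away from a device that already holds data.
# Assumes the root LV is /dev/<vg>/root (as in the guide). Run as root for a
# real extension; DRY_RUN=1 (hypothetical switch) only prints the commands.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# extend_root_lv VG PARTITION     e.g.  extend_root_lv vg00 /dev/sdb1
# Returns 0 on success, 2 when a precondition fails, otherwise the failing command's status.
extend_root_lv() {
    vg=$1
    pv=$2
    # Only accept a partition device (sda6, sdb1, ...), never a whole disk.
    case $pv in
        /dev/sd[a-z][0-9]*) ;;
        *) echo "refusing: $pv is not a partition device" >&2; return 2 ;;
    esac
    if [ "${DRY_RUN:-0}" != 1 ]; then
        # Device must exist (partprobe not yet run, or wrong name) ...
        [ -b "$pv" ] || { echo "refusing: $pv does not exist (run partprobe?)" >&2; return 2; }
        # ... must carry no filesystem/PV signature (blkid exits non-zero when it finds none) ...
        if blkid "$pv" >/dev/null 2>&1; then
            echo "refusing: $pv already has a signature: $(blkid "$pv")" >&2
            return 2
        fi
        # ... and the target volume group must exist.
        vgs "$vg" >/dev/null 2>&1 || { echo "refusing: volume group $vg not found" >&2; return 2; }
    fi
    run partprobe -s &&
    run pvcreate "$pv" &&
    run vgextend "$vg" "$pv" &&
    run lvextend -r "/dev/$vg/root" "$pv"
}
```

Preview the plan first with DRY_RUN=1 extend_root_lv vg00 /dev/sdb1, then run it as root; the partition-name check means a typo such as /dev/sdb (the whole disk) is rejected before anything is written.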


Custom Controller Web UI Certificates

The controller web server uses Transport Layer Security (TLS) to encrypt connections to the controller web UI. This requires the server to present a certificate to the client browser. With the self-signed certificate installed by default, the browser cannot validate the authenticity of the controller web UI and warns about an untrusted web server. Instead of using a self-signed certificate, you can upload to the controller a custom server certificate and private key issued by your organization. This allows clients that connect to the controller web UI to properly validate the web server's authenticity. Note the following:

• You must upload both a server certificate and the associated private key. Both must be in PEM format.

• You can also upload a trust chain of issuing CA certificates for the server certificate, concatenated after the server certificate in a single PEM file.

• You can upload an encrypted private key file. You must then also create an additional file (sln_ssl.pass) containing the cleartext password required to decrypt the private key file. Because that file holds the password in cleartext, restrict it so that only root can read it.

After you make these changes, restart the controller web UI processes.

Note When you run the setup-system script, do not generate a new controller web UI certificate, as this will overwrite your custom certificate and private key. See Configuring the Controller with the Setup Script, on page 25 for more information.

Uploading a Private Key Password

If your private key file is encrypted, you must create an sln_ssl.pass password file containing the cleartext password. After you create the file, you update the sln_ssl_certs.conf configuration file to point to the password file. See Uploading Custom Controller Web UI Certificates, on page 24 for more information.

Before You Begin

• Log into the controller VM console.

Procedure

Step 1 Command: cd /etc/ssl/private/
Purpose: Change to the /etc/ssl/private/ directory. On Ubuntu this directory is readable only by root, so run these steps as root (for example, from a sudo -i shell).
Example: user@host:~$ cd /etc/ssl/private/

Step 2 Command: cat > sln_ssl.pass, then enter your password as cleartext, then press Ctrl + D.
Purpose: Create the sln_ssl.pass password file, containing the private key cleartext password.
Example:
user@host:/etc/ssl/private$ cat > sln_ssl.pass
private-key-password

Step 3 Command: cat sln_ssl.pass
Purpose: Verify that the sln_ssl.pass password file contains the correct cleartext password. This prints the password on the console, so do it only on a console you trust. Then restrict the file so that only root can read it (mode 0600); it stores the private key password in cleartext.
Example: user@host:/etc/ssl/private$ cat sln_ssl.pass

What to Do Next

• Continue updating the configuration for your custom certificate and private key, as described in the next section.

Uploading Custom Controller Web UI Certificates

Before You Begin

• Log into the controller VM console.

• Upload your custom controller web UI server certificate, and chain of issuing CA certificates if applicable, in PEM format to the controller at /etc/ssl/certs.

• Upload your custom controller web UI server certificate private key in PEM format to the controller at /etc/ssl/private.

Procedure

Step 1 Command: cd /opt/cisco/sln/viz/conf/
Purpose: Change to the /opt/cisco/sln/viz/conf/ directory.
Example: user@host:~$ cd /opt/cisco/sln/viz/conf/

Step 2 Command: sudo vi sln_ssl_certs.conf, then enter your password when prompted.
Purpose: Open sln_ssl_certs.conf in the vi text editor as a superuser.
Example: user@host:/opt/cisco/sln/viz/conf$ sudo vi sln_ssl_certs.conf

Step 3 Action: Modify the ssl_certificate filepath to point to the custom server certificate PEM file.
Purpose: Update sln_ssl_certs.conf to point to your custom server certificate.
Example:
ssl_certificate /etc/ssl/certs/server-certificate.pem

Step 4 Action: Modify the ssl_certificate_key filepath to point to the custom server certificate private key PEM file. The path must match where you uploaded the key (/etc/ssl/private, as listed under Before You Begin).
Purpose: Update sln_ssl_certs.conf to point to your custom server certificate private key.
Example:
ssl_certificate_key /etc/ssl/private/server-certificate-key.pem

Step 5 Action: If you uploaded an sln_ssl.pass password file, add ssl_password_file and the corresponding filepath after the ssl_certificate_key filepath.
Purpose: Update sln_ssl_certs.conf to point to your private key password file.
Example:
ssl_certificate_key /etc/ssl/private/server-certificate-key.pem
ssl_password_file /etc/ssl/private/sln_ssl.pass

Step 6 Action: Press Esc, then enter :wq!.
Purpose: Save your changes, then exit the vi text editor.
Example:
:wq!

Step 7 Command: sudo service ciscosln-viz restart
Purpose: Restart the controller web UI service. Afterwards, open the web UI in a browser and confirm that it presents your certificate and chain; a key that does not match the certificate, or a password file the service cannot read, keeps the web UI from coming back up.
Example: user@host:/opt/cisco/sln/viz/conf$ sudo service ciscosln-viz restart
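Because a wrong key or an unreadable password file only shows up when ciscosln-viz fails to restart, it pays to check the material before editing sln_ssl_certs.conf. The following function does the checks a practitioner would run by hand: that the certificate's public key matches the private key (decrypting it with the sln_ssl.pass file if given), that the first certificate in the PEM file is the server certificate, and that the key and password files are not readable by group or others. This is an added example, not part of the Cisco guide; it assumes the openssl command line tool is installed on the controller (standard on Ubuntu) and GNU stat, and the file names are the guide's examples.

```shell
# Added example (not from the Cisco guide): sanity-check the certificate, key
# and password file before pointing sln_ssl_certs.conf at them and restarting
# ciscosln-viz. Assumes openssl and GNU coreutils stat; run as root on the
# controller so the /etc/ssl/private files are readable.

# check_tls_material CERT_PEM KEY_PEM [PASS_FILE]
# Returns 0 when the certificate's public key matches the private key and the
# key/password files are readable only by their owner; 1 otherwise.
check_tls_material() {
    cert=$1
    key=$2
    pass=$3
    rc=0
    # Public key embedded in the (first) certificate of the PEM file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse certificate $cert" >&2; return 1; }
    # Public key derived from the private key. "pass:" (empty) when no password
    # file is given, so an encrypted key fails instead of prompting interactively.
    passarg="pass:"
    [ -n "$pass" ] && passarg="file:$pass"
    key_pub=$(openssl pkey -in "$key" -passin "$passarg" -pubout 2>/dev/null) ||
        { echo "cannot read private key $key (encrypted without a password file, or wrong password?)" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $key is not the private key for $cert" >&2
        rc=1
    fi
    # The first certificate in the file must be the server (leaf) certificate,
    # with the issuing CA chain after it; print its subject for a visual check.
    echo "leaf: $(openssl x509 -in "$cert" -noout -subject)"
    # Key and password file must not be group/world readable (0600 or 0400).
    for f in "$key" ${pass:+"$pass"}; do
        mode=$(stat -c %a "$f")
        case $mode in
            *00) ;;
            *) echo "WARNING: $f is mode $mode; restrict it to the owner (0600)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage on the controller (paths from the guide's examples):
#   check_tls_material /etc/ssl/certs/server-certificate.pem \
#       /etc/ssl/private/server-certificate-key.pem /etc/ssl/private/sln_ssl.pass
```

A non-zero return means stop and fix the files before touching sln_ssl_certs.conf; the web UI stays on the old certificate until the service is restarted, so nothing is lost by checking first.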

Configuring the Controller with the Setup Script

If you need multiple interfaces on multiple subnets, when configuring networking, you can also configure eth1 and eth2.

Before You Begin

• Log into the controller VM console.

Procedure

Step 1 Command: cd ~/
Purpose: Change to the home directory.
Example: user@host:~$ cd ~/

Step 2 Command: sudo ./setup-system at the command prompt. Enter the administrator password if prompted.
Purpose: Run the setup script.
Example: user@host:~$ sudo ./setup-system

Step 3 Action: y (configure networking)
Purpose: Configure networking.

Step 4 Action: 1 (configure eth0)
Purpose: Configure the eth0 interface.

Step 5 Action: hostname, then hostname, then y to confirm
Purpose: Configure the controller VM hostname. You must enter a fully qualified domain name.

Step 6 Action: ipv4, then ipv4-address, then ipv4-netmask, then ipv4-gateway, then y to confirm
Purpose: Configure the interface's IPv4 address, along with a netmask and gateway.

Step 7 Action: dns, then dns-servers, then y to confirm
Purpose: Modify the virtual machine's list of DNS servers.

Step 8 Action: search, then domain-suffixes, then y to confirm
Purpose: If you want to configure the domain suffix search list, run the search command.

Step 9 Action: view
Purpose: View the interface's network settings, hostname, and DNS settings. If any of these are missing or incorrect, repeat that configuration.

Step 10 Action: exit
Purpose: Save your changes and continue with interface configuration.

Step 11 Action: 4 (exit interface configuration)
Purpose: Exit interface configuration and continue.

Step 12 Action: y (enable SSH login)
Purpose: Enable SSH login. This exposes the controller's administrator account (sln) on the network, so make sure the default password has already been changed and that only your management networks can reach the controller's interfaces.

Step 13 Action: y, then ntp-servers, then y to confirm
Purpose: Configure NTP servers used to synchronize time between the controller and agent. Enter a space-delimited list of NTP server fully qualified domain names (FQDNs) or IPv4 addresses.

Step 14 Action: y (generate a controller certificate)
Purpose: Generate a controller self-signed certificate, used for encrypting controller/agent communication.

Step 15 Action: y (generate a controller web UI certificate), or n if you uploaded a custom certificate
Purpose: Generate a controller web UI self-signed certificate, used for encrypting user connections to the controller web user interface. Answering y overwrites a custom certificate and private key you have already uploaded.

Step 16 Action: y (specify the distinguished name, if you generated a new certificate)
Purpose: Optionally, specify the certificate subject distinguished name (DN).

Step 17 Action: country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email, if you generated a new certificate
Purpose: Optionally, provide the DN information.

Resetting the Administrator Password

After you run the setup-system script, reset the controller web UI administrator user account (admin) password. When you reset the password, the system prints a temporary password to the console, valid for 72 hours. You must log into the controller web UI as the admin user account, then update your password. The temporary password appears in cleartext on the VM console, so log in and replace it promptly rather than leaving it valid for the full 72 hours.


Procedure

Step 1 Command: cd ~/SCA
Purpose: Change directories to ~/SCA.
Example: user@host:~$ cd ~/SCA

Step 2 Command: sudo service ciscosln-sca stop, then enter your password when prompted.
Purpose: Stop the controller processes.
Example: user@host:~/SCA$ sudo service ciscosln-sca stop

Step 3 Command: ./sca.sh reset-admin-password
Purpose: Reset the admin user account's password.
Example:
user@host:~/SCA$ ./sca.sh reset-admin-password
Resetting the admin password in sln
New password is 'AbCd1234'
Admin password reset done.

Step 4 Command: sudo service ciscosln-sca start
Purpose: Start the controller processes.
Example: user@host:~/SCA$ sudo service ciscosln-sca start

Disabling Host Time Synchronization

After you reset the administrator password, configure the VM to disable host time synchronization. This ensures the VM synchronizes time with the configured NTP servers, instead of the ESXi host.

Before You Begin

• Log into the controller VM console.

Procedure

Step 1 Command: vmware-toolbox-cmd timesync disable
Purpose: Modifies the .vmx virtual machine configuration file to disable time synchronization with the ESXi host.
Example: user@host:~$ vmware-toolbox-cmd timesync disable


Logging into the Controller Web UI

When you installed the controller, you defined an IP address for the controller web UI, and reset the administrator user account (admin) password. Log in with the temporary password printed to the controller VM console. After you log in once, you must change the password and confirm the new password.

Procedure

In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username and passwordwhen prompted.

Verifying NTP Configuration on the Controller

Before You Begin

• Log into the controller VM console.

Procedure

Step 1 Command: ntpq -n -p
Purpose: Display configured NTP servers. If the system does not display configured NTP servers, repeat NTP configuration in Configuring the Controller with the Setup Script, on page 25. A server merely being listed is not enough: the controller is synchronized only when one entry is marked with an asterisk (*) as the system peer and its reach column shows 377.
Example: user@host:~$ ntpq -n -p

What to Do Next

• Update the controller certificate configuration settings, as described in the next section.

Controller Certificate Management

Modify the controller configuration file to update certificate management settings. You can enable the controller to accept self-signed agent certificates and to trust an agent's certificate on first use (TOFU). After this, restart the controller processes.

With trust on first use, the first certificate an agent presents is accepted and pinned for that agent from then on, so make sure each agent's first connection to the controller happens over a network path you control, and keep allowSelfSignedCert and trustCertOnFirstUse enabled only for as long as your deployment needs them.

Updating the Controller Configuration

The sca.conf configuration file contains several layers of nested brackets. When you update the file to add or update the dla node, make sure that you nest it within the sln bracket, as in the following example:

sln {
  dla {
    security {
      allowSelfSignedCert = true
      trustCertOnFirstUse = true
      certRollover = true
    }
  }
}

You can also reference ~/SCA/sample_sca.conf for an example of syntax.

Before You Begin

• Log into the controller VM console.

Procedure

Step 1 Command: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example: user@host:~$ cd ~/SCA

Step 2 Command: sudo vi sca.conf, then input your password when prompted.
Purpose: Edit the sca.conf configuration file.
Example: user@host:~/SCA$ sudo vi sca.conf

Step 3 Action: Update the configuration file to include or modify the configuration.
Purpose: Update the configuration file to include allowSelfSignedCert = true, trustCertOnFirstUse = true, and certRollover = true.

Step 4 Action: Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and exit the editor.

What to Do Next

• Restart the controller's processes, as described in the next section.

Restarting Controller Processes

Before You Begin

• Log into the controller VM console.

Procedure

Step 1 Command: cd ~/SCA
Purpose: Change to the ~/SCA directory.
Example: user@host:~$ cd ~/SCA

Step 2 Command: sudo service ciscosln-sca restart
Purpose: Restart the controller processes.
Example: user@host:~/SCA$ sudo service ciscosln-sca restart

Updating Administrator Credentials

Update your administrator credentials to log into the controller web UI. In a later step, the install script, located on the controller, adds deployed agents to the controller using these updated administrator credentials.

When you installed the controller, you defined an IP address for the controller web UI. Log in to the administrator user account (admin) with the temporary password printed to the console when you reset it with sca.sh, or with the default login password (cisco) if you did not reset it. After you log in once, you must change the password and confirm the new password. Do not leave the default password in place.

Procedure

In your web browser, navigate to https://sca-ip-address, then enter your controller web username and password when prompted.

What to Do Next

• Configure your ISR's NTP settings, as described in the next section.

NTP Configuration

To configure NTP server addresses on the ISR, associate the router management interface with the NTP servers. Alternatively, if you have a loopback interface already configured, you can use that instead to reference NTP servers.

Configuring NTP on the ISR

The agents deployed as a virtual service receive time from the host router. You must configure NTP servers on the ISR to ensure Learning Network License timestamps match, and to ensure that the system properly displays anomalies.

Note NTP configuration is not required for deploying a virtual service. However, if you incorrectly configure NTP server domain names or IP addresses on the ISR, you cannot deploy virtual services to it. Correctly enter the NTP server domain names or IP addresses.

You can enter each command individually. You can also paste the commands from the example below into a text editor, update the variable, then paste all the updated commands into the command line. The ntp source and ntp server commands are global configuration commands, so enter configuration mode first; enter one ntp server command per NTP server.

enable
configure terminal
ntp source GigabitEthernet0/0/0
ntp server <ipv4-address>
end

If you have an existing loopback interface, use that as the NTP source interface. Otherwise, use the router management interface. Plain NTP is unauthenticated; if your NTP servers support it, IOS can authenticate them with ntp authenticate, ntp authentication-key, and ntp trusted-key, which keeps a rogue time source from skewing the agent timestamps.


Procedure

Step 1 Command: enable
Purpose: Enable privileged EXEC mode. Enter your password if prompted.
Example: Router> enable

Step 2 Command: configure terminal
Purpose: Enter global configuration mode.
Example: Router# configure terminal

Step 3 Command: ntp source GigabitEthernet0/0/0
Purpose: Use the GigabitEthernet0/0/0 interface as the source for NTP traffic to the NTP servers.
Example: Router(config)# ntp source GigabitEthernet0/0/0

Step 4 Command: ntp server ipv4-address
Purpose: Define an NTP server. Repeat the command with additional addresses to specify backup NTP servers.
Example:
Router(config)# ntp server 209.165.202.129
Router(config)# ntp server 209.165.202.130

Step 5 Command: end
Purpose: Return to privileged EXEC mode.
Example: Router(config)# end

Step 6 Command: show ntp associations
Purpose: Display configured NTP servers. If the system does not display correctly configured NTP servers, repeat the configuration process.
Example: Router# show ntp associations

Step 7 Command: exit
Purpose: Exit privileged EXEC mode.
Example: Router# exit

Install Script Overview

The controller includes an agent install and upgrade properties file (install.yaml), and an agent install script (installation_auto.py). Running the agent install script requires configuring the agent install and upgrade properties file with agent, ISR, and network settings. You can configure the file to deploy multiple agents at one time. This file contains global settings, which apply to all deployed agents, and branch-specific settings, which apply only to one ISR and agent.

Note For a given version of the Learning Network License system, only the version of Ubuntu Linux shipped with the controller and agents is supported. Do NOT upgrade Ubuntu Linux on the controller or agent VMs.

When you run the install script, it reads the properties file, and does the following for each agent:

• uploads the OVA file to the ISR

• configures flexible NetFlow for Learning Network License

• configures a virtual service named sln and deploys the agent


• configures ISR and agent network settings

• adds the new agent to the controller

ISR Hardware Configuration

Before you deploy your agents as virtual services, ensure that your ISRs have enough RAM and the proper hardware installed, as described in ISR 4000 Series Platform Requirements, on page 9.

For more information on hardware installation, see the Hardware Installation Guide for the Cisco 4000 Series Integrated ServicesRouter, at http://www.cisco.com/c/en/us/td/docs/routers/access/4400/hardware/installation/guide4400-4300/C4400_isr.html.

Install Script Deployment

Install Script Diagram

An agent may be installed as a virtual-service (container) in an ISR 4331, 4351, 4431, or 4451 router by running the installation_auto.py install and upgrade script. The controller contains the script, which you run from the controller command line. The script issues configuration commands on the router and the newly-created agent. It also adds the agent to the controller, so the user can issue further configuration changes from the controller web UI.


The script references the install.yaml properties file, also located on the controller. The following diagram tracks the variousproperties in the deployment process.

Figure 4: ISR and Agent Deployed as a Virtual Service

Agent Copy

The arrow labeled copy (scp) shows the install script copying the agent .ova file from a network location of your choice to the Network Element (4331, 4351, 4431, or 4451 router). In this example, the script copies the file from the deployed controller to the ISR using the SCP protocol.

For all commands issued to the ISR, the script uses the configured credentials (ne_username, ne_password) to connect to the networkelement (ne_ctl_ip).

The following properties control how the script copies the file:

• src_host - the network location where the agent .ova file is copied from

• src_username - username used by the script to log into this network location

• src_password - password used by src_username

• src_ova_path - filepath and filename on the host where the agent .ova file is located

• dst_store - whether the script copies the .ova file to the branch router harddisk or bootflash

Cisco recommends you define the controller as the source host, upload the .ova to the controller, and copy the file to all branch routers.

The properties file holds the source-host and router credentials (src_password, ne_password) that the script uses, so treat install.yaml as a secret: keep it readable only by the account that runs the script, and remove or rotate the credentials when the deployment is done.

Agent Virtual Service Creation

The center of the diagram shows the commands the script uses to create, install, and activate the agent as a virtual-service (container),and references the properties file to apply values to the variables.

The script creates the virtual-service with two virtual interfaces, using the interface VirtualPortGroup commands:

• ctl/mgmt - The control and management interface, used for agent/controller communication, to install mitigation policies onthe router, and to receive NetFlow records from the router. This is VirtualPortGroup 1 on the router, and eth0 on the agent.

The script configures the ctl/mgmt interface without an IP address, (using ip unnumbered), referencing the name of a routerinterface (parent-if-name) whose IP address is reachable by the controller.

The script also configures an ip route on the agent with a routable IP address (dla_ctl_ip) so the router forwards packets from the controller to the agent over the ctl/mgmt interface.

Note that you configure credentials for the agent to log into the router (dla_ne_login: username, dla_ne_login: password), to install mitigation policies, and collect information from the router.

• data xfer - The data transfer interface, used to send raw packet data from the router to the agent, when packet buffer capture (PBC) or DNS deep packet inspection (DNS/DPI) are enabled. This is VirtualPortGroup 2 on the router, and eth1 on the agent.

The script configures the data xfer interface with a private IP address (ne_ip) and netmask (ne_mask), since traffic across this interface never leaves the router.

After configuring the virtual interfaces, the script issues commands (virtual-service, vnic) to create the virtual-service named sln with two virtual interfaces reachable by the VirtualPortGroup 1 and VirtualPortGroup 2 interfaces on the router.

The script then issues an install command to install the agent .ova into the virtual service, then an activate command to activate the virtual service.

Finally, the script issues the connect command to log into the virtual service console to configure the following:

• the agent hostname (dla_hostname) and default gateway (dla_ctl_gw)

• the eth0 interface with a routable IP address (dla_ctl_ip) and netmask (dla_ctl_mask). The controller must be able to reach this address.

• the eth1 interface with a private IP address (dla_dat_ip) and netmask (dla_dat_mask).


Learning Network License NetFlow Configuration

The install script also issues commands to configure Flexible NetFlow (Version 9), as required for Learning Network License. The following diagram illustrates this configuration.

Figure 5: NetFlow Operation on the ISR

The script creates the following:

• SLN-NF-RECORD - a NetFlow flow record which defines key fields to match traffic, and non-key fields to collect

• SLN-NF-EXPORTER - a NetFlow flow exporter that references the agent dla_ctl_ip IP address to send NetFlow data to the agent

• SLN-NF-MONITOR - a NetFlow flow monitor that references SLN-NF-RECORD to monitor input and output traffic coming over configured branch interfaces, and forwards it to SLN-NF-EXPORTER

The script also issues an interface command for each branch interface (branch-if1-names...) that you configure in the properties file. These branch interfaces are the router interfaces used to reach branch hosts.

Agent Addition to the Controller

The script adds each agent to the controller, if not already added, using the RESTful API. The script logs into the controller using the configured credentials (sca_webui_login: username, sca_webui_login: password). The script uses the agent hostname (dla_hostname) or the IP address (dla_ctl_host_sca) if the agent hostname is not resolvable in DNS.


Each agent is added to the controller as Disabled. You must log into the controller web UI to enable the agent. If you register your deployment with Smart Licensing, enabling the agent also consumes a license entitlement.

Agent Properties File Overview

The agent install and upgrade properties file (install.yaml), located on the controller, is in YAML format, and stores settings as key-value pairs. The install script uses these settings to deploy 1 or more agents. The controller contains an install.yaml.example file, which contains the basic YAML format and sample settings. You can rename this file to install.yaml and update the settings for your deployment.

The file stores global settings, which apply to all agent deployments. The file also stores per-branch settings, each set of which is applied to a specific ISR and agent. Per-branch settings override global settings. If you define a setting both as global and as per-branch for certain branches, the install script selects the per-branch setting when defined, and the global setting when the per-branch setting is not defined.

You define usernames and passwords in the properties file, which the install script uses to access ISRs, the controller, and agents. If you comment out a password property by placing a pound sign (#) at the beginning of that line, the script prompts you for that password while running. However, if you comment out the dla_password or ne_password property as a global setting, the script prompts you for the first agent where the property is not defined. It then uses the password you enter for every agent which does not have the property defined.

Note: Usernames and passwords added to the properties file remain in the file after you finish deploying the agents. If this is a security concern, remove them after the deployment completes.

Agent Properties File Settings

Global Property Settings

The following are the global property settings. You can define any of these per-branch, except for the sca_webui_login settings. If you define dla_ova_copy: src_host, dla_ova_copy: src_username, or dla_ova_copy: src_password per-branch, you must also define each setting globally. Note that the per-branch setting overrides the global setting.

When you run the script, it prompts you for any password you do not define.

Note: The syntax below is presented as an example. Do not copy and paste this into the property file. Improper formatting and spacing in the property file will cause the script to fail.

dla_ova_copy:
  src_host: <source-host-ip>
  src_username: <source-host-user>
  src_password: <source-host-password>
  src_ova_path: <source-host-ova-filepath>
  dst_store: <dest-store-location>

vir_portgroup_1:
  ip_unnum: <parent-interface>
  vrf_forwarding: <parent-interface-vrf>

vir_portgroup_2:
  ne_ip: <private-ip-1>
  ne_mask: <private-ip-1-mask>
  dla_dat_ip: <private-ip-2>
  dla_dat_mask: <private-ip-2-mask>

ne_username: <ne-user>
ne_password: <ne-password>
ne_port: <tcp-port>
dla_password: <dla-password>
dla_ne_login:
  username: <dla-ne-user>
  password: <dla-ne-password>

sca_webui_login:
  username: <sca-user>
  password: <sca-password>

Table 11: dla_ova_copy Properties

Property: dla_ova_copy
  Required?: n/a
  Validation: n/a
  Description: group of properties used to copy the agent OVA from a source host that is capable of SCP file copying, such as the controller, to the ISR

Property: src_host
  Required?: yes
  Validation: IPv4 address or DNS name
  Description: IP address of the host containing the agent OVA, from which the script will copy the file

Property: src_username
  Required?: yes
  Validation: string
  Description: username the script uses to log into the Linux console of the host containing the agent OVA

Property: src_password
  Required?: yes
  Validation: string, cannot be NULL
  Description: password for src_username

Property: src_ova_path
  Required?: yes
  Validation: string, must contain filepath and filename
  Description: filepath on the source host where the agent OVA is located, such as /home/sln/agent.ova, in quotation marks

Property: dst_store
  Required?: yes
  Validation: bootflash or harddisk. Specify bootflash only if your ISR does not have a hard drive installed. If your ISR has a hard drive, and you specify bootflash, the script ignores the setting and uploads to the hard drive.
  Description: bootflash to upload the agent OVA to the ISR's flash memory, or harddisk to upload the agent OVA to the ISR's hard drive


Table 12: vir_portgroup_1 Properties

Property: vir_portgroup_1
  Required?: n/a
  Validation: n/a
  Description: group of properties used to create the VirtualPortGroup 1 virtual interface

Property: ip_unnum
  Required?: yes
  Validation: string
  Description: name of an interface on your ISR through which the controller can reach the agent. The script uses this to configure the Network Element side of the ctl/mgmt interface.

Property: vrf_forwarding
  Required?: no, see Configuring VRF Forwarding on the ISR, on page 43 for more information
  Validation: string
  Description: name of the non-default VRF instance on your ISR that the ip_unnum interface belongs to. If you added the interface to a non-default VRF instance, you must configure this so the script can properly copy the OVA file to the router.

Table 13: vir_portgroup_2 Properties

Property: vir_portgroup_2
  Required?: n/a
  Validation: n/a
  Description: group of properties used to create the VirtualPortGroup 2 virtual interface

Property: ne_ip
  Required?: yes
  Validation: IPv4 address
  Description: Network Element IP address on the virtual-service Data Transfer interface. The script uses this to configure the Network Element side of the Data Transfer interface. Because traffic over this interface does not leave the router, specify a private IP address.

Property: ne_mask
  Required?: no
  Validation: subnet mask
  Description: the netmask for ne_ip

Property: dla_dat_ip
  Required?: yes
  Validation: IPv4 address
  Description: Agent IP address on the virtual-service Data Transfer interface. The script uses this to configure the agent side of the Data Transfer interface. Because traffic over this interface does not leave the router, specify a private IP address.

Property: dla_dat_mask
  Required?: no
  Validation: subnet mask
  Description: the netmask for dla_dat_ip

Table 14: ne_username Property

Property: ne_username
  Required?: yes
  Validation: string
  Description: a username with a privilege level of 15 that the install script uses to log into the ISR, to execute CLI commands

Table 15: ne_password Property

Property: ne_password
  Required?: no, the script prompts you if not defined. If you do not define the ne_password property as a global property, the script prompts you the first time it attempts to deploy an agent where the configured branch properties also do not contain ne_password. However, the script reuses that password for every remaining agent deployment for which ne_password is not defined.
  Validation: string, cannot be NULL
  Description: the password for ne_username


Table 16: ne_port Property

Property: ne_port
  Required?: no
  Validation: integer
  Description: the TCP port the upgrade script uses when connecting via SSH to the ISR. If undefined, this defaults to 22.

Table 17: dla_password Property

Property: dla_password
  Required?: no, the script prompts you if commented out. If you do not define the dla_password property as a global property, the script prompts you the first time it attempts to deploy an agent where the configured branch properties also do not contain dla_password. However, the script reuses that password for every remaining agent deployment for which dla_password is not defined.
  Validation: string, cannot be NULL, must be a minimum of 6 characters
  Description: password configured for the agent admin account when the script deploys the agent, to replace the default admin password

Table 18: dla_ne_login Properties

Property: dla_ne_login
  Required?: n/a
  Validation: n/a
  Description: group of properties used to define agent credentials to log into the Network Element

Property: username
  Required?: yes
  Validation: string
  Description: username the agent uses to log into the ISR to learn about interfaces and install mitigations.

Property: password
  Required?: no, the script prompts you if commented out
  Validation: string, cannot be NULL
  Description: password for the agent username


Table 19: sca_webui_login Properties

Property: sca_webui_login
  Required?: n/a
  Validation: n/a
  Description: group of properties used to define install script credentials to log into the controller web UI

Property: username
  Required?: yes
  Validation: string
  Description: username the script uses to log into the controller web UI to add agents to the controller, and configure agent attributes.

Property: password
  Required?: no, the script prompts you if commented out
  Validation: string, cannot be NULL
  Description: password to log into the controller.

Branch-Specific Property Settings

The following are the branch-specific property settings. For each new set of branch settings, you must preface them with a dash (-).

Note: The syntax below is presented as an example. Do not copy and paste this into the property file. Improper formatting and spacing in the property file will cause the script to fail.

branches:
  - ne_ctl_ip: <parent-interface-ip>
    dla_ctl_ip: <control-ip>
    dla_ctl_mask: <control-ip-mask>
    dla_ctl_gw: <control-ip-gateway>
    dla_hostname: <dla-hostname>
    dla_description: <dla-description>
    ne_netflow_interfaces:
      ifnames: ['<branch-interface-1>', '<branch-interface-2>', '<branch-interface-N>', ...]
    dla_ctl_host_sca: <dla-ip-for-sca>

The dla_description and ne_ctl_ip properties can only be updated through the install script on initial agent installation. If you want to update the agent description after installation, modify it in the controller web UI. See the Cisco Stealthwatch Learning Network License Configuration Guide for more information.

Table 20: branches Properties

Property: branches
  Required?: n/a
  Validation: n/a
  Description: group of settings used to configure a specific agent on a branch Network Element

Property: ne_ctl_ip
  Required?: yes. You can only modify this on initial agent installation.
  Validation: IPv4 address
  Description: IP address for the physical interface defined for vir_portgroup_1: ip_unnum that the script uses to connect to the network element, and to add an agent to the controller

Property: dla_ctl_ip
  Required?: yes
  Validation: IPv4 address
  Description: a routable IP address for the agent on the control interface that the ne_ctl_ip can reach, so the controller can reach the agent

Property: dla_ctl_mask
  Required?: yes
  Validation: subnet mask
  Description: mask for dla_ctl_ip

Property: dla_ctl_gw
  Required?: yes
  Validation: IPv4 address
  Description: default gateway the agent uses for non-local destinations, generally the same IP address as ne_ctl_ip

Property: dla_hostname
  Required?: yes
  Validation: string
  Description: agent hostname, used by the script to generate unique names for per-branch log files, used by the controller to connect to the dla_ctl_ip, and used by the controller web UI as the agent's unique name

Property: dla_description
  Required?: no. If undefined, the script populates the description with the dla_hostname value, or the dla_ctl_host_sca IP address if you defined it. You can only modify this on initial agent installation.
  Validation: string, up to 256 characters, surrounded by double quotation marks (")
  Description: agent description

Property: ne_netflow_interfaces: ifnames
  Required?: yes
  Validation: a comma-delimited array, surrounded by brackets ([]), with each interface name surrounded by single quotes (')
  Description: a list of ISR branch-facing interfaces on which the script configures Flexible NetFlow for Learning Network License

Property: dla_ctl_host_sca
  Required?: no
  Validation: IPv4 address
  Description: agent IP address used by the controller to reach the agent if the agent hostname is not resolvable in DNS, or if the agent control IP address is behind a NAT or PAT. If you do not define this, the script adds the agent to the controller using the dla_hostname value.
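The precedence and validation rules described for install.yaml (per-branch overrides global, sca_webui_login is global only, dst_store is bootflash or harddisk, dla_password is at least 6 characters, a missing global password is prompted for once and reused) can be checked before running the install script. The following is an added example, not Cisco's installation_auto.py or its -v validation; it works on the parsed form of an install.yaml, with all hostnames, addresses and passwords constructed for illustration.

```python
"""Merge global and per-branch install.yaml settings and apply the validation
rules documented for the properties file. Added example, not Cisco's
installation_auto.py; the settings below are constructed for illustration."""
import ipaddress

GLOBAL_ONLY = ("sca_webui_login",)          # never valid per branch
OVA_NEED_GLOBAL = ("src_host", "src_username", "src_password")
PROMPTED = ("ne_password", "dla_password")  # prompted once, then reused
STORES = ("bootflash", "harddisk")

# Parsed form of an install.yaml (what a YAML loader returns); constructed values.
CONSTRUCTED_SETTINGS = {
    "dla_ova_copy": {"src_host": "192.0.2.10", "src_username": "sln",
                     "src_password": "example-pw",
                     "src_ova_path": "/home/sln/agent.ova",
                     "dst_store": "harddisk"},
    "vir_portgroup_1": {"ip_unnum": "GigabitEthernet0/0/0"},
    "vir_portgroup_2": {"ne_ip": "10.255.0.1", "ne_mask": "255.255.255.252",
                        "dla_dat_ip": "10.255.0.2", "dla_dat_mask": "255.255.255.252"},
    "ne_username": "admin",
    # ne_password is "commented out": the script prompts once and reuses it
    "dla_password": "short",                # violates the 6-character minimum
    "dla_ne_login": {"username": "sln-agent", "password": "example-pw"},
    "sca_webui_login": {"username": "admin", "password": "example-pw"},
    "branches": [
        {"ne_ctl_ip": "198.51.100.1", "dla_ctl_ip": "198.51.100.2",
         "dla_ctl_mask": "255.255.255.0", "dla_ctl_gw": "198.51.100.1",
         "dla_hostname": "branch1-agent",
         "ne_netflow_interfaces": {"ifnames": ["GigabitEthernet0/0/1"]},
         "dla_password": "branch1-pw"},     # per-branch override
        {"ne_ctl_ip": "203.0.113.1", "dla_ctl_ip": "203.0.113.2",
         "dla_ctl_mask": "255.255.255.0", "dla_ctl_gw": "203.0.113.1",
         "dla_hostname": "branch2-agent",
         "ne_netflow_interfaces": {"ifnames": []},
         "dla_ova_copy": {"src_ova_path": "/home/sln/b2.ova",
                          "dst_store": "usb"}},
    ],
}


def effective_settings(settings, branch):
    """Per-branch values override global ones; property groups merge key by key."""
    merged = {k: (dict(v) if isinstance(v, dict) else v)
              for k, v in settings.items() if k != "branches"}
    for key, value in branch.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key].update(value)
        else:
            merged[key] = value
    return merged


def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def validate_branch(settings, branch):
    """Return the problems the documented rules find for one branch entry."""
    eff = effective_settings(settings, branch)
    name = eff.get("dla_hostname", "<unnamed>")
    problems = [f"{name}: {k} may only be defined globally"
                for k in GLOBAL_ONLY if k in branch]
    for key in OVA_NEED_GLOBAL:   # per-branch src_* also needs a global value
        if key in branch.get("dla_ova_copy", {}) and \
                key not in settings.get("dla_ova_copy", {}):
            problems.append(f"{name}: dla_ova_copy: {key} needs a global value too")
    ova = eff.get("dla_ova_copy", {})
    for key in ("src_host", "src_username", "src_password", "src_ova_path"):
        if not ova.get(key):
            problems.append(f"{name}: dla_ova_copy: {key} is required")
    if ova.get("dst_store") not in STORES:
        problems.append(f"{name}: dst_store must be bootflash or harddisk")
    for key in ("ne_ctl_ip", "dla_ctl_ip", "dla_ctl_gw"):
        if not _is_ipv4(eff.get(key, "")):
            problems.append(f"{name}: {key} must be an IPv4 address")
    for key in ("dla_ctl_mask", "dla_hostname"):
        if not eff.get(key):
            problems.append(f"{name}: {key} is required")
    if not eff.get("ne_netflow_interfaces", {}).get("ifnames"):
        problems.append(f"{name}: ifnames must list at least one interface")
    pw = eff.get("dla_password")
    if pw is not None and len(pw) < 6:
        problems.append(f"{name}: dla_password must be at least 6 characters")
    return problems


def password_prompts(settings):
    """Each password missing from the file is prompted for at the first agent
    that lacks it and reused for the rest, so it prompts at most once."""
    prompts = []
    for key in PROMPTED:
        if key in settings:
            continue
        for branch in settings["branches"]:
            if key not in branch:
                prompts.append((key, branch["dla_hostname"]))
                break
    return prompts
```

Run validate_branch over every entry in settings["branches"] before deploying: here branch1-agent passes, while branch2-agent reports the invalid dst_store, the empty ifnames list, and the too-short global dla_password it inherits.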

Configuring VRF Forwarding on the ISR

In the install.yaml properties file, if you added the vir_portgroup_1: ip_unnum interface to a non-default VPN routing and forwarding (VRF) instance on your ISR, you must define the vir_portgroup_1: vrf_forwarding property in the file. This allows the script to properly copy the .ova file to the router using SCP.

On the ISR, you must also configure the vir_portgroup_1: ip_unnum interface as the source address for an SSH client device, so the script can properly copy the .ova file.

Before You Begin

• Define vrf_forwarding in the install.yaml properties file. See Agent Properties File Settings, on page 36 for more information.

• Log into the ISR console.

Procedure

Step 1: enable
  Purpose: Enable privileged EXEC mode.
  Example: Router> enable

Step 2: config t
  Purpose: Enter global configuration mode.
  Example: Router# config t

Step 3: ip ssh source-interface <ip_unnum>
  Purpose: Specify the ip_unnum interface as the source for an SSH client device.
  Example: Router(config)# ip ssh source-interface GigabitEthernet0/0/0

Step 4: exit
  Purpose: Exit global configuration mode and return to privileged EXEC mode.
  Example: Router(config)# exit


Updating the Agent Properties File

Before You Begin

• Log into the controller VM console with the username sln.

Procedure

Step 1: cd /opt/cisco/sln/install_upgrade/container
  Purpose: Navigate to the /container directory.
  Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container

Step 2: cp install.yaml.example install.yaml
  Purpose: Copy the install.yaml.example file to install.yaml.
  Example: user@host:/opt/cisco/sln/install_upgrade/container$ cp install.yaml.example install.yaml

Step 3: vi install.yaml, then enter your password when prompted.
  Purpose: Open the install.yaml install and upgrade properties file in the vi text editor.
  Example: user@host:/opt/cisco/sln/install_upgrade/container$ vi install.yaml

Step 4: Update the properties file with the necessary settings.
  Using Agent Properties File Settings, on page 36 as a guide, update the properties file with the necessary settings.

Step 5: Save your changes and close the file.
  Press Esc, then enter :wq! and press Enter.

What to Do Next

• Run the install script, as described in Install Script Operation, on page 44.

Install Script Operation

The install script (installation_auto.py) deploys agents as virtual services based on settings in the agent install and upgrade properties file (install.yaml). You configure the properties file and run the install script from the controller, which contains both by default.

Based on the properties file settings and the script options you select, the script attempts to deploy agents in batches, copying the .ova file to the ISR, then deploying it.

Note: The script copies the .ova file to the ISR based on the properties file settings. However, if you copy the .ova file to the ISR, and configure the properties file setting to upload the .ova to the same filepath, the script deploys the agent using the .ova file already on the ISR.


As the script runs, it displays progress updates on the console every 10 seconds. These updates display the total number of agents to deploy, the number in progress, and the number that succeeded and failed.

If you commented out password properties in the install.yaml properties file, the script prompts you during the progress updates. For agent passwords, if you did not define a global password, the first time the script deploys an agent without a password defined, it prompts you for the password, then uses this password for all remaining agents without a password defined. The script also logs its progress to several log files.

You can exit the script at any time by pressing Ctrl-C.

Install Script Options

Append the following options to the command line when running the script for the following functionality:

Table 21: Install Script Options

Option: -b <integer>
  Description: Configure the script to deploy this number of agents in a batch at one time. The script defaults to deploying 50 agents in a batch. If you notice failed deployments when running the script, try lowering the batch size.

Option: -c install.yaml
  Description: Reference the install.yaml properties file.

Option: --clean_only
  Description: Removes all Learning Network License configuration and the virtual service from the ISR. If you want to upgrade your agents to the same version, run the script using --clean_only first, then run the script without --clean_only.

Option: -f
  Description: Copies the .ova file specified in the properties file to the destination filepath on the ISR, even if an .ova file with the same name is present at that destination filepath.

Option: -i
  Description: Deploy all agents configured in the properties file, even if they have been previously installed successfully. If you do not define this option, the script only deploys agents that previously failed to deploy properly.

Option: -h
  Description: Show help for options.

Option: -v
  Description: Perform local validation of the referenced properties file.

Option: -V
  Description: Perform validation of the referenced properties file, including connecting to the network element and validating interface names.


Run a basic installation from the controller command line with the following command:

installation_auto.py -c install.yaml

Running the Install Script

Before You Begin

• Log into the controller VM console.

Procedure

Step 1: cd /opt/cisco/sln/install_upgrade/container
  Purpose: Navigate to the /container directory.
  Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container

Step 2: installation_auto.py -c install.yaml, then enter your password when prompted
  Purpose: Run the installation_auto.py install script.
  Example: user@host:/opt/cisco/sln/install_upgrade/container$ installation_auto.py -c install.yaml

Step 3: Provide passwords when prompted.
  If you did not update install.yaml with passwords, enter those when prompted.

Verifying NTP Configuration on the Agent

Before You Begin

• Log into the agent virtual service console.

Procedure

Step 1: ntpq -n -p
  Purpose: Display configured NTP servers. If the system does not display configured NTP servers, repeat NTP configuration in Configuring NTP on the ISR, on page 30.
  Example: user@host:~$ ntpq -n -p


Smart Licensing Overview

To deploy the Learning Network License, you must register your controller with Cisco Smart Licensing. If you do not, your deployment enters Evaluation Mode, a 90-day trial which limits you to a maximum of 10 managed agents, and disables new functionality when the 90 days expire.

Cisco Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, Smart Licenses are not tied to a specific serial number or license key. Smart Licensing lets you assess your license usage and needs at a glance.

In addition, Smart Licensing does not prevent you from deploying agents. You can deploy an agent and purchase the license later. This allows you to deploy and use an agent, and avoid delays due to purchase order approval.

Logging into the Controller Web UI

When you installed the controller, you defined an IP address for the controller web UI, and reset the administrator user account (admin) password. Log in with the temporary password printed to the controller VM console. After you log in once, you must change the password and confirm the new password.

Procedure

In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username and password when prompted.

Registering the Controller Instance

Before You Begin

• Obtain a registration token from the Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html).

• Log into the controller web UI.

Procedure

Step 1 Select Dashboard.
Step 2 Click Smart Licensing.
Step 3 Click Register.
Step 4 Paste your registration token into the Smart Software Licensing Product Registration field.
Step 5 If you want to use a registration token and the current token is still valid, check Reregister this product instance if it is already registered.
Step 6 Click Register.


Restarting the Controller Processes

Procedure

Step 1: cd ~/SCA
  Purpose: Change to the /SCA directory.
  Example: user@host:~$ cd ~/SCA

Step 2: sudo service ciscosln-sca restart
  Purpose: Restart the controller processes.
  Example: user@host:~/SCA$ sudo service ciscosln-sca restart

Enabling Agents on the Controller

If you do not register your controller with Smart Licensing before you enable agents, your deployment is in Evaluation Mode, and you are limited to managing 10 agents with your controller for 90 days.

When you register your controller with Smart Licensing and enable the agents, ensure you have enough license entitlements.

Before You Begin

• Log into the controller web UI.

Procedure

Step 1 Select AGENTS.
Step 2 For each managed agent, click Enable, then click Continue to enable the agent.

Interface Configuration

When you configure a Network Element's interface, select a traffic direction, whether you want to enable mitigations on the interface, and whether you want to enable packet buffer capture (PBC) or deep packet inspection (DPI).

Note: Subinterface configuration of PBC/DPI is not supported on 4000 Series ISRs.

Interface Traffic Direction

The Direction you select for an interface determines how the agent tracks traffic origin from within or outside the branch, populates clusters, and models traffic to identify anomalies. Label each interface based on the following guidelines:


• An Internal interface faces the branch and branch hosts. The system applies Learning Network License-related NetFlow on this interface.

• An External interface faces the core. This interface passes traffic outside the branch, including other branches, headquarters, or the Internet.

• An Unconfigured interface does not qualify as either Internal or External. It is unused, or there is a reason you do not want to monitor the traffic over this interface.

An agent monitors traffic, and creates clusters of hosts with similar characteristics. The agent clusters external hosts, those residing on External interfaces, separately from internal hosts, those residing on Internal interfaces. Traffic between clusters is monitored for anomaly detection.

The agent monitors traffic to or from branch hosts. All traffic to or from an Internal interface, which represents the branch host traffic, is modeled for anomaly detection purposes. Traffic that does not involve an Internal interface is not modeled. See the following table for more information.

Table 22: Interface Direction and Modeled Traffic

Traffic from an Internal interface...
  ...to an Internal interface: is modeled and inspected for anomalous traffic.
  ...to an External interface: is modeled and inspected for anomalous traffic.
  ...to an Unconfigured interface: is modeled and inspected for anomalous traffic.

Traffic from an External interface...
  ...to an Internal interface: is modeled and inspected for anomalous traffic.
  ...to an External interface: is not modeled and inspected for anomalous traffic.
  ...to an Unconfigured interface: is not modeled and inspected for anomalous traffic.

Traffic from an Unconfigured interface...
  ...to an Internal interface: is modeled and inspected for anomalous traffic.
  ...to an External interface: is not modeled and inspected for anomalous traffic.
  ...to an Unconfigured interface: is not modeled and inspected for anomalous traffic.

Enable Mitigation

You can enable mitigation on Ethernet interfaces and most tunnel interfaces. The system does not support enabling mitigation on tunnel interfaces with multipoint GRE (mGRE) enabled.

Cisco recommends you enable mitigation on all enabled and supported interfaces, regardless of traffic direction. This provides maximum protection if the agent detects an anomaly, and you want to install a QoS policy on the Network Element to prevent the anomaly from being forwarded. If you configure a mitigation tailored to this anomalous traffic, the system installs the corresponding QoS policy on all Network Element interfaces on which you enabled mitigation.

Note: By default, the system checks the Enable Mitigation checkbox for all Ethernet and non-mGRE tunnel interfaces.

If your router interface has subinterfaces, and already has a quality of service (QoS) policy installed at the parent interface level, you can only enable mitigation policies at the parent level for that interface family. Similarly, if the subinterfaces have a QoS policy installed, you can only enable mitigation policies at the subinterface level for that interface family. If you enable a mitigation on a subinterface, the system automatically enables the mitigation on all sibling subinterfaces.

If the interface family does not have a QoS policy installed, you can install a mitigation at the parent interface or subinterface level. Once you configure a mitigation for a parent interface or a subinterface, however, you can only subsequently create mitigations at that level for the interface family.


Enable PBC/DPI

You can enable PBC or DPI on any interface with the word Ethernet in its name, with the following exceptions:

• You can only enable PBC or DPI on a G2 ISR interface if you did not configure it to export IP traffic (ip traffic-export). If you configured IP traffic export on the interface, remove the configuration from the interface before enabling PBC and DPI.

• You can only enable PBC or DPI on a 4000 Series ISR parent interface.

This allows you to capture and download PCAP files, or capture DNS query information from traffic.

Note: On a G2 ISR, if you enable PBC or DPI on a parent interface, the system also enables it for all sub-interfaces. Similarly, if you enable PBC or DPI on a G2 ISR sub-interface, the system also enables it for the parent interface and all sibling subinterfaces.

Configuring Agent Network Settings

You can update an agent's network settings, including the host router's IP address and directionality of the router's interfaces.

Before You Begin

• See Interface Configuration, on page 48 for information on configuring your agents.

Procedure

Step 1 Select AGENTS.
Step 2 Click Configure next to an agent.
Step 3 Enter the VirtualPortGroup1 virtual service eth0 IPv4 address in the Network Element IP field.
Step 4 Click the expand icon next to an interface to view the router interface configuration.
Step 5 For an interface, choose from the drop-down:

• Internal if the interface faces the branch (generally, if NetFlow is configured on the interface)

• External if the interface faces the core (generally, if the interface is passing traffic)

• Unconfigured if your interface is unused, or the interface faces neither the branch nor the core

Step 6 Check Enable mitigation to apply mitigation actions to this interface.
Step 7 If you want to capture raw packet data and send it from the network element to the agent, take the following steps:

• Check Enable PBC/DPI on one or more interfaces to enable raw packet capture.

• Select a network element interface from the Raw Packet Tx Interface (on NE) drop-down on which the network element passes raw packets to the agent.


• Select an agent interface from the Raw Packet Rx Interface (on Agent) drop-down on which the agent receives raw packets from the network element.

Step 8 If you want to enable the packet buffer capture (PBC) feature, check Enable PBC. You must enable capturing raw packet data.

Step 9 If you want to capture DNS query information, check Enable DPI/DPS. You must enable capturing raw packet data.

Step 10 Click Submit.

Step 11 Click Submit.

Step 12 If you want to create a template to apply this configuration to other agents, click Create template.

What to Do Next

• Allow the system time to perform the initial learning phase, as described in Initial Learning Phase Overview, on page 51.

Initial Learning Phase Overview

After you manage your agents with the controller, allow the system to run for seven days, inspect your network traffic, and build a baseline traffic model.

The Learning Network License system identifies anomalies by comparing detected traffic to the baseline model, and noting deviations. After system deployment, each agent inspects traffic traversing the router. During this initial learning phase, the agent builds a baseline traffic model. The model includes dynamically-generated clusters of hosts, and what types of application traffic are transmitted between clusters at what times of day.

If you log into the controller web UI while the system is learning about your network, you may see very few or no reported anomalies, as the system cannot compare against a baseline yet. Towards the end of the initial learning phase, the system may start reporting anomalies, but without a complete baseline, these anomalies may not be relevant. After the initial learning phase, when each agent completes its baseline model, the system can properly identify anomalous traffic that deviates from the baseline.

For more information, see the Cisco Stealthwatch Learning Network License Configuration Guide.
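To make the learning-phase behavior concrete, the following is an added illustration that is not part of this guide and not the product's own detection code. It builds a toy baseline of the shape the overview describes (which host clusters exchange which application traffic at which hours) from constructed flow records, reports nothing until the seven-day learning window has elapsed, and afterwards flags flows that deviate from the baseline. Cluster assignment by /24 prefix, the `Flow` record layout, and the application labels are assumptions standing in for the product's dynamically generated clusters and real NetFlow fields.

```python
"""Toy baseline-vs-deviation check over constructed flow records.

Added example, not Cisco code. It mirrors the guide's description: during the
initial learning phase the model is built and nothing is reported; afterwards
traffic is compared to the baseline and deviations are flagged.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str   # source host IPv4 address
    dst: str   # destination host IPv4 address
    app: str   # constructed application label, e.g. "http", "dns", "smb"
    hour: int  # hour of day, 0-23


def cluster_of(ip: str) -> str:
    """Assumed cluster assignment: the /24 network the host belongs to."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class BaselineModel:
    LEARNING_DAYS = 7  # the guide's initial learning phase length

    def __init__(self):
        # (src cluster, dst cluster, application) -> set of hours observed
        self.seen = defaultdict(set)
        self.days_observed = 0

    def learn_day(self, flows):
        """Fold one day of observed flows into the baseline."""
        for f in flows:
            self.seen[(cluster_of(f.src), cluster_of(f.dst), f.app)].add(f.hour)
        self.days_observed += 1

    @property
    def complete(self) -> bool:
        return self.days_observed >= self.LEARNING_DAYS

    def detect(self, flows):
        """Return (flow, reason) pairs that deviate from the baseline.

        While the baseline is incomplete nothing is reported, matching the
        guide's note that there is no baseline to compare against yet.
        """
        if not self.complete:
            return []
        anomalies = []
        for f in flows:
            key = (cluster_of(f.src), cluster_of(f.dst), f.app)
            hours = self.seen.get(key)
            if hours is None:
                anomalies.append((f, "unseen cluster pair/application"))
            elif f.hour not in hours:
                anomalies.append((f, "seen pairing at unusual hour"))
        return anomalies


def constructed_learning_day():
    """One constructed day of business-hours traffic (sample data)."""
    flows = []
    for h in range(9, 18):
        flows.append(Flow("10.1.1.10", "10.2.2.20", "http", h))
        flows.append(Flow("10.1.1.11", "10.3.3.53", "dns", h))
    return flows


def run_demo():
    """Return (anomalies during learning, anomalies after learning)."""
    model = BaselineModel()
    test_flows = [
        Flow("10.1.1.12", "10.2.2.21", "http", 10),  # within baseline
        Flow("10.1.1.12", "10.2.2.21", "http", 3),   # known pairing, odd hour
        Flow("10.1.1.5", "10.2.2.9", "smb", 11),     # application never seen
    ]
    model.learn_day(constructed_learning_day())
    during_learning = model.detect(test_flows)      # still learning: []
    for _ in range(BaselineModel.LEARNING_DAYS - 1):
        model.learn_day(constructed_learning_day())
    after_learning = model.detect(test_flows)       # two deviations flagged
    return during_learning, after_learning


if __name__ == "__main__":
    during, after = run_demo()
    print("during learning:", during)
    for flow, reason in after:
        print(f"after learning: {flow} -> {reason}")
```

The same flows produce no findings while the model is incomplete and two findings once it is, which is the behavior to expect when reviewing the controller web UI during and after the seven-day learning window.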

Next Steps

After you deploy the Learning Network License system, you can perform the following:

• Configure audit and event logging. See the Cisco Stealthwatch Learning Network License Virtual Service Installation Guide for more information.

• Integrate with an Identity Services Engine (ISE) server by configuring pxGrid integration. See the Cisco Stealthwatch Learning Network License Virtual Service Installation Guide for more information.

• Log into the controller web UI to configure user display settings, view anomalies and assign relevance feedback, configure mitigations for an anomaly, and configure external system integration. See the Cisco Stealthwatch Learning Network License Configuration Guide for more information.

For Assistance

Thank you for using Cisco products.


For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about the Firepower System, see What's New in Cisco Product Documentation at http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.

Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and have content delivered directly to your desktop using a reader application. The RSS feeds are a free service.

If you have any questions or require assistance with the Cisco Stealthwatch Learning Network License system, please contact Cisco Support:

• Visit the Cisco Support site at http://support.cisco.com.

• Email Cisco Support at [email protected].

• Call Cisco Support at 1.408.526.7209 or 1.800.553.2447.


© 2016 Cisco Systems, Inc. All rights reserved.


Americas Headquarters: Cisco Systems, Inc., San Jose, CA 95134-1706, USA

Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore

Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.