Stealthwatch Virtual Edition (with Data Store) Appliance Installation Guide 7.3.2


Cisco Systems, Inc.


Table of Contents

Introduction    6
  Overview    6
  Audience    6
  Terminology    7
  Abbreviations    7
Before You Begin    9
  Installation and Configuration Order    9
    First Time Setup    10
    Data Store    10
    Security Analytics and Logging (OP)    10
  Installation Methods    11
  Compatibility    12
    General Requirements for All Appliances    12
    VMware    12
    KVM    13
  Downloading Software    13
  TLS    13
  Third Party Applications    13
  Browsers    14
  Host Name    14
  Domain Name    14
  NTP Server    14
  Time Zone    14
Resource Requirements    15
  Stealthwatch Management Console VE    16
    Stealthwatch Management Console    16
  Flow Collector VE    17
    Flow Collector with a Data Store    17
  Data Node VE    18
  Flow Sensor VE    20
    Flow Sensor VE Network Environments    21
    Flow Sensor VE Traffic    22
  UDP Director VE    23
  Data Storage    24
1. Configuring your Firewall and Ports    26
  Overview    26
  Placing the Appliances    26
    Stealthwatch Management Console    26
    Stealthwatch Flow Collector    26
    Stealthwatch Flow Sensor    27
      Important Considerations for Integration    27
      TAPs    28
        Using Electrical TAPs    28
        Using Optical TAPs    29
        Using TAPs Outside Your Firewall    29
        Placing the Flow Sensor VE Inside Your Firewall    30
      SPAN Ports    31
    Stealthwatch UDP Director    32
    Stealthwatch Data Node    32
  Configuring Your Firewall for Communications    33
    Open Ports    33
      Stealthwatch Management Console (SMC), Flow Collector, Data Nodes, Flow Sensor, and UDP Director    33
    Communication Ports and Protocols    34
    Optional Communication Ports    36
    Stealthwatch Deployment Example    37
    Stealthwatch Deployment with Data Store Example    38
2. Downloading VE Installation Files    41
  Installation Files    41
  1. Log in to Cisco Software Central    41
  2. Download Files    42
3a. Installing a Virtual Appliance using VMware vCenter (ISO)    43
  Overview    43
  Before You Begin    43
  Installing a Virtual Appliance Using vCenter (ISO)    45
    Process Overview    45
    1. Logging in to the VMware Web Client    45
    2a. Configuring the Flow Sensor to Monitor Traffic    46
      Monitoring External Traffic with PCI Pass-Through    46
      Monitoring a vSwitch with Multiple Hosts    47
        Configuration Requirements    47
      Monitoring a vSwitch with a Single Host    50
        Configuration Requirements    50
        Configure the Port Group to Promiscuous Mode    50
    2b. Configuring an Isolated LAN for inter-Data Node Communications    53
    3. Installing the Virtual Appliance    54
    4. Defining Additional Monitoring Ports (Flow Sensors only)    62
3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)    65
  Overview    65
  Before You Begin    65
  Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)    66
    Process Overview    66
    1. Logging in to the VMware Web Client    66
    2. Booting from the ISO    69
3c. Installing a Virtual Appliance on a KVM Host (ISO)    71
  Overview    71
  Before You Begin    71
  Installing a Virtual Appliance on a KVM Host (ISO)    73
    Process Overview    73
    Configuring an isolated LAN for Data Nodes    73
    1. Installing a Virtual Appliance on a KVM Host    73
      Monitoring Traffic    73
        Configuration Requirements    74
      Installing a Virtual Appliance on a KVM Host    74
    2. Adding NIC (Data Node, Flow Sensor) and Promiscuous Port Monitoring on an Open vSwitch (Flow Sensors Only)    80
4. Configuring your Environment using First Time Setup    83
  Configuring a Stealthwatch Management Console or Flow Collector    83
  Configuring a Data Node    88
  Configuring a Flow Sensor or UDP Director    93
  Troubleshooting    97
    Certificate Error    97
    Accessing the Appliance    97
5. Configuring your Stealthwatch System    99
Contacting Support    100

© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

Introduction
Overview
Use this guide to install the following Cisco Stealthwatch Enterprise Virtual Edition (VE) appliances:
• Stealthwatch Management Console (SMC) VE
• Stealthwatch Flow Collector VE
• Stealthwatch Data Node VE
• Stealthwatch Flow Sensor VE
• Stealthwatch UDP Director VE
If you plan on deploying Data Nodes as part of a Data Store, review the Data Store Virtual Edition Deployment and Configuration Guide before you begin for full instructions on deploying the Data Store, including proper order of appliance installation. Use this guide only as a reference for virtual appliance installation.
For more information about Stealthwatch, refer to the following online resources:
• Overview: https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html
• Appliances: https://www.cisco.com/c/en/us/products/security/stealthwatch/datasheetlisting.html
• Release Notes: For details, refer to the Release Notes.
• Hardware Installation Guides: To install Stealthwatch x2xx series hardware, download the guides from https://www.cisco.com/c/en/us/support/security/stealthwatch/productsinstallation-guides-list.html.
• Data Node and Data Store Installation: If you plan on deploying Data Nodes as part of a Data Store, review the Data Store Virtual Edition Deployment and Configuration Guide before you begin for complete instructions on deploying the Data Store, including proper order of appliance installation.
Audience
The intended audience for this guide includes network administrators and other personnel who are responsible for installing and configuring Stealthwatch products.


If you are configuring virtual appliances, we assume you have basic familiarity with VMware or KVM. If you prefer to work with a professional installer, please contact your local Cisco Partner or Cisco Stealthwatch Support.
Terminology
This guide uses the term "appliance" for any Stealthwatch product, including virtual products such as the Stealthwatch Flow Sensor Virtual Edition (VE). A "cluster" is your group of Stealthwatch appliances that are managed by the Stealthwatch Management Console (SMC).
Abbreviations
The following abbreviations may appear in this guide:

Abbreviation | Definition
DNS | Domain Name System (Service or Server)
dvPort | Distributed Virtual Port
ESX | Enterprise Server X
GB | Gigabyte
IDS | Intrusion Detection System
IPS | Intrusion Prevention System
ISO | International Standards Organization
IT | Information Technology
KVM | Kernel-based Virtual Machine
MTU | Maximum Transmission Unit
NTP | Network Time Protocol
SMC | Stealthwatch Management Console
TB | Terabyte
UUID | Universally Unique Identifier
VDS | vNetwork Distributed Switch
VE | Virtual Edition
VLAN | Virtual Local Area Network
VM | Virtual Machine

Before You Begin
Before you begin, review this guide to understand the process as well as the preparation, time, and resources you'll need to plan for the installation.
Installation and Configuration Order
Before you install your virtual appliances, please note the required order for installing and configuring Stealthwatch.
1. Review Data Store Overview: Review the Data Store Virtual Edition Deployment Overview to understand basic prerequisite information for deploying Stealthwatch with a Data Store.
2. Install Virtual Appliances: Use the Data Store Virtual Edition Deployment and Configuration Guide for full instructions on deploying Stealthwatch Virtual Edition (VE) with a Data Store, including proper order of appliance deployment. Use this Virtual Edition (with Data Store) Appliance Installation Guide as reference for the virtual appliance installation.
3. Configure Stealthwatch: After you deploy your SMC VE, Data Nodes VE, and Flow Collectors VE, configure that appliance using the Stealthwatch System Configuration Guide v7.3.2 and the Data Store Virtual Edition Deployment and Configuration Guide.
Note the following:
• Configuration Order: Make sure you configure the appliances in order.
• Certificates: Appliances are installed with a unique, self-signed appliance identity certificate.
• Central Management: Use the primary SMC/Central Manager to manage your appliances and change configuration settings.
After you install your appliances, you will configure Stealthwatch using the Stealthwatch System Configuration Guide v7.3.2. This step is critical for the successful configuration and communication of your system.
4. Configure Data Store Initialization and Retention: After the SMC VE, Data Nodes VE, and Flow Collectors VE are deployed and configured in Stealthwatch, use the Data Store Virtual Edition Deployment and Configuration Guide to initialize the Data Store and configure flow interface statistics data retention. The guide also includes Data Store maintenance information.
First Time Setup
As part of 4. Configuring your Environment using First Time Setup in this guide, you will configure your environment for a Data Store deployment. You can also choose to enable SAL On Prem (Security Analytics and Logging On Prem).
After you make these selections in First Time Setup, you cannot change the configuration. If you select the wrong choice, deploy a new virtual appliance or RFD your virtual appliance.
Data Store
When you configure Stealthwatch with a Data Store in the First Time Setup, it is important to follow the instructions and note the following:
l SMC and Flow Collectors: You need to deploy the Data Store on your SMCs and Flow Collectors.
l Guide: Use the Data Store Virtual Edition Deployment and Configuration Guide for full instructions on deploying Stealthwatch with a Data Store, including proper order of appliance deployment, initializing the Data Store, and configuring data retention.
Security Analytics and Logging (OP)
You can choose to enable Security Analytics and Logging On Prem and use your Stealthwatch deployment to store Firepower event information. Note that this disables NetFlow collection on your Flow Collector.
l SMC and Flow Collectors: If you enable Security Analytics and Logging on your SMC, you must enable SAL on the Flow Collector.
l Guide: Refer to the Security Analytics and Logging: Firepower Event Integration Guide for more information.
l App Requirement: If you configure Security Analytics and Logging On Prem, install the Security Analytics and Logging On Prem App on your Stealthwatch Management Console.

Installation Methods
You can use a VMware environment or KVM (Kernel-based Virtual Machine) for the virtual appliance installation.
Before you start the installation, review the compatibility information and resource requirements. Use the following table to choose an installation method.

Method | Installation Instructions (for reference) | Installation File | Details
VMware vCenter | 3a. Installing a Virtual Appliance using VMware vCenter (ISO) | ISO | Installing your virtual appliances using VMware vCenter.
VMware ESXi Stand-Alone Server | 3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO) | ISO | Installing your virtual appliances on an ESXi stand-alone host server.
KVM and Virtual Machine Manager | 3c. Installing a Virtual Appliance on a KVM Host (ISO) | ISO | Installing your virtual appliances using KVM and Virtual Machine Manager.

Compatibility
Whether you plan to install your virtual appliances in a VMware environment or KVM (Kernel-based Virtual Machine), make sure you review the following compatibility information:
General Requirements for All Appliances

Requirement | Description
Dedicated Resources | All appliances require the allocation of dedicated resources and cannot be shared with other appliances or hosts.
No Live Migration | Appliances do not support vMotion due to the possibility of corruption.
Network Adapter | All appliances require at least 1 network adapter. Flow Sensors can be configured with additional adapters to support additional throughput. Data Nodes require a second network adapter for communication with other Data Nodes as part of the Data Store.
Storage Controller | When configuring the ISO in VMware, select the LSI Logic SAS SCSI Controller type.
Storage Provisioning | Assign Thick Provisioned Lazy Zeroed storage provisioning when deploying virtual appliances.

VMware
• Compatibility: VMware v6.5, v6.7, v7.0.
• Operating System: Debian 10 64-bit.
• ISO Deployment: We validated VMware v6.5 using update 2 and the vSphere flash-based web client. There may be issues using other clients from vSphere. You can use the ESXi 6.5 update 2 HTML5 client, but you may encounter system time-outs.
• Live migration: We do not support host to host live migration (for example, with vMotion).
• Snapshots: Virtual machine snapshots are not supported.

Do not install VMware Tools on a Stealthwatch virtual appliance because it will override the custom version already installed. Doing so would render the virtual appliance inoperable and require reinstallation.
KVM
• Compatibility: You can use any compatible Linux distribution.
• KVM Host Versions: There are several methods used to install a virtual machine on a KVM host. We tested KVM and validated performance using the following components:
  • libvirt 3.0.0 - 6.5.0
  • qemu-KVM 2.8.0 - 5.0.0
  • Open vSwitch 2.6.1 - 2.13.0
  • Linux Kernel 4.4.38 - 5.4.55
• Operating System: Debian 10 64-bit.
• Virtualization Host: For minimum requirements and best performance, review the Resource Requirements section and see the hardware specification sheet for your appliance at Cisco.com.
The system performance is determined by the host environment. Your performance may vary.
Downloading Software
Use Cisco Software Central to download virtual appliance (VE) installation files, patches, and software update files. Log in to your Cisco Smart Account at https://software.cisco.com or contact your administrator. Refer to 2. Downloading VE Installation Files for instructions.
TLS
Stealthwatch requires TLS v1.2.
Third Party Applications
Stealthwatch does not support installing third party applications on appliances.

Browsers
l Compatible Browsers: Stealthwatch supports the latest version of Chrome, Firefox, and Edge.
l Microsoft Edge: There may be a file size limitation with Microsoft Edge. We do not recommend using Microsoft Edge to install the VE ISO files.
Host Name
A unique host name is required for each appliance. We cannot configure an appliance with the same host name as another appliance. Also, make sure each appliance host name meets the Internet standard requirements for Internet hosts.
Domain Name
A fully qualified domain name is required for each appliance. We cannot install an appliance with an empty domain.
NTP Server
• Configuration: At least 1 NTP server is required for each appliance.
• Problematic NTP: Remove the 130.126.24.53 NTP server if it is in your list of servers. This server is known to be problematic and it is no longer supported in our default list of NTP servers.
Time Zone
All Stealthwatch appliances use Coordinated Universal Time (UTC).
• Virtual Host Server: Make sure the time setting on the virtual host server (where you will be installing the virtual appliances) is set to the correct time. Otherwise, the appliances may not be able to boot up.

Resource Requirements
This section provides the resource requirements for the virtual appliances. Use the tables provided in this section to record settings you will need to install and configure the Stealthwatch VE appliances.
• Stealthwatch Management Console (SMC)
• Flow Collector
• Data Node
• Flow Sensor
• UDP Director
• Data Storage
Make sure you reserve the required resources for your system. This step is critical for system performance.
If you choose to deploy Cisco Stealthwatch appliances without the required resources, you assume the responsibility to closely monitor your appliance resource utilization and increase resources as needed to ensure proper health and function of the deployment.


Stealthwatch Management Console VE
To determine the minimum resource allocations for the Stealthwatch Management Console VE, you should determine the number of concurrent users expected to log in to the SMC. Refer to the following specifications to determine your resource allocations.
Stealthwatch Management Console

Concurrent Users* | Required Reserved Memory | Required Reserved CPUs | Minimum Storage Space
up to 9 | 32 GB | 4 | 125 GB
10 or more | 64 GB | 8 | 200 GB

*Concurrent users include scheduled reports and people using the SMC client at the same time.


Flow Collector VE
Because the Data Nodes within a Data Store will store flows instead of the Flow Collectors, the resource requirements are different depending on whether you deploy a Data Store.
Flow Collector with a Data Store

Flows per second | Interfaces | Exporters | Required Reserved Memory | Required Reserved CPUs | Required Minimum Data Storage
Up to 50,000 | Up to 65535 | Up to 2048 | 32 GB | 6 | 200 GB
Up to 120,000 | Up to 65535 | Up to 4096 | 70 GB | 8 | 200 GB

Data Node VE
If you plan on deploying Data Nodes as part of a Data Store, review the Data Store Installation and Configuration Guide before you begin for full instructions on initializing the Data Store, including proper order of appliance deployment.
To determine your resource requirements for the Data Node VE, you should determine the flows per second expected on the network. This also affects the resource requirements for your Flow Collectors VE. Refer to Flow Collector VE for more information on resource requirements. You can deploy only 3 Data Nodes VE to your network. You cannot deploy additional Data Nodes VE. If you deploy a Data Store VE with 3 Data Nodes VE, we recommend that for each Data Node, calculate the storage allocation as follows:
[(daily average FPS / 1,000) x 1.6 x days] / number of Data Nodes
• Determine your daily average flows per second (FPS).
• Divide this number by 1,000 FPS.
• Multiply this number by 1.6 GB of storage for one day's worth of storage.
• Multiply this number by the number of days you want to store the flows for total Data Store storage.
• Divide this number by the number of Data Nodes in your Data Store for storage per Data Node.
For example, if your system:
• has 50,000 daily average FPS,
• will store flows for 90 days, and
• you have 3 Data Nodes,
calculate per Data Node as follows:
[(50,000 / 1,000) x 1.6 x 90] / 3 = 2400 GB (2.4 TB) per Data Node
• daily average FPS = 50,000
• 50,000 daily average FPS / 1,000 = 50
• 50 x 1.6 GB = 80 GB for one day's worth of storage
• 80 GB x 90 days per Data Store = 7200 GB per Data Store
• 7200 GB / 3 Data Nodes = 2400 GB (2.4 TB) per Data Node
Refer to the following specifications to determine your resource requirements:

Flows per second | Required Reserved Memory | Required Reserved CPUs | Required Minimum Data Storage for 30 days
Up to 50,000 | 32 GB per Data Node VE | 6 per Data Node VE | 800 GB per Data Node; 2.4 TB total across 3 Data Nodes
Up to 120,000 | 32 GB per Data Node VE | 12 per Data Node VE | 1.92 TB per Data Node; 5.76 TB total across 3 Data Nodes
Up to 220,000 | 64 GB per Data Node VE | 16 per Data Node VE | 3.52 TB per Data Node; 10.56 TB total across 3 Data Nodes


Flow Sensor VE
Stealthwatch offers various types of Flow Sensor VEs depending upon the number of NICs for the Flow Sensor VE.
l Cache: The Flow Cache Size column indicates the maximum number of active flows that the Flow Sensor can process at the same time. The cache adjusts with the amount of reserved memory, and flows are flushed every 60 seconds. Use the Flow Cache Size to calculate the amount of memory needed for the amount of traffic being monitored.
l Requirements: Your environment may require more resources depending on a number of variables, such as average packet size, burst rate, and other network and host conditions.

NICs monitoring ports | Required Reserved CPUs | Required Minimum Reserved Memory | Estimated Throughput | Flow Cache Size (maximum number of concurrent flows)
1 x 1 Gbps | 2 | 4 GB | 850 Mbps | 32,766
2 x 1 Gbps (interfaces configured as PCI pass-through, igb/ixgbe compliant or e1000e compliant) | 4 | 8 GB | 1,850 Mbps | 65,537
4 x 1 Gbps (interfaces configured as PCI pass-through, igb/ixgbe compliant or e1000e compliant) | 8 | 16 GB | 3,700 Mbps | 131,073
1 x 10 Gbps* (interfaces configured as PCI pass-through, Intel ixgbe/i40e compliant) | 12 | 24 GB | 8 Gbps | ~512,000
2 x 10 Gbps* (interfaces configured as PCI pass-through, Intel ixgbe/i40e compliant) | 22 | 40 GB | 16 Gbps | ~1,000,000

*For 10 Gbps throughput, configure all CPUs in 1 socket. For each additional 10 Gbps NIC, add 10 vCPUs and 16 GB of RAM. Optional: One or more 10G NICs may be used on the physical VM host. These figures are based on tests with Cisco UCS C220 M4, which contains the following:
• Processors: 2 Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40 GHz, 2 sockets, 12 cores per socket
• Memory: 128 GB
• Storage: 800 GB
• ESXi: VMware vSphere 6.7.0
• Monitoring Interfaces: PCI pass-through with 1 Gbps and 10 Gbps interfaces
Flow Sensor VE Network Environments
Before installing the Flow Sensor VE, make sure you know the type of network environment you have. This guide covers all types of network environments that a Flow Sensor VE can monitor.


• Compatibility: Stealthwatch supports a VDS environment, but it does not support VMware Distributed Resource Scheduler (VM-DRS).
• Virtual Network Environments: The Flow Sensor VE monitors the following types of virtual network environments:
  • A network with virtual local area network (VLAN) trunking
  • Discrete VLANs where one or more VLANs are prohibited from attaching packet monitoring devices (for example, due to local policy)
  • Private VLANs
  • Hypervisor hosts rather than VLANs
Integration: For integration information, review Stealthwatch Flow Sensor.
Flow Sensor VE Traffic
The Flow Sensor will process traffic with the following Ethertypes:

Ethertype | Protocol
0x8000 | Normal IPv4
0x86dd | Normal IPv6
0x8909 | SXP
0x8100 | VLAN
0x88a8 | VLAN QnQ
0x9100 | VLAN QnQ
0x9200 | VLAN QnQ
0x9300 | VLAN QnQ
0x8847 | MPLS unicast
0x8848 | MPLS multicast

The Flow Sensor saves the top-level MPLS label or VLAN ID and exports it. It bypasses the other labels when it is processing packets.
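An added Python illustration of the header-walking rule above (keep the top-level VLAN ID or MPLS label, bypass the rest, then check whether the inner payload is one of the listed types); it is not Flow Sensor code, and the sample frames are constructed inline. Inferring the post-MPLS payload from the IP version nibble is my assumption, since MPLS carries no payload Ethertype.

```python
import struct

# Ethertypes from the Flow Sensor VE Traffic table. The table prints IPv4 as
# 0x8000; real frames carry the IEEE-assigned value 0x0800, which is used here.
ETH_IPV4 = 0x0800
ETH_IPV6 = 0x86DD
ETH_SXP = 0x8909
VLAN_TAGS = {0x8100: "VLAN", 0x88A8: "VLAN QnQ", 0x9100: "VLAN QnQ",
             0x9200: "VLAN QnQ", 0x9300: "VLAN QnQ"}
MPLS_TAGS = {0x8847: "MPLS unicast", 0x8848: "MPLS multicast"}
PAYLOADS = {ETH_IPV4: "Normal IPv4", ETH_IPV6: "Normal IPv6", ETH_SXP: "SXP"}


def classify_frame(frame: bytes) -> dict:
    """Peel outer VLAN/MPLS headers; keep only the top VLAN ID or MPLS label."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    result = {"top_vlan_id": None, "top_mpls_label": None, "tags": [], "payload": None}
    off = 12                                    # skip destination + source MAC
    (etype,) = struct.unpack_from("!H", frame, off)
    off += 2
    while etype in VLAN_TAGS:                   # 802.1Q / QinQ: TCI, then next Ethertype
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        result["tags"].append(VLAN_TAGS[etype])
        tci, etype = struct.unpack_from("!HH", frame, off)
        off += 4
        if result["top_vlan_id"] is None:       # only the outermost VID is kept
            result["top_vlan_id"] = tci & 0x0FFF
    if etype in MPLS_TAGS:
        result["tags"].append(MPLS_TAGS[etype])
        while True:                             # label stack: 20-bit label, S bit at bit 8
            if off + 4 > len(frame):
                raise ValueError("truncated MPLS stack")
            (entry,) = struct.unpack_from("!I", frame, off)
            off += 4
            if result["top_mpls_label"] is None:
                result["top_mpls_label"] = entry >> 12
            if (entry >> 8) & 1:                # bottom of stack reached
                break
        # Assumption for this illustration: payload after MPLS is IPv4 or IPv6,
        # recognised by the IP version nibble.
        etype = {4: ETH_IPV4, 6: ETH_IPV6}.get(frame[off] >> 4) if off < len(frame) else None
    result["payload"] = PAYLOADS.get(etype)
    result["supported"] = result["payload"] is not None
    return result


def build_frame(vlans=(), mpls_labels=(), payload_etype=ETH_IPV4) -> bytes:
    """Construct a sample frame: dummy MACs, optional VLAN tags, optional MPLS stack."""
    frame = bytearray(b"\x02" * 6 + b"\x04" * 6)
    for tag_etype, vid in vlans:                # (TPID, VID) pairs, outermost first
        frame += struct.pack("!HH", tag_etype, vid & 0x0FFF)
    if mpls_labels:
        frame += struct.pack("!H", 0x8847)
        for i, label in enumerate(mpls_labels):
            bos = int(i == len(mpls_labels) - 1)
            frame += struct.pack("!I", (label << 12) | (bos << 8) | 64)  # TTL 64
    else:
        frame += struct.pack("!H", payload_etype)
    first = 0x60 if payload_etype == ETH_IPV6 else 0x45   # IP version nibble
    frame += bytes([first]) + b"\x00" * 19
    return bytes(frame)


if __name__ == "__main__":
    print(classify_frame(build_frame(vlans=((0x88A8, 100), (0x8100, 200)))))
    print(classify_frame(build_frame(mpls_labels=(16, 17, 18))))
```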


UDP Director VE
The UDP Director VE requires that the virtual machine meets the following specifications:

Required Reserved CPU | Required Reserved Memory | Minimum Data Storage | Maximum FPS Rate
2 | 4 GB | 60 GB | 10,000

Data Storage
The appliance data storage expands automatically when the appliance reboots. Also, you may want to expand the appliance resource allocations to improve performance. Use the following information to allocate storage for each appliance.
Make sure you reserve the required resources for your system. This step is critical for system performance.
If you choose to deploy Cisco Stealthwatch appliances without the required resources, you assume the responsibility to closely monitor your appliance resource utilization and increase resources as needed to ensure proper health and function of the deployment.
• Expansion Calculation: The virtual appliance uses approximately 75% of the server for data storage, leaving 25% for the operating system and cache. Therefore, always expand the data storage to 40% more than the desired amount.
• FPS Calculation: Allocate a minimum of 1 GB of data storage for every 1,000 flows per second (FPS) your system averages daily multiplied by the number of days you want to store the flows. For example, if your system averages 2,000 FPS and you want to store flows for 30 days, allocate a minimum of 60 GB (2 x 30) of data storage space.
• Syslog: If the External Event processing (syslog) feature is used, more memory and processing resources are required.
• Data Storage: Use the following table to determine the data storage required for each appliance.
• Restart: If you increase the virtual machine memory using another method on your Hypervisor host, restart the appliance after you have saved your changes.
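An added Python illustration of the sizing rules in this guide (the per-Data-Node formula from Data Node VE, the 1 GB per 1,000 FPS per day rule, and the 40% expansion margin above); it is not Cisco code. Applying the 40% margin to a per-Data-Node figure is my assumption; the guide states it for appliance data storage in general.

```python
import math

# The guide states that exactly 3 Data Nodes VE can be deployed per Data Store VE.
DATA_NODES_SUPPORTED = 3


def data_store_daily_gb(avg_fps: float) -> float:
    """Data Store storage consumed per day: 1.6 GB per 1,000 FPS.

    Written as 16/10,000 so whole-number results stay exact in floating point.
    """
    if avg_fps <= 0:
        raise ValueError("average FPS must be positive")
    return avg_fps * 16 / 10_000


def data_node_storage_gb(avg_fps: float, retention_days: int,
                         data_nodes: int = DATA_NODES_SUPPORTED) -> float:
    """Per-Data-Node storage: [(FPS / 1,000) x 1.6 x days] / number of Data Nodes."""
    if retention_days <= 0:
        raise ValueError("retention must be at least one day")
    if data_nodes != DATA_NODES_SUPPORTED:
        raise ValueError(f"the guide supports exactly {DATA_NODES_SUPPORTED} Data Nodes VE")
    total_gb = data_store_daily_gb(avg_fps) * retention_days
    return total_gb / data_nodes


def flow_collector_storage_gb(avg_fps: float, retention_days: int) -> float:
    """Non-Data-Store rule: at least 1 GB per 1,000 FPS for each retained day."""
    if avg_fps <= 0 or retention_days <= 0:
        raise ValueError("FPS and retention must be positive")
    return avg_fps / 1_000 * retention_days


def with_expansion_margin(desired_gb: float) -> int:
    """Disk to allocate so ~75% of it yields the desired data space: +40%, rounded up."""
    return math.ceil(desired_gb * 14 / 10)


def size_report(avg_fps: float, retention_days: int) -> dict:
    """Summarise a Data Store VE sizing for the given load and retention."""
    per_node = data_node_storage_gb(avg_fps, retention_days)
    return {
        "per_node_gb": per_node,
        "per_node_tb": per_node / 1000,
        "total_gb": per_node * DATA_NODES_SUPPORTED,
        # Assumption: the 40% margin applies per Data Node as it does elsewhere.
        "allocate_per_node_gb": with_expansion_margin(per_node),
    }


if __name__ == "__main__":
    # The guide's worked example: 50,000 FPS, 90 days, 3 Data Nodes -> 2400 GB per node
    print(size_report(50_000, 90))
```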


Stealthwatch VE Model | Required Minimum Data Storage | Maximum Addressable Storage / Hardware Equivalent
Stealthwatch Management Console VE | 125 GB | 5.6 TB
Flow Collector NetFlow or sFlow VE | 200 GB | n/a, depends on Data Store
Data Node VE | See Data Node VE Resource Requirements for more information | See Data Node VE Resource Requirements for more information
Flow Sensor | 60 GB | n/a
UDP Director | 60 GB | n/a

1. Configuring your Firewall and Ports
Overview
Before you can install your virtual appliance, complete the following procedures to prepare your network:
1. Placing the Appliances
2. Configuring Your Firewall for Communications
3. Stealthwatch Flow Sensor
Placing the Appliances
Review the placement information for each appliance you are installing.
• Stealthwatch Management Console (SMC)
• Flow Collector
• Flow Sensor
• UDP Director
• Data Node
Stealthwatch Management Console
As the management device, install the Stealthwatch Management Console at a location on your network that is accessible to all the devices sending data to it. If you have a failover pair of Stealthwatch Management Consoles, we recommend installing the primary and the secondary consoles in separate physical locations. This strategy will enhance a disaster recovery effort should it become necessary.
Stealthwatch Flow Collector
As collection and monitoring devices, the Stealthwatch Flow Collector should be installed at a location on your network that is accessible to the NetFlow or sFlow devices sending the data to a Flow Collector, as well as any devices you plan to use to access the management interface. When you place a Flow Collector outside a firewall, we recommend that you turn off the setting Accept traffic from any exporter.

Stealthwatch Flow Sensor
As a passive monitoring device, the Stealthwatch Flow Sensor can sit at multiple points on your network to observe and record IP activity, thereby protecting network integrity and detecting security breaches. The Flow Sensor features integrated web-based management systems that facilitate either centralized or remote management and administration. The Flow Sensor VE appliance is most effective when placed at critical segments of your corporate network as follows:
• Inside your firewall to monitor traffic and determine if a firewall breach has occurred
• Outside your firewall, monitoring traffic flow to analyze who is threatening your firewall
• At sensitive segments of your network, offering protection from disgruntled employees or hackers with root access
• At remote office locations that constitute vulnerable network extensions
• On your business network for protocol use management (for example, on your transaction services subnet to determine if a hacker is running Telnet or FTP and compromising your customers' financial data)
Important Considerations for Integration
The Stealthwatch Flow Sensor VE is versatile enough to integrate with a wide variety of network topologies, technologies, and components. Before you install a Flow Sensor VE, you must make several decisions about your network and how you want to monitor it. It is important to review the following:
• Analyze your network's topology and your specific monitoring needs.
• Connect a Flow Sensor so that it receives network transmissions to and from the monitored network, and, if desired, receives interior network transmissions as well.
• For optimum performance when using the Flow Sensor to monitor physical network traffic, configure your Flow Sensor VE with direct access to the underlying physical host's NICs (such as using an igb or e1000e compliant PCI pass-through).
The following sections explain how to integrate a Stealthwatch Flow Sensor VE appliance into your network using the following Ethernet network devices:
• TAPs
• SPAN Ports

While not all network configurations can be discussed here, the examples may help you determine the best setup for your monitoring needs. These examples provide physical network scenarios, and the virtual host can be configured in a similar way.
TAPs
When a Test Access Port (TAP) is placed in line with a network connection, it repeats the connection on a separate port or ports. For example, an Ethernet TAP placed in line with an Ethernet cable will repeat each direction of transmission on separate ports. Therefore, use of a TAP is the most reliable way to use the Flow Sensor. The type of TAP you use depends on your network.
Review the Stealthwatch System Configuration Guide v7.3.2 for Flow Sensor configuration requirements.
This section explains the following ways to use TAPs:
• Using Electrical TAPs
• Using Optical TAPs
• Using TAPs Outside Your Firewall
• Placing the Flow Sensor VE Inside Your Firewall
In a network using TAPs, the Flow Sensor VE can capture performance monitoring data only if it is connected to an aggregating TAP that is capturing both inbound and outbound traffic. If the Flow Sensor VE is connected to a unidirectional TAP that is capturing only one direction of traffic on each port, then the Flow Sensor VE will not capture performance monitoring data.
Using Electrical TAPs
The following illustration shows the Stealthwatch Flow Sensor VE connected to an Ethernet electrical TAP. To achieve this configuration, connect the two TAP ports to the Flow Sensor VE Monitor Ports 1 and 2, as shown.
Using Optical TAPs
Two splitters are required for fiber-optic-based systems. You can place a fiber-optic cable splitter in line with each direction of transmission and use it to repeat the optical signal for one direction of transmission. The following illustration shows the Flow Sensor connected to a fiber-optic-based network. To achieve this configuration, connect the outputs of the optical splitters to the Flow Sensor VE Monitor Ports 1 and 2, as shown.

If the connection between the monitored networks is an optical connection, then the Stealthwatch Flow Sensor VE appliance is connected to two optical splitters. The management port is connected to either the switch of the monitored network or to another switch or hub.
Using TAPs Outside Your Firewall
To have the Flow Sensor VE monitor traffic between your firewall and other networks, connect the Stealthwatch management port to a switch or port outside of the firewall.
Use a TAP for this connection so that failure of the device does not bring down your entire network.
The following illustration shows an example of this configuration using an Ethernet electrical TAP. The management port must be connected to the switch or hub of the monitored network. This setup is similar to the setup that monitors traffic to and from your network.
If your firewall is performing network address translation (NAT), you can observe only the addresses that are on the firewall.
Placing the Flow Sensor VE Inside Your Firewall
To monitor traffic between internal networks and a firewall, the Flow Sensor VE must be able to access all traffic between the firewall and the internal networks. You can accomplish this by configuring a mirror port that mirrors the connection to the firewall on the main switch. Make sure that the Flow Sensor VE Monitor Port 1 is connected to the mirror port, as shown in the following illustration:

To monitor traffic inside your firewall by using a TAP, insert the TAP or optical splitter between your firewall and the main switch or hub. A TAP configuration is shown below.
An optical splitter configuration is shown below.
SPAN Ports
You can also connect the Flow Sensor VE to a switch. However, because a switch does not repeat all traffic on each port, the Flow Sensor VE will not perform properly unless the switch can repeat packets transmitted to and from one or more switch ports. This type of switch port is sometimes called a mirror port or Switch Port Analyzer (SPAN). The following illustration shows how you can achieve this configuration by connecting your network to the Stealthwatch Flow Sensor VE through the management port.
In this configuration, you must configure a switch port (also called a mirror port) to repeat all traffic to and from the host of interest to the mirror port. The Flow Sensor VE Monitor Port 1 must be connected to this mirror port. This allows the Flow Sensor to monitor traffic to and from the network of interest and to other networks. In this instance, a network may be made up of some or all of the hosts connected to the switch. A common way of configuring networks on a switch is to zone them into virtual local area networks (VLANs), which are logical rather than physical groupings of hosts. If the mirror port is configured to mirror all ports on a VLAN or switch, the Flow Sensor VE can monitor all traffic to, from, and within the network of interest, as well as other networks.
- Configuration: Review the Stealthwatch System Configuration Guide v7.3.2 for Flow Sensor configuration requirements.
- Documentation: In all cases, make sure you consult your switch manufacturer's documentation to determine how to configure the switch mirror port and what traffic will be repeated to the mirror port.
Stealthwatch UDP Director
The only requirement for the placement of the Stealthwatch UDP Director is that it has an unobstructed communication path to the rest of your Stealthwatch appliances.
If you are deploying the UDP Director in an environment where Cisco ACI is being used and Unicast Reverse Path Forwarding (uRPF) or Limit IP learning to subnet is enabled, the local network may block the forwarded traffic leaving the UDP Director. The UDP Director spoofs the original source IP address as part of its forwarding rules so that the tools collecting the log data can see the original source of the traffic; because those forwarded packets carry a source address that does not belong to the UDP Director's own subnet, uRPF or subnet-limited IP learning on the leaf treats them as invalid and drops them.
To ensure successful operation of the UDP Director in this case, deploy it on a portion of your network where you can disable uRPF or Limit IP learning to subnet (typically internally). You can place the UDP Director in an L3 out (no IP learning). If you are running ACI 4.0 or later, you can disable endpoint learning on a per-VRF basis.
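The failure mode described above, as an added example that is not Cisco code: a strict uRPF check, modelled in Python over a constructed routing table, applied to a datagram before and after a UDP Director forwarding rule. The interface names, addresses and routing table are assumptions of this example; the page's other setting, Limit IP learning to subnet, is not modelled. With spoofing on, the forwarding rule keeps the exporter's source address, which is exactly what the leaf then rejects on the UDP Director's interface.

```python
"""Strict unicast RPF check, modelling why a UDP Director's spoofed-source
forwarding is dropped by a leaf that enforces uRPF. Added example, not Cisco
code; addresses, interface names and the routing table are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed leaf routing table: prefix -> interface the prefix is reachable on.
ROUTES = [
    ("10.10.0.0/24", "eth1/1"),   # NetFlow / syslog exporters
    ("10.20.0.0/24", "eth1/2"),   # UDP Director
    ("10.30.0.0/24", "eth1/3"),   # Flow Collector / SIEM
    ("0.0.0.0/0",    "eth1/48"),  # default route
]


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def expected_ingress(src):
    """Longest-prefix match on the source address: the interface a packet
    from src is expected to arrive on (None if no route at all)."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_urpf(datagram, ingress_iface):
    """Strict mode: accept only if the route back to the source points at
    the interface the packet actually arrived on."""
    return "accept" if expected_ingress(datagram.src) == ingress_iface else "drop"


def udp_director_forward(datagram, director_ip, destination, spoof_source=True):
    """Model of a UDP Director forwarding rule. With spoof_source=True the
    original exporter address is preserved so the receiving tool sees the
    true source; with False the Director's own address is used instead."""
    return Datagram(datagram.src if spoof_source else director_ip,
                    destination, datagram.dport, datagram.payload)


if __name__ == "__main__":
    # Constructed NetFlow datagram from an exporter to the UDP Director.
    original = Datagram("10.10.0.5", "10.20.0.10", 2055, b"\x00\x09")
    print("exporter -> director, on eth1/1:", strict_urpf(original, "eth1/1"))
    spoofed = udp_director_forward(original, "10.20.0.10", "10.30.0.20")
    print("director -> collector, spoofed, on eth1/2:", strict_urpf(spoofed, "eth1/2"))
    plain = udp_director_forward(original, "10.20.0.10", "10.30.0.20", spoof_source=False)
    print("director -> collector, unspoofed, on eth1/2:", strict_urpf(plain, "eth1/2"))
```

The unspoofed variant passes uRPF but makes every forwarded record appear to come from the UDP Director, which is why the guide's remedy is to move the Director or relax the check rather than to turn spoofing off.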
Stealthwatch Data Node
As a repository for flow data collected by Flow Collectors, and as the centralized repository against which a Stealthwatch Management Console runs queries, install your Data Nodes at a location on your network that is accessible by all of your Flow Collectors and your Stealthwatch Management Console. See the Data Store Virtual Edition Deployment and Configuration Guide for more information.
Configuring Your Firewall for Communications
In order for the appliances to communicate properly, you should configure the network so that firewalls or access control lists do not block the required connections. Use the information provided in this section to configure your network so that the appliances can communicate through the network.
Open Ports
Stealthwatch Management Console (SMC), Flow Collector, Data Nodes, Flow Sensor, and UDP Director
Consult with your network administrator to ensure that the following ports are open and have unrestricted access:
- TCP 22, 25, 389, 443, 2393, 5222
- UDP 53, 123, 161, 162, 389, 514, 2055, 6343
In addition, if you deploy Data Nodes to your network, ensure that the following ports are open and have unrestricted access:
- TCP 5433, 5444, 9450
Communication Ports and Protocols
The following table shows how the ports are used in Stealthwatch:

From (Client)         To (Server)                          Port               Protocol
Admin User PC         All appliances                       TCP/443            HTTPS
All appliances        Network time source                  UDP/123            NTP
Active Directory      SMC                                  TCP/389, UDP/389   LDAP
Cisco ISE             SMC                                  TCP/443            HTTPS
Cisco ISE             SMC                                  TCP/5222           XMPP
External log sources  SMC                                  UDP/514            SYSLOG
Flow Collector        SMC                                  TCP/443            HTTPS
UDP Director          Flow Collector - sFlow               UDP/6343           sFlow
UDP Director          Flow Collector - NetFlow             UDP/2055*          NetFlow
UDP Director          3rd Party event management systems   UDP/514            SYSLOG
Flow Sensor           SMC                                  TCP/443            HTTPS
Flow Sensor           Flow Collector - NetFlow             UDP/2055           NetFlow
Identity              SMC                                  TCP/2393           SSL
NetFlow Exporters     Flow Collector - NetFlow             UDP/2055*          NetFlow
sFlow Exporters       Flow Collector - sFlow               UDP/6343*          sFlow
SMC                   Cisco ISE                            TCP/443            HTTPS
SMC                   Cisco ISE                            TCP/5222           XMPP
SMC                   DNS                                  UDP/53             DNS
SMC                   Flow Collector                       TCP/443            HTTPS
SMC                   Flow Sensor                          TCP/443            HTTPS
SMC                   Identity                             TCP/2393           SSL
SMC                   Flow Exporters                       UDP/161            SNMP
SMC                   LDAP                                 TCP/636            TLS
User PC               SMC                                  TCP/443            HTTPS

*This is the default port, but any UDP port could be configured on the exporter.
Optional Communication Ports
The following table is for optional configurations determined by your network needs:

From (Client)    To (Server)                          Port      Protocol
All appliances   User PC                              TCP/22    SSH
SMC              3rd Party event management systems   UDP/162   SNMP-trap
SMC              3rd Party event management systems   UDP/514   SYSLOG
SMC              Email gateway                        TCP/25    SMTP
SMC              Threat Intelligence Feed             TCP/443   SSL
User PC          All appliances                       TCP/22    SSH
Stealthwatch Deployment Example
The following diagram shows the various connections used by Stealthwatch. Some of these ports are optional.
Stealthwatch Deployment with Data Store Example
The following diagram shows an example Stealthwatch architecture with a Data Store deployed. See the table for the ports associated with each callout.
The following lists the communication ports to open on your firewall to deploy the Data Store.

#    From (Client)                          To (Server)                            Port       Protocol or Purpose
1    SMC                                    Flow Collectors and Data Nodes         22/TCP     SSH, required to initialize Data Store database
1    Data Nodes                             all other Data Nodes                   22/TCP     SSH, required to initialize Data Store database and for database administration tasks
2    SMC, Flow Collectors, and Data Nodes   NTP server                             123/UDP    NTP, required for time synchronization
2    NTP server                             SMC, Flow Collectors, and Data Nodes   123/UDP    NTP, required for time synchronization
3    SMC                                    Flow Collectors and Data Nodes         443/TCP    HTTPS, required for secure communications between appliances
3    Flow Collectors                        SMC                                    443/TCP    HTTPS, required for secure communications between appliances
3    Data Nodes                             SMC                                    443/TCP    HTTPS, required for secure communications between appliances
4    NetFlow Exporters                      Flow Collectors                        2055/UDP   NetFlow ingestion
5    Data Nodes                             all other Data Nodes                   4803/TCP   inter-Data Node messaging service
6    Data Nodes                             all other Data Nodes                   4803/UDP   inter-Data Node messaging service
7    Data Nodes                             all other Data Nodes                   4804/UDP   inter-Data Node messaging service
8    SMC, Flow Collectors, and Data Nodes   Data Nodes                             5433/TCP   Vertica client connections
9    Data Nodes                             all other Data Nodes                   5433/UDP   Vertica messaging service monitoring
10   sFlow Exporters                        Flow Collectors - sFlow                6343/UDP   sFlow ingestion
11   Data Nodes                             all other Data Nodes                   6543/UDP   inter-Data Node messaging service

See the Data Store Virtual Edition Deployment and Configuration Guide for more information on Data Store communication ports.
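The port tables in this chapter are the input a practitioner actually works from, so the following added example (not Cisco code) turns the Data Store table into data, derives the inbound allow-list for each appliance role, renders it as nftables rules, and probes the TCP ports with a plain socket connect. The role labels, the RFC 1918 addresses in HOSTS and the nftables rendering are this example's own assumptions; the NTP reply row (callout 2, NTP server toward the appliances) is left to the firewall's state table rather than listed as a separate rule.

```python
"""Per-role firewall allow-lists derived from the Data Store port table, plus a
TCP reachability check. Added example, not Cisco code. Role labels, addresses
and the nftables rendering are this example's assumptions."""
import socket
from collections import namedtuple

Rule = namedtuple("Rule", "src dst port proto purpose")

# Transcribed from the Data Store table above (callouts 1-11), one entry per
# client role -> server role. The NTP reply direction is not listed; a
# stateful firewall matches it against the outbound request.
DATA_STORE_RULES = [
    Rule("SMC",              "Flow Collector", 22,   "tcp", "SSH, Data Store initialization"),
    Rule("SMC",              "Data Node",      22,   "tcp", "SSH, Data Store initialization"),
    Rule("Data Node",        "Data Node",      22,   "tcp", "SSH, initialization and DB administration"),
    Rule("SMC",              "NTP server",     123,  "udp", "NTP"),
    Rule("Flow Collector",   "NTP server",     123,  "udp", "NTP"),
    Rule("Data Node",        "NTP server",     123,  "udp", "NTP"),
    Rule("SMC",              "Flow Collector", 443,  "tcp", "HTTPS"),
    Rule("SMC",              "Data Node",      443,  "tcp", "HTTPS"),
    Rule("Flow Collector",   "SMC",            443,  "tcp", "HTTPS"),
    Rule("Data Node",        "SMC",            443,  "tcp", "HTTPS"),
    Rule("NetFlow Exporter", "Flow Collector", 2055, "udp", "NetFlow ingestion"),
    Rule("Data Node",        "Data Node",      4803, "tcp", "inter-Data Node messaging"),
    Rule("Data Node",        "Data Node",      4803, "udp", "inter-Data Node messaging"),
    Rule("Data Node",        "Data Node",      4804, "udp", "inter-Data Node messaging"),
    Rule("SMC",              "Data Node",      5433, "tcp", "Vertica client connections"),
    Rule("Flow Collector",   "Data Node",      5433, "tcp", "Vertica client connections"),
    Rule("Data Node",        "Data Node",      5433, "tcp", "Vertica client connections"),
    Rule("Data Node",        "Data Node",      5433, "udp", "Vertica messaging service monitoring"),
    Rule("sFlow Exporter",   "Flow Collector", 6343, "udp", "sFlow ingestion"),
    Rule("Data Node",        "Data Node",      6543, "udp", "inter-Data Node messaging"),
]

# Constructed addresses; replace with your own. Data Node -> Data Node rules
# apply on eth1, the isolated inter-Data Node LAN (see 2b in the vCenter
# chapter), so use the eth1 addresses there rather than the eth0 ones.
HOSTS = {
    "SMC":              ["10.0.0.10"],
    "Flow Collector":   ["10.0.0.20", "10.0.0.21"],
    "Data Node":        ["10.0.0.31", "10.0.0.32", "10.0.0.33"],
    "NTP server":       ["10.0.0.123"],
    "NetFlow Exporter": ["10.1.0.0/16"],
    "sFlow Exporter":   ["10.1.0.0/16"],
}


def inbound_rules(role):
    """Rules where the given role is the server side."""
    return [r for r in DATA_STORE_RULES if r.dst == role]


def required_ports(role):
    """Set of (proto, port) that must be reachable on an appliance of this role."""
    return {(r.proto, r.port) for r in inbound_rules(role)}


def render_nft(role, hosts=HOSTS):
    """nftables input-chain rules for one role: one 'accept' per client role/port."""
    lines = [f"# {role}: inbound allow-list"]
    for r in inbound_rules(role):
        srcs = ", ".join(hosts[r.src])
        lines.append(f'ip saddr {{ {srcs} }} {r.proto} dport {r.port} accept comment "{r.purpose}"')
    return lines


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def unreachable_tcp_ports(role, host, timeout=2.0):
    """Required TCP ports on an appliance of this role that do not answer.
    UDP ports (NetFlow, sFlow, NTP, inter-Data Node) cannot be probed this way."""
    return sorted(p for proto, p in required_ports(role)
                  if proto == "tcp" and not tcp_port_open(host, p, timeout))


if __name__ == "__main__":
    print("\n".join(render_nft("Data Node")))
    print("unreachable on 10.0.0.31:", unreachable_tcp_ports("Data Node", "10.0.0.31"))
```

Run unreachable_tcp_ports from the SMC against each Flow Collector and Data Node before First Time Setup; the UDP rows still have to be verified by watching for records arriving at the Flow Collector.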
2. Downloading VE Installation Files
Use the following instructions to download the ISO files for your virtual appliance installation. Refer to Installation Files to determine the file type.
Installation Files

Virtual Machine                       Appliance Installation File   Details
3a. VMware vCenter                    ISO                           Installing your virtual appliances using VMware vCenter.
3b. VMware ESXi Stand-Alone Server    ISO                           Installing your virtual appliances on an ESXi stand-alone host server.
3c. KVM and Virtual Machine Manager   ISO                           Installing your virtual appliances using KVM and Virtual Machine Manager.

1. Log in to Cisco Software Central
1. Log in to Cisco Software Central at https://software.cisco.com.
2. In the Download and manage > Download and Upgrade section, select Access downloads.
3. Scroll down until you see the Select a Product field.
4. You can access Stealthwatch files in two ways:
   - Search by Name: Type Stealthwatch in the Select a Product field. Press Enter.
   - Search by Menu: Click Browse All. Select Security > Network Visibility and Segmentation > Stealthwatch.
2. Download Files
1. Select an appliance type.
   - Stealthwatch Management Console Virtual Appliance
   - Stealthwatch Flow Collector Virtual Appliance
   - Stealthwatch Data Node Virtual Appliance
   - Stealthwatch Flow Sensor Virtual Appliance
   - Stealthwatch UDP Director Virtual Appliance
2. Select Stealthwatch System Software.
3. In the Latest Release column, select 7.3.2 (or the version of 7.3.x that you are installing).
4. Download: Locate the ISO installation file. Click the Download icon or Add to Cart icon.
5. Repeat these instructions to download the files for each appliance type.
3a. Installing a Virtual Appliance using VMware vCenter (ISO)
Overview
Use the following instructions to install your virtual appliances using VMware vCenter.
If you plan on deploying Data Nodes as part of a Data Store, review the Data Store Virtual Edition Deployment and Configuration Guide before you begin for full instructions on initializing the Data Store, including proper order of appliance deployment.
To use an alternative method, refer to the following:
l VMware ESXi Stand-Alone Server: Use 3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO).
l KVM: Use 3c. Installing a Virtual Appliance on a KVM Host (ISO).
Before You Begin
Before you begin the installation, complete the following preparation procedures:
1. Compatibility: Review the compatibility requirements in Compatibility.
2. Resource Requirements: Review the Resource Requirements section to determine the required allocations for the appliance. You can use a resource pool or alternative method to allocate resources.
3. Firewall: Configure your firewall for communications. Refer to 1. Configuring your Firewall and Ports.
4. Files: Download the appliance ISO files. Refer to 2. Downloading VE Installation Files for instructions.
5. Time: Confirm the time set on the hypervisor host in your VMware environment (where you will be installing the virtual appliance) shows the correct time. Otherwise, the virtual appliances may not be able to boot up.
Do not install an untrusted physical or virtual machine on the same physical cluster/system as your Stealthwatch appliances.
Do not install VMware Tools on a Stealthwatch virtual appliance because it will override the custom version already installed. Doing so would render the virtual appliance inoperable and require reinstallation.
Installing a Virtual Appliance Using vCenter (ISO)
If you have VMware vCenter (or similar), use the following instructions to install a virtual appliance using the ISO.
Process Overview
Installing a virtual appliance involves completing the following procedures, which are covered in this chapter:
1. Logging in to the VMware Web Client
2a. Configuring the Flow Sensor to Monitor Traffic
2b. Configuring an Isolated LAN for inter-Data Node Communications
3. Installing the Virtual Appliance
4. Defining Additional Monitoring Ports (Flow Sensors only)
1. Logging in to the VMware Web Client
To install the virtual appliance, log in to the VMware Web Client.
Some of the menus and graphics may vary from the information shown here. Please refer to your VMware guide for details related to the software.
1. Log in to your VMware Web Client.

2. You have the following options:
Flow Sensors: If the appliance is a Flow Sensor, go to 2a. Configuring the Flow Sensor to Monitor Traffic.
Data Nodes: If you are deploying Data Nodes, go to 2b. Configuring an Isolated LAN for inter-Data Node Communications.
All Other Appliances: If the appliance is neither a Flow Sensor nor a Data Node, go to 3. Installing the Virtual Appliance.
2a. Configuring the Flow Sensor to Monitor Traffic
The Flow Sensor VE has the ability to provide visibility into VMware environments, generating flow data for areas that are not flow-enabled. As a virtual appliance installed inside each hypervisor host, the Flow Sensor VE passively captures Ethernet frames from the host vSwitch, and it observes and creates flow records containing valuable session statistics that pertain to conversational pairs, bit rates, and packet rates. For details, refer to Flow Sensor VE and Stealthwatch Flow Sensor. Use the following instructions to configure the Flow Sensor VE to monitor traffic on a vSwitch as follows:
- Monitoring a vSwitch with Multiple Hosts
- Monitoring a vSwitch with a Single Host
Monitoring External Traffic with PCI Pass-Through
You can also configure your Flow Sensor VE for direct network monitoring using a compliant PCI pass-through.
- Requirements: igb/ixgbe compliant or e1000e compliant PCI pass-through.
- Resource Information: Refer to Flow Sensor VE.
- Integration: Refer to 1. Configuring your Firewall and Ports.
- Instructions: To add PCI network interfaces to the Flow Sensor VE, refer to your VMware documentation.
Monitoring a vSwitch with Multiple Hosts
Use the instructions in this section to use the Flow Sensor VE to monitor traffic on a Distributed vSwitch that spans multiple VM hosts or clusters. This section applies only to VDS networks. If your network is in a non-VDS environment, go to Monitoring a vSwitch with a Single Host.
Configuration Requirements
This configuration has the following requirements:
- Distributed Virtual Port (dvPort): Add a dvPort group with the correct VLAN settings for each VDS that the Flow Sensor VE will monitor. If the Flow Sensor VE monitors both VLAN and non-VLAN traffic on the network, you need to create two dvPort groups, one for each type.
- VLAN Identifier: If your environment uses a VLAN (other than VLAN trunking or a private VLAN), you need the VLAN identifier to complete this procedure.
- Promiscuous Mode: Enabled.
- Promiscuous Port: Configured to the vSwitch.
Complete the following steps to configure the network using a VDS:
1. Click the Networking icon.
2. In the Networking tree, right-click the VDS.
3. Select Distributed Port Group > New Distributed Port Group.
4. Use the New Distributed Port Group dialog box to configure the port group, including the specifications in the following steps.
5. Select Name and Location: In the Name field, enter a name to identify this dvPort group.
6. Configure Settings: In the Number of Ports field, enter the number of Flow Sensor VEs in your cluster of hosts.

7. Click the VLAN type drop-down list.
   - If your environment doesn't use a VLAN, select None.
   - If your environment uses a VLAN, select the VLAN type. Configure it as follows:

VLAN Type        Detail
VLAN             In the VLAN ID field, enter the number (between 1 and 4094) that matches the identifier.
VLAN Trunking    In the VLAN trunk range field, enter 0-4094 to monitor all VLAN traffic.
Private VLAN     Select Promiscuous from the dropdown list.

8. Ready to Complete: Review the configuration settings. Click Finish.
9. In the Networking tree, right-click the new dvPort group. Select Edit Settings.
10. Select Security.
11. Click the Promiscuous Mode drop-down list. Select Accept.
12. Click OK to close the dialog box.
13. Does the Flow Sensor VE monitor both VLAN and non-VLAN network traffic?
   - If yes, repeat the steps in this section Monitoring a vSwitch with Multiple Hosts.
   - If no, continue to the next step.
14. Is there another VDS in the VMware environment that the Flow Sensor VE will monitor?
   - If yes, repeat the steps in this section Monitoring a vSwitch with Multiple Hosts for the next VDS.
   - If no, go to Configuring an Isolated LAN for inter-Data Node Communications if you are deploying Data Nodes, or 3. Installing the Virtual Appliance if you are not.
Monitoring a vSwitch with a Single Host
Use the instructions in this section to use the Flow Sensor VE to monitor traffic on a vSwitch with a single host.
This section applies only to non-VDS networks. If your network uses a VDS, go to Monitoring a vSwitch with Multiple Hosts.
Configuration Requirements
This configuration has the following requirements:
- Promiscuous Port Group: Add a promiscuous port group for each virtual switch that the Flow Sensor VE will be monitoring.
- Promiscuous Mode: Enabled.
- Promiscuous Port: Configured to the vSwitch.
Configure the Port Group to Promiscuous Mode
Use the following instructions to add a port group, or edit a port group, and set it to Promiscuous.
1. Log in to your VMware ESXi host environment.
2. Click Networking.
3. Select the Port groups tab.
4. You can create a new port group or edit a port group.
   - Create Port Group: Click Add port group.
   - Edit Port Group: Select the port group. Click Edit Settings.
5. Use the dialog box to configure the port group. Configure the VLAN ID or VLAN Trunking:

VLAN Type        Detail
VLAN ID          Use VLAN ID to specify a single VLAN. In the VLAN ID field, enter the number (between 1 and 4094) that matches the identifier.
VLAN Trunking    Use VLAN Trunking to monitor all VLAN traffic. The range defaults to 0-4095.

6. Click the Security arrow.

7. Promiscuous Mode: Choose Accept.

8. Will the Flow Sensor VE be monitoring another virtual switch in this VMware environment?
   - If yes, go back to 2a. Configuring the Flow Sensor to Monitor Traffic, and repeat all the steps for the next virtual switch.
   - If no, go to Configuring an Isolated LAN for inter-Data Node Communications if you are deploying Data Nodes, or 3. Installing the Virtual Appliance if you are not.
2b. Configuring an Isolated LAN for inter-Data Node Communications
If you are deploying Data Nodes VE to your network, configure an isolated LAN with a virtual switch so that the Data Nodes can communicate with each other over eth1 for inter-Data Node communication.
We recommend that you deploy all of your Data Nodes VE on the same ESXi host. If you plan on deploying your Data Nodes VE on separate ESXi hosts, contact Cisco Professional Services for assistance in configuring the isolated LAN.
To configure a vSphere Standard Switch:
1. Log into your VMware host environment.
2. From the VMware Host Client inventory, right-click Networking and click Add standard vSwitch.
3. Enter a vSwitch name.
4. Click Create virtual switch.
5. Do NOT configure physical network cards as uplinks.
6. Select the Cisco Discovery Protocol.
7. Click Add.
8. Go to 3. Installing the Virtual Appliance.
To configure a vSphere Distributed Switch:
1. Log into your VMware host environment.
2. From the menu, select Networking.
3. Right-click a data center and select Distributed Switch > New Distributed Switch.
4. Enter a name, then click Next.
5. Select a distributed switch version based on your ESXi version, then click Next. For example, if you have ESXi 7.0 or later deployed, select 7.0.0.
6. For Number of uplinks, select 0. Do NOT configure physical network cards as uplinks.
7. Select Create a default port group and enter a Port group name.
8. Click Next.
9. Click Finish.
10. Go to 3. Installing the Virtual Appliance.
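A pre-flight check for the vSphere networking that 2a and 2b describe, as an added example that is not Cisco or VMware code. It runs over a constructed inventory, a stand-in for what you would export from vCenter with a tool such as govc or PowerCLI; the field names, VM names, switch names and roles are this example's own assumptions, and the sample deliberately contains four defects so the audit has something to report. It verifies the conditions the steps above set: each monitored vSwitch or VDS has a promiscuous port group with a valid VLAN setting and a Flow Sensor VE actually attached; the isolated Data Node switch has no physical uplinks; each Data Node VE has two adapters, exactly one of them on the isolated switch. It also flags any non-sensor VM attached to a promiscuous port group, because promiscuous mode is a per-port-group policy and every VM on that port group receives the mirrored frames.

```python
"""Pre-flight audit of vSphere networking for the Flow Sensor VE (2a) and the
Data Node isolated LAN (2b). Added example, not Cisco or VMware code. The
inventory is constructed; field names and roles are this example's own."""

# Constructed inventory, the shape you might build from a vCenter export.
# It deliberately contains four problems so the audit has something to report.
SAMPLE = {
    "switches": [
        {"name": "VDS1", "uplinks": 2},
        {"name": "VDS2", "uplinks": 2},
        {"name": "vSwitch-DN", "uplinks": 1},   # must be 0 for the isolated LAN
    ],
    "port_groups": [
        {"name": "Mgmt",       "switch": "VDS1",       "promiscuous": False, "vlan": ("id", 10)},
        {"name": "FS-VDS1",    "switch": "VDS1",       "promiscuous": True,  "vlan": ("trunk", 0, 4094)},
        {"name": "Prod-VDS2",  "switch": "VDS2",       "promiscuous": False, "vlan": ("id", 100)},
        {"name": "DN-Private", "switch": "vSwitch-DN", "promiscuous": False, "vlan": ("none",)},
    ],
    "vms": [
        {"name": "fs-ve-01", "role": "flow_sensor", "nics": ["Mgmt", "FS-VDS1"]},
        {"name": "web-01",   "role": "server",      "nics": ["FS-VDS1"]},        # can sniff
        {"name": "dn-01",    "role": "data_node",   "nics": ["Mgmt", "DN-Private"]},
        {"name": "dn-02",    "role": "data_node",   "nics": ["Mgmt"]},           # no eth1
    ],
    "monitored_switches": ["VDS1", "VDS2"],   # VDS2 has no promiscuous port group
    "isolated_switch": "vSwitch-DN",
}


def vlan_ok(vlan):
    """VLAN settings the 2a tables allow: a single ID 1-4094, a trunk range
    inside 0-4095 (a VDS uses 0-4094, a standard vSwitch defaults to 0-4095),
    a private VLAN in Promiscuous mode, or no VLAN at all."""
    kind = vlan[0]
    if kind == "none":
        return True
    if kind == "id":
        return 1 <= vlan[1] <= 4094
    if kind == "trunk":
        return 0 <= vlan[1] <= vlan[2] <= 4095
    if kind == "pvlan":
        return vlan[1] == "promiscuous"
    return False


def audit(inv):
    """Return a list of findings; an empty list means the layout matches 2a/2b."""
    findings = []
    members = {}  # port group name -> VMs with an adapter on it
    for vm in inv["vms"]:
        for pg in vm["nics"]:
            members.setdefault(pg, []).append(vm)

    # 2a: every monitored switch needs a promiscuous port group, with a valid
    # VLAN setting, that a Flow Sensor VE is actually attached to.
    for sw in inv["monitored_switches"]:
        covered = any(
            pg["switch"] == sw and pg["promiscuous"] and vlan_ok(pg["vlan"])
            and any(vm["role"] == "flow_sensor" for vm in members.get(pg["name"], []))
            for pg in inv["port_groups"])
        if not covered:
            findings.append(f"{sw}: no promiscuous port group with a Flow Sensor VE attached")

    # Promiscuous mode is a per-port-group policy: any VM on that port group
    # receives the mirrored frames, so only Flow Sensor VEs belong there.
    for pg in inv["port_groups"]:
        if pg["promiscuous"]:
            for vm in members.get(pg["name"], []):
                if vm["role"] != "flow_sensor":
                    findings.append(f"{pg['name']}: non-sensor VM {vm['name']} on a promiscuous port group")

    # 2b: the isolated LAN has no physical uplinks, and each Data Node VE has
    # exactly two adapters, one of them on that switch.
    iso = inv["isolated_switch"]
    uplinks = {sw["name"]: sw["uplinks"] for sw in inv["switches"]}
    if uplinks.get(iso, 0) != 0:
        findings.append(f"{iso}: isolated switch has physical uplinks")
    iso_pgs = {pg["name"] for pg in inv["port_groups"] if pg["switch"] == iso}
    for vm in inv["vms"]:
        if vm["role"] == "data_node":
            on_iso = [n for n in vm["nics"] if n in iso_pgs]
            if len(vm["nics"]) != 2 or len(on_iso) != 1:
                findings.append(f"{vm['name']}: needs two adapters, exactly one on {iso}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run the audit again after 3. Installing the Virtual Appliance, once the Flow Sensor and Data Node adapters exist; an empty result is the state the later steps assume.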
3. Installing the Virtual Appliance
Use the following instructions to install a virtual appliance on your hypervisor host and define the virtual appliance management and monitoring ports.
Some of the menus and graphics may vary from the information shown here. Please refer to your VMware guide for details related to the software.
1. Locate the virtual appliance software file (ISO) that you downloaded from Cisco Software Central.
2. Make the ISO available in vCenter. You have the following options:
   - Upload the ISO to a vCenter datastore.
   - Add the ISO to a content library.
   - Keep the ISO on your local workstation, and configure the deployment to reference that file.
   See the VMware documentation for more information.
3. From the vCenter UI, select Menu > Hosts and Clusters.
4. In the navigation pane, right click a cluster or host and select New Virtual Machine... to access the New Virtual Machine wizard.
5. From the Select a creation type window, select Create a new virtual machine, then click Next.
6. From the Select a name and folder window, enter a Virtual machine name, select a location for the virtual machine, then click Next.
7. From the Select a compute resource window, select a cluster, host, resource pool, or vApp to which you will deploy the appliance, then click Next.
8. From the Select storage window, select a VM Storage Policy from the dropdown, then select a storage location, then click Next.
9. From the Select compatibility window, select a virtual machine version from the Compatible with drop-down, based on your current deployed ESXi version. For example, the following screenshot shows ESXi 7.0 and later because ESXi 7.0 is deployed. Click Next.
10. From the Select a guest OS screen, select the Linux Guest OS Family and the Debian GNU/Linux 10 (64-bit) Guest OS Version. Click Next.
11. From the Customize hardware window, configure the virtual hardware. Refer to Resource Requirements for specific recommendations for your appliance type.
This step is critical for system performance. If you choose to deploy Cisco Stealthwatch appliances without the required resources, you assume the responsibility to closely monitor your appliance resource utilization and increase resources as needed to ensure proper health and function of the deployment.

In addition to the resource requirements, select the following settings:
- Click New Hard disk to expand the configuration options. Select Thick Provision Lazy Zeroed from the Disk Provisioning drop-down.
- In the New CD/DVD Drive field, select an ISO location based on where you have stored the ISO. Click New CD/DVD Drive to expand the configuration options. Check Connect At Power On.
- Click New SCSI controller to expand the configuration options. Select LSI Logic SAS from the Change Type drop-down. If you do not select LSI Logic SAS, your virtual appliance may fail to properly deploy.
- If the appliance is a Flow Sensor, and you are configuring 10 Gbps throughput for the NIC, click CPU to expand the configuration options. Configure all Cores per Socket so all CPUs are in one socket.
12. If you are deploying a Data Node virtual appliance, also add a second network adapter. Click Add New Device, then select Network Adapter. For the first network adapter, select a switch that will allow the Data Node VE to communicate on a public network with other appliances. For the second network adapter, select the switch that you created in 2b. Configuring an Isolated LAN for inter-Data Node Communications that will allow the Data Node VE to communicate on a private network with other Data Nodes. Ensure that you properly assign the network adapters and virtual switches for every Data Node in your deployment as you deploy each Data Node.

13. From the Ready to complete window, review your settings, then click Finish.
14. The deployment starts in the background. Monitor the deployment progress in the Recent Tasks section. Make sure the deployment is completed and shown in the Inventory tree before you go to the next steps.
15. Flow Sensors: If the appliance is a Flow Sensor and will be monitoring more than one virtual switch in the VMware environment, or more than one VDS in a cluster, continue with the next section 4. Defining Additional Monitoring Ports (Flow Sensors only).
16. Repeat all of the procedures in 3a. Installing a Virtual Appliance using VMware vCenter (ISO) for the next virtual appliance in your system.
If you have completed installing all virtual appliances in your system, go to 4. Configuring your Environment using First Time Setup.
4. Defining Additional Monitoring Ports (Flow Sensors only)
This procedure is required if the Flow Sensor VE will be monitoring more than one virtual switch in a VMware environment or more than one VDS in a cluster. If this is not the monitoring configuration for your Flow Sensor, go to 4. Configuring your Environment using First Time Setup. To add Flow Sensor VE monitoring ports, complete the following steps:
1. In the Inventory tree, right-click the Flow Sensor VE. Select Edit Settings.

2. Use the Edit Settings dialog box to configure the following specified settings.
3. Click Add New Device. Select Network Adapter.
4. Locate the new network adapter. Click the arrow to expand the menu, and configure the following:
   - New Network: Select an unassigned promiscuous port group.
   - Adapter Type: Select VMXNET 3.
   - Status: Check the Connect at Power On check box.
5. After reviewing the settings, click OK.
6. Repeat this procedure to add another Ethernet adapter as needed.
If you have added all Ethernet adapters, go to 4. Configuring your Environment using First Time Setup.

3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)
Overview
Use the following instructions to install your virtual appliances using a VMware environment with an ESXi Stand-alone server.
If you plan on deploying Data Nodes as part of a Data Store, review the Data Store Installation and Configuration Guide before you begin for full instructions on initializing the Data Store, including proper order of appliance deployment.
To use an alternative method, refer to the following:
- VMware vCenter: Use 3a. Installing a Virtual Appliance using VMware vCenter (ISO).
- KVM: Use 3c. Installing a Virtual Appliance on a KVM Host (ISO).
Before You Begin
Before you begin the installation, complete the following preparation procedures:
1. Compatibility: Review the compatibility requirements in Compatibility.
2. Resource Requirements: Review the Resource Requirements section to determine the required allocations for the appliance. You can use a resource pool or alternative method to allocate resources.
3. Firewall: Configure your firewall for communications. Refer to 1. Configuring your Firewall and Ports.
4. Files: Download the appliance ISO files. Refer to 2. Downloading VE Installation Files for instructions.
5. Time: Confirm the time set on the hypervisor host in your VMware environment (where you will be installing the virtual appliance) shows the correct time. Otherwise, the virtual appliances may not be able to boot up.
Do not install an untrusted physical or virtual machine on the same physical cluster/system as your Stealthwatch appliances.

Do not install VMware Tools on a Stealthwatch virtual appliance because it will override the custom version already installed. Doing so would render the virtual appliance inoperable and require reinstallation.
Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)
Use the following instructions to install your virtual appliances using a VMware environment with an ESXi Stand-alone server.
Process Overview
Installing a virtual appliance involves completing the following procedures, which are covered in this chapter:
1. Logging in to the VMware Web Client
2. Booting from the ISO
Flow Sensors: If the appliance is a Flow Sensor, review Stealthwatch Flow Sensor to understand the additional configuration steps required.
1. Logging in to the VMware Web Client
Some of the menus and graphics may vary from the information shown here. Please refer to your VMware guide for details related to the software.
1. Log in to the VMware Web Client.
2. Click Create/Register a Virtual Machine.
3. Use the New Virtual Machine dialog box to configure the appliance as specified in the following steps.
4. Select Creation Type: Select Create a New Virtual Machine.


5. Select a Name and Guest OS: Enter or select the following:
- Name: Enter a name for the appliance so you can identify it easily.
- Compatibility: Select the version you are using (v6.5 or v6.7).
- Guest OS family: Linux.
- Guest OS version: Select Debian GNU/Linux 10 64-bit.

6. Select Storage: Select an accessible datastore. Review Resource Requirements to confirm you have enough space.

Review Resource Requirements to allocate sufficient resources. This step is critical for system performance.
If you choose to deploy Cisco Stealthwatch appliances without the required resources, you assume the responsibility to closely monitor your appliance resource utilization and increase resources as needed to ensure proper health and function of the deployment.
7. Customize Settings: Enter or select your appliance requirements (refer to Resource Requirements for details).
Make sure you select the following:
- SCSI Controller: LSI Logic SAS
- Network Adapter: Confirm the management address for the appliance.
- Hard Disk: Thick Provisioning Lazy Zeroed
If the appliance is a Flow Sensor, you can click Add Network Adapter to add another management or sensing interface. Refer to Stealthwatch Flow Sensor for details.
If the appliance is a Flow Sensor, and you are configuring 10 Gbps throughput for the NIC, click CPU to expand the configuration options. Configure all CPUs in one socket.
If the appliance is a Data Node, you must add another network interface to allow inter-Data Node communications. Click Add Network Adapter. For the first network adapter, select a switch that will allow the Data Node VE to communicate on a public network with other appliances. For the second network adapter, select the switch that you created in Configuring an Isolated LAN for inter-Data Node Communications that will allow the Data Node VE to communicate on a private network with other Data Nodes.


8. Click the arrow next to Network Adapter.
9. For the Adapter Type, select VMXnet3.
10. Review your configuration settings and confirm they are correct.
11. Click Finish. A virtual machine container is created.
2. Booting from the ISO
1. Open the VMware console.
2. Connect the ISO to the new virtual machine. Refer to the VMware guide for details.
3. Boot the virtual machine from the ISO. It runs the installer and reboots automatically.
4. Once the installation and reboot are completed, you will see the login prompt.


5. Disconnect the ISO from the virtual machine.
6. Repeat all of the procedures in 3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO) for the next virtual appliance.
7. Flow Sensors: If the appliance is a Flow Sensor, review Stealthwatch Flow Sensor and finish the setup using the previous sections of this manual:
- 2a. Configuring the Flow Sensor to Monitor Traffic (use Monitoring a vSwitch with a Single Host)
- If the Flow Sensor will be monitoring more than one virtual switch in the VMware environment, or more than one VDS in a cluster, go to 4. Defining Additional Monitoring Ports (Flow Sensors only).
8. If you have completed installing all virtual appliances in your system, go to 4. Configuring your Environment using First Time Setup.

3c. Installing a Virtual Appliance on a KVM Host (ISO)
Overview
Use the following instructions to install your virtual appliances using KVM and Virtual Machine Manager.
If you plan on deploying Data Nodes as part of a Data Store, review the Data Store Installation and Configuration Guide before you begin for full instructions on initializing the Data Store, including proper order of appliance deployment.
To use an alternative method, refer to the following:
- VMware vCenter: Use 3a. Installing a Virtual Appliance using VMware vCenter (ISO).
- VMware ESXi Stand-Alone Server: Use 3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO).
Before You Begin
Before you begin the installation, make sure you've completed the following procedures:
1. Compatibility: Review the compatibility requirements in Compatibility.
2. Resource Requirements: Review the Resource Requirements section to determine the required allocations for the appliance. You can use a resource pool or alternative method to allocate resources.
3. Firewall: Configure your firewall for communications. Refer to 1. Configuring your Firewall and Ports.
4. Files: Download the appliance ISO files and copy them to a folder on the KVM host. We use the following folder in the example provided in this section: var/lib/libvirt/image. Refer to 2. Downloading VE Installation Files for instructions.
5. Time: Confirm the time set on the hypervisor host in your VMware environment (where you will be installing the virtual appliance) shows the correct time. Otherwise, the virtual appliances may not be able to boot up.

Do not install an untrusted physical or virtual machine on the same physical cluster/system as your Stealthwatch appliances.

Installing a Virtual Appliance on a KVM Host (ISO)
If you have a KVM host, use the following instructions to install a virtual appliance using the ISO.
Process Overview
Installing a virtual appliance involves completing the following procedures, which are covered in this chapter:
Configuring an isolated LAN for Data Nodes
1. Installing a Virtual Appliance on a KVM Host
2. Adding NIC (Data Node, Flow Sensor) and Promiscuous Port Monitoring on an Open vSwitch (Flow Sensors Only)
Configuring an isolated LAN for Data Nodes
If you are deploying Data Nodes VE to your network, configure an isolated LAN with a virtual switch so that the Data Nodes can communicate with each other over eth1 for inter-Data Node communication. See your virtual switch's documentation for more information on creating an isolated LAN.
We recommend that you deploy all of your Data Nodes VE on the same ESXi host. If you plan on deploying your Data Nodes VE on separate ESXi hosts, contact Cisco Professional Services for assistance in configuring the isolated LAN.
1. Installing a Virtual Appliance on a KVM Host
There are several methods to install a virtual machine on a KVM host using an ISO file. The following steps give one example for installing a virtual Stealthwatch Management Console (SMC) through a GUI tool called Virtual Machine Manager running on an Ubuntu box. You can use any compatible Linux distribution. For compatibility details, refer to Compatibility.
Monitoring Traffic
The Flow Sensor VE has the ability to provide visibility into KVM environments, generating flow data for areas that are not flow-enabled. As a virtual appliance installed inside each KVM host, the Flow Sensor VE passively captures Ethernet frames from traffic it observes and creates flow records containing valuable session statistics that pertain to conversational pairs, bit rates, and packet rates. For details, refer to Stealthwatch Flow Sensor: Integrating the Flow Sensor VE into your network.

Configuration Requirements
This configuration has the following requirements:
- Promiscuous Mode: Enabled.
- Promiscuous Port: Configured to an open vSwitch.
Installing a Virtual Appliance on a KVM Host
To install a virtual appliance, and enable the Flow Sensor VE to monitor traffic, complete the following steps:
1. Use Virtual Machine Manager to connect to the KVM Host and configure the appliance as specified in the following steps.
2. Click File > New Virtual Machine.
3. Select Local install media (ISO image or CDROM). Click Forward.

4. Click Use ISO image.
5. Click Browse. Select the appliance image.

6. Select the ISO file. Click Choose Volume. Confirm the ISO file is accessible by the KVM Host.
7. Under Choose an operating system type and version, select Linux from the OS type drop-down list.
8. From the Version drop-down list, select Debian Jessie. Click Forward.

9. Increase the Memory (RAM) and CPUs to the amount shown in the Resource Requirements section. Review Resource Requirements to allocate sufficient resources. This step is critical for system performance. If you choose to deploy Cisco Stealthwatch appliances without the required resources, you assume the responsibility to closely monitor your appliance resource utilization and increase resources as needed to ensure proper health and function of the deployment.

10. Select Create a disk image for the virtual machine.
11. Enter the data storage amount shown for the appliance in the Resource Requirements section. Click Forward.

Review Resource Requirements to allocate sufficient resources. This step is critical for system performance.
If you choose to deploy Cisco Stealthwatch appliances without the required resources, you assume the responsibility to closely monitor your appliance resource utilization and increase resources as needed to ensure proper health and function of the deployment.
12. Assign a Name for the virtual machine. This will be the display name, so use a name that will help you find it later.
13. Check the Customize configuration before install check box.
14. In the Network selection drop-down box, select the applicable network and port group for installation. If this is a Data Node, select a network and port group that will allow the Data Node to communicate on a public network with other appliances.

15. Click Finish. The configuration menu opens.

16. In the navigation pane, select NIC.
17. Under Virtual Network Interface, select e1000 in the Device model drop-down box. Click Apply.
18. Click VirtIO Disk 1.
19. In the Advanced Options drop-down list, select SCSI in the Disk bus drop-down box. Click Apply.
20. Do you need to add additional NICs for monitoring ports on the Flow Sensor VE, or to enable inter-Data Node communications on a Data Node VE?
- If yes, go to 2. Adding NIC (Data Node, Flow Sensor) and Promiscuous Port Monitoring on an Open vSwitch (Flow Sensors Only).
- If no, go to the next step.
21. Click Begin Installation.
22. Go to 4. Configuring your Environment using First Time Setup.

2. Adding NIC (Data Node, Flow Sensor) and Promiscuous Port Monitoring on an Open vSwitch (Flow Sensors Only)
To add additional NICs for the Flow Sensor VE monitoring ports or Data Node VE and to complete the installation, complete the following steps:
1. In the Configuration Menu, click Add Hardware. The Add New Virtual Hardware dialog box displays.
2. In the left navigation pane, click Network.

3. If this is a Flow Sensor, click the Portgroup drop-down list to select an unassigned promiscuous port group you want to monitor. Click the Device Model drop-down list to select e1000. If this is a Data Node, select a network source that will allow for inter-Data Node communication on an isolated LAN, using the configuration that you created in Configuring an isolated LAN for Data Nodes.

4. Click Finish.
5. If you need to add another monitoring port, repeat these instructions.
6. After you have added all monitoring ports, click Begin Installation.

4. Configuring your Environment using First Time Setup
After you install the Stealthwatch VE appliances using VMware or KVM, you are ready to configure the basic virtual environment for them. Select the procedure for your appliance:
- Configuring a Stealthwatch Management Console or Flow Collector
- Configuring a Data Node
- Configuring a Flow Sensor or UDP Director
Configuring a Stealthwatch Management Console or Flow Collector
1. Connect to your Hypervisor host (virtual machine host).
2. In the Hypervisor host, locate your virtual machine.
3. Confirm the virtual machine is powered on.
If the virtual machine does not power on, and you receive an error message about insufficient available memory, do one of the following:
- Resources: Increase the available resources on the system where the appliance is installed. Refer to the Resource Requirements section for details.
- VMware Environment: Increase the memory reservation limit for the appliance and its resource pool.
Review Resource Requirements to allocate sufficient resources. This step is critical for system performance.
If you choose to deploy Cisco Stealthwatch appliances without the required resources, you assume the responsibility to closely monitor your appliance resource utilization and increase resources as needed to ensure proper health and function of the deployment.
4. Access the virtual machine console. Allow the virtual appliance to finish booting up.

5. Log in through the console.
- Login: root
- Default Password: lan1cope
- You will change the default password when you configure the system.
6. At the command prompt, type SystemConfig. Press Enter.
7. Review the failed login attempts information. Select OK to continue.
8. Review the First Time Setup introduction. Select OK to continue.

9. Do you want to deploy a Data Store? Select Yes.
SMC and Flow Collectors: Make sure you select Yes on your SMCs and Flow Collectors.
After you choose to configure your SMC or Flow Collector for use with Data Store, you cannot change this configuration. Select Yes only if you plan to deploy a Data Store to your network.
If you select the wrong choice, deploy a new virtual appliance or RFD your virtual appliance.

10. Do you want to enable Security Analytics and Logging? Select Yes or No.
More Information: If you enable Security Analytics and Logging (OP), you will use your Stealthwatch deployment to store Firepower event information. Note that this disables NetFlow collection on your Flow Collector.
- SMC and Flow Collectors: If you enable Security Analytics and Logging on your SMC, you must enable SAL on the Flow Collector.
- Guide: Refer to the Security Analytics and Logging: Firepower Event Integration Guide for more information.
- App Requirement: If you configure Security Analytics and Logging On Prem, install the Security Analytics and Logging On Prem app on your Stealthwatch Management Console.
After you choose to configure your SMC or Flow Collector for use with Security Analytics and Logging On Prem, you cannot change this configuration. Select Yes only if you plan to use Stealthwatch for Security Analytics and Logging On Prem to store your Firepower event information.
If you select the wrong choice, deploy a new virtual appliance or RFD your virtual appliance.

11. Select OK to confirm your selection.

12. Enter the management interface IP Address, Netmask, Gateway, Broadcast, Host Name, and Domain, then select OK to continue.

13. Confirm your settings. Select Yes to continue.

14. Select OK to confirm your selection. Follow the on-screen prompts to finish the virtual environment and restart the appliance.
15. Press Ctrl + Alt to exit the console.
16. Repeat all the steps in 4. Configuring your Environment using First Time Setup for the next SMC or Flow Collector in your system. If you've configured all SMCs and Flow Collectors in First Time Setup, go to Configuring a Data Node.
Configuring a Data Node
1. Connect to your Hypervisor host (virtual machine host).
2. In the Hypervisor host, locate your virtual machine.
3. Confirm the virtual machine is powered on.
If the virtual machine does not power on, and you receive an error message about insufficient available memory, do one of the following:
- Resources: Increase the available resources on the system where the appliance is installed. Refer to the Resource Requirements section for details.
- VMware Environment: Increase the memory reservation limit for the appliance and its resource pool.

Review Resource Requirements to allocate sufficient resources. This step is critical for system performance.
If you choose to deploy Cisco Stealthwatch appliances without the required resources, you assume the responsibility to closely monitor your appliance resource utilization and increase resources as needed to ensure proper health and function of the deployment.
4. Access the virtual machine console. Allow the virtual appliance to finish booting up.
5. Log in through the console.
- Login: root
- Default Password: lan1cope
- You will change the default password when you configure the system.
6. At the command prompt, type SystemConfig. Press Enter.
7. Review the failed login attempts information. Select OK to continue.

8. Review the First Time Setup introduction. Select OK to continue.


9. Enter the management interface IP Address, Netmask, Gateway, Broadcast, Host Name, and Domain, then select OK to continue.

10. Confirm your settings. Select Yes to continue.

11. Select OK to confirm your selection. Follow the on-screen prompts.
12. Configure a physical port or port channel for inter-Data Node communications. Enter the following:
- IP Address: eth1 interface for inter-Data Node communications with a non-routable IP Address from the 169.254.42.0/24 CIDR block, between 169.254.42.2 and 169.254.42.254. For ease of maintenance, select sequential IP addresses (such as 169.254.42.10, 169.254.42.20, and 169.254.42.30).
- Netmask: 255.255.255.0
- Gateway: 169.254.42.1
- Broadcast: 169.254.42.255
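The eth1 addressing rules in step 12 are easy to get wrong across several Data Nodes (an address reused on two nodes, the gateway address typed as a host address, an address from the wrong /24). The following Python script is an added example, not part of this guide or of the Stealthwatch software: it encodes only the constraints listed above (169.254.42.0/24, usable hosts .2 to .254, gateway .1, netmask 255.255.255.0, broadcast .255, one unique address per node), checks a planned assignment before you type it into the console, and proposes the sequential .10/.20/.30 scheme the guide suggests. The Data Node names in it are constructed.

```python
import ipaddress

# Values stated in the guide for the Data Node eth1 (inter-Data Node) interface.
INTER_NODE_NET = ipaddress.ip_network("169.254.42.0/24")
INTER_NODE_GATEWAY = ipaddress.ip_address("169.254.42.1")
INTER_NODE_FIRST = ipaddress.ip_address("169.254.42.2")    # lowest address you may assign
INTER_NODE_LAST = ipaddress.ip_address("169.254.42.254")   # highest address you may assign
INTER_NODE_NETMASK = "255.255.255.0"
INTER_NODE_BROADCAST = "169.254.42.255"


def validate_eth1_plan(plan):
    """Check a {data_node_name: eth1_ip} plan against the guide's rules.

    Returns a list of problems; an empty list means every address is usable.
    Each address must parse, sit inside 169.254.42.0/24, not be the gateway,
    lie between .2 and .254, and be unique across the Data Nodes.
    """
    problems = []
    assigned = {}  # address -> node name, to catch duplicates
    for node, ip_text in plan.items():
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"{node}: {ip_text!r} is not a valid IP address")
            continue
        if ip not in INTER_NODE_NET:
            problems.append(f"{node}: {ip} is outside {INTER_NODE_NET}")
        elif ip == INTER_NODE_GATEWAY:
            problems.append(f"{node}: {ip} is reserved for the gateway")
        elif ip < INTER_NODE_FIRST or ip > INTER_NODE_LAST:
            problems.append(
                f"{node}: {ip} is outside the usable range "
                f"{INTER_NODE_FIRST}-{INTER_NODE_LAST}"
            )
        if ip in assigned:
            problems.append(f"{node}: {ip} is already assigned to {assigned[ip]}")
        else:
            assigned[ip] = node
    return problems


def suggest_sequential_plan(node_names, step=10):
    """Propose eth1 addresses spaced `step` apart, starting at .10, as the guide
    suggests (169.254.42.10, .20, .30, ...). Raises ValueError if the nodes do
    not all fit at or below .254."""
    plan = {}
    for index, node in enumerate(node_names):
        candidate = INTER_NODE_NET.network_address + step * (index + 1)
        if candidate > INTER_NODE_LAST:
            raise ValueError(f"{len(node_names)} nodes do not fit with step {step}")
        plan[node] = str(candidate)
    return plan


def interface_settings(ip_text):
    """The four values First Time Setup asks for in step 12, for one Data Node."""
    problems = validate_eth1_plan({"node": ip_text})
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "IP Address": ip_text,
        "Netmask": INTER_NODE_NETMASK,
        "Gateway": str(INTER_NODE_GATEWAY),
        "Broadcast": INTER_NODE_BROADCAST,
    }


if __name__ == "__main__":
    # Constructed example: three Data Nodes using the guide's sequential scheme.
    nodes = ["datanode-1", "datanode-2", "datanode-3"]
    plan = suggest_sequential_plan(nodes)
    for node, ip in plan.items():
        print(node, interface_settings(ip))
    print("problems:", validate_eth1_plan(plan))
```

Run it once with the addresses you intend to use on all Data Nodes together rather than one node at a time; the duplicate check only helps when the whole plan is in view, and a duplicate eth1 address is exactly the kind of mistake that does not surface until the Data Store is initialized.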


13. Select OK to continue.
14. Confirm your settings. Select Yes to continue.

15. Follow the on-screen prompts to finish the virtual environment and restart the appliance.
16. Press Ctrl + Alt to exit the console.

17. Repeat all the steps in Configuring a Data Node for the next Data Node in your system.
- If you've configured all Data Nodes in First Time Setup, go to Configuring a Flow Sensor or UDP Director.
- If you've configured all your virtual appliances in First Time Setup, go to 5. Configuring your Stealthwatch System.
Configuring a Flow Sensor or UDP Director
1. Connect to your Hypervisor host (virtual machine host).
2. In the Hypervisor host, locate your virtual machine.
3. Confirm the virtual machine is powered on.
If the virtual machine does not power on, and you receive an error message about insufficient available memory, do one of the following:
- Resources: Increase the available resources on the system where the appliance is installed. Refer to the Resource Requirements section for details.
- VMware Environment: Increase the memory reservation limit for the appliance and its resource pool.
Review Resource Requirements to allocate sufficient resources. This step is critical for system performance.
If you choose to deploy Cisco Stealthwatch appliances without the required resources, you assume the responsibility to closely monitor your appliance resource utilization and increase resources as needed to ensure proper health and function of the deployment.
4. Access the virtual machine console. Allow the virtual appliance to finish booting up.
5. Log in through the console.
- Login: root
- Default Password: lan1cope
- You will change the default password when you configure the system.
6. At the command prompt, type SystemConfig. Press Enter.

7. Review the failed login attempts information. Select OK to continue.

8. Review the First Time Setup introduction. Select OK to continue.

9. Enter the management interface IP Address, Netmask, Gateway, Broadcast, Host Name, and Domain, then select OK to continue.


10. Confirm your settings. Select Yes to continue.

11. Select OK to confirm your selection. Follow the on-screen prompts to finish the virtual environment and restart the appliance.
12. Press Ctrl + Alt to exit the console.
13. Repeat all the steps in 4. Configuring your Environment using First Time Setup for the next virtual appliance in your system.

If you've configured all your virtual appliances in First Time Setup, go to 5. Configuring your Stealthwatch System.

Troubleshooting
Certificate Error
If your VM environment usage is high, there may be a timing error and some events occur out of order. If you receive the following error that permission is denied due to a certificate error (.crt), do the following:

1. Log in to the appliance console as sysadmin. The default password is lan1cope.
You will change the default password when you configure the system. For more information, refer to the Stealthwatch System Configuration Guide.
2. Run the following command:
/lancope/admin/plugins/update/.98-FIX-SECRET-PERMS.sh
3. Run SystemConfig.
4. Return to 4. Configuring your Environment using First Time Setup (starting at step 5) and complete all steps in the section. If you cannot access the appliance, please contact Cisco Stealthwatch Support.
Accessing the Appliance
If you cannot access the appliance after it restarts, do the following:
1. Log in as root.
2. Run the following commands and confirm the docker containers and services are up and running:

- docker ps
- systemctl list-units --failed
- systemd-analyze critical-chain
3. Once all docker containers and services are up and running, try the login again. If you cannot access the appliance, please contact Cisco Stealthwatch Support.
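The three commands above leave it to the reader to eyeball the output. As an added example (not part of this guide or of the appliance software), the following Python script runs them as root on the appliance and decides whether it is ready: every container reported by docker must be Up and systemctl must list no failed units. It assumes only the standard `docker ps --format` and `systemctl --plain --no-legend` output options. The sample outputs embedded in it are constructed, with hypothetical container and unit names, so the parsing can be exercised off the appliance.

```python
import subprocess

# Commands from the troubleshooting steps, with output options that make the
# results easy to parse (both are standard docker and systemctl options).
DOCKER_PS_CMD = ["docker", "ps", "--format", "{{.Names}}\t{{.Status}}"]
FAILED_UNITS_CMD = ["systemctl", "list-units", "--failed", "--plain", "--no-legend"]
CRITICAL_CHAIN_CMD = ["systemd-analyze", "critical-chain"]

# Constructed sample output (not captured from a real appliance) in the shape
# the two commands above produce; container and unit names are hypothetical.
SAMPLE_DOCKER_PS = (
    "example-api\tUp 12 minutes\n"
    "example-db\tUp 12 minutes (healthy)\n"
    "example-worker\tRestarting (1) 5 seconds ago\n"
)
SAMPLE_FAILED_UNITS = "example-sync.service loaded failed failed Example sync job\n"


def parse_docker_status(text):
    """Map container name -> True when docker reports it as Up, else False."""
    status = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, state = line.partition("\t")
        status[name] = state.startswith("Up")
    return status


def parse_failed_units(text):
    """Return the unit names systemctl lists as failed (first column of each line)."""
    return [line.split()[0] for line in text.splitlines() if line.strip()]


def appliance_ready(docker_text, failed_units_text):
    """True only when every container is Up and no systemd unit has failed.

    An empty docker listing counts as not ready: the services have not started
    yet, which is the situation the troubleshooting step is waiting out.
    """
    containers = parse_docker_status(docker_text)
    if not containers:
        return False
    return all(containers.values()) and not parse_failed_units(failed_units_text)


def run(cmd):
    """Run a command on the appliance and return its stdout as text."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def main():
    """Run the three checks (as root on the appliance); exit 0 only when ready."""
    docker_text = run(DOCKER_PS_CMD)
    failed_text = run(FAILED_UNITS_CMD)
    print(run(CRITICAL_CHAIN_CMD))  # boot-ordering tree, printed for the reader
    for name, up in parse_docker_status(docker_text).items():
        print(f"{'UP  ' if up else 'DOWN'} {name}")
    for unit in parse_failed_units(failed_text):
        print(f"FAILED {unit}")
    ready = appliance_ready(docker_text, failed_text)
    print("appliance ready" if ready else "appliance not ready; retry, then contact support")
    return 0 if ready else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Because the exit status reflects the result, the script can be re-run in a loop while the appliance finishes starting; a container that stays in a Restarting state or a unit that stays failed after several passes is what you report to Cisco Stealthwatch Support, rather than a snapshot taken too early.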

5. Configuring your Stealthwatch System
As you deploy your SMC VE, Data Nodes VE, and Flow Collectors VE, configure that appliance using the Stealthwatch System Configuration Guide v7.3.2 and note the following:
- Certificates: Appliances are installed with a unique, self-signed appliance identity certificate.
- Central Management: Use the primary SMC/Central Manager to manage your appliances and change configuration settings.
Make sure that each appliance is Up in Central Management before continuing to the next appliance. After the SMC VE, Data Nodes VE, and Flow Collectors VE are deployed and configured in Stealthwatch, use the Data Store Virtual Edition Deployment and Configuration Guide to initialize the Data Store and configure flow interface statistics data retention.

Contacting Support
If you need technical support, please do one of the following:
- Contact your local Cisco Partner
- Contact Cisco Stealthwatch Support
- To open a case by web: http://www.cisco.com/c/en/us/support/index.html
- To open a case by email: tac@cisco.com
- For phone support: 1-800-553-2447 (U.S.)
- For worldwide support numbers: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwidecontacts.html

Copyright Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

