
May 14, 2020


Agent Management

The following describes how to enable Smart Licensing on your controller and manage agents.

• Managing and Licensing Agents
• Smart Licensing Overview
• Interface Configuration
• Enabling Agents on the Controller
• Configuring Agent Network Settings
• Agent Configuration Templates

Managing and Licensing Agents

After you run the install script, you can register Smart Licensing on your controller, then enable the managed agents.

Step 1 Log into the controller and register Smart Licensing. See Smart Licensing Overview, on page 1 for more information.
Step 2 Enable your agents on the controller. See Enabling Agents on the Controller, on page 9 for more information.

Smart Licensing Overview

To deploy the Learning Network License, you must register your controller with Cisco Smart Licensing. If you do not, your deployment enters Evaluation Mode, a 90-day trial which limits you to a maximum of 10 managed agents, and disables new functionality when the 90 days expire.

Cisco Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, Smart Licenses are not tied to a specific serial number or license key. Smart Licensing lets you assess your license usage and needs at a glance.

Cisco Stealthwatch Learning Network License Virtual Service Installation Guide, Version 1.1 1


In addition, Smart Licensing does not prevent you from deploying agents. You can deploy an agent and purchase the license later. This allows you to deploy and use an agent, and avoid delays due to purchase order approval.

Smart Software Manager

When you purchase one or more Smart Licenses, you manage them in the Cisco Smart Software Manager: http://www.cisco.com/web/ordering/smart-software-manager/index.html. The Smart Software Manager lets you create a master account for your organization.

By default, your licenses are assigned to the Default Virtual Account under your master account. As the account administrator, you can create additional virtual accounts; for example, for regions, departments, or subsidiaries. Multiple virtual accounts help you manage large numbers of licenses and appliances.

You manage licenses and appliances by virtual account. Only that virtual account's appliances can use the licenses assigned to the account. If you need additional licenses, you can transfer an unused license from another virtual account. You can also transfer appliances between virtual accounts.

For each virtual account, you can create a Product Instance Registration Token. Enter this token ID when you register a controller. You can create a new token if an existing token expires. An expired token does not affect a registered controller that used this token for registration, but you cannot use an expired token to register a controller. Also, a registered controller becomes associated with a virtual account based on the token you use. You can also create a new token, and use it to reregister even if the current token is still valid.

For more information about the Cisco Smart Software Manager, see Cisco Smart Software Manager User Guide.

Smart License Types

Each Learning Network License component has a corresponding license entitlement, as described in the following table:

Table 1: Smart License Entitlement Types

| Learning Network License Component | License Entitlement and Description | Associated File Downloads and Description |
|---|---|---|
| controller | L-SW-SCA-K9 - SCA Virtual Manager | sln-sca-k9-<ver>.ova - single controller OVA |
| agent deployed as a virtual service on an ISR 43XX | L-SW-LN-43-1Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 1 Yr Term; L-SW-LN-43-3Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 3 Yr Term | sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD; sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash |
| agent deployed as a virtual service on an ISR 44XX | L-SW-LN-44-1Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 1 Yr Term; L-SW-LN-44-3Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 3 Yr Term | sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD; sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash |
| agent installed on a UCS E-Series blade server | L-SW-LN-UCS-1Y-K9 - Cisco Stealthwatch Learning Network License for UCS Series 1 Yr Term; L-SW-LN-UCS-3Y-K9 - Cisco Stealthwatch Learning Network License for UCS Series 3 Yr Term | sln-dla-ucse-k9-<ver>.ova - agent deployed to a UCS E-Series blade server |

You must obtain one license entitlement for each controller and agent deployed to your environment.

The controller web UI displays license entitlement counts for your agents. When you enable a managed agent with the controller, the Smart Licensing Agent automatically requests a license entitlement for that agent, specific to that installation type. It also updates the license count. Similarly, when you disable a managed agent from the controller, the Smart Licensing Agent requests to free the license entitlement, and updates the license count.

For more information on Smart Licensing, see http://www.cisco.com/web/ordering/smart-software-manager/smart-accounts.html.

Smart Licensing Configuration

By default, the controller connects directly to the Licensing Authority servers. You can configure the sa.properties Smart Licensing configuration file to connect to the Licensing Authority servers through an HTTP or HTTPS proxy server.

By default, the controller logs information about Smart Licensing. You can disable this in the sa.properties configuration file.

Smart Licensing Configuration File Settings

If you want to change how your controller connects to the Licensing Authority servers, you can configure an HTTP proxy or HTTPS proxy. You cannot configure more than one.

Table 2: sa.properties Configuration File Settings

| Field | Description | Allowed Values |
|---|---|---|
| PRODUCT_SN | A globally unique identifier for the controller generated by the system during the installation process | not configurable, do not modify this property even if blank |
| HTTP_PROXY_HOST | URL of the HTTP proxy used to connect to the Licensing Authority servers | URL of the HTTP proxy. Do not configure this if you configured HTTPS_PROXY_HOST. |
| HTTP_PROXY_PORT | HTTP proxy port used to connect to the Licensing Authority servers | HTTP proxy port. Do not configure this unless you configured HTTP_PROXY_HOST. |
| HTTPS_PROXY_HOST | URL of the HTTPS proxy used to connect to the Licensing Authority servers | URL of the HTTPS proxy. Do not configure this if you configured HTTP_PROXY_HOST. |
| HTTPS_PROXY_PORT | HTTPS proxy port used to connect to the Licensing Authority servers | HTTPS proxy port. Do not configure this unless you configured HTTPS_PROXY_HOST. |
| LOGGER_ON | Whether Smart Licensing logging is enabled or disabled | true to enable logging, false to disable logging |

Updating the Smart Licensing Configuration File

Before You Begin

• Log into the controller VM console.

SUMMARY STEPS

1. cd ~/SCA/services/sa-server

2. sudo vi sa.properties, then enter your password when prompted

3. You have the following options:

• To connect to the License Authority servers through an HTTP proxy, configure the HTTP_PROXY_HOST setting with the HTTP proxy URL, and optionally configure the HTTP_PROXY_PORT setting with a port to use.

• To connect to the License Authority servers through an HTTPS proxy, configure the HTTPS_PROXY_HOST setting with the HTTPS proxy URL, and optionally configure the HTTPS_PROXY_PORT setting with a port to use.

4. If you want to disable Smart Licensing logging, update LOGGER_ON to false.

5. Press Esc, then enter :wq! and press Enter.

6. more sa.properties, to review the file for errors


DETAILED STEPS

Step 1
Command or Action: cd ~/SCA/services/sa-server
Purpose: Change directories to the /sa-server directory.
Example:
user@host:~$ cd ~/SCA/services/sa-server

Step 2
Command or Action: sudo vi sa.properties, then enter your password when prompted
Purpose: Open the sa.properties in the vi text editor with super user privileges.
Example:
user@host:~/SCA/services/sa-server$ sudo vi sa.properties

Step 3
Command or Action: You have the following options:

• To connect to the License Authority servers through an HTTP proxy, configure the HTTP_PROXY_HOST setting with the HTTP proxy URL, and optionally configure the HTTP_PROXY_PORT setting with a port to use.

• To connect to the License Authority servers through an HTTPS proxy, configure the HTTPS_PROXY_HOST setting with the HTTPS proxy URL, and optionally configure the HTTPS_PROXY_PORT setting with a port to use.

Purpose: Update the configuration file to change the Smart Licensing servers connection method.
Example:
HTTP_PROXY_HOST = <http-proxy-url>
HTTP_PROXY_PORT = <http-proxy-port>
Example:
HTTPS_PROXY_HOST = <https-proxy-url>
HTTPS_PROXY_PORT = <https-proxy-port>

Step 4
Command or Action: If you want to disable Smart Licensing logging, update LOGGER_ON to false.
Purpose: Update the configuration file to disable logging.
Example:
LOGGER_ON = false

Step 5
Command or Action: Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and exit the editor.

Step 6
Command or Action: more sa.properties, to review the file for errors
Purpose: Open the file in read-only mode to review the entries for errors.
Example:
user@host:~/SCA/services/sa-server$ more sa.properties
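The rules in the sa.properties settings table (only one proxy type, a port only with its host, PRODUCT_SN left untouched, LOGGER_ON true or false) can be checked mechanically instead of by eye in Step 6. The following POSIX shell lint is an added example, not part of the Cisco guide; it assumes one KEY = value per line as in the examples above, and the baseline copy taken before editing, the script name and proxy.example.test are hypothetical.

```shell
#!/bin/sh
# Lint sa.properties against the Table 2 rules before restarting the controller.
# Assumed format (from the page's examples): one "KEY = value" per line.

# prop_get FILE KEY: print the trimmed value of the last KEY line (empty if unset).
prop_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

fail() { echo "ERROR: $*"; errors=$((errors + 1)); }

# check_port NAME VALUE HOSTKEY HOSTVALUE: a port needs its host and must be 1-65535.
check_port() {
    if [ -z "$2" ]; then return 0; fi
    if [ -z "$4" ]; then fail "$1 is set but $3 is not"; fi
    case $2 in
        *[!0-9]*|??????*) fail "$1 '$2' is not a port number"; return 0 ;;
    esac
    if [ "$2" -lt 1 ] || [ "$2" -gt 65535 ]; then fail "$1 '$2' is outside 1-65535"; fi
}

# check_sa_properties FILE [BASELINE]: 0 = clean, 1 = rule violations, 2 = unreadable.
# BASELINE (hypothetical) is a copy of the file taken before editing.
check_sa_properties() {
    file=$1; baseline=${2:-}; errors=0
    if [ ! -r "$file" ]; then echo "ERROR: cannot read $file"; return 2; fi

    http_host=$(prop_get "$file" HTTP_PROXY_HOST)
    https_host=$(prop_get "$file" HTTPS_PROXY_HOST)
    if [ -n "$http_host" ] && [ -n "$https_host" ]; then
        fail "HTTP_PROXY_HOST and HTTPS_PROXY_HOST are both set; configure only one"
    fi
    check_port HTTP_PROXY_PORT "$(prop_get "$file" HTTP_PROXY_PORT)" HTTP_PROXY_HOST "$http_host"
    check_port HTTPS_PROXY_PORT "$(prop_get "$file" HTTPS_PROXY_PORT)" HTTPS_PROXY_HOST "$https_host"

    case $(prop_get "$file" LOGGER_ON) in
        true|'') ;;
        false) echo "WARN: LOGGER_ON = false, Smart Licensing logging is disabled" ;;
        *) fail "LOGGER_ON must be true or false" ;;
    esac

    # PRODUCT_SN is system-generated and must stay as installed, even if blank.
    if [ -n "$baseline" ] && [ -r "$baseline" ] &&
       [ "$(prop_get "$file" PRODUCT_SN)" != "$(prop_get "$baseline" PRODUCT_SN)" ]; then
        fail "PRODUCT_SN differs from $baseline"
    fi

    if [ "$errors" -gt 0 ]; then return 1; fi
    return 0
}

# Constructed sample that breaks two rules: both proxies set, port out of range.
demo() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/sa.XXXXXX") || return 2
    cat > "$tmp" <<'EOF'
PRODUCT_SN =
HTTP_PROXY_HOST = proxy.example.test
HTTP_PROXY_PORT = 8080
HTTPS_PROXY_HOST = proxy.example.test
HTTPS_PROXY_PORT = 99999
LOGGER_ON = false
EOF
    check_sa_properties "$tmp"; demo_rc=$?
    rm -f "$tmp"
    return "$demo_rc"
}

# Usage: sh check_sa.sh sa.properties [baseline]; with no arguments, run the demo.
if [ "$#" -gt 0 ]; then check_sa_properties "$@"; else demo || :; fi
```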


What to Do Next

• Restart the controller processes, as described in the next section.

Restarting the Controller Processes

SUMMARY STEPS

1. cd ~/SCA

2. sudo service ciscosln-sca restart

DETAILED STEPS

Step 1
Command or Action: cd ~/SCA
Purpose: Change to the /SCA directory.
Example:
user@host:~$ cd ~/SCA

Step 2
Command or Action: sudo service ciscosln-sca restart
Purpose: Restart the controller processes.
Example:
user@host:~/SCA$ sudo service ciscosln-sca restart

Logging into the Controller Web UI

When you installed the controller, you defined an IP address for the controller web UI, and reset the administrator user account (admin) password. Log in with the temporary password printed to the controller VM console. After you log in once, you must change the password and confirm the new password.

In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username and password when prompted.

Registering the Controller Instance

Before You Begin

• Obtain a registration token from the Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html).


• Log into the controller web UI.

Step 1 Select Dashboard.
Step 2 Click Smart Licensing.
Step 3 Click Register.
Step 4 Paste your registration token into the Smart Software Licensing Product Registration field.
Step 5 If you want to use a registration token and the current token is still valid, check Reregister this product instance if it is already registered.
Step 6 Click Register.

Interface Configuration

When you configure a Network Element's interface, select a traffic direction, whether you want to enable mitigations on the interface, and whether you want to enable packet buffer capture (PBC) or deep packet inspection (DPI).

Note: Subinterface configuration of PBC/DPI is not supported on 4000 Series ISRs.

Interface Traffic Direction

The Direction you select for an interface determines how the agent tracks traffic origin from within or outside the branch, populates clusters, and models traffic to identify anomalies. Label each interface based on the following guidelines:

• An Internal interface faces the branch and branch hosts. The system applies Learning Network License-related NetFlow on this interface.

• An External interface faces the core. This interface passes traffic outside the branch, including other branches, headquarters, or the Internet.

• An Unconfigured interface does not qualify as either Internal or External. It is unused, or there is a reason you do not want to monitor the traffic over this interface.

An agent monitors traffic, and creates clusters of hosts with similar characteristics. The agent clusters external hosts, those residing on External interfaces, separately from internal hosts, those residing on Internal interfaces. Traffic between clusters is monitored for anomaly detection.

The agent monitors traffic to or from branch hosts. All traffic to or from an Internal interface, which represents the branch host traffic, is modeled for anomaly detection purposes. Traffic that does not involve an Internal interface is not modeled. See the following table for more information.


Table 3: Interface Direction and Modeled Traffic

| | ...to an Internal interface... | ...to an External interface... | ...to an Unconfigured interface... |
|---|---|---|---|
| Traffic from an Internal interface... | ...is modeled and inspected for anomalous traffic. | ...is modeled and inspected for anomalous traffic. | ...is modeled and inspected for anomalous traffic. |
| Traffic from an External interface... | ...is modeled and inspected for anomalous traffic. | ...is not modeled and inspected for anomalous traffic. | ...is not modeled and inspected for anomalous traffic. |
| Traffic from an Unconfigured interface... | ...is modeled and inspected for anomalous traffic. | ...is not modeled and inspected for anomalous traffic. | ...is not modeled and inspected for anomalous traffic. |

Enable Mitigation

You can enable mitigation on Ethernet interfaces and most tunnel interfaces. The system does not support enabling mitigation on tunnel interfaces with multipoint GRE (mGRE) enabled.

Cisco recommends you enable mitigation on all enabled and supported interfaces, regardless of traffic direction. This provides maximum protection if the agent detects an anomaly, and you want to install a QoS policy on the Network Element to prevent the anomaly from being forwarded. If you configure a mitigation tailored to this anomalous traffic, the system installs the corresponding QoS policy on all Network Element interfaces on which you enabled mitigation.

Note: By default, the system checks the Enable Mitigation checkbox for all Ethernet and non-mGRE tunnel interfaces.

If your router interface has subinterfaces, and already has a quality of service (QoS) policy installed at the parent interface level, you can only enable mitigation policies at the parent level for that interface family. Similarly, if the subinterfaces have a QoS policy installed, you can only enable mitigation policies at the subinterface level for that interface family. If you enable a mitigation on a subinterface, the system automatically enables the mitigation on all sibling subinterfaces.

If the interface family does not have a QoS policy installed, you can install a mitigation at the parent interface or subinterface level. Once you configure a mitigation for a parent interface or a subinterface, however, you can only subsequently create mitigations at that level for the interface family.

Enable PBC/DPI

You can enable PBC or DPI on any interface with the word Ethernet in its name, with the following exceptions:

• You can only enable PBC or DPI on a G2 ISR interface if you did not configure it to export IP traffic (ip traffic-export). If you configured IP traffic export on the interface, remove the configuration from the interface before enabling PBC and DPI.

• You can only enable PBC or DPI on a 4000 Series ISR parent interface.

This allows you to capture and download PCAP files, or capture DNS query information from traffic.


Note: On a G2 ISR, if you enable PBC or DPI on a parent interface, the system also enables it for all sub-interfaces. Similarly, if you enable PBC or DPI on a G2 ISR sub-interface, the system also enables it for the parent interface and all sibling subinterfaces.

Enabling Agents on the Controller

If you do not register your controller with Smart Licensing before you enable agents, your deployment is in Evaluation Mode, and you are limited to managing 10 agents with your controller for 90 days.

When you register your controller with Smart Licensing and enable the agents, ensure you have enough license entitlements.

Before You Begin

• Log into the controller web UI.

Step 1 Select AGENTS.
Step 2 For each managed agent, click Enable, then click Continue to enable the agent.

Configuring Agent Network Settings

You can update an agent's network settings, including the host router's IP address and directionality of the router's interfaces.

Before You Begin

• See Interface Configuration, on page 7 for information on configuring your agents.

Step 1 Select AGENTS.
Step 2 Click Configure next to an agent.
Step 3 Enter the VirtualPortGroup1 virtual service eth0 IPv4 address in the Network Element IP field.
Step 4 Click the expand icon next to an interface to view the router interface configuration.
Step 5 For an interface, choose from the drop-down:

• Internal if the interface faces the branch (generally, if NetFlow is configured on the interface)

• External if the interface faces the core (generally, if the interface is passing traffic)


• Unconfigured if your interface is unused, or the interface faces neither the branch nor the core

Step 6 Check Enable mitigation to apply mitigation actions to this interface.
Step 7 If you want to capture raw packet data and send it from the network element to the agent, take the following steps:

• Check Enable PBC/DPI on one or more interfaces to enable raw packet capture.

• Select a network element interface from the Raw Packet Tx Interface (on NE) drop-down on which the network element passes raw packets to the agent.

• Select an agent interface from the Raw Packet Rx Interface (on Agent) drop-down on which the agent receives raw packets from the network element.

Step 8 If you want to enable the packet buffer capture (PBC) feature, check Enable PBC. You must enable capturing raw packet data.
Step 9 If you want to capture DNS query information, check Enable DPI/DPS. You must enable capturing raw packet data.
Step 10 Click Submit.
Step 11 Click Submit.
Step 12 If you want to create a template to apply this configuration to other agents, click Create template.

What to Do Next

• Allow the system time to perform the initial learning phase, as described in Initial Learning Phase Overview.

Agent Configuration Templates

After you configure an agent, you can save a configuration template with that agent's configured settings. If you apply that template to another agent, the system updates the agent's configuration with those saved settings. You can apply a configuration template to one agent at a time.


Applying a Template to an Agent

Before You Begin

• Configure at least one agent and create a configuration template.

Step 1 Select AGENTS.
Step 2 Check the checkbox for one agent.
Step 3 Enter a template name in the Select a configuration template to apply field. The field updates to show matching results as you type.
Step 4 Click Apply configuration to selected Agent, then confirm your selection.
