Cisco’s FireSIGHT eStreamer client
Overview
Cisco FireSIGHT Management Center manages network security and operational functions for Cisco ASA with Firepower Services and Cisco Firepower network security appliances. Configuring the FireSIGHT eStreamer client to send flows to Plixer Scrutinizer will make the following flow reports available:
- App Internet HTTP Host
- Application E-Zone & Sub Type
- Application I-Zone & Sub Type
- Firewall List
- Ingress and Egress Zones
- User App HTTP Host
- User App HTTP URL
- User Application
- Web App & CoS
- Web App Event & Rule Details
- Web App and Source IP
Important
The minimum supported version of eStreamer is 5.4.
Registering Plixer Scrutinizer with FireSIGHT
In the configuration example below, the Plixer Scrutinizer collector’s IP address is 10.30.11.5 and the FireSIGHT eStreamer IP address is 10.1.2.70.
- Log into the FireSIGHT Defense Center.
  - For Firepower v5.4: navigate to System > Local > Registration.
  - For Firepower v6.x: navigate to System > Integration > eStreamer.
  (The remaining steps apply to both versions of Firepower.)
- Enable all eStreamer Events and click the Save button at the bottom of the list. Wait for the page to refresh; it may give no other indication that the change has been saved.
- Click on the (+) Create Client button on the right.
- Enter the Scrutinizer collector’s IP address.
- Enter a password (optional). If a password is entered, make sure to remember it. It will be needed in a later step.
- Find the newly configured client in the list and click the download button to the right of the client. Download and save the client certificate.
- License Plixer Scrutinizer’s eStreamer client. Upload the client certificate to the /home/plixer/scrutinizer/files/ directory on the Plixer Scrutinizer appliance, replacing <user> with the SSH account used on the appliance:
scp ~/Downloads/10.30.11.5.pkcs12 <user>@10.30.11.5:/home/plixer/scrutinizer/files/
Configuring Plixer Scrutinizer’s eStreamer client
- SSH into the Plixer Scrutinizer collector server and configure the client.
- Create or edit /etc/firesight.ini, similar to the example above, and change the settings to reflect your network. A starting copy, /home/plixer/scrutinizer/files/firesight.ini, can be edited and then moved to the /etc/ directory.
Note
Plixer Scrutinizer’s eStreamer client will reconfigure itself every time a change is saved to firesight.ini.
- The eStreamer client exports flows to the collector at CollectorIP and CollectorPort.
- fdi_templates is the path where the export templates are defined. Use the location provided in the example.
- The eStreamer client connects to the FireSIGHT at the firesight host and port.
- pkcs12_file is the location to which the FireSIGHT certificate was uploaded.
- pkcs12_password is the certificate password, or blank if no password was specified.
- fs_bind_addr is the eStreamer client address registered with FireSIGHT (the Plixer Scrutinizer collector IP address). It must be a bindable address that can route to the eStreamer service.
- export_to tells the eStreamer client which collector or collectors will receive the exported flows.
Important
There can be more than one collector and/or firesight, but each must have a distinct name. A single collector can receive flows from multiple firesights, and a firesight exporter can send flows to multiple collectors.
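An added example of a complete /etc/firesight.ini for the two hosts used in this page (this is not Plixer’s shipped template): the key names are the ones described in the list above, while the section layout, the collector port 2055, the eStreamer port 8302 and the templates path are assumptions to adjust to your own deployment.

```ini
; Added example, not Plixer's shipped firesight.ini; section names are assumed.
; The file holds pkcs12_password in clear text, so keep it readable by the
; collector account only (for example mode 0600) and out of config backups
; and support tickets.

[collector scrutinizer]
; Where this eStreamer client sends the flows it builds (Scrutinizer collector).
CollectorIP   = 10.30.11.5
CollectorPort = 2055                       ; assumed listening port
fdi_templates = /home/plixer/scrutinizer/files/fdi_templates   ; assumed path

[firesight fmc-lab]
; The FireSIGHT / FMC eStreamer service this client connects to.
host            = 10.1.2.70
port            = 8302                     ; assumed; the usual eStreamer port
; Certificate downloaded from FireSIGHT when the 10.30.11.5 client was created.
pkcs12_file     = /home/plixer/scrutinizer/files/10.30.11.5.pkcs12
pkcs12_password =                          ; blank when no password was set
; Must match the client IP registered with FireSIGHT and be bindable here.
fs_bind_addr    = 10.30.11.5
; Name(s) of the collector section(s) that receive flows from this firesight.
export_to       = scrutinizer
```

Because the client reconfigures itself on every save, edit a copy and move it into place rather than editing /etc/firesight.ini live.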
- Edit the /home/plixer/scrutinizer/env/local_env file and change the following line:
exporter PLIXER_NO_FIRESEER=1
to
exporter PLIXER_NO_FIRESEER=0
Save the changes.
- Restart the flow collector:
service plixer_flow_collector restart
- Wait for flows; they should be visible in Plixer Scrutinizer within a minute. Contact technical support for assistance with troubleshooting.