Cisco’s FireSIGHT eStreamer client¶
Cisco FireSIGHT Management Center centrally manages network security and operational functions for Cisco ASA with FirePOWER Services and Cisco FirePOWER network security appliances.
Configuring the FireSIGHT eStreamer Client to send flows to Scrutinizer will make the following flow reports available:
- App Internet HTTP Host
- Application E-Zone & Sub Type
- Application I-Zone & Sub Type
- Firewall List
- Ingress and Egress Zones
- User App HTTP Host
- User App HTTP URL
- User Application
- Web App & CoS
- Web App Event & Rule Details
- Web App and Source IP
Minimum required versions are:
- Scrutinizer v16.2
- eStreamer 5.4
Before starting the eStreamer Client configuration, two pieces of information are needed:
Scrutinizer collector’s public IP Address
- It’s 10.30.11.5 in the example
FireSIGHT eStreamer IP address
- It’s 10.1.2.70 in the example
Register Scrutinizer with FireSIGHT¶
Start with the client configuration in the FireSIGHT Defense Center.
Log into the FireSIGHT Defense Center
- for Firepower v5.4: navigate to System > Local > Registration
(The remaining steps apply to both versions of Firepower.)
Enable all eStreamer Events, and click the Save button at the bottom of the list.
- Wait for the page to refresh. It may not give any other indication that a change has been made.
Click on the (+) Create Client button on the right.
Enter the Scrutinizer collector’s public IP address.
Enter a password (optional)
- If a password is entered, remember it. It will be needed in a later step.
- Find the newly configured client in the list and click the download button to the right of the client. Download and save the client certificate.
License Scrutinizer’s eStreamer Client
Upload the client certificate to the /home/plixer/scrutinizer/files/ directory on the Scrutinizer appliance.
scp ~/Downloads/10.30.11.5.pkcs12 email@example.com:/home/plixer/scrutinizer/files/
Configure Scrutinizer’s eStreamer client¶
Now it is time to move over to the Scrutinizer collector server and configure the client.
Create or edit /etc/firesight.ini with contents like the example above, but with details changed to reflect the unique network
- There is also a sample file installed with Scrutinizer in /home/plixer/scrutinizer/files/firesight.ini.sample that can be edited and moved to the /etc/ folder.
Scrutinizer’s eStreamer client will reconfigure itself every time a change is saved to firesight.ini. It may be better to edit a separate file and copy it into place when ready.
The eStreamer client will export flows to the collector at CollectorIP and CollectorPort
fdi_templates is the path where the export templates are defined. Use the location provided in the example.
The eStreamer client will connect to the FireSIGHT at the firesight host and port.
pkcs12_file is the location FireSIGHT certificate was updated.
pkcs12_password is the certificate password, or blank if a password wasn’t specified.
fs_bind_addr is the eStreamer client address registered with FireSIGHT (Scrutinizer collector IP Address). It must be a bindable address that can route to the eStreamer service.
export_to tells the eStreamer client which collector or collectors will receive exported flows.
- There can be more than one “collector” and/or “firesight”, but they must have different names.
- One “collector” can receive flows from multiple “firesights”.
- One “firesight” can export flows to multiple “collectors”.
Wait for flows¶
Flows should be observed in Scrutinizer within a minute. Contact Plixer technical support if they do not appear after a few minutes.