Configuring Cisco’s FireSIGHT eStreamer Client

Overview

Cisco FireSIGHT Management Center centrally manages network security and operational functions for Cisco ASA with FirePOWER Services and Cisco FirePOWER network security appliances.

Configuring the FireSIGHT eStreamer Client to send flows to Scrutinizer will make the following flow reports available:

  • App Internet HTTP Host
  • Application E-Zone & Sub Type
  • Application I-Zone & Sub Type
  • Firewall List
  • Ingress and Egress Zones
  • User App HTTP Host
  • User App HTTP URL
  • User Application
  • Web App & CoS
  • Web App Event & Rule Details
  • Web App and Source IP

Prerequisites

Minimum required versions are:

  • Scrutinizer v16.2
  • eStreamer 5.4

Required Information

Before starting the eStreamer Client configuration, two pieces of information are needed:

  • Scrutinizer collector’s public IP Address

    • It’s 10.30.11.5 in the example
  • FireSIGHT eStreamer IP Address

    • It’s 10.1.2.70 in the example

Register Scrutinizer with FireSIGHT

Start with the Client configuration in the FireSIGHT Defense Center.

  1. Log into the FireSIGHT Defense Center

    a. For Firepower v5.4: Navigate to System > Local > Registration
       [Screenshot: ../_images/FireSight_image1.jpg]
    b. For Firepower v6.x: Navigate to System > Integration > eStreamer
       [Screenshot: ../_images/eStreamer_config_v6_x.png]

(The remaining steps apply to both versions of Firepower.)

  2. Enable all eStreamer Events, and click the “Save” button at the bottom of the list.

    a. Wait for the page to refresh. It may not give any other indication that a change has been made.
  3. Click on the “(+) Create Client” button on the right.

  4. Enter the Scrutinizer collector’s public IP Address

  5. Enter a password (optional)

    a. If a password is entered, remember it. It will be needed in a later step.
       [Screenshot: ../_images/FireSight_image2.jpg]
  6. Find the newly configured client in the list and click the download button to the right of the client.

    a. Download and save the client certificate
       [Screenshot: ../_images/FireSight_image3.jpg]
  7. License Scrutinizer’s eStreamer Client

    a. Upload the client certificate to /home/plixer/scrutinizer/files/ on the Scrutinizer appliance.

    b. Example:

      scp ~/Downloads/10.30.11.5.pkcs12 plixer@10.30.11.5:/home/plixer/scrutinizer/files/

Configure Scrutinizer’s eStreamer Client

Now it is time to move over to the Scrutinizer collector server and configure the client.

[Screenshot: ../_images/FireSight_image4.jpg (example firesight.ini)]
  1. Create or edit /etc/firesight.ini with contents like the example above, but with details changed to reflect the unique network

    1. There is also a sample file installed with Scrutinizer in /home/plixer/scrutinizer/files/firesight.ini.sample that can be edited and moved to the /etc/ folder.
  2. Scrutinizer’s eStreamer client will reconfigure itself every time a change is saved to firesight.ini. It may be better to edit a separate file and copy it into place when ready.

  3. The eStreamer client will export flows to the collector at CollectorIP and CollectorPort

  4. fdi_templates is the path where the export templates are defined. Use the location provided in the example.

  5. The eStreamer client will connect to the FireSIGHT at the firesight host and port.

  6. pkcs12_file is the location to which the FireSIGHT certificate was uploaded.

  7. pkcs12_password is the certificate password, or blank if a password wasn’t specified.

  8. fs_bind_addr is the eStreamer client address registered with FireSIGHT (Scrutinizer collector IP Address). It must be a bindable address that can route to the eStreamer service.

  9. export_to tells the eStreamer client which collector or collectors will receive exported flows.

  • There can be more than one “collector” and/or “firesight”, but they must have different names.
  • One “collector” can receive flows from multiple “firesights”.
  • One “firesight” can export flows to multiple “collectors”.
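Because the client reconfigures itself on every save of firesight.ini, it pays to verify the values before copying the file into /etc. The pre-flight checker below is an added example and not part of Scrutinizer or FireSIGHT; it uses the page's example addresses, assumes the certificate sits under the scp path shown earlier, and assumes TCP port 8302 for the eStreamer service.

```python
"""Pre-flight checks for the values that go into firesight.ini (added example,
not part of Scrutinizer or FireSIGHT). Verifies the PKCS#12 bundle is in place,
fs_bind_addr is bindable on this host, and the eStreamer host/port accepts TCP."""
import os
import socket


def check_pkcs12_file(path):
    """pkcs12_file: the certificate downloaded from FireSIGHT must be readable and non-empty."""
    return os.path.isfile(path) and os.access(path, os.R_OK) and os.path.getsize(path) > 0


def check_bind_addr(addr):
    """fs_bind_addr: must be configured on this host; binding an ephemeral port proves it."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.bind((addr, 0))
        return True
    except OSError:
        return False


def check_estreamer_reachable(host, port, timeout=3.0):
    """firesight host/port: the eStreamer service must accept a TCP connection from here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_loopback_listener():
    """Helper for local testing only: a listening socket on 127.0.0.1 and its port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


def preflight(pkcs12_file, fs_bind_addr, firesight_host, firesight_port):
    """Run all checks and return a name -> pass/fail mapping."""
    return {
        "pkcs12_file": check_pkcs12_file(pkcs12_file),
        "fs_bind_addr": check_bind_addr(fs_bind_addr),
        "firesight_reachable": check_estreamer_reachable(firesight_host, firesight_port),
    }


if __name__ == "__main__":
    # Addresses from this page's example; port 8302 for eStreamer is an assumption.
    results = preflight("/home/plixer/scrutinizer/files/10.30.11.5.pkcs12",
                        "10.30.11.5", "10.1.2.70", 8302)
    for name, ok in results.items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

Run it on the collector itself, since fs_bind_addr can only be proven bindable from the host that will run the client.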

Wait for Flows

Flows should be observed in Scrutinizer within a minute. Contact Plixer Technical Support if they do not appear after a few minutes.