I'm experimenting with Stealthwatch with my labs.
I currently deployed SMC, FlowCollector and FlowSensor and integrated with Cisco ISE 2.1
For anyone who has deployed Stealthwatch, does Stealthwatch support automatic mitigation for alarms triggered?
I have searched and found some ambiguity in documents.
Attached below is the document I found in Stealthwatch help section
What mitigation device does the document state? Can Stealthwatch do automatic mitigation via Cisco ISE?
The document you are referring to describes a Stealthwatch mitigation capability that was developed to work with the Cisco ASA.
Currently Stealthwatch does not offer 'automatic' mitigation via Cisco ISE. The Stealthwatch host 'Quarantine' function requires that a user submit the request, which is processed via pxGrid and assigns the default remediation policy defined on the ISE to the selected host.
Ah I see, does this mitigation capability still work with ASA? Can't find any documentation on it.
And by the way, my FlowSensor can't make use of its DPI capabilities to sense L7 applications. When I set my flow sensor to point to FlowCollector, in SMC it fell into the Exporters category, not Flow Sensor. Any help?
Hello Andryan, the remote SSH mitigation into an ASA still functions in the Java client. As for the exporter issue, you'll want to double check the Flow Sensor's export settings via its web interface. It's likely set to export as v9 and not IPFIX. Please ensure it's exporting as IPFIX and that should resolve it.
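One way to confirm what the Flow Sensor is actually sending before touching the SMC is to look at the first two bytes of the export datagrams: NetFlow v9 carries version 9 and a 20-byte header (RFC 3954), IPFIX carries version 10 and a 16-byte header (RFC 7011). The script below is an added example written for this thread, not Cisco code or anything from the Stealthwatch documentation; the sample headers are constructed in the script, and the UDP listener assumes you point the sensor at a test host and port of your choosing (the port number is a placeholder you supply).

```python
import socket
import struct
from collections import Counter

# Version numbers carried in the first two bytes of every NetFlow/IPFIX export packet.
NETFLOW_V5 = 5
NETFLOW_V9 = 9   # RFC 3954
IPFIX = 10       # RFC 7011


def identify_export_format(payload: bytes) -> dict:
    """Classify one UDP payload by its flow-export header.

    NetFlow v9 header (20 bytes): version, count, sys_uptime, unix_secs, sequence, source_id.
    IPFIX header (16 bytes): version, length, export_time, sequence, observation_domain_id.
    The template/data sets that follow the header are not decoded here.
    """
    if len(payload) < 2:
        raise ValueError("payload shorter than a version field")
    (version,) = struct.unpack("!H", payload[:2])
    if version == NETFLOW_V9:
        if len(payload) < 20:
            raise ValueError("truncated NetFlow v9 header")
        _, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", payload[:20])
        return {"format": "NetFlow v9", "version": version, "record_count": count,
                "sys_uptime_ms": uptime, "unix_secs": secs, "sequence": seq,
                "source_id": source_id}
    if version == IPFIX:
        if len(payload) < 16:
            raise ValueError("truncated IPFIX header")
        _, length, export_time, seq, odid = struct.unpack("!HHIII", payload[:16])
        # In IPFIX the length field covers the whole message; a mismatch usually means
        # the datagram was truncated in capture or the sender is not really speaking IPFIX.
        return {"format": "IPFIX", "version": version, "length": length,
                "length_ok": length == len(payload), "export_time": export_time,
                "sequence": seq, "observation_domain_id": odid}
    if version == NETFLOW_V5:
        return {"format": "NetFlow v5", "version": version}
    return {"format": "unknown", "version": version}


def build_v9_header(count: int, uptime_ms: int, unix_secs: int, seq: int, source_id: int) -> bytes:
    """Construct a NetFlow v9 header (test data only, no records appended)."""
    return struct.pack("!HHIIII", NETFLOW_V9, count, uptime_ms, unix_secs, seq, source_id)


def build_ipfix_header(length: int, export_time: int, seq: int, odid: int) -> bytes:
    """Construct an IPFIX message header (test data only, no sets appended)."""
    return struct.pack("!HHIII", IPFIX, length, export_time, seq, odid)


def summarize(payloads) -> Counter:
    """Tally the export formats seen across many datagrams."""
    return Counter(identify_export_format(p)["format"] for p in payloads)


def capture_and_classify(port: int, max_packets: int = 20, timeout_s: int = 10) -> Counter:
    """Listen on a UDP port and classify whatever the sensor sends there.

    Run this on a scratch host (or on a port the real collector is not bound to) and
    temporarily point the Flow Sensor's export at it; binding the collector's own port
    on the collector itself would conflict with the running service.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    sock.settimeout(timeout_s)
    seen = []
    try:
        for _ in range(max_packets):
            data, _addr = sock.recvfrom(65535)
            seen.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return summarize(seen)


if __name__ == "__main__":
    # Constructed sample datagrams standing in for what a sensor might emit.
    samples = [
        build_v9_header(5, 123456, 1600000000, 42, 7),
        build_ipfix_header(16, 1600000000, 99, 3),
    ]
    for s in samples:
        print(identify_export_format(s))
    print(summarize(samples))
```

If the tally shows "NetFlow v9" where you expected IPFIX, the SMC will keep listing the device as a plain exporter; once the Flow Sensor's export setting is switched to IPFIX the first two bytes of every datagram should read 0x000a.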
Ah thanks! So much trouble done just for this!!
Does that mean I can finally sit down and wait for the FlowSensor to populate the packets received by itself using DPI?
I have deployed it for almost 2 weeks and all I got in Top Applications are Unclassified HTTP and Unclassified HTTPS.
To clarify, if I didn't deploy FlowSensor at all in my deployment, does it mean I will lose the visibility of applications etc.?
No problem! Make sure the SPAN is correctly configured going into the Flow Sensor’s monitor port, otherwise you will not be able to get DPI working properly. DPI is one method of application verification, the other is via NBAR if you have an exporting device that supports NBAR.
I have set the monitoring port to accept promiscuous mode.
Still unclassified, hmm.