Since I wrote my last blog on FireSIGHT integration, a lot has changed with Scrutinizer. We have a new WebUI, new reports, and our FireSIGHT integration now works differently. This, of course, means that the way we set up the integration is a bit different as well.
What is FireSIGHT and What Does It Do?
In the words of Cisco, the FireSIGHT Management Center provides total visibility into everything on your network. It automatically aggregates the information generated by Cisco ASA with FirePOWER services and by the Cisco FirePOWER physical or virtual appliances deployed on your network. There is a lot this beast can do, so if you’d like to read more, you can view the Cisco document here.
Let’s Get Started.
Before we get carried away, there are a couple of important prerequisites. First, you will need our Advanced Reporting license in order to run the FirePOWER reports in Scrutinizer. Second, the FireSIGHT side must be running eStreamer version 5.4 or later.
The first step is to register Scrutinizer with FireSIGHT.
- Log in to your FireSIGHT Management Center (Defense Center). In version 5.4, navigate to System > Local > Registration. In version 6 and higher, the same settings are under System > Integration > eStreamer.
- Next, enable all eStreamer events and click Save. In the past we discouraged checking off every event, because it could send too much information to Scrutinizer and affect performance. With Scrutinizer 16.8 and higher this is no longer a concern.
- Once you have enabled all events and saved the configuration, click the “(+) Create Client” button in the upper right corner. You will be asked for a client IP; enter the IP of your Scrutinizer server. After the client is saved, click the green arrow to the right of the client’s hostname/IP. This downloads the client certificate, a PKCS#12 bundle that contains the client’s private key as well as its certificate, so treat the file as a secret.
- Upload the client certificate to Scrutinizer with an SCP/SFTP client such as WinSCP (because the bundle contains a private key, do not send it over plain FTP). Once you have a connection to the Scrutinizer server, place the certificate in the directory /home/plixer/scrutinizer/files and restrict its permissions so that only the account Scrutinizer runs as can read it (mode 0600 is the target).
Configuring the Scrutinizer eStreamer Client.
Next, it’s time to dive into Scrutinizer.
We’ll need to edit the firesight.ini file. A sample of this file, firesight.ini.sample, lives in /home/plixer/scrutinizer/files. Move it to /etc/ and rename it firesight.ini. The sample shows the two sections you need to fill in: a collector section and a “firesight” section.
In the collector section, CollectorIp is the IP address of your Scrutinizer server. For CollectorPort, I suggest 2055 or another port on which Scrutinizer already listens for flows.
Under the “firesight” section, host is the IP of the FireSIGHT Management Center and port is usually 8302, the eStreamer port. Next, add the full path to the client certificate you uploaded, for example /home/plixer/scrutinizer/files/IPOFSCRUTINIZER.pkcs.12 (the leading slash matters; the path must be absolute). fs_bind_addr is the IP of Scrutinizer, the same address as CollectorIp. export_to must match the name you gave the collector section; in the sample it is “collector me.” Now that you’ve filled in all the fields, save the file.
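Because a typo in any of these fields (a non-existent collector section name, a relative certificate path, a bind address that is not the Scrutinizer box) just results in no flows and no obvious error, it is worth sanity-checking the file before waiting on the collector. The pre-flight checker below is an added example written for this post; it is not Plixer’s code and not part of Scrutinizer. It uses the key names the post mentions (CollectorIp, CollectorPort, host, port, fs_bind_addr, export_to); the key name pkcs12 for the certificate path, the exact “[collector me]” section header and the sample addresses are assumptions, so adjust them to match your firesight.ini.sample.

```python
"""Pre-flight check for a Scrutinizer firesight.ini.

Added example for this post, not Plixer's code. Key and section names that the
post does not spell out (the "pkcs12" key for the certificate path, the exact
"[collector me]" header) are assumptions; adjust them to match your sample file.
"""
import configparser
import ipaddress
import os
import socket

# Keys named in the post for the two sections (pkcs12 is an assumed key name).
FIRESIGHT_KEYS = ("host", "port", "pkcs12", "fs_bind_addr", "export_to")
COLLECTOR_KEYS = ("CollectorIp", "CollectorPort")

# Constructed sample; the addresses are placeholders, not real hosts.
SAMPLE_INI = """\
[collector me]
CollectorIp = 10.0.0.5
CollectorPort = 2055

[firesight]
host = 10.0.0.10
port = 8302
pkcs12 = /home/plixer/scrutinizer/files/10.0.0.5.pkcs12
fs_bind_addr = 10.0.0.5
export_to = collector me
"""


def parse_ini(text):
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep the case of keys such as CollectorIp
    cp.read_string(text)
    return cp


def _check_ip(value, label):
    try:
        ipaddress.ip_address(value)
        return []
    except ValueError:
        return [f"{label}: {value!r} is not a valid IP address"]


def _check_port(value, label):
    if value.isdigit() and 1 <= int(value) <= 65535:
        return []
    return [f"{label}: {value!r} is not a valid TCP/UDP port"]


def check_config(text, cert_exists=os.path.isfile):
    """Return a list of problems; an empty list means the file is consistent.

    cert_exists is injectable so the check can run without the real file.
    """
    cp = parse_ini(text)
    if "firesight" not in cp:
        return ["missing [firesight] section"]
    fs = cp["firesight"]
    missing = [k for k in FIRESIGHT_KEYS if k not in fs]
    if missing:
        return [f"[firesight] missing key(s): {', '.join(missing)}"]

    problems = []
    # export_to must name a collector section that actually exists.
    target = fs["export_to"]
    if target not in cp:
        problems.append(f"export_to = {target!r} but there is no [{target}] section")
    else:
        col = cp[target]
        missing = [k for k in COLLECTOR_KEYS if k not in col]
        if missing:
            problems.append(f"[{target}] missing key(s): {', '.join(missing)}")
        else:
            problems += _check_ip(col["CollectorIp"], f"[{target}] CollectorIp")
            problems += _check_port(col["CollectorPort"], f"[{target}] CollectorPort")
            # Both fields are "the IP of Scrutinizer" per the post, so they should agree.
            if col["CollectorIp"] != fs["fs_bind_addr"]:
                problems.append("fs_bind_addr does not match CollectorIp")

    problems += _check_ip(fs["host"], "[firesight] host")
    problems += _check_port(fs["port"], "[firesight] port")
    problems += _check_ip(fs["fs_bind_addr"], "[firesight] fs_bind_addr")

    cert = fs["pkcs12"]
    if not os.path.isabs(cert):
        problems.append(f"pkcs12 path {cert!r} is not absolute (missing leading '/')")
    elif not cert_exists(cert):
        problems.append(f"certificate {cert} not found on this server")
    return problems


def mode_is_private(mode):
    """True if the permission bits grant nothing to group or other.

    The PKCS#12 bundle holds the client's private key, so 0600 is the target.
    """
    return (mode & 0o077) == 0


def cert_is_private(path):
    return mode_is_private(os.stat(path).st_mode)


def can_reach(host, port, timeout=3.0):
    """Cheap TCP reachability test for the eStreamer port (needs the network)."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    issues = check_config(SAMPLE_INI, cert_exists=lambda p: True)
    print("OK" if not issues else "\n".join(issues))
```

On the real server you would read /etc/firesight.ini into check_config, then call cert_is_private on the pkcs12 path and can_reach on host/port: the first catches a world-readable private key, the second distinguishes a firewall between Scrutinizer and the Management Center from a bad client registration, which is the next thing to look at if flows never appear.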
Now We Wait…
For flows! Within five to fifteen minutes you should see flows populating in Scrutinizer. Previously, the report options appeared under the loopback icon for Scrutinizer on the Status tab. Now each FireSIGHT module you send flow data from appears as its own device, keyed by its IP, so if you have more than one you will see multiple FireSIGHT devices. From there you have access to a number of reports built on your FirePOWER data.
If you’d like to see these reports, but do not have our Advanced Reporting license, follow this link to evaluate! If you’d like to evaluate Scrutinizer—and the trial license does come with Advanced Reporting, by the way—request an evaluation here.