Since I wrote my last blog on FireSIGHT integration, a lot has changed with Scrutinizer. We have a new WebUI, new reports, and our FireSIGHT integration now works differently. This, of course, means that the way we set up the integration is a bit different as well.

What is FireSIGHT and What Does It Do?

In the words of Cisco, the FireSIGHT Management Center provides total visibility into everything on your network. It allows you to automatically aggregate information generated by the Cisco ASA with FirePOWER services and Cisco FirePOWER physical or virtual appliances deployed on your network. There is a lot this beast can do, so if you’d like to read more, you can view the Cisco document here.


Let’s Get Started.

Before we get carried away, there are a couple of important things we need to think about. First, you will need our Advanced Reporting license in order to run the FirePOWER reports in Scrutinizer. Second, you will need to be using at least FirePOWER eStreamer version 5.4.

FirePOWER Manager

The first step is to register Scrutinizer with FireSIGHT.

  1. Log in to your FireSIGHT Defense Center. With Firepower v5.4, you’ll need to navigate to system > local > registration. With version 6 and higher, this will be under system > integration > eStreamer.
  2. Next, enable all eStreamer Events and click save. In the past, we discouraged checking off all events, in case this would send too much information to Scrutinizer and affect performance. With a newer version of Scrutinizer—16.8 and higher—this is not a concern.
  3. Once you have enabled all events and saved the configuration, click on the “(+) Create Client” button in the upper right corner. The system will ask you for a client IP. Enter the IP of your Scrutinizer server. After the client is saved, click on the green arrow to the right of the hostname IP. This will download the certificate.
  4. Upload the client certificate to Scrutinizer. This can be done with an SCP/SFTP client such as WinSCP. Once you have a connection to the Scrutinizer server, place the client certificate in the directory /home/plixer/scrutinizer/files.

Configuring the Scrutinizer eStreamer Client.

Next, it’s time to dive into Scrutinizer.

We’ll need to edit the firesight.ini file. There is a sample of this file in the directory /home/plixer/scrutinizer/files called firesight.ini.sample. Move this file to /etc/ and rename it firesight.ini. The file should look just like this:

firesight.ini

The CollectorIp will be the IP address of your Scrutinizer server. For CollectorPort, I suggest 2055 or a common port that Scrutinizer already listens on.

Under the “firesight” section, the host IP will be the IP of the FireSIGHT Management Center. The port number will usually be 8302. Next, add the file path to the client certificate you downloaded to Scrutinizer, for example /home/plixer/scrutinizer/files/IPOFSCRUTINIZER.pkcs.12, just as it shows above. The fs_bind_addr will be the IP of Scrutinizer. Export_to should match the name you gave the collector section; above it is named “collector me.” Once you’ve edited all the fields, save the file.
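Because the collector and firesight sections have to agree with each other (Export_to must name the collector section, fs_bind_addr and CollectorIp are both the Scrutinizer server, and the certificate path must point at the uploaded PKCS#12 file), it is worth sanity-checking the file before starting the eStreamer client. The script below is an added example, not Plixer’s code. The section and key names follow the post (CollectorIp, CollectorPort, host, port, fs_bind_addr, Export_to); the key used for the certificate path is called `cert` here, which is an assumption, as are the exact spellings, so adjust them to whatever firesight.ini.sample actually uses. The sample configuration and the IP addresses in it are constructed.

```python
"""Sanity-check a Scrutinizer firesight.ini before starting the eStreamer client.

Added example, not Plixer's code. Key names follow the blog post; the
certificate key `cert` and the exact spellings are assumptions. Compare with
the shipped firesight.ini.sample and adjust.
"""
import configparser
import ipaddress
import os
import stat
import tempfile

# Constructed sample mirroring the post: one collector section named
# "collector me" and one "firesight" section pointing at the management center.
SAMPLE_INI = """\
[collector me]
CollectorIp = 10.0.0.5
CollectorPort = 2055

[firesight]
host = 10.0.0.9
port = 8302
cert = {cert_path}
fs_bind_addr = 10.0.0.5
Export_to = collector me
"""


def load_ini(text):
    """Parse INI text, keeping the key capitalisation used in the post."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # configparser lowercases keys unless told otherwise
    cp.read_string(text)
    return cp


def _valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _valid_port(value):
    return value.isdigit() and 1 <= int(value) <= 65535


def validate(cp):
    """Return a list of findings; an empty list means the file is consistent."""
    findings = []
    if not cp.has_section("firesight"):
        return ["missing [firesight] section"]
    fs = cp["firesight"]

    # Export_to must name an existing collector section.
    target = fs.get("Export_to", "")
    if not cp.has_section(target):
        findings.append(f"Export_to '{target}' does not name a collector section")
    else:
        col = cp[target]
        if not _valid_ip(col.get("CollectorIp", "")):
            findings.append("CollectorIp is not a valid IP address")
        if not _valid_port(col.get("CollectorPort", "")):
            findings.append("CollectorPort is not a valid port")
        # Flows are exported to the local collector, so both addresses should
        # be the Scrutinizer server.
        if fs.get("fs_bind_addr") != col.get("CollectorIp"):
            findings.append("fs_bind_addr differs from CollectorIp")

    if not _valid_ip(fs.get("host", "")):
        findings.append("firesight host is not a valid IP address")
    if not _valid_port(fs.get("port", "")):
        findings.append("firesight port is not a valid port")
    elif fs.get("port") != "8302":
        findings.append("firesight port is not the usual eStreamer port 8302")

    # A PKCS#12 bundle normally carries the client private key, so it must
    # exist and should not be readable by other local users.
    cert = fs.get("cert", "")
    if not os.path.isfile(cert):
        findings.append(f"certificate {cert!r} not found")
    elif os.stat(cert).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"certificate {cert!r} is group/world accessible")
    return findings


def check_sample():
    """Run the validator on the constructed sample with a throwaway cert file."""
    with tempfile.NamedTemporaryFile(suffix=".pkcs12") as fake_cert:
        # NamedTemporaryFile creates the file with mode 0600 on POSIX systems
        cp = load_ini(SAMPLE_INI.format(cert_path=fake_cert.name))
        return validate(cp)


if __name__ == "__main__":
    for line in check_sample() or ["firesight.ini looks consistent"]:
        print(line)
```

Run it on the real file by replacing SAMPLE_INI with the contents of /etc/firesight.ini; a non-empty findings list points at the field to fix before waiting the five to fifteen minutes for flows to appear.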

Now We Wait…

For flows! In five to fifteen minutes, we should begin seeing flows populate in Scrutinizer. Previously, the report options would appear under the loopback icon for Scrutinizer on the status tab. Now they will populate as their own device with the IP of the FireSIGHT module you’re sending flow data from. If you have more than one, you may see multiple FireSIGHT devices appear. Now you will have access to multiple reports based on your FirePOWER data.

FireSIGHT reports

If you’d like to see these reports, but do not have our Advanced Reporting license, follow this link to evaluate! If you’d like to evaluate Scrutinizer—and the trial license does come with Advanced Reporting, by the way—request an evaluation here.

Joanna Buckley


Joanna is a technical support specialist here at Plixer. During the work day, Joanna works with customers from all over the world to resolve their tech issues to assure that they are working with the latest and greatest that Plixer has to offer. Joanna may have a Bachelor of Fine Arts in History from the University of Southern Maine but that hasn't slowed her passion for tech and working with it hands on. Outside of work she enjoys video games, living history, gardening, crafting and working with her second home The Brick Store Museum here in Kennebunk.


2 comments on “FireSIGHT Integration – Updated 2017”

  1. Good stuff! I have this setup. But I am trying to make sense of these reports. What value do the reports provide?

    1. Thanks for the comment! The reports will display the information from the eStreamer events you configured to send to Scrutinizer. For example, if I run a Web App and Source IP report I will be able to see the web application, application the user was using, the source IP and the amount of data used during that conversation. Using this report, I’d be able to see if a particular user was using Google Chrome to browse websites such as The Huffington Post or NPR; those are just examples I took from a report I just ran. This data could be incredibly useful if there is suspicious traffic detected through your Cisco ASA, since now you can use Scrutinizer to dig deeper into the event.

      I hope this helps! If you need further assistance you can always contact us at Plixer technical support and we’d be happy to help out.
