Sensor Deployment Considerations

Placing Sensors on your Network

Sensor Deployment ConsiderationsYou can deploy sensors to collect flow data, or ingest network traffic that is mirrored from a network router or switch, or both. There is no limit on the number of sensors deployed.NOTE: Sensors version 4.0 or greater can collect enhanced NetFlow telemetry. This allows Stealthwatch Cloud to generate new types of observations and alerts. For more information, see the Stealthwatch Cloud Configuration Guide for Enhanced NetFlow.Because network topologies vary greatly, keep the following general guidelines in mind when deploying your sensors:

Determine if you want to deploy sensors to:

collect flow data
ingest mirrored network traffic
have some collect flow data, and others ingest mirrored network traffic
both collect flow data and ingest mirrored network traffic

If collecting flow data, determine what formats your network devices can export, such as NetFlow v5, NetFlow v9, IPFIX, or sFlow.

NOTE: Many firewalls support NetFlow, including Cisco ASA firewalls and Cisco Meraki MX Appliances. Consult with your manufacturer's support documentation to determine if your firewall also supports NetFlow.

Ensure that the network port on the sensor can support the Mirror ports capacity.

Contact support@obsrvbl.com if you need help with deploying multiple sensors to your network.Checking Your Sensor VersionTo ensure you have the most recent sensor deployed on your network (version 4.0), you can check an existing sensor's version from the command line. If you need to upgrade, reinstall the sensor, as described in 6. Boot Media Creation – Physical Appliances Only and 7. Sensor Installation – Physical Appliances and Virtual Machines.

SSH log into the sensor.

At the prompt, enter cat /opt/obsrvbl-ona/version and press Enter. If the console does not display 4.0.0, your sensor is out of date. Download the most recent sensor ISO from the web portal UI, as described in 6. Boot Media Creation – Physical Appliances Only.

Cisco Defense Orchestrator and Sensor DeploymentIf you use Cisco Defense Orchestrator (CDO) and deploy Firepower appliances to your network, you can purchase a Cisco Security Analytics and Logging license (Firewall Analytics and Monitoring or Total Network Analytics and Monitoring) and apply Stealthwatch Cloud dynamic entity modeling to your Firepower event data. See Cisco Security Analytics and Logging for more information.With a Firewall Analytics and Monitoring or Total Network Analytics and Monitoring license, you can associate an existing Stealthwatch Cloud portal with your CDO deployment, or have Cisco provision a new Stealthwatch Cloud portal for you. As you configure Security Analytics and Logging, Cisco automatically provisions a sensor named connection-events, dedicated to your Firepower event data. See Request a Stealthwatch Cloud Portal for more information.Because the Firewall Analytics and Monitoring license applies dynamic entity modeling to Firepower event data only, you do not need to deploy additional Stealthwatch Cloud sensors to your network for this license. In contrast, because the Total Network Analytics and Monitoring license applies dynamic entity modeling to both Firepower event data and on-premises network traffic, to take full advantage of the license capabilities, deploy additional sensors to your network.NOTE: Contact support@obsrvbl.com if you complete your CDO configuration and do not see the connection-events sensor in your Stealthwatch Cloud portal.