Cisco CESA NVM Configuration

Cisco Endpoint Security Analytics (CESA) is built on the Network Visibility Module (NVM) of Cisco AnyConnect / Cisco Secure Client. The NVM agent on an endpoint exports per-flow telemetry (process, user, interface and destination for every connection) to a central flow collector. In this post we configure the NVM module on a Windows endpoint to send that flow data to a collector such as Cisco Secure Network Analytics (formerly Stealthwatch).

Cisco NVM configuration step by step:

Step 1> Install the Cisco Secure Client pre-deploy package on the machine. Download the pre-deploy file from the Cisco website; for this post we used the “cisco-secure-client-win-5.0.03076-predeploy-k9” package. During setup, select the highlighted Network Visibility Module component; the “Diagnostic and reporting tool” is optional.

Cisco NVM installation

Step 2> Download and install the Profile Editor from the Cisco website. In this post we used the “tools-cisco-secure-client-win-5.0.03076-profileeditor-k9.msi” profile editor.

Step 3> Check the NVM listener on the flow collector. In the flow collector GUI navigate to Support > Advanced Settings and confirm that enable_nvm is set to enabled.

flow collector nvm service check

Note the port configured on the collector for receiving NVM records; the endpoint profile must point at the same port.

Step 4> Open the NVM profile editor (Network Visibility Module Profile Editor) and configure the profile as below.

Enter the IP address of the flow collector and the port number, select the collection criteria, and decide on the Secure checkbox. Secure enables DTLS between the endpoint and the collector; we leave it unchecked here because this is a lab setup, which means flow records leave the endpoint unencrypted. For production, enable it if your collector supports DTLS, otherwise anyone on the path can read the process, user and destination data in the export.

cisco nvm profile configuration

Configure Data collection policy: click Add and select the network type (trusted, untrusted, or both) for which flow data should be collected. Under include/exclude, filter the fields as needed.

Define Trusted network detection: this is the IP address of an internal server (with the expected certificate details) that is reachable only from inside the corporate network. The agent probes it to decide whether the machine is currently on a trusted network, which in turn selects the collection policy applied.

trusted network configuration

Save the file under the path “C:\ProgramData\Cisco\Cisco Secure Client\NVM” with the name “NVM_ServiceProfile” (the editor writes it as NVM_ServiceProfile.xml). The agent only loads a profile with this exact name and location.

file saved under the specific path.

How to verify if the CESA is working?

Open Task Manager and, under Services, look for the csc_nvmagent service and confirm it is running. We can also start Wireshark on the endpoint, capture traffic in and out of the machine, and filter on the collector IP and port to check whether the endpoint is actually sending flow records to the collector.

check running status.
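The checks above can be scripted for rollouts across many endpoints. The following PowerShell is an added example, not code from the original post or from Cisco: it verifies the service state, reads the installed profile and reports the collector address, port and whether Secure (DTLS) is enabled. The service name csc_nvmagent and the profile path are the ones used in this post; the element names CollectorConfiguration / CollectorIP / Port / Secure and the collector address 192.0.2.10 in the embedded sample are assumptions, and the sample is only used when no real profile exists on disk.

```powershell
# Added example: post-install verification of the Cisco Secure Client NVM module.
# Run in an elevated PowerShell on the endpoint. Names below are assumptions
# taken from this post (service name, profile path) and should be adjusted
# to match your deployment.

$ProfilePath = 'C:\ProgramData\Cisco\Cisco Secure Client\NVM\NVM_ServiceProfile.xml'
$ServiceName = 'csc_nvmagent'

# Constructed sample profile (assumed element names), used only when the real
# file is absent so the script can be exercised on a machine without the agent.
$SampleProfile = @'
<?xml version="1.0" encoding="UTF-8"?>
<NVMProfile>
  <CollectorConfiguration>
    <CollectorIP>192.0.2.10</CollectorIP>
    <Port>2055</Port>
    <Secure>false</Secure>
  </CollectorConfiguration>
</NVMProfile>
'@

function Get-NvmCollectorConfig {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) {
        [xml]$doc = Get-Content -LiteralPath $Path -Raw
        $source = $Path
    } else {
        [xml]$doc = $SampleProfile
        $source = 'constructed sample (no profile found on disk)'
    }
    $cfg = $doc.NVMProfile.CollectorConfiguration
    [pscustomobject]@{
        Source      = $source
        CollectorIP = [string]$cfg.CollectorIP
        Port        = [int]$cfg.Port
        # Secure=true means the agent uses DTLS to the collector.
        Secure      = (([string]$cfg.Secure).Trim().ToLower() -eq 'true')
    }
}

function Get-NvmServiceState {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    return [string]$svc.Status
}

# --- Run the checks and print a summary -------------------------------------
$state = Get-NvmServiceState -Name $ServiceName
Write-Host "Service $ServiceName : $state"
if ($state -ne 'Running') {
    Write-Warning "NVM agent is not running; no flow records will be exported."
}

$cfg = Get-NvmCollectorConfig -Path $ProfilePath
Write-Host "Profile source : $($cfg.Source)"
Write-Host "Collector      : $($cfg.CollectorIP):$($cfg.Port)"
if (-not $cfg.Secure) {
    Write-Warning "Secure is disabled: flow records are sent to the collector without DTLS."
}

# Basic reachability of the collector host (ICMP). UDP export itself cannot be
# handshaked, so confirm delivery with a packet capture using the filter below.
$reachable = Test-Connection -ComputerName $cfg.CollectorIP -Count 1 -Quiet
Write-Host "Collector pings : $reachable"
Write-Host "Wireshark filter: ip.addr == $($cfg.CollectorIP) && udp.port == $($cfg.Port)"
```

If the profile is read from disk but the collector fields come back empty, the element names in the file differ from the assumed ones; open NVM_ServiceProfile.xml and adjust the property path in Get-NvmCollectorConfig accordingly.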

With this we have installed, configured and verified the Cisco NVM module on a machine, and the flow collector should now be receiving endpoint flow records.
