Cisco Endpoint Security Analytics (CESA), built on what was earlier known as the Network Visibility Module (NVM), reports per-endpoint flow information (including the process, user and interface behind each connection) to a central flow collector. In this post we will learn how to configure the NVM to send that flow data to a flow collector such as Cisco Secure Network Analytics (formerly Stealthwatch).
Cisco NVM configuration step by step:
Step 1> Install Cisco Secure Client with the Network Visibility Module on the machine. Download the pre-deploy package from the Cisco website; for this post we have used the “cisco-secure-client-win-5.0.03076-predeploy-k9” file. During installation select the Network Visibility Module; the “Diagnostic and Reporting Tool” is optional.
Step 2> Download and install the Profile Editor from the Cisco website. In this post we have used the “tools-cisco-secure-client-win-5.0.03076-profileeditor-k9.msi” profile editor.
Step 3> Check the NVM settings on the flow collector. In the flow collector GUI navigate to Support > Advanced Settings and confirm that enable_nvm is enabled, then note the UDP port configured to receive NVM records; the endpoint profile in the next step must point at this same port.
Step 4> Open the Network Visibility Module Profile Editor and configure the profile as follows.
Enter the IP address and port number of the flow collector and select the collection criteria. In this post the “Secure” checkbox is left unchecked, which sends the flow records as cleartext IPFIX over UDP; that is acceptable in a lab, but in production keep Secure enabled so the export runs over DTLS, with the collector presenting a certificate the endpoints trust.
Configure the Data Collection Policy: click Add and select the network type (trusted, untrusted or all networks) for which flow data should be collected. Under Include/Exclude, choose what is kept in or dropped from the export as needed.
Define the trusted network. This is the address of an internal server that is reachable only from inside the corporate network; the endpoint uses it to decide whether it is currently on a trusted network, which in turn selects the data collection policy that applies.
Save the profile under the specific path “C:\ProgramData\Cisco\Cisco Secure Client\NVM” with the specific name “NVM_ServiceProfile” (the resulting file is NVM_ServiceProfile.xml); the NVM agent only picks up a profile with exactly this name and location.
How to verify if the CESA is working?
Open Task Manager and under Services check that the csc_nvmagent service is running. We can also start Wireshark on the endpoint, filter on the collector's IP address and UDP port, and confirm that datagrams are leaving the endpoint toward the collector. Because the Secure checkbox was left unchecked, the IPFIX records are visible in cleartext; with Secure enabled only a DTLS handshake followed by encrypted records would be seen.
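As an added example (not from the original post and not Cisco tooling), the following Python script is a stand-in collector for the verification step above: run it on a test host, point the profile's collector IP and port at that host, and it reports whether the datagrams arriving from the endpoint are cleartext IPFIX (what you get with Secure unchecked), a DTLS handshake (Secure enabled), NetFlow v9, or something unexpected, and lists the template and data sets inside each IPFIX message. The default port 2055 and the sample IPFIX message it builds for offline testing are assumptions and are labelled as such in the code.

```python
"""Stand-in NVM flow collector for verifying endpoint export.

Added example, not part of the original post or of Cisco's tooling.
Assumptions: the listening port (2055 here) matches the NVM profile, and
the sample IPFIX message built below is constructed for offline testing.
"""
import socket
import struct
import sys
from dataclasses import dataclass, field

IPFIX_VERSION = 10        # NVM exports IPFIX (RFC 7011); header version is 10
NETFLOW9_VERSION = 9
DTLS_RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}


@dataclass
class Classification:
    kind: str                      # "ipfix", "netflow9", "dtls" or "unknown"
    detail: dict = field(default_factory=dict)


def iter_sets(payload: bytes, msg_len: int):
    """Yield (set_id, set_length) for each IPFIX set after the 16-byte header."""
    offset = 16
    while offset + 4 <= msg_len:
        set_id, set_len = struct.unpack("!HH", payload[offset:offset + 4])
        if set_len < 4:            # malformed set; stop rather than loop forever
            break
        yield set_id, set_len
        offset += set_len


def classify_datagram(payload: bytes) -> Classification:
    """Decide what kind of export a single UDP datagram carries."""
    # DTLS record layer: content type byte, then version 0xFEFF / 0xFEFD.
    if len(payload) >= 3 and payload[0] in DTLS_RECORD_TYPES:
        ver = struct.unpack("!H", payload[1:3])[0]
        if ver in DTLS_VERSIONS:
            return Classification("dtls", {"record": DTLS_RECORD_TYPES[payload[0]],
                                           "version": DTLS_VERSIONS[ver]})
    # IPFIX header: version, length, export time, sequence, observation domain.
    if len(payload) >= 16:
        version, length, export_time, seq, domain = struct.unpack("!HHIII", payload[:16])
        if version == IPFIX_VERSION and 16 <= length <= len(payload):
            return Classification("ipfix", {"length": length, "export_time": export_time,
                                            "sequence": seq, "domain": domain,
                                            "sets": list(iter_sets(payload, length))})
    # NetFlow v9 header: version, count, sysUptime, unix secs, sequence, source ID.
    if len(payload) >= 20:
        version, count, _, export_time, seq, source_id = struct.unpack("!HHIIII", payload[:20])
        if version == NETFLOW9_VERSION:
            return Classification("netflow9", {"count": count, "export_time": export_time,
                                               "sequence": seq, "source_id": source_id})
    return Classification("unknown", {"first_bytes": payload[:4].hex()})


def build_ipfix_sample(export_time=1700000000, seq=42, domain_id=1) -> bytes:
    """Constructed IPFIX message: one template set (ID 2) and one data set (ID 256)."""
    # Template 256 with two fields: sourceIPv4Address (8) and destinationIPv4Address (12).
    template = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
    template_set = struct.pack("!HH", 2, 4 + len(template)) + template
    record = socket.inet_aton("10.0.0.1") + socket.inet_aton("10.0.0.5")  # constructed addresses
    data_set = struct.pack("!HH", 256, 4 + len(record)) + record
    body = template_set + data_set
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), export_time, seq, domain_id)
    return header + body


def listen(bind_ip="0.0.0.0", port=2055, max_datagrams=5, timeout=60.0):
    """Receive up to max_datagrams on the configured port and classify each one."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        sock.settimeout(timeout)
        for _ in range(max_datagrams):
            try:
                data, (src_ip, src_port) = sock.recvfrom(65535)
            except socket.timeout:
                print(f"no datagrams within {timeout}s: check the service, profile path and port")
                break
            result = classify_datagram(data)
            results.append((src_ip, result))
            print(f"{src_ip}:{src_port} -> {result.kind} {result.detail}")
    return results


if __name__ == "__main__":
    # Usage: python nvm_listener.py [port]  (port must match the profile; 2055 is an assumption)
    listen(port=int(sys.argv[1]) if len(sys.argv) > 1 else 2055)
```

If the script times out, the usual causes are the service not running, the profile saved under the wrong name or path, or a port mismatch between the profile and the collector. Seeing "dtls" rather than "ipfix" means Secure is enabled in the profile, which is what you want in production; in that case this stand-in cannot read the records, only confirm that the endpoint is exporting.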
With this we have installed and verified the Cisco NVM configuration on a machine.