External Systems Configuration Guide

Cisco IOS Router and Switch

Issue with Generic Serial Numbers in Older Versions of Cisco IOS Routers

FortiSIEM uses serial numbers to uniquely identify a device. For older routers, the serial number is obtained from the OID 1.3.6.1.4.1.9.3.6.3.0. However, this value is often incorrectly set by default to a generic value like MSFC 2A. If multiple routers have a common default value, then these routers will be merged into a single entry in the FortiSIEM CMDB. 

You can check the current value for the serial number in a Cisco router by doing a SNMP walk of the OID.

snmpwalk -v2c -c <cred> <ip> 1.3.6.1.4.1.9.3.6.3.0

If the value is a generic value, then set it to the actual serial number.

Router(config)#snmp-server chassis-id <serial number>
Router(config)#exit
Router#write memory

Run the snmpwalk again to verify that the serial number is updated, then perform discovery of your Cisco router.
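
Before discovering a fleet of older routers, it is worth checking the chassis-id value on every one of them at once, since two routers that still report the same default would be merged into one CMDB entry. The following is an added example (not part of this guide) that parses snmpwalk output for the OID above and groups routers by serial; the sample output lines, the 10.0.0.x addresses and the FOX1234ABCD serial are constructed, and the list of known generic values beyond "MSFC 2A" is an assumption.

```python
import re
import subprocess
from collections import defaultdict
from typing import Dict, List, Optional

# OID the guide names for the chassis serial number on older IOS routers.
CHASSIS_ID_OID = "1.3.6.1.4.1.9.3.6.3.0"

# Constructed sample of what `snmpwalk -v2c -c <cred> <ip> 1.3.6.1.4.1.9.3.6.3.0`
# prints, keyed by router address. Two routers still carry the factory default,
# one has a real serial (constructed value) and one returns an empty string.
SAMPLE_WALKS = {
    "10.0.0.1": 'SNMPv2-SMI::enterprises.9.3.6.3.0 = STRING: "MSFC 2A"',
    "10.0.0.2": 'SNMPv2-SMI::enterprises.9.3.6.3.0 = STRING: "MSFC 2A"',
    "10.0.0.3": 'SNMPv2-SMI::enterprises.9.3.6.3.0 = STRING: "FOX1234ABCD"',
    "10.0.0.4": 'SNMPv2-SMI::enterprises.9.3.6.3.0 = STRING: ""',
}

# Values that are defaults rather than real serials. "MSFC 2A" comes from the
# guide; the empty string and the unspaced variant are assumptions.
GENERIC_VALUES = {"", "msfc 2a", "msfc2a"}

# Matches the value part of a net-snmp STRING line, with or without quotes,
# regardless of whether the OID prefix was printed numerically or symbolically.
_VALUE_RE = re.compile(r'=\s*STRING:\s*"?(.*?)"?\s*$')


def parse_serial(walk_line: str) -> Optional[str]:
    """Extract the STRING value from one snmpwalk output line.

    Returns None when the line is not a STRING result (e.g. "No Such Object").
    """
    m = _VALUE_RE.search(walk_line)
    return m.group(1).strip() if m else None


def snmpwalk_serial(host: str, community: str, timeout: int = 5) -> Optional[str]:
    """Query a live router with the net-snmp CLI (not exercised by the test)."""
    proc = subprocess.run(
        ["snmpwalk", "-v2c", "-c", community, host, CHASSIS_ID_OID],
        capture_output=True, text=True, timeout=timeout, check=False,
    )
    return parse_serial(proc.stdout)


def find_cmdb_collisions(serials: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Group routers by (case-folded) serial and return the groups that would
    collapse into a single CMDB entry: any serial shared by more than one
    router, or any value that is a known generic default."""
    by_serial: Dict[str, List[str]] = defaultdict(list)
    for host, serial in serials.items():
        by_serial[(serial or "").lower()].append(host)
    return {
        serial: hosts
        for serial, hosts in by_serial.items()
        if len(hosts) > 1 or serial in GENERIC_VALUES
    }


if __name__ == "__main__":
    found = {h: parse_serial(line) for h, line in SAMPLE_WALKS.items()}
    for serial, hosts in find_cmdb_collisions(found).items():
        print(f"serial {serial!r} shared by {hosts}: fix with snmp-server chassis-id")
```

Routers listed in the output need `snmp-server chassis-id` corrected before discovery; the rest can be discovered as-is.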

What is Discovered and Monitored

Protocol: SNMP (V1, V2c, V3)
Information Discovered: Host name, IOS version, Hardware model, Memory size, Network interface details - name, address, mask and description
Metrics collected: Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
Information Discovered: Hardware component details: serial number, model, manufacturer, software/firmware versions of hardware components such as chassis, CPU, fan, power supply, network cards etc.
Metrics collected: Hardware health: temperature, fan and power supply
Used for: Availability

Protocol: SNMP (V1, V2c, V3)
Information Discovered: Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association
Metrics collected: -
Used for: Topology and end-host location

Protocol: SNMP (V1, V2c, V3)
Information Discovered: BGP connectivity, neighbors, state, AS number
Metrics collected: BGP state change
Used for: Routing Topology, Availability Monitoring

Protocol: SNMP (V1, V2c, V3)
Information Discovered: OSPF connectivity, neighbors, state, OSPF Area
Metrics collected: OSPF state change
Used for: Routing Topology, Availability Monitoring

Protocol: SNMP (V1, V2c, V3)
Information Discovered: -
Metrics collected: IP SLA and VoIP performance metrics: Max/Min/Avg Delay and Jitter - both overall and Source->Destination and Destination->Source, Packets Lost - both overall and Source->Destination and Destination->Source, Packets Missing in Action, Packets Late, Packets out of sequence, VoIP Mean Opinion Score (MOS), VoIP Calculated Planning Impairment Factor (ICPIF) score
Used for: VoIP Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
Information Discovered: -
Metrics collected: Class based QoS metrics (from CISCO-CLASS-BASED-QOS-MIB): For each (router interface, policy, class map) tuple: class map metrics including pre-policy rate, post-policy rate, drop rate and drop pct; police action metrics including conform rate, exceeded rate and violated rate; queue metrics including current queue length, max queue length and discarded packets
Used for: QoS performance monitoring

Protocol: SNMP (V1, V2c, V3)
Information Discovered: -
Metrics collected: NBAR metrics (from CISCO-NBAR-PROTOCOL-DISCOVERY-MIB): For each interface and application, sent/received flows, sent/received bytes, sent/received bits/sec
Used for: Performance Monitoring

Protocol: Telnet/SSH
Information Discovered: Running and startup configuration, Image file name, Flash memory size, Running processes
Metrics collected: Startup configuration change, delta between running and startup configuration, Running process CPU and memory utilization
Used for: Performance Monitoring, Security and Compliance

Protocol: Syslog
Information Discovered: Device type
Metrics collected: System logs and traffic logs matching ACL statements
Used for: Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "cisco_ios" to see the event types associated with this device. 

Configuration

Telnet/SSH

FortiSIEM uses SSH and Telnet to communicate with your device. Follow the instructions in the product documentation for your device to enable SSH and Telnet.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.

  • show startup-config
  • show running-config
  • show version
  • show flash
  • show ip route
  • show mac-address-table or show mac address-table
  • show vlan brief
  • show process cpu
  • show process mem
  • show disk0
  • enable
  • terminal pager 0

SNMP

SNMP V1/V2c
  1. Log in to the Cisco IOS console or telnet to the device.
  2. Enter configuration mode.
  3. Create an access list for FortiSIEM.
    access-list 10 permit <FortiSIEM IP>
  4. Set up community strings and access lists.
    snmp-server community <community string> ro 10
  5. Exit configuration mode.

SNMP V3
  1. Log in to the Cisco IOS console or telnet to the device.
  2. Enter configuration mode.
  3. Create an access list for FortiSIEM.
    access-list 10 permit <FortiSIEM IP>
  4. Set up SNMP credentials for Authentication only.
    snmp-server group <grpName> v3 auth
    #do this for every VLAN so that FortiSIEM can discover per-VLAN information such as the Spanning Tree and VTP MIBs
    snmp-server group <grpName> v3 auth context vlan-<vlanId>
    snmp-server user <userName> <grpName> v3 auth md5 <password> access 10
  5. Set up SNMP credentials for Authentication and Encryption.
    snmp-server group <grpName> v3 priv
    #do this for every VLAN so that FortiSIEM can discover per-VLAN information such as the Spanning Tree and VTP MIBs
    snmp-server group <grpName> v3 auth context vlan-<vlanId>
    snmp-server group <grpName> v3 priv context vlan-<vlanId>
    snmp-server user <userName> <grpName> v3 auth md5 <password> priv des56 <password> access 10
  6. Exit configuration mode.

Additional IOS SNMPv3 Configuration Examples

IOS

enable
config t
snmp-server contact "contact info"
snmp-server location "location info"
snmp-server group fsiem_group v3 priv
#Note, check the context sensitive help in your IOS version to see if aes 128 is supported instead of des56.
snmp-server user fortisiem_user fsiem_group 192.168.1.2 v3 auth sha "yourShaPassword" priv des56 "yourDesPassword"
copy running-config startup-config

IOS XE

enable
config t
snmp-server group fsiem_group v3 priv
snmp-server user fortisiem fsiem_group 192.168.1.2 v3 auth sha "yourShaPassword" priv aes 128 "yourAesPassword"
copy running-config startup-config

IOS XR

#Note not all models running IOS XR can support aes 128, some may only support des
configure
snmp-server contact "contact info"
snmp-server location "location info"
snmp-server group fsiem_group v3 priv
snmp-server user fortisiem fsiem_group v3 auth sha "yourShaPassword" priv aes 128 "yourAesPassword"
commit

Nexus 9K

config t
snmp-server contact "contact info"
snmp-server location "location info"
snmp-server user fortisiem auth sha "yourShaPassword" priv aes-128 "yourAesPassword"
snmp-server user fortisiem enforcePriv
copy running-config startup-config


Syslog
  1. Log in to the Cisco IOS console or telnet to the device.
  2. Enter configuration mode.
  3. Enable logging with these commands.
    logging on
    logging trap informational
    logging <FortiSIEM IP>
  4. Make sure that the timestamp in syslog messages sent to FortiSIEM does not contain milliseconds.
    no service timestamps log datetime msec
    service timestamps log datetime
  5. To log traffic matching ACL statements in stateless firewall scenarios, add the log keyword to the ACL statements.
    access-list 102 deny udp any gt 0 any gt 0 log
  6. To turn on logging from the IOS Firewall module, use this command.
    ip inspect audit-trail
  7. Exit configuration mode.

Sample Cisco IOS Syslog Messages

<190>109219: Jan  9 18:03:35.281: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.168.20.33:1876) -- responder (192.168.0.10:445)

<190>263951: 2w6d: %SEC-6-IPACCESSLOGP: list permit-any permitted udp 192.168.20.35(0) -> 192.168.23.255(0), 1 packet

<188>84354: Dec  6 08:15:20: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.135.125] [localport: 80] [Reason: Login Authentication Failed - BadPassword] at 08:15:20 PST Mon Dec 6 2010

<189>217: May 12 13:57:23.720: %SYS-5-CONFIG_I: Configured from console by vty1 (192.168.29.8)

<189>Oct 27 20:18:43.254 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP request from host 192.168.2.98
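
A quick way to confirm that a router's syslog output matches what the steps above ask for (datetime timestamps without milliseconds, severity levels that agree with the PRI value) is to parse a few captured lines. The following is an added example, not part of this guide, that parses the Cisco IOS message format (PRI, optional sequence number, timestamp, %FACILITY-SEVERITY-MNEMONIC, text) and audits the five sample messages above; the audit categories and field names are this example's own.

```python
import re
from typing import Dict, List, Optional

# The five sample messages from the guide, verbatim, used as test input.
SAMPLE_MESSAGES = [
    "<190>109219: Jan  9 18:03:35.281: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.168.20.33:1876) -- responder (192.168.0.10:445)",
    "<190>263951: 2w6d: %SEC-6-IPACCESSLOGP: list permit-any permitted udp 192.168.20.35(0) -> 192.168.23.255(0), 1 packet",
    "<188>84354: Dec  6 08:15:20: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.135.125] [localport: 80] [Reason: Login Authentication Failed - BadPassword] at 08:15:20 PST Mon Dec 6 2010",
    "<189>217: May 12 13:57:23.720: %SYS-5-CONFIG_I: Configured from console by vty1 (192.168.29.8)",
    "<189>Oct 27 20:18:43.254 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP request from host 192.168.2.98",
]

# Cisco IOS message layout: <PRI>[seq: ]timestamp: %FAC-SEV-MNEMONIC: text
_IOS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                       # syslog PRI = facility*8 + severity
    r"(?:(?P<seq>\d+):\s+)?"                     # optional sequence number
    r"(?P<ts>[^%]*?):\s+"                        # timestamp (datetime, or uptime like 2w6d)
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*"
    r"(?P<msg>.*)$"
)
# hh:mm:ss.mmm means `service timestamps log datetime msec` is still in effect.
_MSEC_RE = re.compile(r"\d{2}:\d{2}:\d{2}\.\d{1,3}")
# 2w6d-style stamps are IOS uptime: `service timestamps log datetime` is not configured.
_UPTIME_RE = re.compile(r"^(\d+[wdhms])+$")


def parse_ios_syslog(line: str) -> Optional[Dict]:
    """Split one IOS syslog line into its fields; None if it does not match."""
    m = _IOS_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    ts = m["ts"]
    return {
        "pri_facility": pri >> 3,          # 23 = local7 for all samples above
        "pri_severity": pri & 7,
        "seq": int(m["seq"]) if m["seq"] else None,
        "timestamp": ts,
        "timestamp_kind": "uptime" if _UPTIME_RE.match(ts) else "datetime",
        "has_msec": bool(_MSEC_RE.search(ts)),
        "facility": m["fac"],
        "severity": int(m["sev"]),
        "mnemonic": m["mnem"],
        "message": m["msg"],
    }


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Check each line against the configuration the guide asks for and
    report mnemonics of the messages that deviate, grouped by finding."""
    findings: Dict[str, List[str]] = {
        "unparsed": [], "msec_timestamp": [], "uptime_timestamp": [], "severity_mismatch": [],
    }
    for line in lines:
        p = parse_ios_syslog(line)
        if p is None:
            findings["unparsed"].append(line)
            continue
        if p["has_msec"]:
            findings["msec_timestamp"].append(p["mnemonic"])
        if p["timestamp_kind"] == "uptime":
            findings["uptime_timestamp"].append(p["mnemonic"])
        if p["pri_severity"] != p["severity"]:
            findings["severity_mismatch"].append(p["mnemonic"])
    return findings


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_MESSAGES).items():
        print(f"{finding}: {items}")
```

Run against lines captured from the FortiSIEM collector (for example from a packet capture on UDP 514) to verify the timestamp settings took effect on every router that forwards to it.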

NetFlow

Enable NetFlow on the Router
  1. Enter configuration mode.
  2. For every interface, run these commands.
    interface <interface> <interface_number>
    ip route-cache flow
    exit

Set Up NetFlow Export
  1. Enter configuration mode.
  2. Run these commands.
    ip flow-export version 5|9
    ip flow-export destination <Accelops IP> 2055
    ip flow-export source <interface> <interface_number>
    ip flow-cache timeout active 1
    ip flow-cache timeout inactive 15
    snmp-server ifindex persist

On MLS switches, such as the 6500 or 7200 models, also run these commands.

mls netflow
mls nde sender
mls aging long 64
mls flow ip full

  3. Exit configuration mode.

You can verify that you have set up NetFlow correctly by running these commands.

#shows the current NetFlow configuration
show ip flow export 
#summarizes the active flows and gives an indication of how much NetFlow data the device is exporting
show ip cache flow or show ip cache verbose flow 
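
The show commands confirm the exporter side; to confirm that well-formed records actually arrive on UDP 2055, it helps to decode a datagram. The following is an added example, not part of this guide, that builds a constructed NetFlow version 5 export (the fixed 24-byte header and 48-byte records defined by Cisco for `ip flow-export version 5`), decodes it, and validates the version and record count; the addresses, ports and counters are constructed sample data, and the optional collector loop is this example's own.

```python
import socket
import struct
from typing import Dict, Iterator, Tuple

# NetFlow v5 wire format, network byte order (fixed layout; v9 is templated).
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
COLLECTOR_PORT = 2055  # the destination port configured above


def build_sample_datagram() -> bytes:
    """Constructed v5 export with three records: both directions of an SMB
    session plus a one-packet SNMP query. Field order per record: src, dst,
    nexthop, in_if, out_if, pkts, octets, first, last, sport, dport, pad,
    tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad2."""
    recs = [
        ("10.0.0.5", "192.168.0.10", "10.0.0.254", 2, 3, 12, 3400, 1000, 1900,
         49152, 445, 0, 0x18, 6, 0, 0, 0, 24, 24, 0),
        ("192.168.0.10", "10.0.0.5", "10.0.0.254", 3, 2, 9, 2100, 1010, 1905,
         445, 49152, 0, 0x18, 6, 0, 0, 0, 24, 24, 0),
        ("10.0.0.7", "10.0.0.1", "0.0.0.0", 2, 0, 1, 78, 1500, 1500,
         51000, 161, 0, 0, 17, 0, 0, 0, 24, 32, 0),
    ]
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r[0]), socket.inet_aton(r[1]),
                       socket.inet_aton(r[2]), *r[3:])
        for r in recs
    )
    # version, count, sys_uptime(ms), unix_secs, unix_nsecs, flow_sequence,
    # engine_type, engine_id, sampling_interval
    header = V5_HEADER.pack(5, len(recs), 3_600_000, 1_700_000_000, 0, 1000, 0, 0, 0)
    return header + body


def parse_v5(datagram: bytes) -> Dict:
    """Decode one v5 datagram; raise ValueError on wrong version or a length
    that does not match the record count, so truncation is never silently
    accepted as valid data."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"count={count} implies {expected} bytes, got {len(datagram)}")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]),
            # ifIndex values: stable across reloads only with `snmp-server ifindex persist`
            "in_ifindex": f[3], "out_ifindex": f[4],
            "packets": f[5], "bytes": f[6], "duration_ms": f[8] - f[7],
            "src_port": f[9], "dst_port": f[10],
            "tcp_flags": f[12], "protocol": f[13], "tos": f[14],
        })
    return {
        "header": {"version": version, "count": count, "sys_uptime_ms": uptime,
                   "unix_secs": secs, "flow_sequence": seq,
                   # top 2 bits are the sampling mode, low 14 bits the interval
                   "sampling_interval": sampling & 0x3FFF},
        "flows": flows,
    }


def collect(port: int = COLLECTOR_PORT, max_datagrams: int = 1) -> Iterator[Tuple[str, Dict]]:
    """Receive live exports on the collector port (not exercised by the test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", port))
        for _ in range(max_datagrams):
            data, (exporter, _) = s.recvfrom(65535)
            yield exporter, parse_v5(data)


if __name__ == "__main__":
    for flow in parse_v5(build_sample_datagram())["flows"]:
        print(f"{flow['src']}:{flow['src_port']} -> {flow['dst']}:{flow['dst_port']} "
              f"proto {flow['protocol']} {flow['packets']} pkts {flow['bytes']} bytes")
```

A jump in flow_sequence between consecutive datagrams from the same exporter means records were lost on the way to the collector.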

Sample Flexible Netflow Configuration in IOS

flow exporter e1
    ! destination is the collector address; the default port needs to be changed to 2055
    destination <accelopsIp>
    transport udp 2055
!
flow record r1
    ! record specifies the packet fields to collect
    match ipv4 protocol
    match ipv4 source address
    match ipv4 destination address
    match transport source-port
    match transport destination-port
    match interface input
    collect transport tcp flags
    collect interface output
    collect counter bytes
    collect counter packets
!
flow monitor m1
    ! monitor refers to the record configuration and the exporter configuration
    record r1
    exporter e1
    cache timeout active 60
    cache timeout inactive 30
    cache entries 1000
!
interface GigabitEthernet 2/48
    ip flow monitor m1 input

IP SLA

IP SLA is a technology where a pair of routers can run synthetic tests between themselves and report detailed traffic statistics. This enables network administrators to get performance reports between sites without depending on end-host instrumentation.

Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP.

A variety of IP SLA tests can be run, for example UDP/ICMP Jitter, UDP Jitter for VoIP, UDP/ICMP Echo, TCP Connect, HTTP, etc. You can see the traffic statistics for these tests by running the appropriate show commands on the router. However, only the following IP SLA tests are exported via the RTT-MON SNMP MIB.

  • UDP Jitter (reported by FortiSIEM event type PH_DEV_MON_IPSLA_MET)
  • UDP Jitter for VoIP (reported by FortiSIEM event type PH_DEV_MON_IPSLA_VOIP_MET)
  • HTTP performance (reported by FortiSIEM event type PH_DEV_MON_IPSLA_HTTP_MET)
  • ICMP Echo (reported by FortiSIEM event type PH_DEV_MON_IPSLA_ICMP_MET)
  • UDP Echo (reported by FortiSIEM event type PH_DEV_MON_IPSLA_UDP_MET)

These are the only IP SLA tests monitored by FortiSIEM.

Configuring IP SLA involves choosing and configuring a router to initiate the test and a router to respond. The test statistics are automatically reported by the initiating router via SNMP, so no additional configuration is required. Bi-directional traffic statistics are also reported by the initiating router, so you don't need to set up a reverse test between the original initiating and responding routers. FortiSIEM automatically detects the presence of the IP SLA SNMP MIB (CISCO-RTTMON-MIB) and starts collecting the statistics.

Configuring IP SLA Initiator for UDP Jitter

ipsla-init>enable
ipsla-init#config terminal
ipsla-init(config)#ip sla monitor <operation num>
ipsla-init(config-sla-monitor)#type jitter dest-ipaddr <responder ip> dest-port <dest port>
ipsla-init(config-sla-monitor-jitter)#frequency default
ipsla-init(config-sla-monitor-jitter)#exit
ipsla-init(config)#ip sla monitor schedule <operation num> start-time now life forever

Configuring IP SLA Initiator for UDP Jitter for VoIP

ipsla-init>enable
ipsla-init#config terminal
ipsla-init(config)#ip sla monitor <operation num>
ipsla-init(config-sla-monitor)#type jitter dest-ipaddr <responder ip> dest-port <dest port> codec <codec type> advantage-factor 0
ipsla-init(config-sla-monitor-jitter)#frequency default
ipsla-init(config-sla-monitor-jitter)#exit
ipsla-init(config)#ip sla monitor schedule <operation num> start-time now life forever

Configuring IP SLA Initiator for ICMP Echo Operation

Router> enable
Router# configure terminal
Router(config)# ip sla monitor 15
Router(config-sla-monitor)# type echo protocol ipIcmpEcho <destination-ip-address>
Router(config-sla-monitor-echo)# frequency 30
Router(config-sla-monitor-echo)# exit
Router(config)# ip sla monitor schedule 15 start-time now life forever
Router(config)# exit

Configuring the IP SLA Responder for All Cases

ipsla-resp>enable
ipsla-resp#config terminal
ipsla-resp(config)#ip sla monitor responder

Class-Based QoS

CBQoS enables routers to enforce traffic-dependent Quality of Service policies on router interfaces, so that important traffic such as VoIP and mission-critical applications gets its allocated network resources.

Cisco provides detailed documents for configuring CBQoS.

The CBQoS statistics are automatically reported by the router via SNMP, so no additional configuration is needed. FortiSIEM detects the presence of valid CBQoS MIBs and starts monitoring them.

NBAR

Cisco provides a configuration guide for protocol discovery via NBAR.

Make sure that the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB is enabled.

Sample event generated by FortiSIEM

[PH_DEV_MON_CISCO_NBAR_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceCisco.cpp,[lineNumber]=1644,[hostName]=R1.r1.accelops.com,[hostIpAddr]=10.1.20.59,[intfName]=Ethernet0/0,[appTransportProto]=snmp,[totFlows]=4752,[recvFlows]=3168,[sentFlows]=1584,[totBytes64]=510127,[recvBytes64]=277614,[sentBytes64]=232513,[totBitsPerSec]=22528.000000,[recvBitsPerSec]=12288.000000,[sentBitsPerSec]=10240.000000,[phLogDetail]=

Settings for Access Credentials

SNMP Access Credentials for All Devices

These are the generic settings for providing SNMP access to your device from FortiSIEM.

Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>

Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Name: Telnet-generic
Device Type: Generic
Access Protocol: Telnet
Port: 23
User Name: A user who has access credentials for your device over Telnet
Password: The password associated with the user

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Name: ssh-generic
Device Type: Generic
Access Protocol: SSH
Port: 22
User Name: A user who has access credentials for your device over SSH
Password: The password associated with the user
