Monday, September 23, 2019

Stealthwatch hints

Upgrade Issues (6.x -> 7.x)

Read the Upgrade Guide in detail and follow every step mentioned there. In short: Rollup Patch, Pre-SWU Patch, Upgrade.
If you still fail (that happened to me in 2 out of 3 upgrades), TAC will help. I tried to write down some of the tips below.

Upgrade Logs

/lancope/var/admin/upgrade/upgradeOutput.log

Finalize pre-SWU Installation from CLI

/lancope/services/secrets-service/finalize.sh

Cleanup unnecessary files

find / -type f -name "*.pcap"
find / -type f -name "*.swu"
find / -type f -name "*.tgz.gpg"

Refresh System Image

This frees some disk space and helps if you experience a slow SMC GUI after the upgrade to 7.0.
Additionally, it removes rollup patches.
  1. Log in as root or sysadmin via SSH on the appliance to use the System Configuration Menu.
  2. The root user has to launch the menu manually at the CLI with the 'SystemConfig' command.
  3. Select Advanced options
  4. Select Refresh the System Image
  5. Select yes to continue
  6. Select yes to continue
  7. Select ok to reboot

FC fails to authenticate to SMC during Upgrade?

update-fcnf-7.0.2.2019.07.05.1356-01 - INFO - >SAFETY CHECK: Partition Patch Satisfied
update-fcnf-7.0.2.2019.07.05.1356-01 - INFO - >Error in authenticating to the appliance 10.1.2.3: 400 Client Error: Bad Request
Remove the FC's certificate from the SMC Admin interface and upload the new one from the FC.

SMC is not in Central Management after Upgrade?

Go to appliance Administration (https://10.2.3.4/smc/index.html); there you should see a note directing you to the Appliance Setup Tool.

Run through the initial Setup Dialog and confirm every setting that should already be there (IP addresses, DNS, NTP etc.). The appliance will reboot afterwards.

Stealthwatch GUI Admin Password Reset

SSH as root to the FC appliance then run these commands:
  • systemctl stop LCOrchestrate.service
  • systemctl stop lc-tomcat.service
  • cd /lancope/var/database/dbs/hsqldb/admin
  • rm -rf admin.*
  • systemctl start LCOrchestrate.service
  • systemctl start lc-tomcat.service

FC fails to re-add to CM due to Certificate Issues

Check the CM agent log on the FC:
fc01: tail -f /lancope/var/logs/containers/svc-cm-agent.log
and look for errors like
unable to find valid certification path to requested target

If you see them, regenerate the server identity on the FC and fix ownership and permissions of the generated files:

fc01:/lancope/var/nginx/ssl# rm -rf *
fc01:/lancope/var/nginx/ssl# /lancope/services/secrets-service/identity_service.py 
Lancope default certificate not detected
A10 certificate not detected
Appliance does not yet have a server identity. Generating one now...
Generating self-signed server identity certificate...
Self-signed server identity certificate generated.
Inserting newly generated server identity into appropriate locations...
New server identity is now active.
fc01:/lancope/var/nginx/ssl#  
fc01:/lancope/var/nginx/ssl# ls -l
total 16
-rw-r--r-- 1 root root 3186 Oct  3 06:50 client.crt
-rw-r--r-- 1 root root 3186 Oct  3 06:50 server.crt
-rw-r--r-- 1 root root 6363 Oct  3 06:50 server.key
fc01:/lancope/var/nginx/ssl# chown tomcat:swadmin *
fc01:/lancope/var/nginx/ssl# chmod 660 *
fc01:/lancope/var/nginx/ssl# ls -l
total 16
-rw-rw---- 1 tomcat swadmin 3186 Oct  3 06:50 client.crt
-rw-rw---- 1 tomcat swadmin 3186 Oct  3 06:50 server.crt
-rw-rw---- 1 tomcat swadmin 6363 Oct  3 06:50 server.key
fc01:/lancope/var/nginx/ssl# 
fc01:/lancope/var/nginx/ssl# systemctl restart lc-tomcat
fc01:/lancope/var/nginx/ssl# systemctl restart sw-nginx.service 
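Before restarting lc-tomcat and sw-nginx it is worth verifying that the regenerated identity is actually consistent: all three files present, owned by tomcat:swadmin with mode 660 as in the session above, server.key really belonging to server.crt, and the certificate not about to expire. The following check script is an added example (it is not from the blog post and not Cisco's code); it assumes a GNU stat and an openssl binary on the appliance, and takes the directory, owner and group as parameters so it can be tried elsewhere first.

```shell
#!/bin/sh
# Added example: sanity-check a regenerated Stealthwatch server identity
# before restarting lc-tomcat / sw-nginx. Assumes the layout from the
# session above (client.crt, server.crt, server.key in one directory,
# owned by tomcat:swadmin, mode 660) and an openssl binary on the box.

# check_identity_dir DIR OWNER GROUP
# Returns 0 when every expected file exists, is owned by OWNER:GROUP with
# mode 660, server.key matches server.crt, and the cert is valid for at
# least 30 more days. Prints one line per finding.
check_identity_dir() {
    dir=$1; owner=$2; group=$3
    rc=0
    for f in client.crt server.crt server.key; do
        p="$dir/$f"
        if [ ! -f "$p" ]; then
            echo "MISSING  $p"; rc=1; continue
        fi
        og=$(stat -c '%U:%G' "$p")     # GNU stat (assumption)
        mode=$(stat -c '%a' "$p")
        [ "$og" = "$owner:$group" ] || { echo "OWNER    $p is $og, want $owner:$group"; rc=1; }
        [ "$mode" = "660" ] || { echo "MODE     $p is $mode, want 660"; rc=1; }
    done
    if [ -f "$dir/server.crt" ] && [ -f "$dir/server.key" ]; then
        # Compare the public key embedded in the cert with the one derived
        # from the private key; works for RSA and EC keys alike.
        crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null || true)
        key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null || true)
        if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
            echo "MISMATCH server.key does not match server.crt"; rc=1
        fi
        # -checkend N fails when the cert expires within N seconds (30 days here)
        openssl x509 -in "$dir/server.crt" -noout -checkend 2592000 >/dev/null 2>&1 \
            || { echo "EXPIRY   server.crt expires within 30 days"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK       $dir"
    return "$rc"
}

# Typical use on the FC (run as root), restarting only when the check passes:
#   check_identity_dir /lancope/var/nginx/ssl tomcat swadmin \
#       && systemctl restart lc-tomcat && systemctl restart sw-nginx.service
```

The public-key comparison is the part that matters most: a key/cert mismatch after a manual regeneration is exactly what leaves nginx failing to start and the FC unable to re-join Central Management, and it is not visible from `ls -l`.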


Monday, February 11, 2019

Cisco Cloud Email Security CES Bulk Import SMTP Routes, RAT entries


You want to bulk edit things like SMTP Routes or RAT entries on CES environments? You need CLI access to your ESA instances inside CES?

That's not that simple: there is no direct access to the CLI. Cisco provides SSH proxies for this use case, and you first have to request access to them. (Some of the information below was provided by Cisco TAC.)


Ask CES Activation Team ces-activations@cisco.com or Cisco TAC for CLI Access

Following are the steps for setting up SSH access.
Access to your IronPort appliances is provided through an SSH Proxy using key authentication. CLI access to your hosted appliances should be limited to key individuals within your organization.

Overview of the Process:
     1) Generate Private/Public keys
     1a) If you require multiple users, you may generate and submit up to 10 keys.
     2) Reply to this email with your *Public* key -attached-.
     3) We will apply your key(s) to our SSH Proxy.
     4) We will then provide you a guide on accessing your machine.

HOW TO: Generate a Private/Public keypair for Hosted CLI access.

For UNIX OSes such as Linux, OS X, Solaris, etc.

ssh-keygen -t rsa -b <bitstrength> -f <filename>
<bitstrength> is an integer number.
<filename> is the path name to a file where the key(s) will be saved to.

Example: ssh-keygen -t rsa -b 2048 -f ~/.ssh/my_key

*Please ensure that you safeguard your private keys.
*DO NOT send us your private keys.
*If you are submitting multiple keys, please provide names and email address associated to each key.

There are numerous SSH client applications available for all major operating systems. Windows users can use puttygen: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html 



How to establish the proxy tunnel

PUTTY CONNECTION GUIDE TEMPLATE:
Accessing your IronPort appliances is made through an SSH proxy.
You will initiate a local port forwarding proxy on your workstation.
Your workstation will be listening on a localhost port.
You will then SSH to your localhost, which will forward the SSH traffic to your IronPort appliance.
Enter in the Proxy hostname - Make sure you choose the correct one for your region, US or EU:
There are two US SSH proxies:
f4-ssh.iphmx.com (68.232.128.202)
f5-ssh.iphmx.com (68.232.134.202)
And two EU SSH proxies:
Click Data and add dh-user to the auto-login
Click SSH and check Don't start a shell or Comm...
Click Auth and Browse to your Private key.
Click Tunnels, supply a Source Port and a Destination (your IronPort appliance)
Click Add, and it should look like this.

Example:
1. esa1.hc***.c3s2.iphmx.com
2. esa2.hc***.c3s2.iphmx.com
You can save this session for future use. Click Session, you may supply a name,
and Save the session. Go Ahead and Open the session to initiate the local port forwarding proxy.
If all goes well you will automatically be logged on to the proxy server.
You won't get a command prompt.
Now you will need to open a new putty window. Use the hostname 127.0.0.1
and use the source port number in the tunnel configuration above.
(2200) Click open to connect to your appliance.
When prompted use your appliance username and password.

Please confirm that you are able to access your appliances via the command line. If you have further questions please feel free to contact us.

Copy files through the proxy tunnel

c:\Program Files\PuTTY>pscp -P 2200 partner_syseng@127.0.0.1:configuration/smtp_routes_export c:\smtp_routes.txt
Using keyboard-interactive authentication.
partner_syseng@esa1.hc***.c3s2.iphmx.com's password:
smtp_routes.txt       | 0 kB |   0.3 kB/s | ETA: 00:00:00 | 100%

c:\Program Files\PuTTY>pscp -P 2200 partner_syseng@127.0.0.1:configuration/RAT_export c:\RAT_export.txt
Using keyboard-interactive authentication.
partner_syseng@esa1.hc***.c3s2.iphmx.com's password:
RAT_export.txt        | 0 kB |   0.2 kB/s | ETA: 00:00:00 | 100%

c:\Program Files\PuTTY>pscp.exe -P 2200 c:\Users\alth\Documents\smtp_routes_import.txt partner_syseng@127.0.0.1:configuration/smtp_routes_import
Using keyboard-interactive authentication.
partner_syseng@esa1.hc***.c3s2.iphmx.com's password:
smtp_routes_import.tx | 13 kB |  13.5 kB/s | ETA: 00:00:00 | 100%

c:\Program Files\PuTTY>pscp.exe -P 2200 c:\Users\alth\Documents\smtp_routes_import.txt partner_syseng@127.0.0.1:configuration/smtp_routes_import
Using keyboard-interactive authentication.
partner_syseng@esa1.hc***.c3s2.iphmx.com's password:
smtp_routes_import.tx | 13 kB |  13.4 kB/s | ETA: 00:00:00 | 100%
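The PuTTY steps above (proxy login as dh-user with the submitted key, no shell, local forward 2200 to the appliance's port 22) and the pscp copies both have a direct OpenSSH equivalent, which is handier on Linux or macOS and scriptable. The script below is an added example, not from the blog post or from Cisco's guide: the proxy hostname and user come from the text above, the key path is the one from the ssh-keygen example, the appliance hostname `esa1.hcXXX.c3s2.iphmx.com` is a placeholder for the masked name on the page, and `partner_syseng` is the appliance login used in the pscp session.

```shell
#!/bin/sh
# Added example: OpenSSH equivalent of the PuTTY tunnel + pscp steps above.
# Every value below is a placeholder/assumption; override via environment.
PROXY_HOST=${PROXY_HOST:-f4-ssh.iphmx.com}          # f5-ssh.iphmx.com or your EU proxy
PROXY_USER=${PROXY_USER:-dh-user}                   # auto-login user from the PuTTY guide
KEY=${KEY:-$HOME/.ssh/my_key}                       # the private key you submitted
LOCAL_PORT=${LOCAL_PORT:-2200}                      # source port of the tunnel
ESA_HOST=${ESA_HOST:-esa1.hcXXX.c3s2.iphmx.com}     # placeholder for your masked ESA name
ESA_USER=${ESA_USER:-partner_syseng}                # appliance CLI user

# tunnel_cmd: prints the ssh command that opens the local port forward.
#   -N                          no remote command (PuTTY "Don't start a shell")
#   -L 127.0.0.1:PORT:ESA:22    listen only on localhost, forward to the ESA's SSH port
#   -o ExitOnForwardFailure=yes fail instead of sitting there if the forward is refused
#   -o IdentitiesOnly=yes       offer only the submitted key, not every key in the agent
tunnel_cmd() {
    printf 'ssh -N -i %s -o IdentitiesOnly=yes -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:22 %s@%s\n' \
        "$KEY" "$LOCAL_PORT" "$ESA_HOST" "$PROXY_USER" "$PROXY_HOST"
}

# scp_cmd get|put LOCAL REMOTE: prints the scp command through the tunnel,
# the equivalent of "pscp -P 2200 ..." in the session above.
scp_cmd() {
    case $1 in
        get) printf 'scp -P %s %s@127.0.0.1:%s %s\n' "$LOCAL_PORT" "$ESA_USER" "$3" "$2" ;;
        put) printf 'scp -P %s %s %s@127.0.0.1:%s\n' "$LOCAL_PORT" "$2" "$ESA_USER" "$3" ;;
        *)   echo "usage: scp_cmd get|put LOCAL REMOTE" >&2; return 2 ;;
    esac
}

# tunnel_up: true when something listens on the forward port (ss or nc, whichever exists).
tunnel_up() {
    ss -ltn 2>/dev/null | grep -q "127.0.0.1:$LOCAL_PORT " \
        || nc -z 127.0.0.1 "$LOCAL_PORT" 2>/dev/null
}

# "run" mode: open the tunnel, pull both exports, close the tunnel again.
if [ "${1:-}" = "run" ]; then
    eval "$(tunnel_cmd)" &
    TUNNEL_PID=$!
    sleep 2
    tunnel_up || { echo "tunnel did not come up" >&2; kill "$TUNNEL_PID"; exit 1; }
    eval "$(scp_cmd get ./smtp_routes_export configuration/smtp_routes_export)"
    eval "$(scp_cmd get ./RAT_export configuration/RAT_export)"
    # after editing: eval "$(scp_cmd put ./smtp_routes_import.txt configuration/smtp_routes_import)"
    kill "$TUNNEL_PID"
fi
```

Binding the forward to 127.0.0.1 explicitly (rather than the default `-L 2200:...`, which also binds localhost but is easy to widen by accident with `-g`) keeps the tunnel into your hosted appliance from being reachable by anyone else on the workstation's network, and `IdentitiesOnly=yes` avoids the proxy rejecting you after too many unrelated agent keys have been offered.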
