A great part of working on the DevNet Sandbox team is the exposure to new Cisco technologies and integrations. Up until recently I had always worked with collaboration stuff. Call manager, Presence, Jabber, Contact Center etc. It’s always good to get out of your comfort zone though and that’s what I decided to do next.
A few months ago, I worked with Gregg Berson, an engineer from the security business unit, on a Firepower Cisco Live US workshop. Gregg’s goal was to show how to integrate Cisco Firepower Management Center (FMC) with Splunk using the eStreamer API and eNcore client. I had never worked on anything like this before and immediately found it really interesting. Gregg’s CLUS workshop went down extremely well and after the event, it came to mind that this workshop could form the basis for an excellent new security sandbox. We set to work!
One of the most important parts of network security is visualizing threats in real time. Splunk is a software platform capable of analyzing and visualizing large amounts of data gathered from applications, sensors; etc. FMC is already equipped with excellent threat visualization dashboard. However, a lot of customers may have a Splunk instance already installed and would like to receive Firepower events on that platform. Firepower provides the eStreamer API to stream events to external sources. eStreamer is built into the FMC GUI and takes a few moments to setup. The encore client is also installed on the Splunk server to receive and interpret these events.
This free sandbox can be found in our portal. Just log in (or register) with Cisco DevNet and reserve the environment for a few days. You can extend if you wish. The lab will take a few minutes to spin up. After that, you’re all set!
The sandbox consists of an FMC server, FTD (firepower threat defense), and Splunk server. Once reserved and active, users have complete admin access to the environment. We have also created a command on the reservation page to generate 10,000 events on the FTD sensor. These are then picked up by the FMC. The FMC eStreamer API sends the events securely to the splunk server, where they can be visualized and mined as necessary. The beauty of the sandbox is that all of the integration is built out during setup, and the lab is ready to go when active. VPN access credentials are provided through the portal. The screenshot below provides an overview of the sandbox environment.
This is what the DevNet Sandbox is all about. Providing access to real world security environments where one can see first-hand how these integrations work. This sandbox is an excellent resource for anyone who wants to learn more about FMC and Splunk. We have also provided a lab guide and quick start instructions. Also, if you are a completely new to FMC or Splunk, check out the DevNet learning lab here.
Working with the security team really opened my eyes as to how interesting and complex this area is. The DevNet sandbox makes it easy to play and experiment with the latest Cisco Security tech. That’s why we build this stuff and why we will continue to do so.