This native-API-based cloud connector uses the Forescout eyeSight modules to connect and provide visibility across your extended enterprise without disrupting critical business processes. The connector ingests asset data from devices (such as IT, OT/ICS, IoT, and IoMT devices), which enables more comprehensive, powerful, flexible, and effective threat detection.
Note the following information about the Forescout connector for Cisco Vulnerability Management:
- Supports on-premises and cloud deployment models
- Ingests the asset data that Forescout supports
- Due to the limitations of Forescout, Cisco Vulnerability Management cannot import vulnerability and fix information
Reference links:
- Getting Started with Cisco Vulnerability Management
- Cisco Vulnerability Management User Training Videos
- Forescout Threat Detection and Response
- Asset Information, Data Mapping and Locator Order
- Troubleshooting Known Issues
- Forescout Marketplace
For help with using or adding this connector, contact Technical support.
Cisco Vulnerability Management and Forescout
Use the Forescout eyeExtend application to build, consume, and integrate the Forescout platform with Cisco Vulnerability Management. Extensions for Forescout are stored in GitHub. To set up this connector, you require the use of the following applications:
- Cisco Vulnerability Management: Uses the data delivery and transformation component to connect with the Forescout Platform.
- Forescout eyeSight: Finds IP-connected devices, classifies them, and finds new devices that connect to your network.
- Forescout eyeExtend: Uses the Connect Plugin to connect and then run Python scripts. For more information about Forescout public documents, see eyeExtend-Connect.
- Forescout Connect Plugin: Uses a socket connection to run Python scripts that are stored in GCS Secret Manager.
- Forescout Webhook: Is a Flask REST application that receives asset data from Forescout. It runs in the Google Cloud Run environment for all connector-pipeline projects. It takes incoming asset data from Forescout, validates the requests, and places the data into a bucket. You require a URL, Token, and UID the first time you use it.
To Add the Forescout Connector to Cisco Vulnerability Management
Important! Set up all other connectors you require first, and then set up this connector. Although you can set up this connector yourself, you require a Cisco Vulnerability Management Administrator to create a URL and UID and send them to you using the Cisco Doc Exchange. Ensure you access this site and agree to the Terms and Conditions.
1. To add Forescout Connector, go to your Cisco Home page, and click Connectors.
2. On the Connectors page, click Add Connector.
3. Scroll down to the Vulnerability Management section, and click FORESCOUT.
4. On the Connectors - FORESCOUT dialog box, enter the following information:
- In the Name field, keep Forescout, or choose a custom name.
- In the API Key field provide a self-generated key that complies with the following requirements:
- Length is between 16 and 128 characters
- Has at least 1 letter
- Has at least 1 special character
- Has at least 1 digit
Important: Save the key securely as it will be used again during the Forescout Cisco Vulnerability Management app configuration.
For Linux and MacOS users
You can use the following instructions to generate an API key:
- Open a terminal.
- Run "openssl rand -base64 32".
For Windows users
Use a password generator tool of your choice.
Important: Update the token at least once every three months. If the token is not updated in 3 months, connector runs will fail.
- In the Schedule section, choose the frequency, such as Daily. By default, the Cisco Vulnerability Management Forescout application exports updates daily at 12 AM. The extraction takes some time, so schedule the Daily run at 5 AM (recommended time) for the connector.
- In the Activity Inactivity Limit (days) field, choose the number of days (use your standard).
5. To save and add the connector to your Cisco Vulnerability Management instance, click Save and Verify.
Important: You require a URL and UID that are generated after the first connector run. To get them, contact Cisco Technical support who will send the Secret information to you using Cisco Doc Exchange.
Note: The file is deleted within 24 hours.
6. To download the required ForeScout-ciscovm.eca file, go to https://github.com/Forescout/eyeExtend-Connect/blob/master/ciscovm/ForeScout-ciscovm-1.0.0.eca, and then on the Forescout / eyeExtend-Connect page, click Code, and then click the download button.
7. To open the required ForeScout-ciscovm.eca file, click Open file, and then save it where you can find it quickly, such as your desktop.
Use the Forescout Console to Import the Cisco Vulnerability Management eyeExtend Application
1. Use your credentials to log in to the Forescout Console.
2. To import the first Cisco Vulnerability Management eyeExtend application, click Configurations > Connect, click the App tab, and click Import.
Important: If required, to update the application, click Update. If there are any update problems, delete the Cisco Vulnerability Management and its related policy, and then import it again.
3. On the Import File.zip dialog box, click ForeScout-ciscovm-1.0.0.eca, and then click Import.
4. The Forescout portal checks the application. Click Close to continue.
5. Type your Cisco Vulnerability Management credentials, and then to configure the Cisco VM eyeExtend application, on the System Description dialog box, click Add.
6. On the Connect Configuration – Step 1 dialog box, type the URL, UID and AUTH token.
- Cisco Technical support provides the URL and UID.
- In the AUTH token field, enter the API key that you generated in step 4.
7. On the Connect Configuration – Step 2 of 3 dialog box, click Next.
8. On the Connect Configuration – Step 3 of 3 dialog box, if you have a Proxy Server, select it, and then click Finish > OK. If you do not have a Proxy Server, just click Finish > OK.
9. To finalize the Cisco VM App and configuration, click Apply > Close.
Note: The information is saved. On the Forescout Console Application dialog box, click OK.
Test the Cisco Vulnerability Management - Forescout Webhook App
Note: Ensure you test the call to the Forescout Webhook application to confirm it works.
1. To test the Forescout Webhook, in the System Description dialog box, double-click the forescout-webhook… URL, select the configuration, and then click Test.
Note: If all goes well with configuration, the app returns the Test succeeded message.
Important: If the test returns as Failed, ensure you check and update the configuration settings, and then repeat steps 6-9 in the Use the Forescout Console to Import the Cisco VM eyeExtend Application task above.
Note: Always click Apply to confirm any configuration change.
Apply the Cisco VM eyeExtend App Policy
Note: The application includes a default policy template that you can easily apply to a device.
1. To apply the default policy, on the FORESCOUT main menu page, click the Policy tab, and click Add.
2. On the Policy Wizard – Step 1 dialog box, select Cisco VM > Cisco VM Export, and click Next.
3. On the Policy – Wizard – Step 2 of 5 dialog box, leave the default name, and click Next.
4. On the Policy – Wizard – Step 3 of 5 dialog box, choose the devices you want to export.
Note: You can export all devices or just one specific segment. For example, to export a segment, click Segments. On the IP Address Range dialog box, click OK.
5. If you want to export multiple segments, but not all of them, click Cancel and then, click Segments. On the Segments selection dialog box, choose the segments to export, and then click OK.
6. On the Policy – Wizard – Step 4 of 5 dialog box, leave the Main Rule, and click Next.
7. On the Policy – Wizard – Step 5 of 5 dialog box, the Sub-Rules are also predefined, so click Finish.
8. At the bottom of the FORESCOUT home page, click Apply.
9. On the FORESCOUT Console Appliance dialog box, click Yes to save the new policy configurations.
10. To view the results of policy work, on the FORESCOUT home page, click Policies > Cisco VM Export.
Note: To view successful data results, on the Cisco Vulnerability Management dashboard, click Vulnerability Management > Explore.
API Key Update
The API key must be updated at least once every three months.
- Generate a new API key.
For Linux and MacOS users
- Open a terminal.
- Run "openssl rand -base64 32".
For Windows users
Use a password generator tool of your choice.
- In the Forescout Connector, paste the new API Key value in the API Key field.
- Click Save and Verify.
- In the Forescout eyeExtend Cisco Vulnerability Management application, enter the new API Key in the AUTH token and Validate PasswordAUTH token fields.
- Click Finish.
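As an added example that is not part of the Cisco or Forescout documentation, the following Python mirrors the "openssl rand -base64 32" recipe used in both the initial setup and the rotation procedure above and checks a candidate key against the stated requirements (16 to 128 characters, at least one letter, one digit, and one special character). The function names are assumptions; the point it adds is that base64 output of 32 random bytes always satisfies the length and special-character rules but contains a digit only with high probability, so a generated key should be re-checked rather than assumed to comply.

```python
import base64
import re
import secrets

# Added example, not part of the Cisco or Forescout documentation.
# Connector API key policy as stated in the setup procedure:
MIN_LEN, MAX_LEN = 16, 128
_LETTER = re.compile(r"[A-Za-z]")
_DIGIT = re.compile(r"[0-9]")
_SPECIAL = re.compile(r"[^A-Za-z0-9]")


def api_key_violations(key: str) -> list[str]:
    """Return the policy rules the key breaks (an empty list means acceptable)."""
    problems = []
    if not MIN_LEN <= len(key) <= MAX_LEN:
        problems.append(f"length {len(key)} not in {MIN_LEN}..{MAX_LEN}")
    if not _LETTER.search(key):
        problems.append("no letter")
    if not _DIGIT.search(key):
        problems.append("no digit")
    if not _SPECIAL.search(key):
        problems.append("no special character")
    return problems


def generate_api_key(num_bytes: int = 32) -> str:
    """Equivalent of `openssl rand -base64 32`, retried until the policy holds.

    Base64 of 32 random bytes is 44 characters and always ends in '=', so the
    length and special-character rules are satisfied; a digit is only very
    likely, so the candidate is re-checked instead of assumed to comply.
    """
    while True:
        key = base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")
        if not api_key_violations(key):
            return key


if __name__ == "__main__":
    # Two constructed non-compliant keys followed by a freshly generated one.
    for candidate in ("tooshort1!", "NoDigitsHere!!!!!!", generate_api_key()):
        print(repr(candidate), api_key_violations(candidate) or "OK")
```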
About the Cisco Vulnerability Management policy
The policy template applies the following actions to control the export process:
- Export: Starts the re-check process.
- Reset: Cleans up the previous endpoint state, so it can be exported in the next re-check.
Note: The following export states exist: Pending, Failed, Exported, and Unchanged.
Export flow
By default, the policy exports data only for new endpoints or endpoints that were changed from the last export. The recheck for the changed endpoints happens daily at 12 AM (Forescout Coordinated Universal Time).
- If the export for an endpoint fails, the application retries an export in 10 minutes. If the export fails again, the application then attempts the re-export every 2 hours.
- If an endpoint has no changes to the exported properties, it is re-exported after one (1) month.
Endpoints that have an Exported or Unchanged state also have a daily recheck schedule. They are not moved to the Pending state before the recheck to avoid a redundant Reset execution.
Asset Information
This connector imports general information about devices into Cisco Vulnerability Management; it does not import vulnerability data.
Data Mapping
This connector and Cisco Vulnerability Management have the following data mapping:
| Forescout Field and Example | Forescout Internal Name | Cisco Vulnerability Management Field and Example | Required |
|---|---|---|---|
| MAC Address | mac | MAC Address | At least one |
| DHCP Hostname | dhcp_hostname | Hostname | At least one |
| IPv4 Address | ip | IP Address | At least one |
| NetBIOS Host name (Example: SABM\TEST01) | nbthost | NetBIOS | At least one |
| DNS Name | hostname | FQDN | At least one |
| Operating System | os_classification | "FS OS" tag | No |
| Segment path | segment_path | "FS Segment path" tag | No |
| Vendor and Model | vendor_classification | "FS Vendor and Model" tag | No |
| Function | prim_classification | "FS Function" tag | No |
Locator Order
The Forescout locator uses the Cisco Vulnerability Management default locator order. For more information about locator order, see Understanding Locator Order.
Troubleshooting Known Issues
The information provided in this section might help you solve the following issues:
- Change the Exported and Unchanged Sub-Policies Schedule
- Update the Pending Sub-Policy Schedule
- Export Pending Assets Manually that are Stalled in Forescout
For more information and help with these issues, contact Cisco Technical support.
Change the Exported Sub-Policies Schedule
1. In the Cisco VM Export list, right-click Exported, and then click Quick Edit > Actions.
2. On the Policy: ‘Cisco VM Export’… dialog box, click Add.
3. In the Search field, type Cisco VM, click Cisco VM Export, and then choose Customize action start time.
4. On the Action Scheduler dialog box, click Wait for, and then change the value to 6 Hours. In the Recurrence pattern section, select Every, change the values to 6 Hours, and then click OK.
5. Click OK.
6. When prompted, to confirm the policy change every time, click Yes.
Change the Unchanged Sub-Policies Schedule
1. In the Cisco VM Export list, right-click Unchanged, and then choose Quick Edit > Actions.
2. On the Policy: ‘Cisco VM Export’… dialog box, click Add.
3. In the Search field, type Cisco VM, click Cisco VM Export, and then choose Customize action start time.
4. On the Action Scheduler dialog box, click Wait for, and then change the value to 6 Hours. In the Recurrence pattern section, select Every, change the values to 6 Hours, and then click OK.
5. Click OK.
6. When prompted, to confirm the policy change every time, click Yes.
Update the Pending Sub-Policy Schedule
1. In the Cisco VM Export list, right-click Pending, and then click Quick Edit > Actions.
2. On the Policy: ‘Cisco VM Export’… dialog box, click Add.
3. In the Search field, type Cisco VM, click Cisco VM Export, and then click Customize action start time.
4. In the Recurrence pattern section, choose Every, change the values to 6 Hours, and click OK.
5. Click OK.
6. When prompted, to confirm the policy change every time, click Yes.
Export Pending Assets Manually that are Stalled in Forescout
Important: If the export fails and is stalled in Forescout, it might be a first-run issue caused by a large number of new assets to export. In that case, export them manually instead.
- On the FORESCOUT Home page, choose Pending > Cisco VM Export > Pending bucket. To select all assets, for PCs running Windows, press CTRL + A, or for Macs, press Control + A, right-click the selected assets, and then choose Cisco VM > Cisco VM Export.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 1992-2024 Cisco Systems, Inc. All rights reserved.