The Forescout Connector

This native-API-based cloud connector uses the Forescout eyeSight modules to connect and provide visibility across your extended enterprise without disrupting critical business processes. The connector ingests asset data from devices (such as IT, OT/ICS, IoT, and IoMT), which ensures more comprehensive, powerful, flexible, and effective threat detection.

Note the following information about the Forescout connector for Cisco Vulnerability Management: 

  • Supports on-premises and cloud deployment models
  • Ingests the asset data that Forescout supports
  • Due to the limitations of Forescout, Cisco Vulnerability Management cannot import vulnerability and fix information 

Reference links:

For help with using or adding this connector, contact Technical support.

Cisco Vulnerability Management and Forescout

Use the Forescout eyeExtend application to build, consume, and integrate the Forescout platform with Cisco Vulnerability Management. Extensions for Forescout are stored in GitHub. To set up this connector, you require the use of the following applications:

  • Cisco Vulnerability Management: Uses the data delivery and transformation component to connect with the Forescout Platform.
  • Forescout eyeSight: Finds IP-connected devices, classifies them, and finds new devices that connect to your network.
  • Forescout eyeExtend: Uses the Connect Plugin to connect and then run Python scripts. For more information about Forescout public documents, see eyeExtend-Connect.
  • Forescout Connect Plugin: Uses a socket connection to run Python scripts that are stored in GCS Secret Manager.
  • Forescout Webhook: A Flask REST application that receives asset data from Forescout. It runs in the Google Cloud Run environment for all connector-pipeline projects. It takes incoming asset data from Forescout, validates the requests, and places the data into a bucket. You require a URL, Token, and UID the first time you use it.

To Add the Forescout Connector to Cisco Vulnerability Management

Important! Set up all other connectors you require first, and then set up this connector. Although you can set up this connector, you require a Cisco Vulnerability Management Administrator to create a URL and UID, and send them to you using the Cisco Doc Exchange. Ensure you access this site and agree to the Terms and Conditions.

1. To add Forescout Connector, go to your Cisco Home page, and click Connectors.

2. On the Connectors page, click Add Connector.

3. Scroll down to the Vulnerability Management section, and click FORESCOUT.

4. On the Connectors - FORESCOUT dialog box, enter the following information:

  • In the Name field, keep Forescout, or choose a custom name.
  • In the API Key field provide a self-generated key that complies with the following requirements:
    1. Length is between 16 and 128 characters
    2. Has at least 1 letter
    3. Has at least 1 special character
    4. Has at least 1 digit

    Important: Save the key securely as it will be used again during the Forescout Cisco Vulnerability Management app configuration.
    You can use the following instructions to generate an API key:

    For Linux and MacOS users
    1. Open terminal.
    2. Run "openssl rand -base64 32".

    For Windows users
    Use a password generator tool of your choice.
    Important: Update the token at least once every three months. If the token is not updated in 3 months, connector runs will fail.

  • In the Schedule section, choose the frequency, such as Daily. By default, the Cisco Vulnerability Management Forescout application exports updates daily at 12 AM. The extraction takes some time, so schedule the Daily run at 5 AM (recommended time) for the connector.
  • In the Activity Inactivity Limit (days) field, choose the number of days (use your standard).

5. To save and add the connector to your Cisco Vulnerability Management instance, click Save and Verify.


Important: You require a URL and UID that are generated after the first connector run. To get them, contact Cisco Technical support who will send the Secret information to you using Cisco Doc Exchange.

Note: The file is deleted within 24 hours.

6. To download the required ForeScout-ciscovm.eca file, go to https://github.com/Forescout/eyeExtend-Connect/blob/master/ciscovm/ForeScout-ciscovm-1.0.0.eca, and then on the Forescout / eyeExtend-Connect page, click Code, and then click the download button.

7. To open the required ForeScout-ciscovm.eca file, click Open file, and then save it where you can find it quickly, such as your desktop.

Use the Forescout Console to Import the Cisco Vulnerability Management eyeExtend Application

1. Use your credentials to log in to the Forescout Console.

2. To import the first Cisco Vulnerability Management eyeExtend application, click Configurations > Connect, click the App tab, and click Import.

Important: If required, to update the application, click Update. If there are any update problems, delete the Cisco Vulnerability Management application and its related policy, and then import it again.

3. On the Import File.zip dialog box, click ForeScout-ciscovm-1.0.0.eca, and then click Import.

4. The Forescout portal checks the application. Click Close to continue.

5. Type your Cisco Vulnerability Management credentials, and then to configure the Cisco VM eyeExtend application, on the System Description dialog box, click Add.

6. On the Connect Configuration – Step 1 dialog box, type the URL, UID and AUTH token.

  • Cisco Technical support provides the URL and UID.
  • In the AUTH token field, enter the API key that you generated in step 4.

7. On the Connect Configuration – Step 2 of 3 dialog box, click Next.

8. On the Connect Configuration – Step 3 of 3 dialog box, if you have a Proxy Server, select it, and then click Finish > OK. If you do not have a Proxy Server, just click Finish > OK.

9. To finalize the Cisco VM App and configuration, click Apply > Close.

Note: The information is saved. On the Forescout Console Application dialog box, click OK.

Test the Cisco Vulnerability Management - Forescout Webhook App

Note: Ensure you test the call to the Forescout Webhook application to confirm it works.

1. To test the Forescout Webhook, in the System Description dialog box, double-click the forescout-webhook… URL, select the configuration, and then click Test.

Note: If all goes well with configuration, the app returns the Test succeeded message.

Important: If the test returns as Failed, ensure you check and update the configuration settings, and then repeat steps 6-9 in the Use the Forescout Console to Import the Cisco VM eyeExtend Application task above.

Note: Always click Apply to confirm any configuration change.

Apply the Cisco VM eyeExtend App Policy

Note: The application includes a default policy template that you can easily apply to a device.

1. To apply the default policy, on the FORESCOUT main menu page, click the Policy tab, and click Add.

2. On the Policy Wizard – Step 1 dialog box, select Cisco VM > Cisco VM Export, and click Next.

3. On the Policy – Wizard – Step 2 of 5 dialog box, leave the default name, and click Next.

4. On the Policy – Wizard – Step 3 of 5 dialog box, choose the devices you want to export.

Note: You can export all devices or just one specific segment. For example, to export a segment, click Segments. On the IP Address Range dialog box, click OK.

5. If you want to export multiple segments, but not all of them, click Cancel, and then click Segments. On the Segments selection dialog box, choose the segments to export, and then click OK.

6. On the Policy – Wizard – Step 4 of 5 dialog box, leave the Main Rule, and click Next.

7. On the Policy – Wizard – Step 5 of 5 dialog box, the Sub-Rules are also predefined, so click Finish.

8. At the bottom of the FORESCOUT home page, click Apply.

9. On the FORESCOUT Console Appliance dialog box, click Yes to save the new policy configurations.

10. To view the results of policy work, on the FORESCOUT home page, click Policies > Cisco VM Export.

Note: To view successful data results, on the Cisco Vulnerability Management dashboard, click Vulnerability Management > Explore.

API Key Update

The API key must be updated at least once every three months.

  1. Generate a new API key.
    For Linux and MacOS users
    1. Open terminal.
    2. Run "openssl rand -base64 32".
    For Windows users
    Use a password generator tool of your choice.
  2. In the Forescout Connector, paste the new API Key value in the API Key field.
  3. Click Save and Verify.
  4. In the Forescout eyeExtend Cisco Vulnerability Management application, enter the new API Key in the AUTH token and Validate PasswordAUTH token fields.
  5. Click Finish.
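
The following check applies to the key generated for the API Key field in step 4 of the connector setup and to each rotation described in this section. It is an added example, not part of the Cisco or Forescout documentation; the function names check_api_key and generate_api_key are hypothetical, and treating any non-alphanumeric character as a "special character" is an assumption, because the page does not define the term.

```shell
#!/bin/sh
# Added example (not Cisco or Forescout code): generate an API key with the
# documented openssl command and confirm it meets the four stated requirements.

# check_api_key KEY
# Returns 0 when KEY satisfies every requirement; otherwise prints the first
# failed requirement to stderr and returns 1.
check_api_key() {
    key=$1
    len=${#key}
    if [ "$len" -lt 16 ] || [ "$len" -gt 128 ]; then
        echo "rejected: length $len is outside 16-128" >&2
        return 1
    fi
    case $key in
        *[A-Za-z]*) ;;
        *) echo "rejected: no letter" >&2; return 1 ;;
    esac
    case $key in
        *[0-9]*) ;;
        *) echo "rejected: no digit" >&2; return 1 ;;
    esac
    # Assumption: "special character" means any character that is not a
    # letter or digit. Base64 output can contain "+", "/" and "=".
    case $key in
        *[!A-Za-z0-9]*) ;;
        *) echo "rejected: no special character" >&2; return 1 ;;
    esac
    return 0
}

# generate_api_key
# Prints one key that passed check_api_key. A random draw can, rarely, lack a
# digit, so retry a few times instead of trusting the first output.
generate_api_key() {
    attempts=0
    while [ "$attempts" -lt 10 ]; do
        candidate=$(openssl rand -base64 32) || return 1
        if check_api_key "$candidate" 2>/dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
        attempts=$((attempts + 1))
    done
    echo "no compliant key after 10 attempts" >&2
    return 1
}
```

Source the file and run generate_api_key. Store the output in a password manager, because the same value is entered again as the AUTH token in the Forescout eyeExtend application.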

About the Cisco Vulnerability Management policy

The policy template applies the following actions to control the export process:

  • Export: Starts the re-check process.
  • Reset: Cleans up the previous endpoint state, so it can be exported in the next re-check.

Note: The following export states exist: Pending, Failed, Exported, and Unchanged.

Export flow

By default, the policy exports data only for new endpoints or endpoints that were changed since the last export. The recheck for the changed endpoints happens daily at 12 AM (Forescout Coordinated Universal Time).

  • If the export for an endpoint fails, the application retries an export in 10 minutes. If the export fails again, the application then attempts the re-export every 2 hours.
  • If an endpoint has no changes to its exported properties, it is re-exported after one (1) month.

Endpoints that have an Exported or Unchanged state also have a daily recheck schedule. They are not moved to the Pending state before the recheck to avoid a redundant Reset execution.

Asset Information

This connector imports general information about devices that have no vulnerability into Cisco Vulnerability Management.

Data Mapping

This connector and Cisco Vulnerability Management have the following data mapping:

| Forescout Field and Example | Forescout Internal Name | Cisco Vulnerability Management Field and Example | Required |
|---|---|---|---|
| MAC Address. Example: 023876fbd383 | mac | MAC Address. Example: 02:38:76:FB:D3:83 | At least one |
| DHCP Hostname. Example: ip-10-0-0-10 | dhcp_hostname | Hostname. Example: ip-10-0-0-10 | At least one |
| IPv4 Address. Example: 10.0.0.10 | ip | IP Address. Example: 10.0.0.10 | At least one |
| NetBIOS Host name. Example: SABM\TEST01 | nbthost | NetBIOS. Example: SABM\TEST01 | At least one |
| DNS Name. Example: example.com | hostname | FQDN. Example: example.com | At least one |
| Operating System. Examples: Apple/Apple Desktop OS/Apple macOS/Apple macOS 10/Apple macOS 10.12; Windows/Windows XP/Windows XP Professional/Windows XP Professional SP3; Linux/Fedora | os_classification | "FS OS" tag. Examples: FS OS: Apple/Apple Desktop OS/Apple macOS/Apple macOS 10/Apple macOS 10.12; FS OS: Windows/Windows XP/Windows XP Professional/Windows XP Professional SP3; FS OS: Linux/Fedora | No |
| Segment path. Example: ciscolab | segment_path | "FS Segment path" tag. Example: FS Segment path:ciscolab | No |
| Vendor and Model. Example: ForeScout/ForeScout CounterACT/ForeScout CounterACT Appliance | vendor_classification | "FS Vendor and Model" tag. Example: FS Vendor and Model: ForeScout/ForeScout CounterACT/ForeScout CounterACT Appliance | No |
| Function. Example: Information Technology/Networking/Network Access Control | prim_classification | "FS Function" tag. Example: FS Function: Information Technology/Networking/Network Access Control | No |

Locator Order

The Forescout locator uses the Cisco Vulnerability Management default locator order. For more information about locator order, see Understanding Locator Order.

Troubleshooting Known Issues

The information provided in this section might help you solve problems with the following issues:

For more information and help with these issues, contact Cisco Technical support.

Change the Exported Sub-Policies Schedule

1. In the Cisco VM Export list, right-click Exported, and then click Quick Edit > Actions.

2. On the Policy: ‘Cisco VM Export’… dialog box, click Add.

3. In the Search field, type Cisco VM, click Cisco VM Export, and then choose Customize action start time.

4. On the Action Scheduler dialog box, click Wait for, and then change the value to 6 Hours. In the Recurrence pattern section, select Every, change the values to 6 Hours, and then click OK.

5. Click OK.

6. When prompted, to confirm the policy change every time, click Yes.

 

Change the Unchanged Sub-Policies Schedule

1. In the Cisco VM Export list, right-click Unchanged, and then choose Quick Edit > Actions.

2. On the Policy: ‘Cisco VM Export’… dialog box, click Add.

3. In the Search field, type Cisco VM, click Cisco VM Export, and then choose Customize action start time.

4. On the Action Scheduler dialog box, click Wait for, and then change the value to 6 Hours. In the Recurrence pattern section, select Every, change the values to 6 Hours, and then click OK.

5. Click OK.

6. When prompted, to confirm the policy change every time, click Yes.

Update the Pending Sub-Policy Schedule

1. In the Cisco VM Export list, right-click Pending, and then click Quick Edit > Actions.

2. On the Policy: ‘Cisco VM Export’… dialog box, click Add.

3. In the Search field, type Cisco VM, click Cisco VM Export, and then click Customize action start time.

4. In the Recurrence pattern section, choose Every, change the values to 6 Hours, and click OK.

5. Click OK.

6. When prompted, to confirm the policy change every time, click Yes.

 

Export Pending Assets Manually that are Stalled in Forescout

Important: If the export fails and is stalled in Forescout, it might be a first-run issue, because there might be a large number of new assets to export. Ensure you do a manual export for them instead.

  • On the FORESCOUT Home page, choose Pending > Cisco VM Export > Pending bucket. To select all assets, press CTRL + A (PCs running Windows) or Control + A (Macs). Right-click the selected assets, and then choose Cisco VM > Cisco VM Export.

 

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 1992-2024 Cisco Systems, Inc. All rights reserved.
