
Guide
Cisco public

Cisco Security Analytics and Logging

© 2021 Cisco and/or its affiliates. All rights reserved.

Contents

1. Introduction
2. Security Analytics and Logging Licensing Structure (a la Carte) in CCW
3. Ordering Cisco Security Analytics and Logging
4. Cisco Services
5. Cisco Capital Financing
6. Expected Retention Period

1. Introduction

1.1 Purpose, Audience, and Scope

Purpose: This document describes the offer structure, required components, and the procedure to order Cisco Security Analytics and Logging (SAL). The SAL offer has two distinct delivery mechanisms, as shown below:
- A cloud-delivered, Software-as-a-Service (SaaS) offering with a cloud-native data store, referred to as SAL (SaaS)
- An on-premises appliance-based software application with an on-premises data store, referred to as SAL (On prem)

Audience: Cisco sales teams, Cisco Security Specialized Partners, and Cisco customers.

Scope: This ordering guide covers the following:
- Cisco Security Analytics and Logging Overview
- Cisco Security Analytics and Logging Licensing Structure
- Ordering Security Analytics and Logging via Cisco Commerce Workspace (CCW)
- Security Analytics and Logging Software Support

1.2 Cisco Security Analytics and Logging Overview

Cisco Security Analytics and Logging provides scalable central log management for streamlining information technology operations, forensics, and threat investigation, as well as detecting advanced threats by identifying suspicious patterns of traffic within customers’ network environments, using metadata generated from traffic traversing the network. The supported sources of traffic include event logs from Cisco’s Firewalls, which can be combined with flow logs from internal network elements and public cloud infrastructure for enhanced end-to-end visibility. This functionality therefore provides aggregated analysis by correlating logs generated at the perimeter, private network, and public cloud infrastructures. Other contextual information supplements these suspicious patterns to improve the overall threat posture, and establish specific threat levels associated with observed activities and/or traffic flows. This process is described as “behavioral threat detections.”

Behavioral threat detection algorithms use traffic metadata, rather than actual packet contents, to alert users to indicators of compromise. SAL detects anomalous behaviors symptomatic of threats that have bypassed perimeter and signature-based defenses. Typical examples include, but are not restricted to, unknown (zero-day) malware, insider threats resulting from stolen credentials or bad actors, or any traffic patterns that do not conform to the normal behavior of entities. In this manner, threats that have breached perimeter defenses using an encrypted payload can also be exposed.

SAL (SaaS) is a mature full-feature offering providing cloud-based and cloud-delivered log management for Next-Generation Firewalls (NGFWs) running Cisco Firepower Threat Defense (FTD) software, as well as devices running the Adaptive Security Appliance (ASA) software, independent of their management platform. SAL (SaaS) enables event viewing via APIs in Cisco Defense Orchestrator (CDO) for firewall event logs, including logs emitted by devices not managed by CDO. Refer to the Getting Started Guide for more details. Higher-level SAL (SaaS) licenses enable advanced security analytics for detecting suspicious or malicious traffic patterns from firewall logs, with the option to aggregate them with internal network and/or public cloud logs. Security alerts are visible in Cisco Secure Cloud Analytics (SCA), enabled through a cross-launch from CDO using Cisco’s Secure Sign-On (SSO). This advanced threat detection capability is only available in SAL (SaaS) today through the cloud data store. Users of SAL (SaaS) get the right to use SCA and CDO for logging and analytics-related outcomes, respectively, without the need for separate licenses for these two cloud products.

SAL (On prem) provides scalable data storage in the customer’s own premises, and currently supports FTD event logs generated by Cisco’s NGFW and NGIPS devices. The solution is hosted on Cisco Secure Network Analytics (SNA) appliances, in either hardware or virtual editions. The appliances hosting SAL (Op) integrate with FMC via APIs in a manner in which FMC logging and analysis capabilities can leverage this external data store to greatly extend and exponentially enhance FMC’s own scale of operations. A configuration wizard in the FMC greatly simplifies the process to log to SAL (Op) or SAL (SaaS). Support for FTD-Data Plane and ASA syslog is scheduled for the fall of 2021, subsequent to which aggregation will also be possible in SAL (On prem).

1.2.1 Required components and setup to run Cisco Security Analytics and Logging (SaaS):

- Secure Event Connector: To capture Firewall Event Logs from on-premises or cloud deployments, a Secure Event Connector (SEC) is needed. The SEC is a containerized application that can be installed on an on-premises or cloud Secure Device Connector (SDC), or even be set up to run in standalone mode. It receives events from Firepower Threat Defense (FTD) devices and Adaptive Security Appliance (ASA) devices and forwards them to Cisco SAL in the cloud. Installation instructions can be found here. While SEC remains the most scalable route to send logs to SAL (SaaS), firewall devices running Cisco Firepower version 6.5 or later can send event logs directly to SAL Cloud, without the need for an SEC. This capability has been found to reliably support sustained peak rates of up to 8,500 events per second (eps) per firewall device. The Cisco Firewall Management Center (FMC) version 7.0 supports this direct-to-cloud route of devices under its management through its “Integrations” settings.
- Secure Cloud Analytics On-Premises Sensor: To capture Private Network Monitoring (PNM) telemetry from on-premises endpoints, a Secure Cloud Analytics virtual sensor is needed to collect network flow data from network elements and send them to Secure Cloud Analytics. The Virtual Appliance (VA) is available as an ISO file, which contains the necessary SCA packages as part of an Ubuntu Linux image. A separate email is sent to the customer after provisioning with instructions on how to get the sensor software. There is no additional charge for this sensor agent. This Secure Cloud Analytics reference guide covers additional options for installing and configuring the VA here.

Note: The SCA on-premises sensor is needed only for the highest license of the tier, Total Network Analytics and Detection (TA).

1.2.2 Required components and setup to run Cisco Security Analytics and Logging (On Premises):

- Secure Network Analytics (SNA) Appliances: The SAL (On prem) can be hosted on either of two deployment architectures:
  - Single-Node: A dedicated and repurposed SNA Manager SMC-2210-K9 that must not have any Flow Collectors associated with it, or the SAL application installation will fail. The hardware appliance can be purchased as detailed in the Stealthwatch Ordering Guide. Alternatively, SAL can run on a Virtual SNA Manager, accessible as a free download by navigating to Cisco Software Central and following the path: Security Network Visibility and Segmentation Stealthwatch Stealthwatch Management Console Virtual Appliance Stealthwatch System Software – 7.3.1 or later. The recommended specifications of the virtual machine to meet scale specifications of SAL (On prem) are found here.
  - Multinode: An SNA Manager SMC-2210-K9, SNA Flow Collector FC-4210-K9, and SNA Data Store DS-6200-K9, which can be purchased as detailed in the Stealthwatch Ordering Guide. Alternatively, SAL can run on virtual appliances, accessible as a free download by navigating to Cisco Software Central and following the path: Security Network Visibility and Segmentation Stealthwatch Stealthwatch XXX Virtual Appliance Stealthwatch System Software – 7.3.2 or later. The recommended specifications of the virtual machine hosting the appliances to meet scale specifications can be found in the documentation here.
- Security Analytics and Logging (On prem) Application: An SAL (On prem) application needs to be installed on the SNA management console and is available as a free download from Cisco Software Central by following the path: Security Network Visibility and Segmentation Stealthwatch Stealthwatch Management Console Virtual Appliance App Security Analytics and Logging On Prem.

1.2.3 Security Analytics and Logging Licenses:

Separate Cisco Security Analytics and Logging Licenses are available for both SAL (SaaS) and SAL (On prem). The licenses are usage based, metered on the daily uncompressed volume of data (GB/day) made available to SAL for storage and analysis, either in the cloud or on-premises. SAL (SaaS) licenses are provisioned to a CDO and SCA tenant for which logging and analytics are needed, while SAL (On prem) licenses are tracked against entitlement in the customer’s Cisco Smart Account. SAL (SaaS) licenses provide the right to use CDO for log viewing and SCA for log analysis without the need to subscribe to these products separately, while SAL (On prem) licenses provide the right to use SNA without the need for any other software licenses. The SAL licenses are themselves available in three classes or tiers, and follow a nested structure detailed in Section 2.

1.3 Estimating Daily Volume (GB/day) Required

A daily volume estimator has been designed to help customers estimate the daily volume (GB/day) required for their Firewall logging needs. This tool estimates logging data volume for licensing both SAL (SaaS) and SAL (On prem), as well as bandwidth throughput requirements based on most common traffic mixes and network conditions for an average deployment. The tool takes events per second (eps), firewall models, throughput, or connections rate as an input, and outputs license volume. Actual logging volumes needed may vary materially from the tool’s output, based upon actual traffic composition, protocols used, and other deployment factors.

Note: The Firewall logging estimator is based on uncompressed logging volume in Gigabytes per day (GB/day) made available to SAL for storage and analysis. Since it is possible that the volume recommended by the estimator tool is materially different from actual volume owing to reasons stated above, the best way to estimate logging volume to be licensed is using the no-commitment 60-day free trial for SAL (SaaS), or run the 90-day evaluation for SAL (On prem).

2. Security Analytics and Logging Licensing Structure (a la Carte) in CCW

Figure 1. Example of a Cisco Security Analytics and Logging a la carte PID (Product Identifier) in Subscription Billing Platform on CCW

2.1 Security Analytics and Logging Licenses

The Cisco Security Analytics and Logging licenses are available in three tiers and follow a nested model in which a specific license contains all features of all lower-level licenses. Each license quantity entitles the user to send a volume of 1 GB/day for the term of the subscription, which could be 1-, 3-, or 5-year terms. SAL (SaaS) licenses come with 90 days of rolling cloud retention by default. For example, 10 GB/day volume comes with 900 GB of 90-day rolling storage, which means that on the 91st day, the 1st day’s logs are replaced by the 91st day’s logs, and so on for the full term of the subscription. Log retention period can optionally be extended to 1, 2, or 3 years for an additional charge. Data received above the daily volume does not result in data being throttled, but instead may produce an overage bill if the daily average is exceeded in aggregate over the period of a full calendar month. SAL (On prem) currently only offers the lowest tier license of Logging and Troubleshooting, with retention being a function of logging rate and storage allocated.

2.1.1 License Logging and Troubleshooting

The Logging and Troubleshooting License provides log storage and enables drill-down using advanced search and filter capabilities in an event viewer, and is available for both SAL (SaaS) and SAL (On prem) offerings. Cloud storage in SAL (SaaS) entitles the user to 90 days of rolling retention based on ingest rate, whereas on-premises log retention is a function of logging rate and storage space available on the appliances. The SaaS license presents its outcomes in CDO through the “Event Logging” tab nested under the “Monitoring” menu, whereas the on-premises license supports remote query by the FMC, and provides an aggregated viewer in the SNA Manager under the Dashboard tab. This and all subsequent SAL (SaaS) licenses leverage the Secure Event Connector (SEC) covered in section 1.2.1 for sending Firewall logs to the cloud, although devices running Firepower version 6.5 or later can send events directly to the cloud without the SEC. The a la carte Product Identifier (PID) of this license is SAL-CL-LT-1GB or SAL-OP-LT-1GB for Cloud and On prem, respectively, and the Cloud overage a la carte PID is SAL-CL-LT-OVRG. The equivalent Firewall bundle PIDs are SEC-LOG-CL and SEC-LOG-OP, and the equivalent Security Choice Enterprise Agreement (Choice EA) Cloud PID is E2SF-S-SAL-ESS.

2.1.2 License Logging Analytics and Detection

Currently available only with SAL (SaaS), this license provides Secure Cloud Analytics’ best-in-class behavioral threat detections, applied on firewall logs ingested as part of the license. This license presents its outcomes through the Security Analytics tab nested under the Monitoring tab of the CDO UI, by cross-launching the user into an instance of Secure Cloud Analytics, access to which is included at no extra charge with this license. Alternatively, users can log in directly to the SCA instance/tenant associated with their license. The expansion a la carte PID of this license is SAL-CL-LA-1GB, the Firewall Attach PID is SEC-ANYL-CL, and the associated a la carte Cloud overage PID is SAL-CL-LA-OVRG. The equivalent Choice EA PID license is E2SF-S-SAL-ADV.

2.1.3 License Total Network Analytics and Detection

Currently available only with SAL (SaaS) a la carte, this license applies Secure Cloud Analytics’ behavioral-based detections on both log data and Internal Network telemetry and presents its outcomes by cross-launching the user into an instance of Secure Cloud Analytics in a similar manner to the previous license. In addition, this license analyses network telemetry of up to 10 endpoints per 1 GB/day of log volume purchased. For example, a volume of 10GB/day includes a daily volume of 10GB of logs, plus 10GB/day X 10 = 100 endpoint support for Private Network Telemetry. The storage taken by the private network telemetry does not come out of the log storage purchased in GB/day volume but is priced into this license and does not contribute toward the daily volume, storage used, or overage calculation. The network telemetry data leverages the Secure Cloud Analytics Virtual Connector for sending private network telemetry to the cloud, in addition to the SEC used for Firewall log data. The expansion PID of this license is SAL-CL-TA-1GB, with volume discount built in for higher quantities, and the associated overage PID is SAL-CL-TA-OVRG. The equivalent Choice EA PID for this license is E2SF-S-SAL-PREM.

2.1.4 Overage for a la carte SAL (SaaS) License Only

The daily rate purchased for any SAL license does not throttle ingest when the limit is reached, but in the case of SAL (SaaS) only, the overage may trigger a monthly bill in arrears, spread across a subscription applied across multiple tenants. The overage measure is aggregated over the entire calendar month, to allow daily peaks to be averaged out. For example, a 10GB/day daily volume entitles the license holder up to 300GB of logs for a month of 30 days. Therefore, if 330 GB of data was sent during the month, an overage bill of 1GB/day [(330GB–300GB)/30 days] may be produced for that month. To help estimate the amount of daily volume for various configurations, an estimator tool has been provided based on average events emission rates, as well as a 60-day trial that can be used to assess requirements.

2.1.5 Extending Log Retention in SAL (SaaS)

Cloud storage does not need to be purchased separately but is entitled for 90 days on a rolling basis at the licensed daily volume at no additional cost. This means that a 10GB/day daily volume comes with 90 X 10GB/d = 900 GB total of rolling storage for logs. On the 91st day, the 1st day’s logs are purged, and so on for the term of the license. In addition to the 90-day default logs retention, an option has been provided to extend the log retention period to 1, 2, or 3 years. Customers who choose this option will be able to retain their logs for the desired duration for an extra charge. This extended log retention dataset is available for download to the user’s local disk. The a la carte expansion PID of this license is SAL-CL-1GB-(1/2/3)Y-EXTN, the equivalent Choice EA PID is E2SF-S-SAL(E/A/P)-EXTN-(1,2,3)Y, and the Firewall Attach bundle PID is SEC-CL-DR-(1/2/3)YR.

2.1.6 Secure Cloud Analytics Add-on Licenses (Optional)

Since the Firewall logs and Endpoint Traffic Analytics capability for SAL (SaaS) are provided by Secure Cloud Analytics, customers can optionally order additional endpoint monitoring licenses, or include public cloud monitoring licenses within the same instance of their SAL tenant in SCA. This add-on option thus provides ease of monitoring additional endpoints and/or public cloud effective mega flows of Secure Cloud Analytics within SAL tenants. Refer to Sec 2.3 of the Secure Cloud Analytics Ordering Guide for Secure Cloud Analytics license details.

3. Ordering Cisco Security Analytics and Logging

3.1 Ordering a la Carte via CCW’s Subscription Billing Platform

SAL is available for ordering a la carte through Cisco Commerce using the appropriate subscription part number.

a. Begin by searching for the Cisco Security Analytics and Logging Product ID: SAL-SUB
b. From the subscription configuration:
c. Select the requested start date for the term.
d. Select the desired term length. The default selection is 36 months; 1-, 12-, 24-, and 60-month terms are also available. For month-to-month subscriptions, a 1-month initial term must be selected.
e. Select the desired auto-renewal term. The default selection is 12 months; 36 months, 60 months, and “Do Not Auto Renew” options are also available. Click Apply.

f. Next the user is presented with a choice between Cloud Data Store or On-Premises Data Store, with an option for Cloud Data Store selected by default, which indicates that logs will be stored in the cloud. This can be changed to On-Premises Data Store by clicking on the tab on the lower end of the screen. For SAL (SaaS), select Cloud Data Store.
g. Expanding the Cloud Data Store section presents the user with the three licensing options for SAL (SaaS), and any volume selected in the quantity box next to the desired license will default to the rolling retention period of 90 days. Only one of the 3 license options needs to be selected, as the licenses are nested. The extended retention period of 1, 2, or 3 years can be selected as an add-on option, should the default 90 days of rolling storage not suffice.
h. Finally, the user may want to order Secure Cloud Analytics licenses, which will allow use of the same SCA portal for analyzing Firewall, Private Network, and/or Public Cloud Logs. That optional selection shows up underneath the Retention Period selection, and should be used if the use case requires logs from the different sources to be correlated in the same SCA portal for analysis and threat detection. Further, a zero-dollar services PID is attached, as can be seen in the summary view on the right.

i. Choosing any of the daily volumes automatically populates the billing price PIDs, as well as includes an overage PID. This functionality allows production of an overage bill at the end of each calendar month, to be used if the daily volume is exceeded in aggregate over the calendar month. Following are the expansion PIDs for the various SAL licenses:
   (i) SAL-CL-LT-1GB: License Logging and Troubleshooting for 1GB/day.
   (ii) SAL-CL-LA-1GB: License Logging Analytics and Monitoring for 1GB/day.
   (iii) SAL-CL-TA-1GB: License Total Network Analytics and Monitoring for 1GB/day.
   (iv) SAL-CL-LT-OVRG: Usage-based overage PID for License Logging and Troubleshooting, not charged at time of placing order but is used to calculate overage charges if entitlement is exceeded.
   (v) SAL-CL-LA-OVRG: Overage PID for License Logging Analytics and Detection, not charged at time of placing order but is used to calculate overage charges if entitlement is exceeded.
   (vi) SAL-CL-TA-OVRG: Overage PID for License Total Network Analytics and Monitoring, not charged at time of placing order but is used to calculate overage charges if entitlement is exceeded.
j. On choosing the license type and quantity, the selection for logs retention is presented, with a 90-day default available for no extra charge. The 1-, 2-, and 3-year optional add-on retention PIDs are:
   (i) SAL-CL-1GB-1Y-EXTN: 1 year of logs retention (up from default of 90 days).
   (ii) SAL-CL-1GB-2Y-EXTN: 2 years of logs retention (up from default of 90 days).
   (iii) SAL-CL-1GB-3Y-EXTN: 3 years of logs retention (up from default of 90 days).
k. The last optional step for order completion is to indicate the desired Secure Cloud Analytics Public Cloud Monitoring (PCM) or Private Network Monitoring (PNM) licenses needed. This allows provisioning of the SCA PNM or PCM tenant to be the same as the SAL tenant. The PIDs for Secure Cloud Analytics are:
   (i) ST-CL-PCM: Secure Cloud Analytics Public Cloud Monitoring License in effective mega flows.
   (ii) ST-CL-PNM: Secure Cloud Analytics Network Cloud Monitoring License in endpoints monitored.
   When the order configuration is complete, select the Done button at the bottom.
l. The process of ordering SAL (On prem) is similar for the Logging and Troubleshooting license, with one significant difference: only the Logging and Troubleshooting license is available in the On-Premises Data Store. The licensing capacity is also based on GB/day, but separate data retention PIDs are not available. This is because data retention is a function of the logging rate and appliance capacity, and not fixed as with the Cloud Data Store.

m. SAL-OP-LT-1GB: License Logging and Troubleshooting for 1GB/day. This is the only on-premises data store license available that allows scalable log storage and supports remote query by the FMC. A zero-dollar services PID is attached, as seen in the summary view on the right.

3.2 Discounted Bundling When Attaching with Firewall Subscriptions via CCW

SAL is available for order through Cisco Commerce while ordering firewalls as follows:

a. Begin by navigating to the firewall model to be ordered (FPR1150-NGFW-K9, for example).
b. Make your software choice under the “Subscriptions” category at the top (wherever present) and navigate to the “Extended Logging and Analytics” category below.
c. You are presented with two options to the right: “On-Premises Data Store” or “Cloud Data Store.” Only one option can be selected per firewall being ordered, with either the same or different subscription term as the firewall subscription.
d. The “Cloud Data Store” option allows selection of either the Logging License, SEC-LOG-CL, or the “Logging Analytics License,” SEC-ANYL-CL. Only one option needs to be chosen, as the Logging License is nested under Logging Analytics.
e. Choosing any one of the two options will attach a default logging volume in GB/day for that firewall model, based on expected daily volume per the Estimator Tool. Logging rate comes with a default retention of 90 days rolling storage.
f. The last three optional licenses are Data Retention extensions, which extend log retention to 1, 2, or 3 years in the cloud.

g. If SAL (Op) is desired, the “On-Premises Data Store” tab allows choosing the base Logging and Troubleshooting license, SEC-LOG-OP. This license supports remote query by FMC and is hosted on SNA appliance(s), as detailed in section 1.2.2.
h. The process for bundling Extended Logging and Analytics for the Firewall FPR9K series devices is different, as the Security Modules (SM) configured as part of the order determine the Logging quantity required. The Logging quantities needed are 190, 225 and 257 GBs/day for each SM-40, SM-48 and SM-56 respectively, and this quantity needs to be entered manually for the Extended Logging and Analytics licenses. The system will display a warning of the logging quantities required for each Security Module, as shown below:

3.3 Security Buying Programs

The offer leverages the Security Choice Enterprise Agreement buying program with the following PIDs:

Table 1. The mapping for Choice EA PIDs to SAL (SaaS) a-la-carte PIDs

Choice EA SAL PIDs | Equivalent a la carte PIDs | Description
E2SF-S-SAL-ESS | SAL-CL-LT-1GB | Security EA 2.0 SAL, Logging and Troubleshooting (LT)
E2SF-S-SAL-ADV | SAL-CL-LA-1GB | Security EA 2.0 SAL, Logging Analytics & Detection (LA)
E2F-S-SAL-PREM | SAL-CL-TA-1GB | Security EA 2.0 SAL, Total Network Analytics and Detection (TA)
E2SF-S-SALE-EXT-1YR | SAL-CL-1GB-1Y-EXTN | Sec EA2.0 SAL 90 Days to 1Yr Storage Ext Pk-1GB
 | SAL-CL-1GB-1Y-EXTN | Sec EA2.0 SAL 90 Days to 2Yr Storage Ext Pk-1GB
 | SAL-CL-1GB-1Y-EXTN | Sec EA2.0 SAL 90 Days to 3Yr Storage Ext -EXT-3YR

For the most up-to-date information regarding product inclusion and ordering processes, please ty/security-analytics-logging/index.html.

4. Cisco Services

4.1 Cisco Software Support for Security Analytics and Logging

The basic support option of Cisco Software Support for Security is available for Cisco Security Analytics and Logging subscriptions in CCW. SAL (SaaS) embeds basic online foundational support for the full term of the purchased software subscription, including access to support through online tools or email. Cisco will respond to a submitted case no later than the next business day during standard business hours.

When a Cisco Security Analytics and Logging subscription is ordered, basic support is embedded as part of that subscription. It is not a separate orderable service. No additional products or fees are required for both the SaaS and on-premises subscription. For more information about Cisco Software Support for Security, refer to the service description.

Table 2. PIDs for Basic Services–Transaction

Service PID | Description | Price
SVS-SAL-SUP-B | Basic embedded software support for SAL (SaaS) in CCW | 0
SVS-SAL-OP-SUP-B | Basic embedded software support for SAL (On prem) in CCW | 0
SVS-EA2-SAL-SUP-B | Basic software support in Choice EA | 0

5. Cisco Capital Financing

The significant benefits offered by Cisco Security Analytics and Logging make it the natural choice for network security. As with any technology investment, the question is its affordability. The answer is Cisco Capital financing. Whether through flexible repayments to match expenditure to benefit and help mitigate cash flow issues, or an operating lease to help negate capital expenditure, we can provide the financing solution that works best for your customers.

Cisco Capital can help remove or reduce the barriers preventing organizations from obtaining the technology they need. Total solution financing programs help our customers and partners:
- Achieve business objectives
- Accelerate growth
- Acquire technology to match current strategies and future needs
- Remain competitive

Cisco Capital also helps your customers achieve financial goals such as optimizing investment dollars, serving more than 100 countries so that regardless of location, customers and partners have access to a trusted means to secure Cisco products and services. Learn more.

For more information about Cisco Capital financing, visit https://www.ciscocapital.com/ (for channel partners) and https://www.in.cisco.com/FinAdm/csc/ (for Cisco sales teams).

6. Expected Retention Period

The expected retention period for the SAL service under average deployment conditions (see note below table) is as follows:

Table 3. Retention Matrix

Column headings: Sustained Events per Second (eps) | Equivalent Firewall GB/day | On-premises: Single node* 1TB Storage | Single node 2TB Storage | Single node 4TB Storage | Multinode** Virtual | Multinode HW | Cloud: Single SEC | Multi SEC | Direct-to-Cloud
Expected Retention period in days (under average deployment
00,000 | 22,464 | NA | NA | NA | NA | NA | Up to 3 years | Up to 3 years | Up to 3 years | Not recommended when individual device’s logging rate exceeds 8,500 eps | NA

Note: The on-premises log retention in days above are based on average deployment conditions, and may vary materially in different production environments.
*Single-node Repurposed SMC 2210 (HW or Virtual)
**Multi-node SMC 2210 FC 4210 DS 6200 (All appliances HW or Virtual)
***Compare FMC native logs retention ½ day @ 20,000 peak eps

Printed in USA
