Configure OpenConfig Streaming Telemetry

Before you begin

  • Ensure that the threat defense device where you want to deploy the health policy configuration allows installation of the SSL certificate and private key.

  • Ensure that you have a gNMI client (collector) that supports OpenConfig streaming telemetry. This client makes the gRPC requests to the gNMI server on the threat defense device.

  • To use dial-out mode, configure a gRPC tunnel server and client on the management system before you configure OpenConfig streaming telemetry. The tunnel carries the connection between the gNMI client and the threat defense device.

  • You must be an admin user to perform the following task.

Procedure


Step 1

Choose System > Policy.

Step 2

Click the Edit health policy icon next to the threat defense health policy that you want to modify.

Step 3

Go to the Settings tab.

Step 4

Move the OpenConfig Streaming Telemetry slider to enable the configuration. This configuration is disabled by default.

Step 5

Upload the SSL Certificate. The gNMI server presents this certificate to collectors during the TLS handshake to authenticate itself (server authentication), and the resulting TLS session encrypts all traffic on the channel.

The OpenConfig streaming telemetry configuration supports only certificates in PEM format. The management center validates the uploaded file as follows, so that the TLS channel between the appliance and the gNMI collectors can be established without connection failures:

  • Verifies that the ASCII text is a valid certificate file.

  • Checks that the uploaded certificate has not expired.

  • Counts the certificates and private keys in the PEM file. The file must contain at least one certificate and exactly one private key.

  • Accepts only private key blocks labeled PRIVATE KEY, RSA PRIVATE KEY, ENCRYPTED PRIVATE KEY, or RSA ENCRYPTED PRIVATE KEY.

  • For an encrypted legacy-format key, verifies that the Proc-Type: 4,ENCRYPTED header is present.

  • Verifies that the supplied passphrase decrypts the encrypted private key.

Step 6

(Optional) Specify the Passphrase if the private key in the uploaded file is encrypted.
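The following script reproduces the Step 5 validations and the Step 6 passphrase check on a workstation, so a bundle can be rejected before it is uploaded and the policy deployed. It is an added example, not Cisco code and not the management center's actual implementation; it assumes the openssl command-line tool is installed, and the certificate, key, file names and passphrase ("secret") it generates are constructed test material.

```shell
#!/bin/sh
# Pre-upload sanity check for the gNMI server PEM bundle. Constructed example,
# not Cisco code: it mirrors the management center's checks (at least one
# certificate, exactly one private key with an accepted block label,
# certificates parseable and unexpired, Proc-Type: 4,ENCRYPTED on encrypted
# legacy keys, passphrase actually unlocking the key) using the openssl CLI.

# Block labels the procedure lists as acceptable for the private key.
KEY_LABELS='^-----BEGIN (RSA |ENCRYPTED |RSA ENCRYPTED )?PRIVATE KEY-----'

count_lines() { grep -Ec "$1" "$2" || true; }   # prints 0 instead of failing on no match

# nth_cert <file> <n>: print only the n-th certificate block of a bundle
nth_cert() {
  awk -v n="$2" '/^-----BEGIN CERTIFICATE-----/{c++} c==n{print}
                 /^-----END CERTIFICATE-----/{if (c==n) exit}' "$1"
}

# key_block <file>: print the private key block, including any Proc-Type/DEK-Info headers
key_block() {
  awk '/^-----BEGIN .*PRIVATE KEY-----/{p=1} p{print} /^-----END .*PRIVATE KEY-----/{p=0}' "$1"
}

# cert_fingerprint <file> [n]: SHA-256 fingerprint of the n-th certificate (default 1)
cert_fingerprint() {
  nth_cert "$1" "${2:-1}" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_pem <bundle.pem> [passphrase]: returns 0 if the bundle would pass the upload checks
check_pem() {
  f=$1; pass=${2:-}
  ncert=$(count_lines '^-----BEGIN CERTIFICATE-----' "$f")
  nkey=$(count_lines "$KEY_LABELS" "$f")
  [ "$ncert" -ge 1 ] || { echo "FAIL: no certificate block in $f"; return 1; }
  [ "$nkey" -eq 1 ]  || { echo "FAIL: expected exactly 1 private key, found $nkey"; return 1; }
  i=1
  while [ "$i" -le "$ncert" ]; do
    nth_cert "$f" "$i" | openssl x509 -noout >/dev/null 2>&1 \
      || { echo "FAIL: certificate $i is not a valid PEM certificate"; return 1; }
    nth_cert "$f" "$i" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 \
      || { echo "FAIL: certificate $i has expired"; return 1; }
    i=$((i + 1))
  done
  # OpenSSL-encrypted legacy (PKCS#1) keys carry DEK-Info and must carry Proc-Type too.
  if grep -q '^DEK-Info:' "$f"; then
    grep -q '^Proc-Type: 4,ENCRYPTED' "$f" \
      || { echo "FAIL: encrypted legacy key lacks the Proc-Type: 4,ENCRYPTED header"; return 1; }
  fi
  if grep -Eq '^(-----BEGIN .*ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$f"; then
    [ -n "$pass" ] || { echo "FAIL: private key is encrypted but no passphrase was given"; return 1; }
    key_block "$f" | openssl pkey -passin "pass:$pass" -noout >/dev/null 2>&1 \
      || { echo "FAIL: passphrase does not unlock the private key"; return 1; }
  else
    key_block "$f" | openssl pkey -noout >/dev/null 2>&1 \
      || { echo "FAIL: private key block is not parseable"; return 1; }
  fi
  echo "OK: $ncert certificate(s) and 1 private key in $f"
}

# make_fixtures: generate constructed test material in a temp dir and print its path.
# Hypothetical CN and passphrase ("secret"); nothing here comes from a real device.
make_fixtures() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/cert.pem" \
    -subj "/CN=gnmi-test" -days 30 >/dev/null 2>&1
  # -traditional forces the legacy RSA PRIVATE KEY form, which is the one that gets Proc-Type/DEK-Info
  openssl pkey -in "$d/key.pem" -traditional -aes256 -passout pass:secret -out "$d/enc.pem" 2>/dev/null
  cat "$d/cert.pem" "$d/enc.pem" > "$d/good.pem"                  # 1 cert + 1 encrypted key: accepted
  cat "$d/cert.pem" "$d/key.pem" "$d/key.pem" > "$d/twokeys.pem"  # 2 keys: rejected
  cp "$d/key.pem" "$d/nocert.pem"                                  # no certificate: rejected
  echo "$d"
}

# Usage: sh check_gnmi_pem.sh bundle.pem [passphrase]
if [ $# -ge 1 ]; then check_pem "$@"; fi
```

Keep the fingerprint that cert_fingerprint prints for the bundle. After the policy is deployed, a collector in dial-in mode can confirm it is talking to the expected gNMI server and not to something else on that port by comparing it with the certificate the server actually presents: `openssl s_client -connect <threat-defense>:<gNMI port> </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256`. A collector that trusts neither that fingerprint nor the issuing CA gets encryption but no server authentication.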

Step 7

Choose the deployment mode to use for streaming telemetry over the gNMI protocol.

For DIAL-IN mode:

  1. Assign a port number for the gNMI service.

    The gNMI server listens on this port for gRPC requests from the collectors.

  2. Specify the IPv4 or IPv6 address of each gNMI collector that is allowed to connect to the threat defense device.

  3. Click Add Collector to add more gNMI collectors. You can add a maximum of five collectors.

For DIAL-OUT mode:

  1. Specify the hostname and port number of the gNMI collector that subscribes to streaming telemetry from the threat defense device.

  2. Click Add Collector to add more gNMI collectors. You can add a maximum of five collectors.

Step 8

Specify the username and password that the gNMI collector must present.

The threat defense gNMI server checks these credentials when it receives the collector's SubscribeRequest RPC. Individual telemetry messages are not authenticated with the username and password; once the subscription is accepted, the telemetry stream is carried over the already-authenticated, TLS-encrypted channel.

Step 9

Click Save.


What to do next

Deploy the health policy to the threat defense device for the configuration changes to take effect.