Change Host Network Configuration

This topic describes how to change the network configuration for NW Server and component hosts in your environment. The instructions in this section assume that all the hosts in your environment are on version 11.7 or later.

Note: If your NW Server is referenced by other NW hosts that use a Network Address Translation (NAT) IP address, and you want to change the NAT IP address, you must remove the old NAT IP address and add the new NAT IP address using the instructions provided in NW Server Host Secondary IP Configuration Management.

This section contains the following procedures:

Note: Changing IPv6 addresses is not supported in version 11.7 and later.

Change Host Network Configuration

Use this procedure to update the network configuration for any host type in your environment for version 11.7 or later.

To change the network configuration of a host:

    1. From the console, log in to the host for which you wish to change the network configuration.

Note: If you are updating the IP address of your NW Server and you are using DHCP, run the following command before you go to step 2:
nw-manage --add-nws-secondary-ip --ipv4 <new DHCP allocated ip address of NW Server>

    2. Run the following command:
      nwsetup-tui
      The nwsetup-tui license dialog is displayed.
    3. Click Accept. The NetWitness Platform Update Configuration dialog is displayed.
    4. Select option 2, Update Network Config, and click OK.
    5. Select option 1, Static IP Configuration, and click OK.
      The NetWitness Platform Network Configuration Static IP configuration dialog is displayed.
    6. Enter the new network and DNS configuration and click OK.
      The new network and DNS configuration is applied to the host.

Note: While changing the IP address, the user interface may become temporarily unavailable while the update is in process. The user interface will come back up shortly.

Note: After upgrading the NW Server host or a component host to 11.7 or later version, review the contents of the /etc/hosts.user file for any obsolete host entries. The /etc/hosts.user file contains system and user-generated entries that are not managed by NetWitness Platform. However, entries from /etc/hosts.user are merged with NetWitness Platform-generated host mappings to create and update /etc/hosts. To avoid conflicts with NetWitness Platform-generated mappings, and to avoid generating connectivity errors resulting from an IP address change, NetWitness recommends that you remove any entries in /etc/hosts.user that include a non-loopback IP address of a NetWitness Platform host. After updating /etc/hosts.user, you must refresh the system by running the following command:
nw-manage --refresh-host --host-key <ID, IP, hostname or display name of host>
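
One way to carry out the /etc/hosts.user review described in the note above, as an added example (not NetWitness code). The function names, the sample file contents and the documentation-range addresses are constructed for illustration; the list of NetWitness host IPs is supplied by hand, for instance from the "ipv4" values that nw-manage --list-hosts reports.

```shell
#!/bin/sh
# Added example: list /etc/hosts.user entries that pin a NetWitness host IP.
# Usage: find_stale_hosts_user FILE IP [IP...]
# Prints "LINE_NUMBER: entry" for each entry whose address field is one of
# the given IPs and is not a loopback address.
find_stale_hosts_user() {
    file=$1
    shift
    awk -v ips="$*" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) nw[a[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        $1 ~ /^127\./ || $1 == "::1" { next }      # loopback entries stay
        ($1 in nw) { printf "%d: %s\n", NR, $0 }   # candidate for removal
    ' "$file"
}

# Constructed sample content; the addresses are documentation ranges.
write_sample_hosts_user() {
    cat > "$1" <<'EOF'
# user-maintained entries
127.0.0.1      localhost localhost.localdomain
192.0.2.10     nw-server        # address before the IP change
198.51.100.7   ntp.example.internal
  192.0.2.11   logdecoder1
EOF
}

sample=$(mktemp)
write_sample_hosts_user "$sample"
# Hypothetical list of current and previous NetWitness host IPs.
find_stale_hosts_user "$sample" 192.0.2.10 192.0.2.11
rm -f "$sample"
```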

Note: While changing a host's IP address or during failover, component hosts can become disconnected from NW Server hosts. Follow these steps to reconnect a host system to its NW Server system.
1. Log in to the component host using SSH or the console.
2. Run the command nw-manage --override-nws-ip --ipv4 <current IP address of the NW Server>.
When this command completes, the component host is reconnected to the NW Server at the specified IP address.

Follow the steps in the sections that apply to your environment.

SSO

Update Configuration for Single Sign-On

Note: You must disable SSO configurations ONLY when NW Server IP is changed.

When the host network is configured with a new IP address, the SSO configurations also must be updated.

To do this:

  1. Disable the SSO configuration using nw-shell after failover from new IP.

    To resolve this issue you must disable SSO manually, using the following commands:

    1. SSH to admin server node.
    2. Connect to nw-shell.
    3. Connect to admin server service using the connect --service admin-server command.
    4. Log in to admin server using the login command.
    5. Enter the admin username and password.
    6. Execute the following commands:
      • cd /rsa/security/authentication/web/saml/sso-enabled
      • set false
      • logout
      • exit
      • systemctl restart rsa-nw-admin-server
  2. Change the host IP address to the new IP.

  3. Generate the new metadata and reupload it in ADFS. For more information, see the "Configure SAML 2.0 provider settings for portals" topic in the Microsoft documentation.

For more information, see the "Troubleshooting" topic in the System Security and User Management Guide.

Reporting Engine

Update Configuration for Reporting Engine

Note: You must update the Reporting Engine configurations ONLY when NW Server IP is changed.

When the host network is configured with a new IP address, you must update and verify the Reporting Engine configurations. The hostname for NetWitness configurations under the Output Actions must be updated with the new IP.

To manually configure the new IP, perform the following steps:

  1. Log in to NetWitness Platform.
  2. Navigate to Admin > Services > Reporting Engine > View > Config.

  3. Click the Output Actions tab.
  4. Add the new IP address in the Hostname field.
  5. Click Apply.

UCF

To enable UCF to communicate with NetWitness Platform:

  1. On the UCF server, execute the runConnectionManager.bat file (the same file that is used for adding connection details).

  2. Select Option #2, Edit endpoints.

  3. Select the NW Server connection from the options that are displayed.

  4. When you are prompted for Host Address (the old IP address is shown in parentheses) enter the new IP address.

    Note: Do not change any other setting.

PAM

If you have PAM configured, after the failover, you must configure the system again using the instructions in the "Configure PAM Login Capability" topic in the System Security and User Management Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

ECAT

Update the following services:

Incident Message Broker

  1. Log in to the NetWitness Endpoint user interface and go to Configure > Monitoring and External Components Configuration > Incident Message Broker.
  2. Update the server Hostname and IP Address to the current active server and test the settings.

NetWitness Suite

  1. Log in to the NetWitness Endpoint user interface and go to Configure > Monitoring and External Components Configuration > NetWitness Suite.
  2. Update the server Hostname and IP address to the current active server and test settings.

Syslog Server Settings

If you are forwarding syslog messages to a NetWitness Platform Log Decoder, update the syslog server settings to point to the new IP address of the Log Decoder host.

  1. Log in to the NetWitness Endpoint user interface and go to Configure > Syslog Server.
  2. Select logdecoder, and in Server Hostname/IP, enter the new IP address of the Log Decoder host.

RSA NetWitness Orchestrator (By Demisto)

Update the Current Active NW Server to Fetch Respond Incidents and Alerts

  1. Log in to Orchestrator and go to Settings > server&services.
  2. Edit the RSA NetWitness V11.1 instance by updating the server URL to the current active NW Server to fetch respond incidents and alerts.

Update Component Hosts Acting as Data Sources

If you change the IP address of a component host, for example, a Concentrator, Network or Log Decoder, or Broker, that is acting as data source to the Orchestrator, update the following settings to point to the new IP address of the host.

  1. Log in to Orchestrator and go to Settings > server&services and select the component host.
  2. Enter the new IP address of the component host in Server URL and click Done.

Audit Logging

If you have changed the IP address of the NW Server, you must reconfigure audit logging. For instructions, see "Configure Global Audit Logging" in the System Configuration Guide.

Health and Wellness

If you have any Health and Wellness rules that contain IP addresses that have been changed, you must update those rules with the new IP addresses. For information about managing Health and Wellness rules, see "Monitor Health and Wellness using NetWitness Platform UI" in the System Maintenance Guide.

Malware Analysis

Source host IP address changes are not updated in the NetWitness user interface for Malware Analysis continuous scan configurations. You must manually update this configuration in the Malware Analysis Config view > General > Continuous Scan Configuration and update the source host IP address to the new host IP address.

Windows Legacy Collection

On occasion, you may need to change the IP address of your Windows Legacy Collector. You may also need to edit any Destination Groups that you have configured.

Change WLC IP Address

The following procedure describes how to change the IP address for your system.

  1. Log onto the Windows Legacy Collector system and manually change the IP address on the system.
  2. In the UI, confirm that the Log Collector service corresponding to the WLC system shows up in error (Red). It might take some time for it to reflect the changed status.
  3. On the NetWitness Server, use the nw-manage utility to view the host information for the WLC using the following command:

    nw-manage --list-hosts

    Sample output from running the command is shown here:

    {
    "id" : "fdb8150c-e040-459e-8cc5-3c60ec2c65ae",
    "displayName" : "WLC-HOST-104",
    "hostname" : "10.101.216.102",
    "ipv4" : "10.101.216.102",
    "ipv4Public" : null
    } ]

    You use the value of "id" from your output in the following step.

  4. Use the nw-manage utility to change the IP address of the WLC. For the host-id argument, use the value for the "id" that you noted from step 3. For the ipv4 value, use the new IP Address to which you are changing.

    nw-manage --update-host --host-id "fdb8150c-e040-459e-8cc5-3c60ec2c65ae" --ipv4 10.101.216.105

  5. After you see the message that the previous command ran successfully, go to the NetWitness Server UI and verify that the WLC service is running without any errors.

Edit Destination Groups For Log Collectors and VLCs

The Windows Legacy Collector is often configured with Destination Groups to forward events to Log Collectors or Virtual Log Collectors. If the IP address of any such Destination LC or VLC is changed, the Windows Legacy Collector can no longer forward events. To remediate this, you must edit the Destination groups for the WLC, making sure to select the new LC or VLC IP Address.

Change Network Configuration for Warm Standby (Secondary) Server

You can change the network configuration of a warm standby (secondary server) by following these steps:

  1. Follow the steps described in Change Host Network Configuration to change the IP address on the secondary server.
  2. Log in to the active NW Server and remove the previous secondary server IP address by running the following command:
    nw-manage --remove-nws-secondary-ip --ipv4 <previous standby server ip address>
  3. On the active NW Server, add the new standby server secondary IP address value by running the following command:
    nw-manage --add-nws-secondary-ip --ipv4 <new standby server ip address>
  4. Schedule the backup of the primary NW Server and the copying of backed-up data to the secondary NW Server. See step 18 in "Setup Secondary NW Server in Standby Role" in the Deployment Guide for NetWitness Platform.

For information about configuring warm standby servers, see "Warm Standby NW Server Host" in the Deployment Guide for NetWitness Platform and NW Server Host Secondary IP Configuration Management.

Reconnecting Component Hosts with NW Server Hosts

While changing a host's IP address or during failover, component hosts can become disconnected from NW Server hosts. Follow these steps to reconnect a host system to its NW Server system.

  1. Log in to the component host using SSH or the console.
  2. Run the following command:
    nw-manage --override-nws-ip --ipv4 <current IP address of the NW Server>
    When this command completes, the component host is reconnected to the NW Server at the specified IP address.