Installation Tasks

Before you begin the installation tasks, make sure you open the firewall ports. For a list of all the ports in a deployment, see the "Network Architecture and Ports" topic in the Deployment Guide for NetWitness Platform XDR 12.4.

Caution: Do not proceed with the installation until the ports on your firewall are configured.

Install 12.4 on the NetWitness Server (NW Server) and Component Hosts

Note: You can perform this task for the INTERNAL-NW-12.4.0.0.20806-Full-Signed instance.

Caution: If you want to install the Endpoint Relay Server, do not run the nwsetup-tui script. Follow the instructions in "(Optional) Installing and Configuring Relay Server" in the NetWitness Endpoint Configuration Guide.

IMPORTANT: In NetWitness Platform version 11.6 or later, the deployment account password must contain at least one number, one uppercase letter, one lowercase letter, and one special character (! @ # % ^ +), in addition to the existing policy. The same password policy applies when you update the deploy_admin password using the nw-manage script. If the deploy_admin password is changed on the primary NW Server, it must also be changed on the Warm Standby Server if one exists.

      1. Log in to the host with the root credentials and run the nwsetup-tui command to set up the host.

        This initiates the nwsetup-tui (Setup program) and the EULA is displayed.

        Note: Use the following options to navigate the Setup prompts.
        1.) When you navigate through the Setup program prompts, use the down and up arrows to move among fields, and use the Tab key to move to and from commands (such as <Yes>, <No>, <OK>, and <Cancel>). Press Enter to register your command response and move to the next prompt.
        2.) The Setup program adopts the color scheme of the desktop or console you use to access the host.
        3.) If you specify DNS servers during the Setup program (nwsetup-tui) execution, they MUST be valid (valid in this context means valid during setup) and accessible for the nwsetup-tui script to proceed. Any misconfigured DNS servers cause the Setup program to fail. If you need to reach a DNS server after setup that is unreachable during setup, (for example, to relocate a host after setup that would have a different set of DNS Servers), see "Change Host Network Configuration" topic in the System Maintenance Guide.
        If you do not specify DNS Servers during setup (nwsetup-tui), you must select 1 The Local Repo (on the NW Server) in the NetWitness Update Repository prompt in step 12 (the DNS servers are not defined so the system cannot access the external repo).

         

        netwitness_1-licenseagreement_655x255.png

      2. Tab to Accept and press Enter.
        The Is this the host you want for your 12.4 NW Server prompt is displayed.

        Main-install.png
      3. Tab to Yes and press Enter to install 12.4 on the NW Server.
        Tab to No and press Enter to install 12.4 on other component hosts.

        Caution: If you choose the wrong host for the NW Server and complete the Setup, you must restart the Setup program (step 2) and complete all the subsequent steps to correct this error.

      4. The Install prompt is displayed (Recover does not apply to the installation. It is for 12.4 Disaster Recovery.).

        NW Server Host prompt:

        adminserver.png

        For other component hosts the prompt is the same, but it does not include option 3, Install (Warm/Standby).

      5. Press Enter. Install (Fresh Install) is selected by default.
        The System Host Name prompt is displayed.
        NW Server prompt:
        netwitness_4-syshostname_298x124.png

        Other Component Hosts prompt says <non-nwserver-host-name>

        Caution: If you include "." in a host name, the host name must also include a valid domain name.


        Press Enter if you want to keep this name. If not, edit the host name, tab to OK, and press Enter to change it.
      6. This step applies only to NW Server hosts.
        The Master Password prompt is displayed.
        netwitness_5-masterpwd_523x201.png
        The following characters are supported for the Master Password and Deployment Password:
        • Symbols: ! @ # % ^ +
        • Numbers: 0-9
        • Lowercase Characters: a-z
        • Uppercase Characters: A-Z

No ambiguous characters are supported for the Master Password and Deployment Password. For example:
space { } [ ] ( ) / \ ' " ` ~ ; : . < > -

Type the Password, down arrow to Verify, retype the password, tab to OK, and press Enter.
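As an added illustration (not part of the NetWitness guide), the following POSIX shell function applies the character rules listed above to a candidate password before you type it into the Setup prompt. It enforces only what this page states: the supported character set and the one-number, one-uppercase, one-lowercase, one-symbol requirement. The length rule of the "existing policy" is not given on this page, so it is not checked. The sample password in the usage line is constructed.

```shell
#!/bin/sh
# Added example, not NetWitness code: pre-checks a Master/Deployment password
# against the character rules quoted on this page. The "existing policy"
# (for example a minimum length) is not stated here and is therefore not checked.
set -eu
export LC_ALL=C   # make [A-Z]/[a-z] ranges mean ASCII letters regardless of locale

# check_nw_password PW -> returns 0 if PW satisfies every rule, 1 otherwise.
# The first failing rule is written to stderr so a wrapper can report it.
check_nw_password() {
    pw="$1"
    # Anything outside the supported set (digits, ASCII letters, ! @ # % ^ +)
    # is an "ambiguous" character: space, quotes, braces, '.', '-', and so on.
    if printf '%s' "$pw" | grep -q '[^A-Za-z0-9!@#%^+]'; then
        echo "unsupported character in password" >&2; return 1
    fi
    printf '%s' "$pw" | grep -q '[0-9]'    || { echo "needs at least one number" >&2; return 1; }
    printf '%s' "$pw" | grep -q '[A-Z]'    || { echo "needs at least one uppercase letter" >&2; return 1; }
    printf '%s' "$pw" | grep -q '[a-z]'    || { echo "needs at least one lowercase letter" >&2; return 1; }
    printf '%s' "$pw" | grep -q '[!@#%^+]' || { echo "needs at least one of ! @ # % ^ +" >&2; return 1; }
    return 0
}

# Usage: sh check_pw.sh 'Netw1tness+'   (constructed sample; exit status 0 = acceptable)
if [ "$#" -gt 0 ]; then
    if check_nw_password "$1"; then
        echo "password meets the character rules"
    else
        exit 1
    fi
fi
```

Run it with the candidate password as the only argument; a non-zero exit status and a one-line reason on stderr tell you which rule the password misses.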

      7. This step applies to both NW Server hosts and component hosts.
        The Deployment Password prompt is displayed.
        netwitness_6-deploypwd_461x184.png
        Type the Password, down arrow to Verify, retype the password, tab to OK, and press Enter.
      8. One of the following conditional prompts is displayed.
        • If the Setup program finds a valid IP address for this host, the following prompt is displayed.
          netwitness_7-ipaddress-stillwanttochngntwksttg-no_267x107.png
          Press Enter if you want to use this IP and avoid changing your network settings. Tab to Yes and press Enter if you want to change the IP configuration on the host.
        • If you are using an SSH connection, the following warning is displayed.

          Note: If you connect directly from the host console, the following warning is not displayed.

          netwitness_8-sshwarning_320x127.png
          Press Enter to close warning prompt.

        • If the Setup Program finds an IP configuration and you choose to use it, the Update Repository prompt is displayed. Go to step 12 and complete the installation.
        • If the Setup Program did not find an IP configuration or if you choose to change the existing IP configuration, the Network Configuration prompt is displayed.

          Caution: Only select "Use DHCP" as an IP address configuration for the NW Server if DHCP issues static IP addresses.

          netwitness_10-staticordhcp-static_495x224.png


Tab to OK and press Enter to use Static IP.

If you want to use DHCP, down arrow to 2 Use DHCP and press Enter.

The Network Configuration prompt is displayed.

netwitness_9-ntwkinterface_332x206.png

      9. Down arrow to the network interface you want, tab to OK, and press Enter. If you do not want to continue, tab to Exit.
        The following Static IP Configuration prompt is displayed.
        netwitness_10-staticipconfig_343x250.png
      10. Type the configuration values, tab to OK, and press Enter. If you do not complete all the required fields, an All fields are required error message is displayed (Secondary DNS Server and Local Domain Name fields are not required). If you use the wrong syntax or character length for any of the fields, an Invalid <field-name> error message is displayed.

        Caution: If you select DNS Server, make sure that the DNS Server is correct and the host can access it before proceeding with the installation.

      11. The Use Network Address Translation (NAT) prompt is displayed.
        netwitness_natprompt_224x110.png
        For the NW Server, tab to No and press Enter.
        For component hosts, if this host requires the use of NAT-based addresses to communicate with the NW Server, tab to Yes. Otherwise, tab to No and press Enter.

      12. The Update Repository prompt is displayed.
        netwitness_8-updaterepo-local_500x223.png

        For the NW Server:

        • Press Enter to choose the Local Repo.
        • If you want to use an external repo, down arrow to External Repo, tab to OK, and press Enter. If you select 1 The Local Repo (on the NW Server) in the Setup program, make sure that you have the appropriate media attached to the host (media that contains the ISO file, for example a build stick) from which it can install NetWitness 12.4. If the program cannot find the attached media, you receive the following prompt.
          netwitness_9-nomediaattchdupdrepo_338x103.png
        • If you select 2 An External Repo (on an externally-managed server), the UI prompts you for a URL. The repositories give you access to RSA updates and CentOS updates. Refer to "Appendix B. Create an External Repo" in this guide for instructions on how to create this repo and its external repo URL so you can enter it in the following prompt.
          Externalupdate-repo.png
          Enter the base URL of the NetWitness external repo and click OK. The Start Install prompt is displayed.

        For component hosts:

        • Select the same repo that you selected when you installed the NW Server host and follow the steps above.
        • The NW Server IP Address prompt is displayed.
          routable server.png
          Type the NW Server IP address. Tab to OK and press Enter.
      13. The Disable firewall prompt is displayed.
        netwitness_10-disablefirewall-no_301x130.png
        Tab to No (default), and press Enter to use the standard firewall configuration.
        To disable the standard firewall configuration, tab to Yes, and press Enter.
        If you select Yes, confirm your selection (select Yes again) or select No to use the standard firewall configuration.
        netwitness_11-disablefirewall-do-not-confirm_486x146.png
      14. The Start Install prompt is displayed.
        netwitness_11-installnowrestart_436x203.png
      15. Press Enter to install 12.4.
        When Installation complete is displayed, you have installed 12.4 on this host.

        Note: Ignore hash code errors like the ones shown in the following figure, which are displayed when you run the nwsetup-tui command. Yum does not use MD5 for any security operation, so these errors do not affect system security.

        netwitness_hasherrors.png

      16. (Optional) If your system configuration requires that a component host use a NAT IP address to reach the NW Server host, you must configure the NAT IP address of the NW Server by running the following command:
        nw-manage --update-host --host-id <NW Server Host UUID> --ipv4-public <NAT IP address>

Set Up ESA Hosts

After you install your NW Server and component hosts, follow these steps to set up your ESA hosts.

    • Install your primary ESA host following the instructions in "Install 12.4 on the NetWitness Server (NW Server) Host and Other Component Hosts" in this guide, and install the ESA Primary service on it after you finish the Setup program, in the UI under (Admin) > Hosts > Install:
      esaprimary_12.2.png
    • (Conditional) If you have a secondary ESA host, install it and install the ESA Secondary service on it after you finish the Setup program, in the UI under (Admin) > Hosts > Install:
      esasecondary_12.2.png

Install Component Services on Hosts

After you have installed NW Server and component hosts, and set up your ESA hosts, follow these steps to install component services, such as Decoders and Concentrators, on your host systems.

      1. Install a component service on the host:
        1. Log in to NetWitness and go to (Admin) > Hosts.
          The New Hosts dialog is displayed with the Hosts view grayed out in the background.

          Note: If the New Hosts dialog is not displayed, click Discover in the Hosts view toolbar.

        2. Select the host in the New Hosts dialog and click Enable.
          The New Hosts dialog closes and the host is displayed in the Hosts view.
        3. Select that host in the Hosts view and click Install.
          The Install Services dialog is displayed.
        4. Select the appropriate host type (for example, Concentrator) in Category and click Install.
          componenthosts.png

Complete Licensing Requirements

Complete licensing requirements for installed services. See the NetWitness Platform 12.4 Licensing Management Guide for more information. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

(Optional) Install Warm Standby NW Server

Refer to "Warm Standby NW Server Host" under "Deployment Option Setup Procedures" in the Deployment Guide for NetWitness Platform XDR 12.4 for instructions on how to set up a Warm Standby NW Server.

NetWitness Azure Storage Allocation Procedure

To allocate storage in NetWitness Platform 12.4.0.0, perform the following steps:

        1. In Microsoft Azure portal (https://portal.azure.com/), go to Virtual Machines.
        2. Click the required VM > Disks.

          netwitness_vm_disks_netwitness_storage_allocation_procedure_924x448.png

        3. Click Create and attach a new disk.

          Note: You need to add the appropriate number of disks / IOPS to meet the retention requirements. If you need more than a single disk, a RAID configuration is needed.

          netwitness_create_and_attach_new_disk_928x441.png

        4. In the Disks view:

          1. Enter the Disk name.

          2. Select the storage type of disk.

            Note: Premium SSD with high throughput / IOPS is recommended for Concentrator-IndexDB, Decoder-PacketDB.

          3. Select the appropriate disk tier and size based on IOPS and required retention. For more information, refer to the Azure Managed Disks documentation (https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types).

          4. Enable Read/write caching.

        5. Click Save to finish adding the disk.

          netwitness_click_save_937x445.png

        6. Once the disk is saved, the success notification messages are displayed in the Notifications view.

          netwitness_notifications_disk_saved_network_storage_allocation_procedure.png

RAID Creation

NetWitness recommends striping the disks to get better performance / IOPS from the added disks for deployments that require high IOPS / throughput (for example, a Packet Decoder at 1.5 Gbps). The mdadm utility is used to create a RAID array.

Parameters related to Raid Array Creation

      • --create: Name of the RAID (md) device to create. Usually the names are /dev/md0, /dev/md1, /dev/md2, and so on.

      • --level: RAID level of the array. It can be 0, 1, 5, 6, or 10.

      • --raid-devices: Total number of disks in the array, followed by the device names separated by spaces.

        For example: --raid-devices=5 /dev/sdc /dev/sdd /dev/sde /dev/sdf /dev/sdg

Steps to create a Raid Array

Follow the steps below after the required disks have been added to the host VM.

          1. Identify the names of the newly added disks by running the lsblk command.

            For example: /dev/sde and /dev/sdf

          2. Select the set of disks that will form your RAID-5 configuration.

            For example: Select the disks /dev/sde, /dev/sdf, /dev/sdg, /dev/sdh for the PacketDB of a Decoder.

          3. Run the command mdadm --create /dev/md0 --assume-clean --level 5 --raid-devices=4 /dev/sde /dev/sdf /dev/sdg /dev/sdh.

          4. Check the status of the array once the RAID configuration is created. Run the following command:

            mdadm --detail /dev/md0

          5. Run the command vgcreate -s 32 decodersmall1 /dev/md0 to create a volume group named decodersmall1 that spans the entire RAID array.

          6. Run the command lvcreate -L 4T -n packetdb decodersmall1 to create a logical volume named packetdb on decodersmall1.

          7. Run the command mkfs.xfs /dev/mapper/decodersmall1-packetdb to format the newly created logical volume with the XFS file system required by the NetWitness services.

          8. Add an entry to the /etc/fstab configuration file to mount the logical volume, so that it is mounted again after a system reboot.

          9. Run the command mdadm --detail --scan > /etc/mdadm.conf to store the information about the RAID configuration in that file. On system reboot, the RAID configuration is then retained.

          10. Run the reconfig API on the core-service database node to update the database directory settings.

Example Scenario

The following commands configure a RAID-5 array for the PacketDB with 4 disks.

mdadm --create /dev/md0 --assume-clean --level 5 --raid-devices=4 /dev/sdc /dev/sdd /dev/sde /dev/sdf

vgcreate -s 32 decoder /dev/md0

lvcreate -L 3.9T -n packetdb decoder

mkfs.xfs /dev/mapper/decoder-packetdb

echo "/dev/decoder/packetdb /var/netwitness/decoder/packetdb xfs noatime,nosuid 1 2" >> /etc/fstab

mount -a

mdadm --detail --scan > /etc/mdadm.conf
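The example scenario above, reworked into a script with the checks a practitioner would want before running disk commands that destroy data. This is an added example and not NetWitness-supplied code: it keeps the guide's exact mdadm, vgcreate, lvcreate, mkfs.xfs, fstab and mdadm.conf steps, but refuses to use a disk that is mounted or already a member of an md array, does not duplicate the fstab entry when re-run, and defaults to printing the commands (DRY_RUN=1) instead of executing them. The mkdir of the mount point is an added step the guide leaves implicit; the array, volume group, logical volume and mount point names are the guide's example values, and the disk names /dev/sdc to /dev/sdf are assumptions about your VM.

```shell
#!/bin/sh
# Added example, not NetWitness-supplied code: the guide's RAID-5 + LVM + XFS
# sequence wrapped in functions with pre-flight checks and a dry-run mode.
# Names and sizes come from the example scenario; disk names are assumptions.
set -eu
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = execute them (as root)

# Execute a command, or print it with a '+' prefix when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# The fstab line from the guide: xfs, noatime,nosuid, dump=1, fsck pass=2.
fstab_entry() {
    printf '%s %s xfs noatime,nosuid 1 2\n' "$1" "$2"
}

# fstab_has_mountpoint FSTAB_FILE MOUNTPOINT -> 0 if a non-comment line already
# lists MOUNTPOINT in field 2, so a re-run never appends a duplicate entry.
fstab_has_mountpoint() {
    [ -r "$1" ] || return 1
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' "$1"
}

# disk_is_free DEV [MOUNTS_FILE] [MDSTAT_FILE] -> 0 if DEV (e.g. /dev/sde) is
# neither mounted (itself or a partition) nor a member of an existing md array.
# The file paths default to /proc but can point at constructed files for testing.
disk_is_free() {
    dev="$1"; mounts="${2:-/proc/mounts}"; mdstat="${3:-/proc/mdstat}"
    if [ -r "$mounts" ] && grep -q "^$dev" "$mounts"; then return 1; fi
    if [ -r "$mdstat" ] && grep -q "$(basename "$dev")\[" "$mdstat"; then return 1; fi
    return 0
}

# provision_packetdb MD VG LV SIZE MOUNTPOINT DISK...
# Runs the guide's sequence (mdadm --create, vgcreate, lvcreate, mkfs.xfs,
# fstab entry, mount -a, mdadm.conf) and refuses to touch a disk that is in use.
provision_packetdb() {
    md="$1"; vg="$2"; lv="$3"; size="$4"; mp="$5"; shift 5
    n=$#
    if [ "$n" -lt 3 ]; then
        echo "RAID-5 needs at least 3 member disks, got $n" >&2; return 1
    fi
    for d in "$@"; do
        if [ "$DRY_RUN" != "1" ] && [ ! -b "$d" ]; then
            echo "$d is not a block device" >&2; return 1
        fi
        if ! disk_is_free "$d"; then
            echo "$d is mounted or already in an md array; refusing to continue" >&2; return 1
        fi
    done
    run mdadm --create "$md" --assume-clean --level 5 --raid-devices="$n" "$@"
    run vgcreate -s 32 "$vg" "$md"
    run lvcreate -L "$size" -n "$lv" "$vg"
    run mkfs.xfs "/dev/mapper/$vg-$lv"
    run mkdir -p "$mp"    # added step: the mount point must exist before mount -a
    if fstab_has_mountpoint /etc/fstab "$mp"; then
        echo "/etc/fstab already has an entry for $mp; leaving it unchanged"
    elif [ "$DRY_RUN" = "1" ]; then
        printf '+ append to /etc/fstab: %s' "$(fstab_entry "/dev/$vg/$lv" "$mp")"; echo
    else
        fstab_entry "/dev/$vg/$lv" "$mp" >> /etc/fstab
    fi
    run mount -a
    run sh -c 'mdadm --detail --scan > /etc/mdadm.conf'   # keep the array across reboots
}

# Usage: sh raid_packetdb.sh demo            (prints the commands of the example scenario)
#        DRY_RUN=0 sh raid_packetdb.sh demo  (executes them, as root, on a real VM)
if [ "${1:-}" = "demo" ]; then
    provision_packetdb /dev/md0 decoder packetdb 3.9T /var/netwitness/decoder/packetdb \
        /dev/sdc /dev/sdd /dev/sde /dev/sdf
fi
```

Review the dry-run output first; only then re-run with DRY_RUN=0. The in-use check reads /proc/mounts and /proc/mdstat, which is the cheapest way to catch the classic mistake of handing the OS or temp disk to mdadm.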

Note: For more information regarding Azure Disks, see Azure managed disk types, Configure software RAID, Performance tiers for managed disks, and Change the performance of Azure managed disks using the Azure portal.

Configure Hosts (Instances) in NetWitness Platform XDR

Configure individual hosts and services as described in NetWitness Host and Services Getting Started Guide. This guide also describes the procedures for applying updates and preparing for version upgrades.

Note: After you successfully launch an instance, Azure assigns a default hostname to it. See "Change Host Network Configuration" in the System Maintenance Guide for instructions on changing the hostname. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Configure Packet Capture

You can integrate one of the following third-party solutions with the Network Decoder to capture packets in the Azure cloud environment.

Integrate Gigamon GigaVUE with the Network Decoder

You can access Gigamon Visibility Platform through the Azure Marketplace on the Azure portal. It is activated by a BYOL license. A thirty-day free trial is also available. For more information on the Gigamon solution, see GigaVUE Cloud Suite for Azure.

For more information regarding GigaVUE Deployment, see https://docs.gigamon.com/doclib515/Content/GV-Cloud-Azure/preface-Azure.html?tocpath=GigaVUE%20Cloud%20Suites%7CAzure%7C_____0.

Once the Monitoring Session is deployed in Gigamon GigaVUE-FM with the Decoder receiver NIC as the tunnel endpoint, you will see the traffic arriving on the NW Decoder host.

Integrate Ixia with the Network Decoder

Keysight Ixia CloudLens SaaS is a Network Visibility platform. For more information on the CloudLens solution, see https://www.keysight.com/in/en/products/network-visibility/cloud-visibility/cloudlens/cloudlens-saas.html.

You must complete the following tasks to integrate the Network Decoder with Ixia CloudLens.

Task 1. Deploy Client Machines

Task 2. Create CloudLens Project

Task 3. Install Docker Container on Decoder

Task 4. Install Docker Container on Clients

Task 5. Map Network Decoder to Ixia Clients

Task 6. Validate CloudLens Packets Arriving at Decoder

Task 7. Set the Interface in the Network Decoder

Task 1. Deploy Client Machines

      • Deploy the client machines from which you want to route traffic to the Network Decoder. See the Ixia CloudLens documentation (https://<CloudLensManager_IP>/cloudlens/docs/Default.htm) for the specifications of supported client machines.

        Note: <CloudLensManager_IP> is the respective CloudLens Manager instance.

        Note: Modify the VM's network security group to allow incoming traffic on the following ports:
        - TCP: 22 (SSH): Connection to the instance / VM.
        - IP Protocol: 47 (GRE): Required by CloudLens Sensor Tap to send the tapped traffic to the Sensor Tool.
        - UDP Protocol: 19993 (Encrypted Tunnel) – Required by CloudLens Sensor Tap to send the tapped traffic to the Sensor Tool.
        For more information, see https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg.

Task 2. Create CloudLens Project

      1. Log in to Ixia CloudLens Manager and go to the Configure page.

      2. Click + (add) to create a new project.

      3. In the CREATE NEW PROJECT view,

        • Enter the Project Name

          For Example: NetWitness-Ixia.

        • Enter the Project Description

          For Example: NetWitness Ixia Integration.

        netwitness_create_new_project.png

      4. Click OK.

      5. Click SHOW PROJECT KEY to get the API Key for the project.

        The key is required to configure the Host and Tool agents.

netwitness_get_api_key.png

Task 3. Install Docker Container on Decoder

        1. SSH to the Network Decoder.

        2. Set up Docker. For more information on how to set up Docker, see https://docs.docker.com/engine/install/centos/.

        3. Run the following commands to configure the Docker insecure-registries parameter so that the sensor image can be pulled from CloudLens:

          echo "{\"insecure-registries\":[\"<CloudLens_IP_here>\"]}" | sudo tee /etc/docker/daemon.json

          sudo systemctl enable docker.service

          sudo service docker restart

        4. Pull the CloudLens agent docker image. Run the following command:

          sudo docker pull <CloudLens_IP_here>/sensor

        5. Start the CloudLens agent with the project key (ProjectKeyFromIxiaProjectPortal) retrieved in Task 2. Create CloudLens Project and the CloudLens Manager IP. Run the following command:

          sudo docker run -v /lib/modules:/lib/modules -v /var/log:/var/log/cloudlens -v /:/host -v /var/run/docker.sock:/var/run/docker.sock --cap-add SYS_MODULE --cap-add SYS_RESOURCE --cap-add NET_RAW --cap-add NET_ADMIN --name cloudlens-agent -d --restart=on-failure --net=host --log-opt max-size=50m --log-opt max-file=3 <CloudLens_IP_here>/sensor --accept_eula yes --project_key ProjectKeyFromIxiaProjectPortal --server <CloudLens_IP_here> --ssl_verify no

Task 4. Install Docker Container on Clients

      1. SSH to the Azure VM with root privileges.

      2. Set up Docker for your OS or distribution. For more information, see https://docs.docker.com/engine/install/.

      3. Run the following commands to configure the Docker insecure-registries parameter so that the sensor image can be pulled from CloudLens:

        echo "{\"insecure-registries\":[\"<CloudLens_IP_here>\"]}" | sudo tee /etc/docker/daemon.json

        sudo systemctl enable docker.service

        sudo service docker restart

      4. Pull the CloudLens agent docker image. Run the following command.

        sudo docker pull <CloudLens_IP_here>/sensor

      5. Start the CloudLens agent with the project key (ProjectKeyFromIxiaProjectPortal) retrieved in Task 2. Create CloudLens Project and the CloudLens Manager IP. Run the following command.

        sudo docker run -v /lib/modules:/lib/modules -v /var/log:/var/log/cloudlens -v /:/host -v /var/run/docker.sock:/var/run/docker.sock --cap-add SYS_MODULE --cap-add SYS_RESOURCE --cap-add NET_RAW --cap-add NET_ADMIN --name cloudlens-agent -d --restart=on-failure --net=host --log-opt max-size=50m --log-opt max-file=3 <CloudLens_IP_here>/sensor --accept_eula yes --project_key ProjectKeyFromIxiaProjectPortal --server <CloudLens_IP_here> --ssl_verify no
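Step 3 of Task 3 and step 3 of Task 4 both write /etc/docker/daemon.json with a single tee command, which replaces whatever the file already contained (log options, storage driver, other registries). The following added example, which is not Ixia or NetWitness code, does the same configuration but validates the CloudLens Manager address first and refuses to overwrite a daemon.json that holds other settings, so the operator merges the key instead of losing configuration. Note that insecure-registries makes Docker pull the sensor image from that address without TLS verification, just as --ssl_verify no does for the agent, so the address must be the one you control. The file path and the sample address 10.0.0.5 are assumptions.

```shell
#!/bin/sh
# Added example, not Ixia or NetWitness code: a safer replacement for the
# 'echo ... | tee /etc/docker/daemon.json' step of Tasks 3 and 4.
# The default path and the sample address used in the usage line are assumptions.
set -eu

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# insecure_registry_json ADDR -> the exact JSON document the guide writes.
insecure_registry_json() {
    printf '{"insecure-registries":["%s"]}\n' "$1"
}

# write_daemon_json REGISTRY_ADDR [PATH]
# Returns 0 after writing (or when PATH already holds exactly this content),
# 1 for a malformed address, 2 when PATH exists with other settings that the
# guide's one-liner would have silently discarded.
write_daemon_json() {
    reg="$1"; path="${2:-/etc/docker/daemon.json}"
    if ! valid_ipv4 "$reg"; then
        echo "not an IPv4 address: $reg" >&2; return 1
    fi
    want=$(insecure_registry_json "$reg")
    if [ -s "$path" ]; then
        have=$(cat "$path")
        if [ "$have" = "$want" ]; then
            return 0    # already configured; nothing to do
        fi
        echo "$path already exists with other settings; add \"insecure-registries\" to it by hand instead of overwriting" >&2
        return 2
    fi
    printf '%s\n' "$want" > "$path"
}

# Usage (as root): sh daemon_json.sh apply 10.0.0.5   (then enable and restart docker as in the guide)
if [ "${1:-}" = "apply" ]; then
    write_daemon_json "${2:?usage: apply <CloudLens_IP>}"
fi
```

After a successful write, continue with the systemctl enable and docker restart commands from the guide; on exit status 2, open the existing daemon.json and add the "insecure-registries" array alongside the settings already there.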

Task 5. Map Network Decoder to Ixia Clients

Map the Network Decoder to the client machines to route the traffic to the Network Decoder. Do the following:

            1. Go to the CloudLens Manager UI.

            2. Click on your project and open it.

            3. Click Define Group or the Instances count.

              You should see two instances listed, one for your decoder and the other for the client machines.

            4. Apply filter for the decoder instance and click Save Search.

            5. Select Save as a tool.

            6. Specify a name for the tool and the Aggregation Interface.

              Note: Use a meaningful name for the Aggregation Interface (for example, cloudlens0). This is a virtual interface that appears in the OS where your Tool is installed. You need to instruct your tool to 'listen' on that interface in a subsequent step.

              netwitness_cloudlens_toolname.png

            7. Apply filter for the client host instance from the list and click Save Search.

              netwitness_cloudlens_clienthost.png

            8. Navigate back to the top-level view of the project.

              Your client machine instance and Decoder instance are now displayed.

            9. Drag a connection between the client machine instance and Decoder instance to allow the flow of packets.

              netwitness_cloudlens_createmapping.png

Task 6. Validate CloudLens Packets Arriving at Decoder

Complete the following steps to validate that packets are actually arriving at the Network Decoder.

      1. SSH to the Network Decoder.

      2. Run the following command.

        ifconfig

        The new aggregation interface you created is displayed.

        netwitness_cloudlens_validate1.png

      3. Generate traffic from the client OS instance CLI (for example: wget http://www.google.com/).

        netwitness_cloudlens_validate2.png

      4. SSH to the Network Decoder and go to your Network Decoder instance CLI.

      5. Run the following command and look for the expected traffic in the tcpdump output (-i selects the aggregation interface created above):

        tcpdump -i cloudlens0

        netwitness_cloudlens_validate3.png

Task 7. Set the Interface in the Network Decoder

Complete the following steps in the Network Decoder to set the interface for the Ixia integration.

      1. SSH to the Network Decoder.

      2. Run the following command to restart the decoder service:

        $ sudo restart nwdecoder

        The Network Decoder is now set to capture the network traffic.

      3. Log in to NetWitness and click (Admin) > Services.

      4. Select a Decoder service and click the actions icon > View > Explore.
      5. Expand the decoder node and click config to view the configuration settings.
      6. Set the capture.selected parameter to the following value.
        packet_mmap_,cloudlens0(bpf)
        netwitness_cloudlens_packetdecoder.png
      7. Restart the Decoder service after you set the capture.selected parameter.