The sase-deployment-models.yml file contains the cloud node deployment configuration. The template in /opt/rsa/saTools/cloud/sase-deployment-models.yml includes the following attribute definitions:

  • provider – The cloud provider. Different providers have different schemas. Currently only Google Cloud Platform (GCP) is supported. Contains the cloud implementations.
  • gcp – Google Cloud Platform provider. Contains the model definitions.
  • default – Out-of-the-box model definition. The attributes in this model definition should be updated to suit the customer’s requirements.
  • image – The image name to be used as the base image in the GCP project. The image name has the format “rsa-nw-<version>-<build#>-lite”. If left blank, the SASE deployment configuration defaults to the version and build number of the Admin Server (the version and build number can be found in the initial lines of the /etc/netwitness/component-descriptor/data/nw-component-descriptor.json file on the Admin Server). The image name can be overridden with this attribute if required.
  • image_project – NetWitness Cloud project that maintains the NetWitness SASE image. Must be set to: nw-onprem-images-prod.

  • vpn_provider – The VPN provider for the SASE deployment model. The different providers have differing integration points with NetWitness, which require varying configuration. Supported VPN providers: Broadcom/PaloAlto/Netskope.
  • vpc_ppn_cidr – Virtual Private Cloud network address in CIDR format. The value must not conflict with another VPC defined in the cloud project.
  • ppn_cidr – NetWitness overlay network range to be used, in CIDR format. This value must not conflict with networks on either the on-prem network that hosts the NetWitness Admin Server or the cloud project. The default NetWitness Private Peer Network value is 172.30.30.0/24.
  • admin_cidr_ip – The Admin Server’s nw-ppn IP address in CIDR format. This address MUST be within the ppn_cidr range; the .2 host address is suggested.
  • default_region – Region used by default to deploy the nw-ppn-server (Lighthouse server). Set to the VPN provider’s region of deployment.
  • ppn_server – The Nebula Lighthouse Server instance. It is based on a NetWitness image. The Nebula rpm and corresponding certs are installed, and the instance is configured as the nw-ppn-server (Lighthouse server in Nebula terminology).
    • name – Name of the instance known to the nw-ppn network.
    • ppn_cidr_ip – This node’s IP address in CIDR format. This address MUST be within the ppn_cidr range; the .1 host address is suggested.
    • zone_suffix – This value is concatenated with the region to define the zone that the ppn-server will be installed into on GCP.
    • machine_type – The GCP machine type to use when creating the nw-ppn-server instance.
    • boot_disk_size – The size of the attached file system of the nw-ppn-server instance when it is created.
    • boot_disk_type – The type of attached boot disk.
    • cloud_subnet – The subnet address range in CIDR format used to create a subnet for the nw-ppn-server node. This address MUST be within the vpc_ppn_cidr range.
    • whitelist – List of IPs or IP ranges in CIDR format that will be added to the ppn-server ingress firewall. This should be a comma-separated list of all externally facing outbound IPs that can be used to access the PPN server. It should be the complete list of edge proxy addresses that the Admin Server may route through to reach the PPN server. For example: '10.11.12.13/32' or '10.11.12.13/32,10.11.12.0/24'
  • regions – Container for each region definition.

    Note: When adding new regions, the region’s defined cloud_node_subnet address MUST be unique.

    • us-east1 – Region definition. Add additional regions under the parent regions node for additional region usage. Set to the VPN provider’s region of deployment.
      • region_name – Exact name of the region as defined by the cloud provider, i.e., us-east1. Set to the VPN provider’s region of deployment.
      • cloud_node_subnet – The subnet address range in CIDR format used to create a subnet for the nodes defined in the nw-nodes attribute of this region. This address MUST be within the vpc_ppn_cidr range and MUST be unique if multiple regions are defined.
      • nw-nodes – Container element defining all nodes that will be created within this region. Nodes are not necessarily created in the order listed. The default set of nw-nodes is limited to a NetWitness Decoder and Concentrator. Each node defined here with the following attributes will be created under the parent region.
        • <node-name> – Node to be created. This element is just an arbitrary name for the type of node to be created and provisioned in this region’s subnet.

          • name – Name of the instance known to the nw-ppn network.

          • zone_suffix – This value is concatenated with the region to define the zone that the NetWitness node will be installed into on GCP.

          • boot_disk_size – The size of the attached boot disk.

          • boot_disk_type – The type of attached boot disk.

          • nic_type – The type of vNIC to be used on this interface. Possible values: GVNIC, VIRTIO_NET.

          • egress_tier – A selection of available network options that controls the egress bandwidth. Possible values: TIER_1, DEFAULT. The nic_type must be GVNIC for this setting to take effect.

            Note: machine_type must be a supported type.

          • model_name – The host configuration model name. These configuration models are defined in /root/.sase/host-models.yml, which provides the host drive and machine type configuration attributes.

          • additional_storage – This flag dictates the deployment of the drive model defined in the host-models.yml file. Must be set to true in production.

          • bootstrap – Determines whether the calling script will automatically bootstrap the node and accept its keys in the Admin Server. This allows for either automated or manual orchestration of a NetWitness Category to the node.

          • orchestrate – Determines whether the calling script will automatically orchestrate a NetWitness Category to the node.

          • category – The NetWitness Category to be orchestrated. Must be an exact value (case sensitive).

          • Configure_block_storage – Automates the block storage configuration for the SASE Cloud node.

          • Configure_warm_storage – Automates the warm packet storage configuration for the SASE Cloud node.
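Several of the attributes above carry constraints that the template itself cannot enforce (admin_cidr_ip and ppn_cidr_ip inside ppn_cidr, cloud_subnet and every cloud_node_subnet inside vpc_ppn_cidr, cloud_node_subnet unique per region, a parsable whitelist, and TIER_1 egress only with GVNIC). The pre-flight checker below is an added example, not part of NetWitness or the deployment script; it takes the model as an already-loaded dictionary, and the SAMPLE_MODEL values are constructed to exercise two deliberate faults.

```python
import ipaddress

# Constructed sample mirroring the attribute layout above; the two marked faults are deliberate.
SAMPLE_MODEL = {
    "vpc_ppn_cidr": "10.50.0.0/16",
    "ppn_cidr": "172.30.30.0/24",
    "admin_cidr_ip": "172.30.30.2/24",
    "ppn_server": {"ppn_cidr_ip": "172.30.30.1/24", "cloud_subnet": "10.50.1.0/24",
                   "whitelist": "203.0.113.10/32,203.0.113.0/24"},
    "regions": {
        "us-east1": {"cloud_node_subnet": "10.50.2.0/24", "nw-nodes": {
            "decoder": {"nic_type": "GVNIC", "egress_tier": "TIER_1"},
            "concentrator": {"nic_type": "VIRTIO_NET", "egress_tier": "TIER_1"}}},  # fault: needs GVNIC
        "us-west1": {"cloud_node_subnet": "10.50.2.0/24", "nw-nodes": {}},  # fault: subnet reused
    },
}

def _net(cidr):
    return ipaddress.ip_network(cidr.strip(), strict=False)

def check_model(model):
    """Return a list of problem strings; an empty list means every check passed."""
    problems = []
    vpc, ppn = _net(model["vpc_ppn_cidr"]), _net(model["ppn_cidr"])
    if vpc.overlaps(ppn):  # the overlay range must not conflict with the cloud project VPC
        problems.append("ppn_cidr overlaps vpc_ppn_cidr")
    srv = model["ppn_server"]
    for key, addr in (("admin_cidr_ip", model["admin_cidr_ip"]), ("ppn_server.ppn_cidr_ip", srv["ppn_cidr_ip"])):
        if ipaddress.ip_interface(addr).ip not in ppn:  # both MUST sit inside ppn_cidr
            problems.append(f"{key} {addr} is outside ppn_cidr {ppn}")
    if not _net(srv["cloud_subnet"]).subnet_of(vpc):
        problems.append("ppn_server.cloud_subnet is outside vpc_ppn_cidr")
    for entry in srv["whitelist"].split(","):  # ingress firewall list: every entry must parse as CIDR
        try:
            _net(entry)
        except ValueError:
            problems.append(f"whitelist entry {entry.strip()!r} is not valid CIDR")
    seen = {}
    for region, rdef in model["regions"].items():
        sub = _net(rdef["cloud_node_subnet"])
        if not sub.subnet_of(vpc):
            problems.append(f"{region}: cloud_node_subnet {sub} is outside vpc_ppn_cidr")
        if sub in seen:  # cloud_node_subnet MUST be unique across regions
            problems.append(f"{region}: cloud_node_subnet {sub} already used by {seen[sub]}")
        seen.setdefault(sub, region)
        for node, ndef in rdef.get("nw-nodes", {}).items():
            if ndef.get("egress_tier") == "TIER_1" and ndef.get("nic_type") != "GVNIC":
                problems.append(f"{region}/{node}: egress_tier TIER_1 requires nic_type GVNIC")
    return problems
```

Run it against the dictionary produced by loading your edited sase-deployment-models.yml before invoking the deployment script; a non-empty list means the file violates one of the MUST constraints listed above.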

    The /opt/rsa/saTools/cloud/host-models.yml file defines the available and tested storage models for the specific NetWitness version. It is copied to the deployment location, /root/.sase/host-models.yml, on first use of the SASE Deployment Script (nw-create-cloud-hybrid). The host model chosen from host-models.yml is very customer specific and MUST be specified by updating the node configuration’s host_model value in sase-deployment-models.yml as defined above. The following are the available production host_model options for Decoder and Concentrator SASE nodes:

    Model      Description
    ---------  -----------------------------------------------------------------------------------------------------------------
    c1r6m30    Storage configuration for a decoder at 1gbps capture (c1) with 6-day retention (r6) and 30-day meta retention (m30) for the concentrator.
    c1r12m60   Storage configuration for a decoder at 1gbps capture (c1) with 12-day retention (r12) and 60-day meta retention (m60) for the concentrator.
    c1r23m120  Storage configuration for a decoder at 1gbps capture (c1) with 23-day retention (r23) and 120-day meta retention (m120) for the concentrator.

To help determine the appropriate model to choose, see the SASE section in the NetWitness Storage Guide for more details.

Each host model defines the following:

models – Container for all of the above models.

  • <model-name>, i.e., c1r6m30 – Storage model for 1gbps capture with 6-day decoder packet retention and 30-day concentrator retention.

  • Decoder – Contains attributes specific to a Decoder deployment.

    • machine_type – Defines the virtual machine type. Ex: n2-standard-32

    • storage_class – Defines the type of cloud storage. Ex: STANDARD. This attribute is not currently used but is defined for future use.

    • warm_retention – Size (in TB) of cloud/bucket storage used for warm retention. This attribute is not currently used but is defined for future use.

    • disks – Defines the block storage disk properties for NW services. Disk properties for each NW service (Decoder, Concentrator) must be defined separately.

    • decodersmall – Decoder service storage volume name for the meta/session/index databases. Multiple volumes must be created when the disk size exceeds 65000GB. The volume names are numbered starting at 0. Ex: decodersmall0

      • disk_name – Unique name for disk. Ex: decodersmall

      • disk_type – Type of disk. Ex: pd-standard

      • disk_size – Size (in GB) for the above disk.

    • decoder – Decoder service storage volume name for the packet database. Multiple volumes must be created when the disk size exceeds 65000GB. The volume names are numbered starting at 0. Ex: decoder0

      • disk_name – Unique name for disk. Ex: decoder

      • disk_type – Type of disk. Ex: pd-standard

      • disk_size – Size (in GB) for the above disk.

  • Concentrator – Contains attributes specific to a Concentrator deployment.

    • machine_type – Defines the virtual machine type. Ex: n2-standard-32

    • storage_class – Defines the type of cloud storage. Ex: STANDARD

    • warm_retention – Size (in TB) of cloud/bucket storage used for warm retention. This attribute is not currently used but is defined for future use.

    • disks – Defines the block storage disk properties for NW services. Disk properties for each NW service (Decoder, Concentrator) must be defined separately.

    • concentrator – Concentrator service storage volume name for the meta/session databases. Multiple volumes must be created when the disk size exceeds 65000GB. The volume names are numbered starting at 0. Ex: concentrator0

      • disk_name – Unique name for disk. Ex: concentrator

      • disk_type – Type of disk. Ex: pd-standard

      • disk_size – Size (in GB) for the above disk.

    • index – Concentrator service storage volume name for the index database. Multiple volumes must be created when the disk size exceeds 65000GB. The volume names are numbered starting at 0. Ex: index0

      • disk_name – Unique name for disk. Ex: index

      • disk_type – Type of disk. Ex: pd-standard

      • disk_size – Size (in GB) for the above disk.