To provide hybrid cloud support for SASE, NetWitness has developed a new capability allowing the deployment of components (Decoder and Concentrator) in different cloud regions where the SASE vendor operates. Deployment is per tenant and can connect to an on-prem or cloud-based NetWitness Admin node over a secure network.

Core to this new NetWitness capability is the integration of an overlay network. The NetWitness Peer-to-Peer Network (NW-PPN) provides secure, mutually authenticated, PKI-based communication between NetWitness components. The NW-PPN is built on the open-source Slack Nebula overlay network, which uses the Noise Protocol Framework for its encrypted, mutually authenticated tunnels.


The only port required to be open is UDP port 4242 on the outbound NAT/Firewall specific to the Admin Server. Core to the NW-PPN is the NW-PPN Server. This is a Nebula Lighthouse service deployed on a NetWitness cloud image. The NW-PPN Server collects and provides all NW-PPN Nodes (AdminServer and SASE deployed cloud nodes) with UDP based networking connection information to support peer-to-peer communication via UDP hole punching technique. Additionally, where UDP hole punching is not supported, the NW-PPN Server supports fallback to relaying through the NetWitness NW-PPN Server.
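As an added illustration of the mechanism just described (this is a constructed Nebula configuration, not NetWitness's shipped config), the following shows how a SASE-side node reaches the NW-PPN Server on UDP 4242, attempts direct UDP hole punching, and falls back to relaying through that same server; the hostname, overlay IPs, certificate paths and the `adminserver` group name are placeholders.

```yaml
# Constructed example of a Nebula node config for a SASE-side NetWitness node.
# Overlay IPs, hostname, file paths and group names are placeholders.
pki:
  ca: /etc/nebula/ca.crt          # CA that signed every peer cert (mutual auth)
  cert: /etc/nebula/decoder.crt   # this node's cert: overlay IP + groups
  key: /etc/nebula/decoder.key

# Public address of the NW-PPN Server (the lighthouse). This single
# destination, UDP 4242 outbound, is the only firewall/NAT exception needed.
static_host_map:
  "10.255.0.1": ["ppn-server.example.invalid:4242"]

lighthouse:
  am_lighthouse: false            # true only on the NW-PPN Server itself
  interval: 60                    # seconds between updates sent to the lighthouse
  hosts:
    - "10.255.0.1"

listen:
  host: 0.0.0.0
  port: 0                         # ephemeral source port behind NAT; the
                                  # lighthouse is the side that pins port 4242

punchy:
  punch: true                     # keepalives so the NAT mapping stays open
  respond: true                   # answer punch requests from peers behind NAT

relay:
  am_relay: false                 # true only on the NW-PPN Server
  use_relays: true                # fall back to a relay when punching fails
  relays:
    - "10.255.0.1"                # the NW-PPN Server doubles as the relay

firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # Least privilege on the overlay: only peers whose certificate carries
    # the adminserver group may initiate connections to this node.
    - port: any
      proto: any
      groups:
        - adminserver
```

On the NW-PPN Server the same file differs in `lighthouse.am_lighthouse: true`, `relay.am_relay: true` and a fixed `listen.port: 4242`, which is why that one port is the only inbound requirement.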

This document describes the components and configuration options specific to the NetWitness SASE cloud deployment process. At the end of this document is a "Quick-Install" guide with an enumerated set of installation steps.