The SASE Hybrid Cloud Configuration is a data driven design. The NetWitness Admin Server contains a script nw-create-cloud-hybrid that has a command --enable-cloud-sase, which will deploy the NetWitness Overlay Network, and the defined NetWitness Nodes in their respectively defined regions in the requested Cloud Platform. The implementation supports deploying the overlay network and NetWitness nodes to the Google Cloud Platform (GCP). The recommended SASE deployment includes 3 cloud compute instances, a PPN-Server node to support Overlay Network communication, a NetWitness Decoder, and a NetWitness Concentrator. The deployed GCP based Decoder and Concentrator will have available storage based on the chosen host-model for each. The Decoder and Concentrator service and storage configuration must be completed after the SASE Deployment following the appropriate NetWitness documentation.

GCP Prerequisites

  1. Customer must have an On-Prem or cloud based NetWitness Admin Server at Version

  2. Customer must have a GCP Cloud Project.

  3. Customer’s GCP Cloud Project must have enabled the following Google APIs.

    1. Cloud Compute API

    2. Cloud Resource Manager API

    3. Identity and Access Management (IAM) API

    4. Cloud DNS API

  4. Customer’s on-prem Admin Server outbound network configuration must allow access to the external-ip of the ppn-server on UDP port 4242.

  5. To deploy resources in the cloud, a service account credential file must be available on the NetWitness Admin Server that has the necessary permission to create vpcs, subnetworks, nats, disks, service accounts, and instances from images.

    1. To enable automated deployment of NetWitness resources to the customer’s GCP Cloud Project, a JSON based Service Account Key File must be generated.

    2. Create a Service Account with the Roles mentioned below. To create a Service Account and its key in GCP, refer to and

      Note: These roles are the default OOTB GCP roles. Permissions can be future limited with custom role(s).

      1. Compute Admin

      1. IAP-secured Tunnel User

      1. Project IAM Admin

      1. Service Account Admin

      1. Service Account User

      1. Storage Admin

    1. Provide the service account email to NetWitness to give access to the gcp image. Email can be found in the token as client_email or from GCP console go to IAM > Service Account.

    1. GCP JSON based service account file must be saved to the On-Prem NetWitness Admin Server to /root/.gcp/gcp-auth-token.json. This is the expected default location of the NetWitness Installation scripts. The JSON token file can be stored in another location on the NetWitness Admin Server, but it will require passing in that location during the SASE deployment installation.

    1. GCP JSON Service Account File must be like:


      "type": "service_account",

      "project_id": "nw-nwp-xxx",

      "private_key_id": "d143529509c56b28e7186fea465XXXXXXXXXXXXX",

      "private_key": "-----BEGIN PRIVATE KEY-----<private key>-----END PRIVATE KEY-----\n",

      "client_email": "<email associated with service account>",

      "client_id": "<client id>",

      "auth_uri": "",

      "token_uri": "",

      "auth_provider_x509_cert_url": "",

      "client_x509_cert_url": "<service account name>",

      "universe_domain": ""


      Note: The Service Account has significant privileges and should be disabled in GCP for security purposes when not required by a NetWitness SASE Deployment or Validation Action via the nw-create-cloud-hybrid script.

  1. The customer’s cloud project can access the NetWitness Production Project that hosts the cloud image that matches the version of the On-Prem NetWitness Admin Server. The minimum NetWitness version is

    GCP Details

    1. The NetWitness GCP production project name is: nw-onprem-images-prod.

    2. This project name MUST be provided as the value for the “image_project” attribute in the sase-deployment-models.yml configuration file prior to SASE Deployment. Details are provided in the later sections.

    3. The NetWitness SASE Image Name will look like: rsa-nw-12-4-0-0-<build #>-lite. The build number can be found in the initial lines of the /etc/netwitness/component-descriptor/data/nw-component-descriptor.json file on the NetWitness Admin Server.