Table of Contents
- Release Notes
-
Getting Started
-
Getting Started With NetWitness
- Getting Started with NetWitness Platform
- Log in to NetWitness Platform
- Changing Your Password
- Identifying Your Role
- NetWitness Platform Basic Navigation
- Setting Up Your Default View by SOC Role
- Manage Home Widgets
- Managing the Springboard
- Managing Dashboards
- Setting User Preferences
- Managing Jobs
- Viewing and Deleting Notifications
- Viewing Help in the Application
- Finding Documents on NetWitness Community
- Troubleshooting for User Setup
- NetWitness Platform Getting Started References
-
Set up your Hosts and Services
- Hosts and Services Basics
- Hosts and Services Set Up Procedures
- Hosts and Services Maintenance Procedures
-
References
- Hosts View
-
Services View
- Edit Service Dialog
- Services Config View
- Services Config View - Appliance Service Configuration Tab
- Services Config View - Data Retention Scheduler Tab
- Services Config View - Files Tab
- Services Explore View
- Services Explore View - Properties Dialog
- Services Logs View
- Services Security View
- Services Security View - Users Tab
- Services Security View - Roles Tab
- Services Security View - Settings Tab
- Services Stats View
- Services Stats View - Chart Stats Tray
- Services Stats View - Gauges
- Services Stats View - Timeline Charts
- Services System View
- Services Topology View
- Services System View - Host Task List Dialog
-
Service Configuration Parameters
- Aggregation Configuration Parameters
- Appliance Service Configuration Parameters
- Archiver Service Configuration Parameters
- Broker Service Configuration Parameters
- Concentrator Service Configuration Parameters
- Core Service Logging Configuration Parameters
- Core Service-to-Service Configuration Parameters
- Core Service System Configuration Parameters
- Decoder Configuration Parameters
- Network Decoder Service Configuration Parameters
- Log Decoder Service Configuration Parameters
- REST Interface Configuration Parameters
- NetWitness Platform Core Service system.roles Modes
- Centralized Service Configuration via Policy
- Troubleshooting Version Installations and Updates
- Quick Start - Investigation
- Quick Start - Endpoints
- Quick Start - UEBA
-
Getting Started With NetWitness
-
Install and Upgrade
- Deploy NetWitness
- Manage Licensing
- Physical Host Installation
-
Virtual Host Installation
- Basic Deployment
-
Install NW Virtual Host in Virtual Environment
- Step 1a. Create Virtual Machine - VMware
- Step 1b. Deploy the Virtual Host in Hyper-V
- Step 1c. Create Virtual Machine in Nutanix AHV
- Step 2. Configure Block Storage to Accommodate NetWitness Platform
- Step 3. Installation Tasks
- Step 4. Configure Host-Specific Parameters
- Step 5. Post Installation Tasks
- Appendix A. Troubleshooting
- Appendix B. Silent Installation Using CLI
- Appendix C. Virtual Host Recommended System Requirements
- Appendix D. Update the Virtual ESA Host Memory
-
NetWitness Storage Configuration
- Storage Overview
- Storage Requirements
- Enable Encryption on Series 6E or Series 7 Hosts
- Prepare Physical Storage
- Prepare Virtual or Cloud Storage
- Configure Storage Using the REST API
- Prepare Unity Storage
- Migrate Data to Another Storage Type
-
SASE Node-x (Decoder/Concentrator) - GCP Persistent Disk (PD) Storage Configuration
- Introduction
- Identify Storage Requirements
- Identify or Define Storage Model
- Deploy SASE Node(s)
- Configure SASE Node(s) Storage
- Extend Storage for SASE Node
-
Appendix
- Appendix A - Defining a Custom Host Model
- Appendix B - Sample Scenario for Configuring SASE Decoder Storage
- Appendix C - Sample Scenario for Configuring SASE Concentrator Storage
- Appendix D - Sample Scenario for Extending for SASE Decoder Storage
- Appendix E - Sample Scenario for Extending SASE Concentrator Storage
- Appendix A. How NetWitness Platform Hosts Store Data
- Appendix B. Encrypt a Series 6E Core or Hybrid Host (encryptSedVd.py)
- Appendix C. Troubleshooting
- Appendix D. Sample Storage Configuration Scenarios
- Appendix E: Sample Storage Configuration Scenarios for 8 or 12 Drive Powervault
- Appendix F. Sample Storage Configuration Scenarios for S7 Physical Hosts with12-Drive PowerVault MD2412
- AWS Deployment
- Azure Deployment
- Google Cloud Platform Deployment
- Endpoint Agent Installation
- UEBA Standalone Installation
- Upgrade to NetWitness Platform 12.5.1
- Upgrade to NetWitness Platform 12.5
- Upgrade to NetWitness Platform 12.4.2
- Upgrade to NetWitness Platform 12.4.1
- Upgrade to NetWitness Platform 12.4
- Upgrade to NetWitness Platform 12.3.1
- Upgrade to NetWitness Platform 12.3
- Upgrade to NetWitness Platform 12.2
- Windows Legacy Log Collection Configuration
- NetWitness Export Connector Deployment
-
Configure and Manage
- SASE Integration Overview
- SASE Configuration for Palo Alto Networks
-
SASE Installation and Configuration
- SASE Hybrid Cloud Overview
- SASE Installation
- SASE Configuration
- nw-create-cloud-hybrid Command Help
- SASE Deployment
- SASE Undeployment
- SASE Backup
- SASE Restore
- SASE Upgrade
- Reissue All Certificates
- Reissue Node Certificates
- Check Certificate Status
- Check Overlay Network Status
- GCP Cloud Quick-Install Guide
- Limitations
- SASE Node(s) Backup and Restore using GCP Snapshots
- Troubleshooting NetWitness SASE Deployment
-
Response Actions Configuration
- Response Actions
- Integrate the Connector with NetWitness Platform
- Create and Manage Response Actions
- Response Actions History View
- Quick Actions
- Response Actions and Quick Actions Use Case Examples
- Correlation between Response and Quick Actions
- Quick Action History
- Connect with Threat Connect using HTTPS
- NetWitness Response Actions Reference Information
-
Policy-based Centralized Content Management
- About Policy-based Centralized Content Management
- Enable or Disable Policy-based Centralized Content Management for All or Individual Services
- Migrate Content from Core Services to Content Library
- Migrate ESA Deployments to Policies and Groups
-
Manage Content Library
- Import Content to Content Library
- Import GeoIp Data
- Create an Application Rule
- Clone Application Rule
- Edit Application Rule
- Delete Application Rule
- View Application Rule Details
- Create a Network Rule
- Clone Network Rule
- Edit Network Rule
- Delete Network Rule
- View Network Rule Details
- Create an ESA Rule
- Edit an ESA Rule
- Delete an ESA Rule
- About MITRE ATT&CK Tactics and Techniques
- About SASE Integration Plugins
- Manage Search Pattern Rules
- Filter Content Rules
- Manage Groups
- Manage Policies
- Manage Services
- Manage ESA Datasources
- Manage Deployments
- Troubleshooting
- References
- Appendix A: Endpoint Risk Scoring Rules
- Appendix B: Position Tracking Information
-
Decoder and Log Decoder Configuration
- Decoder and Log Decoder Quick Setup
-
Configure Common Settings on a Decoder
-
Configure Capture Settings
- (Optional) Configure System-Level (BPF) Packet Filtering
- (Optional) Configure a Decoder to Capture Data Across All Types of Network Interfaces
- (Optional) Configure Meta-Only Decoders
- (Optional) Configure Selective Network Data Collection
- (Optional) Configure a Decoder to Write Standard pcap-formatted Files
- (Optional) Multiple Adapter Packet Capture
- (Optional) Internet Content Adaptation Protocol Capture
- (Optional) Data Plane Development Kit Packet Capture
- (Optional) Preserve VLAN Tags When Using the Packet MMAP Capture Interface
- (Optional) Process Raw Syslog Data without Priority Field
- (Optional) Configure Decoder to Support OpenAppID
- Enable and Disable Parsers and Log Parsers
- Start and Stop Data Capture
-
Configure Capture Settings
- Configure Decoder Rules
- Configure Parsers and Feeds
-
Decoder and Log Decoder Additional Procedures
- Configure 10G Capability | NetWitness
- Configure 10G Capability
- Configure a Log Decoder to Accept Protobuf
- Configure Session Split Timeouts
- Configure Syslog Forwarding to Destination
- Configure Transaction Handling on a Decoder
- Configure Data Export
- Decrypt Incoming Packets TLS 1.2
- Decrypt Incoming Packets TLS 1.3
- Edit Decoder System Configuration Settings
- Enable CPU Usage Stats for Installed Content
- Enable Parser Mappings
- Enable or Disable Lua and Flex Parsing Systems
- Map IP Address to Service Type
- Event Time Support
- Obtain Log Files from a Pre-11.0 Log Decoder
- Upload a Log File to a Log Decoder
- Upload a Packet Capture File
- F5 BIG IP - NetWitness Perfect Forward Secrecy Inspection Visibility
- Troubleshooting Packet Drops
- https://community.netwitness.com/t5/netwitness-platform-online/support-for-the-ja4-entity-for-ueba/ta-p/718055
-
Decoder and Log Decoder References
- Services Config View - Capture Policies Tab
- Services Config View - Edit Policies Wizard
- Services Config View - Data Privacy Tab
- Services Config View - Data Retention Scheduler
- Services Config View - Feeds Tab
- Services Config View - Upload Feeds Dialog
- Services Config View - Files Tab
- Services Config View - General Tab
- Services Config View - Parsers Tab
- Services Config View - Parser Mappings Tab
- Services Config View - Data Export Tab
- Services Config View - Rules Tab
- Services Config View - App Rules Tab
- Services Config View - Correlation Rules Tab
- Services Config View - Network Rules Tab
- Services System View - Decoders
- NetWitness Extended Meta Key Configuration
- Broker and Concentrator Configuration
- Core Database Tuning
- Live Services Management
-
Log Collection Configuration
- About Log Collection
- Log Collection Architecture
- Basic Implementation
- Log Collection Basics
-
Collection Protocols
- Configure AWS (CloudTrail) Event Sources
- Configure Azure Event Sources
- Configure Check Point Event Sources
- Configure File Event Sources
- Configure Logstash
- Configure Netflow Event Sources
- ODBC
- Configure SDEE Event Sources
- Configure SNMP Event Sources
- Configure Syslog Event Sources
- Configure VMware Event Sources
- Configure Windows Event Sources
- Windows Legacy Configuration
- Reference
- Log Collection: Troubleshoot
- Meta Export Installation and Configuration
- Event Source Management
- Log Parser Customization
- Logstash Integration Configuration
- Archiver Configuration For Logs
- Workbench Configuration For Logs
-
Event Stream Analysis Configuration
- Event Stream Analysis Overview
- Configure ESA Correlation Rules
-
Additional ESA Correlation Rules Procedures
- Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys
- Configure Advanced Settings for ESA Correlation
- Configure Character Case for Advanced ESA Rules
- Deploy Endpoint Risk Scoring Rules on ESA
- Change Memory Threshold for ESA Rules
- Start, Stop, or Restart ESA Service
- View Audit Logs and Verify ESA Component Versions
- ESA Primary Disaster Recovery
-
Alerting with ESA Correlation Rules
- Getting Started with ESA
- How ESA Handles Sensitive Data
- ESA Rule Types
- Working with Trial Rules
- Add Rules to the Rules Library
- Download Configurable RSA Live ESA Rules
- Add a Rule Builder Rule
- Working With Rules
- Choose How to Be Notified of Alerts
- Add a Data Enrichment Source
- Deploy Rules to Run on ESA
- View ESA Stats and Alerts
- Add an Advanced EPL Rule
- Configure an In-Memory Table Using an EPL Query
- ESA Alert References
-
Context Hub Configuration
- How Context Hub Works
- Configure Lists as a Data Source
- Configure Archer as a Data Source
- Configure Active Directory Data Source
- Configure Respond Data Source
- Configure File Reputation Server Data Source
- Configure STIX as a Data Source
- Configure RESTAPI as a Data Source
- Configure Data Sources Settings
- Import or Export Lists for Context Hub
- Manage Meta values for Context Hub Lists
- Manage Meta Type and Meta Key Mapping
- Context Hub Data Sources Tab
- Context Hub Lists Tab
- Context Hub STIX Tab
- Troubleshooting
-
Malware Analysis Configuration
- How Malware Analysis Works
-
Basic Setup
- Configure Malware Analysis Operating Environment
- Configure General Malware Analysis Settings
- Configure Indicators of Compromise
- Configure Installed Antivirus Vendors
- Enable Community Scoring
- (Optional) Configure Auditing on Malware Analysis Host
- (Optional) Configure Hash Filter
- (Optional) Configure Malware Analysis Proxy Settings
- (Optional) Register for a ThreatGRID API Key
- Additional Procedures for Configuring Malware Analysis
- Supported Antivirus Vendors
-
Malware Analysis References
- Services Config View - General Tab
- Services Config View - Indicators of Compromise Tab
- Services Config View - IOC Summary Tab
- Services Config View - Auditing Tab
- Services Config View - Hash Tab
- Services Config View - AV Tab
- Services Config View - Proxy Tab
- Services Config View - ThreatGRID Tab
- Services Config View - Integration Tab
-
NetWitness Endpoint Configuration
- NetWitness Endpoint Overview
- Agent Modes
- Endpoint Server Configuration
- Deploy Endpoint Application Rules and ESA Correlation Rules
- Setup Meta Forwarding to Log Decoder
- Endpoint Sources
- Create Groups and Policies
- Manage Groups
- Manage Policies
- Change Policy Ordering for Groups
- Configure Data Retention Policy
- Manage Role Permissions at Endpoint Server Level
- Manage Inactive Agents
- Configure Retention Policy for Memory Dumps and MFT
- (Optional) Installing and Configuring Relay Server
- Endpoint YARA Rules
- Configure OPSWAT
- Integrate NetWitness Endpoint 4.4.0.2 or Later with NetWitness Endpoint 11.3
- Endpoint References
- Troubleshooting
- Appendices
-
Respond Configuration for Incident Management
- About this Document
- NetWitness Respond Configuration Overview
- Configuring NetWitness Respond
-
Additional Procedures for Respond Configuration
- Set Up and Verify Default Incident Rules
- Configure Risk Scoring Settings for Automated Incident Creation
- Configure Custom Respond Server Alert Normalization
- Configure Analyst UI for Respond Server Alert Normalization
- Configure Incident Email Notification Settings
- Set a Retention Period for Alerts and Incidents
- Obfuscate Private Data
- Manage Incidents in Archer Cyber Incident & Breach Response
- Configure the Option to Send Incidents to Archer
- Configure Threat Aware Authentication
- Set a Counter for Matched Alerts and Incidents
- Edit the Incident Rules Export ZIP File
- Configure a Database for the Respond Server Service
- Generic Bi-directional NetWitness Integration
- NetWitness Respond Configuration Reference
-
Reporting Configuration
- How Reporting Engine Works
- Configure Reporting Engine
- Configure the Data Sources
- Configure Data Privacy for Reporting Engine
- Configure Data Source Permissions
- Configure Reporting Engine Settings
- How to Define Reports, Charts, and Alerts
- Configure Reporting Engine General Settings
- Reporting Engine Reference
-
Warehouse Connector Configuration
- How Warehouse Connector Works
- Install Warehouse Connector Service on a Log Decoder or Decoder
- Configure a Warehouse Connector Service
- Configure the Data Source for Warehouse Connector
- Configure the Destination
- Configure a Stream
- Monitor a Warehouse Connector
- Add Warehouse as a Data Source to Reporting Engine
- Analyze a Warehouse Report
- View the Warehouse Connector Service
- Troubleshoot the Warehouse Connector
- Manage a Stream
- Manage a Lockbox
- Warehouse Connector Pre-Upgrade and Post-Upgrade Steps
- Warehouse Connector Configuration References
- UEBA Configuration
-
Service Configuration
- Introduction
- Admin-server Configuration
- Analysis-server Configuration
- Config-server Configuration
- Content-server Configuration
- Contexthub-server Configuration
- Correlation-server Configuration
- Endpoint-broker-server Configuration
- Endpoint-server Configuration
- Enrichment-server Configuration
- Integration-server Configuration
- Investigate-server Configuration
- Launch-framework Configuration
- License-server Configuration
- Metrics-server Configuration
- Node-infra-server Configuration
- No-op-server Configuration
- Orchestration-server Configuration
- Relay-server Configuration
- Respond-server Configuration
- Security-server Configuration
- Source-server Configuration
-
System Security and User Management
- Set Up System Security
- How Role-Based Access Control Works
- Manage Users with Roles and Permissions
- Set Up Multi-Factor Authentication
- Set Up Single Sign-On Authentication
- (Optional) Set Up Public Key Infrastructure (PKI) Authentication
- Troubleshooting
- References
- Data Privacy Management
-
System Configuration
- System Configuration Overview
-
Standard Procedures
- Access System Settings
- Configure the Customer Experience Improvement Program
- Configure Notification Servers
- Configure Notification Outputs
- Configure Templates for Notifications
- Configure Email Server and Notification Account
- Configure Global Audit Logging
- Configure Centralized Audit Logging
- Configure Investigation Settings
- Configure Live Services Settings
- Configure Log File Settings
- Configure Syslog and SNMP Settings
- AdditionalProcedures
- Troubleshooting System Configuration
- References
-
System Maintenance
- Overview
- Review Best Practices
-
Health and Wellness
- Monitor Health and Wellness using NetWitness Platform UI
- Monitor using New Health and Wellness
- Manage NetWitness Platform Updates
- Reissue Certificates
- DisplaySystem and Service Logs
- Maintain Queries Using URL Integration
- Manage the deploy_admin Account
- NW Server Host Secondary IP Configuration Management
- Change Host Network Configuration
- Manage Custom Host Entries
- Configure FIPS Support
- Configure DISA STIG Hardening
- Troubleshoot NetWitness Platform
- Troubleshooting Cert-Reissue Command
-
References
-
Health and Wellness
- Health and Wellness View - Alarms View
- Event Source Monitoring View
- Health and Wellness Historical Graphs
- Health and Wellness Settings View - Archiver
- Health and Wellness Settings View - Event Sources
- Health and Wellness Settings View - Warehouse Connector
- Monitoring View
- Policies View
- System Stats Browser View
- New Health and Wellness Settings
- System View - System Info Panel
- System Updates Panel - Settings View
- System Logging - Settings View
- System Logging - Realtime View
- System Logging - Historical View
-
Health and Wellness
- Disaster Recovery Tool
-
Investigate and Respond
-
NetWitness Investigation
- How NetWitness Investigate Works
- Configuring NetWitness Investigate Views and Preferences
- Beginning an Investigation
-
Refining the Results Set
- Use Meta Groups to Focus on Relevant Meta Keys
- Use Columns and Column Groups in the Events List
- Use Saved Queries to Encapsulate Common Areas for Investigation
- Drill into Metadata in the Events View
- Filter Results in the Events View
- Filter Results in the Navigate View
- Filter Results in the Legacy Events View
- Create a Query in the Navigate and Legacy Events Views
- Search for Text Patterns in the Navigate and Legacy Events Views
- View and Modify Queries Using URL Integration
- Create a Future Alert from Events View
- Generate Reports from Events View
- Create Events Widget from Investigate View
-
Reconstructing and Analyzing Events
- Examine Event Details in the Events View
- Analyze Events in the Events View
- Reconstruct an Event in the Legacy Events View
- Look Up Additional Context for Results
- Launch a Lookup of a Meta Key
- Launch a Malware Analysis Scan from the Navigate View
- Group Events from Split and Related Sessions in the Events and Legacy Events Views
- Visualize Metadata as Parallel Coordinates
- Visualize the Current Drill Point in Informer
- Downloading and Acting Upon Results
- Troubleshooting Investigate
-
Investigate Reference Materials
- Add Events to an Incident Dialog
- Add/Remove from List Dialog
- Column Groups Dialogs
- Context Lookup Panel
- Create an Incident Dialog
- Events View
- Events View - Email Tab
- Events View - File Tab
- Events View - Host Tab
- Events View - Packet Tab
- Events View - Text Tab
- Investigate Dialog
- Investigation Tab - User Preferences Panel
- Investigate View
- Legacy Event Reconstruction View
- Legacy Events View
- Manage Default Meta Keys Dialog
- Meta Groups Dialogs
- Navigate View
- Query Dialog
- Saved Queries Dialogs
- Create Springboard Panel Dialog
- Create Future Alert Dialog
- Schedule Report Dialog from Events View
- Create Chart Dialog from Events View
- Timeline Settings Panel
- Create Search Pattern Dialog
- Settings Dialogs for Investigate Views
-
Malware Analysis
- Malware Analysis Functions
- Malware Scoring Modules
-
Conducting Malware Analysis
- Begin a Malware Analysis Investigation
- Implement Custom YARA Content
- Examine Scan Files and Events in List Form
- Configure the Malware Analysis Summary of Events View
- Filter Dashlet Data in the Summary of Events View
- Upload Files for Malware Analysis Scanning
- View Detailed Malware Analysis of an Event
- Malware Analysis Reference Materials
-
NetWitness Endpoint Investigation
- Introduction to Endpoint Investigation
- Workflow of an Investigation
- Investigate Files
- Investigate Hosts
- Standalone Scan on Air-gapped Windows Hosts
- Investigate Process
- Change File Status and Remediate
- Analyze Downloaded Files
- Perform Forensic Investigation
- Analyze Events
- Network Isolation
- High Availability (Endpoint Recovery)
- NetWitness Endpoint with Third-Party Antivirus Products
- Troubleshooting NetWitness Endpoint
-
NetWitness Endpoint Reference Materials
- Files View
- Hosts View
- Hosts View - Details Tab
- Hosts View - Process Tab
- Hosts View - Autoruns Tab
- Hosts View - Files Tab
- Hosts View - Drivers Tab
- Hosts View - Libraries Tab
- Hosts View - Anomalies Tab
- Hosts View - Downloads Tab
- Hosts View - System Information
- Hosts View - Agent History Tab
- Hosts View - YARA Rules Tab
- User and Entity Based Analytics
-
Respond to Incidents
- NetWitness Respond Process
- Responding to Incidents
- Determine which Incidents Require Action
- Investigate the Incident
- Use MITRE ATT&CK® Framework
- Generate Reports from Respond View
- Escalate or Remediate the Incident
- Incident Response Use Case Examples
- Reviewing Alerts
- Whitelist Alerts
- Review Endpoint Alerts using Process Tree
- ESA Primary Disaster Recovery
- NetWitness Respond Reference Information
-
Generate Reports
- Reporting Overview
- Configure and Generate a Report
- Configure a Rule
- Create and Schedule a Report
- View a Report
- Investigate a Report
- Manage a List or Rule or Report
- Working with Charts
- Working with Alerts
- Appendix
-
Reporting References
- Build Chart View
- Build List View
- Build Report View
- Build Rule View
- Chart Permissions Dialog
- Chart View
- Execution History Panel
- Generate List Dialog
- Import Chart Dialog
- Import Report Dialog
- Investigate a Chart View
- List Permissions Dialog
- List View
- Reports Permissions Dialog
- Report View
- Rule Permissions Dialog
- Rule View
- Select a Logo Dialog
- Schedule a Chart View
- Schedule Report Panel
- Scheduled Reports View
- Test a Chart View
- View a Chart Panel
- View All Charts Panel
- View a Report Panel
- View All Reports Panel
- Alerting References
-
NetWitness Investigation
- Develop and Integrate
- Third Party Integrations
- Service Level Objective and CVEs
- Getting Help with NetWitness
SASE Node(s) Backup and Restore using GCP Snapshots
NetWitness provides backup/restore of SASE node(s) in GCP that follows the same process as on-prem node(s). GCP provides a snapshot feature to backup GCP instances periodically and restore them in case of node destruction or failure.
SASE Node-X backup and restore uses Google snapshots.
Refer to Snapshots overview | Filestore | Google Cloud for more details on snapshots.
Note: Snapshots are taken only for VM boot disk instances and not configured for storage disks (For example, disks defined in host-models.yml configured for NW databases such as packetdb/index).
Perform the following tasks to backup/restore the SASE node(s):
-
Task 2. Create Snapshot Schedule for Orchestrated SASE Node-X
-
Task 3. Restore SASE Node-X (For example, concentrator or decoder) from Snapshot
Task 1. Create Snapshot of Orchestrated SASE Node-X
During the orchestration of SASE Node-X, if the storage is set to true under the Storage section of /opt/rsa/saTools/cloud/sase-deployment-models.yml, additional disks are created with the specifications defined under the Storage section. These disks are configured as storage devices for the orchestrated Node-X service. Currently, both the Decoder and Concentrator are supported. The snippet below describes the creation of two disks, concentrator0 and index0, with disk type and size.
Follow the below steps to create snapshot of orchestrated SASE Node-X:
-
Login to the GCP account, select Snapshots > CREATE SNAPSHOT.
-
Fill in all the mandatory fields such as Name (For example, VM name + snapshot i.e., 20545-concentrator-us-east1-b-snapshot, Type (Snapshot), Location - Regional (Same as the VM instance location. In this case: us-east-1), select Enable application consistent snapshot checkbox and click Create to create the snapshot.
-
The new snapshot is displayed in the snapshot window.
Task 2. Create Snapshot Schedule for Orchestrated SASE Node-X
Refer to Create schedules for disk snapshots | Compute Engine Documentation | Google Cloud for more details.
Follow the below steps to create snapshot schedule for orchestrated SASE Node-X:
-
Select the SNAPSHOT SCHEDULES tab to create snapshot schedules for this instance.
-
Refer to the link Create schedules for disk snapshots | Compute Engine Documentation | Google Cloud.
Click on the Name to select the disk. Click Edit to change the properties.
-
Select the Snapshot schedule from the drop-down. This is the schedule created in the previous step. The selected schedule details are described below the snapshot drop-down. Click Save.
Task 3. Restore SASE Node-X (For example, concentrator or decoder) from Snapshot
-
Identify the snapshot corresponding to the image that needs restoration.
-
Note the failed Node-X Name and Network settings (gcp - IP, Subnet, and gateway). The new image MUST have the same name and IP settings as the failed node. The name/ip address are added to /etc/hosts of all the nodes in the NW environment. Fixed static IP assignment is an option.
-
Attach the Storage disks of the failed instance to the new instance restored from a snapshot. When restoring an image from a snapshot, the /etc/fstab is restored and contains the mounts for the Storage disks. These disks MUST be attached before the NW server (For example, concentrator or decoder) is booted.
-
SSH to the new instance and confirm that the service is running. Next, log in to the Admin server UI and confirm that the service on the new instance is online.
Original Settings
[root@20545-concentrator-us-east1-b ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc mq state UP group default qlen 1000
link/ether 42:01:0a:0a:14:08 brd ff:ff:ff:ff:ff:ff
inet 10.10.20.8/32 brd 10.10.20.8 scope global dynamic eth0
valid_lft 2686sec preferred_lft 2686sec
inet6 fe80::4001:aff:fe0a:1408/64 scope link
valid_lft forever preferred_lft forever
3: nebula1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1300 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 172.30.30.4/24 scope global nebula1
valid_lft forever preferred_lft forever
inet6 fe80::e337:8b00:d411:132a/64 scope link flags 800
valid_lft forever preferred_lft forever
[root@20545-concentrator-us-east1-b ~]# cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Tue May 23 18:49:10 2023
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/netwitness_vg00-root / xfs defaults 0 0
UUID=7e02d023-b265-4f18-9f4f-3aecf28681bf /boot xfs defaults 0 0
/dev/mapper/netwitness_vg00-usrhome /home xfs nosuid 0 0
/dev/mapper/netwitness_vg00-varlog /var/log xfs defaults 0 0
/dev/mapper/netwitness_vg00-nwhome /var/netwitness xfs nosuid,noatime 0 0
/dev/mapper/netwitness_vg00-swap swap swap defaults 0 0
/dev/concentrator/root /var/netwitness/concentrator xfs noatime,nosuid 1 2
/dev/concentrator/sessiondb /var/netwitness/concentrator/sessiondb xfs noatime,nosuid 1 2
/dev/concentrator/metadb /var/netwitness/concentrator/metadb xfs noatime,nosuid 1 2
/dev/index/index /var/netwitness/concentrator/index xfs noatime,nosuid 1 2
[root@20545-concentrator-us-east1-b ~]#
Detailed Steps
Step 1. Create a GCP VM instance from the snapshot with the same name and specifications
gcloud compute instances create 20545-concentrator1-us-east1-b
--project=dev-nw-eng
--zone=us-east1-b
--machine-type=n2-standard-4
--network-interface=network-tier=PREMIUM,stack-type=IPV4_ONLY,subnet=20545-ppn-node-subnetwork-us-east1
--maintenance-policy=MIGRATE
--provisioning-model=STANDARD
--service-account=97611879986-compute@developer.gserviceaccount.com
--create-disk=auto-delete=yes,boot=yes,device-name=20545-concentrator1-us-east1-b,disk-resource-policy=projects/dev-nw-eng/regions/us-east1/resourcePolicies/20545-concentrator-us-east1-b-snapshot-schedule-1,mode=rw,size=196,source-snapshot=projects/dev-nw-eng/global/snapshots/20545-concentrator-us-east1-b,type=projects/dev-nw-eng/zones/us-east1-b/diskTypes/pd-balanced
--labels=goog-ec-src=vm_add-gcloud
--reservation-affinity=any
Step 2. Create a VM instance from the snapshot
Step 3. Configure Networking
-
Select Advanced Options > Networking > Select the required Network Tags. Retain the default value for HostName.
-
Select Network Interfaces > Edit network interface > Networks in this project.
-
Select the appropriate Network and Subnetwork from the drop-down.
-
Select IPv4 (single-stack) and Primary Internal IPv4 Address from the drop-down.
Note: This address MUST match the IPv4 address of the failed node being replaced.
Reserving Static Internal IPv4 Address
Select the Primary internal IPv4 address drop-down and select RESERVE STATIC INTERNAL IPV4 ADDRESS.
Configure static internal IP addresses | Compute Engine Documentation | Google Cloud
terra form: Configure static internal IP addresses | Compute Engine Documentation | Google Cloud
gcloud cli:
Enter the below details and click Reserve:
Name - lower case text to reflect the VM instance Name IPv4 address. For example: 20545-concentrator-us-east1-b-ipv4address
Static IP address - Let me choose
Custom IP address - IPv4 address in the cloud_node_subnet defined in /opt/rsa/saTools/cloud/sase-deployment-models.yml.
Purpose - Non Shared
Under Alias IP ranges, select None for the External IPv4 address and click Done.
Step 4. Configure Storage Disks
Select Disks > ATTACH EXISTING DISK. Select the appropriate storage disk from the Disk drop-down. Select the Read/Write Mode and Keep disk Deletion Rule and Save. Repeat this (adding Disks) for all the remaining Storage disks for this instance.
Example: For concentrator service, at least two Storage disks are attached.
gcloud commands
Click CREATE to complete the VM instance creation from the snapshot.
Equivalent gcloud code to create a new VM instance with Storage disks attached from snapshot:
gcloud compute instances create 20545-concentrator-us-east1-b \
--project=dev-nw-eng \
--zone=us-east1-b \
--machine-type=n2-standard-4 \
--network-interface=private-network-ip=10.10.20.8,stack-type=IPV4_ONLY,subnet=20545-ppn-node-subnetwork-us-east1,no-address \
--maintenance-policy=MIGRATE \
--provisioning-model=STANDARD \
--service-account=97611879986-compute@developer.gserviceaccount.com \
--
--tags=20545-ssh \
--create-disk=auto-delete=yes,boot=yes,device-name=20545-concentrator-us-east1-b,mode=rw,size=196,source-snapshot=projects/dev-nw-eng/global/snapshots/20545-concentrator-us-east1-b,type=projects/dev-nw-eng/zones/us-east1-b/diskTypes/pd-standard \
--disk=boot=no,device-name=20545-concentrator-us-east1-b-concentrator0,mode=rw,name=20545-concentrator-us-east1-b-concentrator0 \
--disk=boot=no,device-name=20545-concentrator-us-east1-b-index0,mode=rw,name=20545-concentrator-us-east1-b-index0 \
--labels=goog-ec-src=vm_add-gcloud \
--reservation-affinity=any
Terraform
# This code is compatible with Terraform 4.25.0 and versions that are backwards compatible to 4.25.0.
# For information about validating this Terraform code, see https://developer.hashicorp.com/terraform/tutorials/gcp-get-started/google-cloud-platform-build#format-and-validate-the-configuration
resource "google_compute_instance" "20545-concentrator-us-east1-b" {
attached_disk {
device_name = "20545-concentrator-us-east1-b-concentrator0"
mode = "READ_WRITE"
source = "projects/dev-nw-eng/zones/us-east1-b/disks/20545-concentrator-us-east1-b-concentrator0"
}
attached_disk {
device_name = "20545-concentrator-us-east1-b-index0"
mode = "READ_WRITE"
source = "projects/dev-nw-eng/zones/us-east1-b/disks/20545-concentrator-us-east1-b-index0"
}
boot_disk {
auto_delete = true
device_name = "20545-concentrator-us-east1-b"
initialize_params {
size = 196
type = "pd-standard"
}
mode = "READ_WRITE"
}
can_ip_forward = false
deletion_protection = false
enable_display = false
labels = {
goog-ec-src="vm_add-tf"
}
machine_type = "n2-standard-4"
name = "20545-concentrator-us-east1-b"
network_interface {
network_ip = "10.10.20.8"
subnetwork = "projects/dev-nw-eng/regions/us-east1/subnetworks/20545-ppn-node-subnetwork-us-east1"
}
scheduling {
automatic_restart = true
on_host_maintenance = "MIGRATE"
preemptible = false
provisioning_model = "STANDARD"
}
service_account {
email = "97611879986-compute@developer.gserviceaccount.com"
scopes = ["https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring.write", "https://www.googleapis.com/auth/service.management.readonly", "https://www.googleapis.com/auth/servicecontrol", "https://www.googleapis.com/auth/trace.append"]
}
tags = ["20545-ssh"]
zone = "us-east1-b"
}
On this page
