skybox virtual appliance vmware · 2018-02-20 · centos 7 uses a different network naming schema...

Skybox Virtual Appliance VMware

Quick Start Guide

8.5.400

Proprietary and Confidential to Skybox Security. © 2017 Skybox Security, Inc. All rights reserved.

Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the prior written permission of Skybox Security.

Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, Skybox Appliance 5500/6000/7000/8000, and the Skybox Security logo are either registered trademarks or trademarks of Skybox Security, Inc., in the United States and/or other countries. All other trademarks are the property of their respective owners.

Contact information

Contact Skybox using the form on our website or by emailing [email protected]

Customers and partners can contact Skybox technical support via the Skybox support portal

https://lp.skyboxsecurity.com/ContactMe1.html

mailto:[email protected]

https://www.skyboxsecurity.com/support/portal

https://www.skyboxsecurity.com/support/portal

Skybox version 8.5.400 3

Overview ............................................................................................... 5 Basic architecture ..................................................................................... 5 Related documentation .............................................................................. 5

Creating a Skybox Virtual Appliance on VMware .......................................... 6 Minimal requirements ................................................................................ 6 Creating a new virtual machine .................................................................. 6 Installing VMware tools ........................................................................... 13 File system partitions .............................................................................. 13

Setting up Skybox Appliance ................................................................... 14 System configuration .............................................................................. 14

Initial network IP address configuration ................................................ 14 Setting up Skybox for configuration ..................................................... 15 Network naming schema in CentOS 7 ................................................... 15 First-time configuration ...................................................................... 16

What’s next ........................................................................................... 17

Configuring the Appliance ....................................................................... 18 Configuration and management options ..................................................... 18 Setting up network interface bonding ........................................................ 20

Supported bond modes ...................................................................... 21 Setting up SNMP configuration ................................................................. 22 RADIUS authentication ............................................................................ 22 Changing the TLS version ........................................................................ 23

Customizing the syslog server ................................................................. 25

Installing the Skybox Manager ................................................................. 27 Manager system requirements ................................................................. 27 Installing the Manager ............................................................................. 28 Upgrading the Manager ........................................................................... 28

Contents

Skybox Virtual Appliance VMware Quick Start Guide


Adding a customer certificate .................................................................. 29

Monitoring SNMP .................................................................................... 30

Troubleshooting ..................................................................................... 32

Change log ............................................................................................ 33


Chapter 1

The Skybox™ Virtual Appliance enables you to deploy Skybox easily, without the burden of setting up a server with its OS on your own.

Skybox® is an Automated Risk and Compliance Management (ARCM) platform that helps enterprise IT departments to discover and resolve potential security and compliance risks before they impact your organization.

Skybox is a multi-tier platform. Skybox Appliance runs the Server and users run Managers (clients) that connect to the Server over the network. Skybox also runs an additional Skybox component, the Collector, which connects to data sources and imports the data to the Server.

The Skybox Server and Collector are preinstalled on Skybox Appliance and run at startup.

In this chapter

Basic architecture ................................................................. 5

Related documentation .......................................................... 5

Basic architecture The Skybox platform consists of a 3-tiered architecture with a centralized server (Skybox Server), data collectors (Skybox Collectors), and a user interface (Skybox Manager). Skybox can be scaled easily to suit the complexity and size of any infrastructure.

For additional information, see the Skybox architecture topic in the Skybox Installation and Administration Guide.

Related documentation Related documentation includes:

› Skybox online help › Skybox documentation

Overview

http://downloads.skyboxsecurity.com/files/Installers/Skybox_View/8.5/8.5.400/Docs


Chapter 2

This chapter describes how to implement the Skybox Virtual Appliance on VMware.

In this chapter

Minimal requirements ............................................................ 6

Creating a new virtual machine .............................................. 6

Installing VMware tools ........................................................ 13

File system partitions .......................................................... 13

Minimal requirements The following are the minimal requirements for creating a Skybox Virtual Appliance on VMware.

Item Standard Deployment Large Deployment (Over 250 Firewalls)

CPU 8 cores 16 cores

RAM 32 GB 128 GB

Available disk space

500 GB 1 TB

Creating a new virtual machine The following instructions explain how to create a new virtual machine to use for the Skybox Virtual Appliance.

Creating a Skybox Virtual Appliance on VMware

Chapter 2 Creating a Skybox Virtual Appliance on VMware


To create a new virtual machine 1 Right-click the host and select New Virtual Machine.

2 On the Configuration page, select Typical.

3 On the Name and Location page, in the Name field, type a unique name for

the Virtual Appliance machine.



4 On the Storage page, select the storage destination (datastore) for the virtual machine files.

5 On the Guest Operating System page:

a. In the Guest Operating System field, select Linux.

b. In the Version field, select Other 2.6.x Linux (64-bit).

6 On the Network page:

a. In the How many NICs do you want to connect field, select 1.



b. Make sure that Connect at Power On is selected for NIC1.

7 On the Create a Disk page:

a. Make sure that the Datastore field contains the name of the storage unit specified on the Storage page.

b. In the Virtual Disk Size field, select 500 GB for a standard deployment or 1 TB for a large deployment.

c. Make sure that the Thick Provision Lazy Zeroed option is selected.



8 On the Ready to Complete page, select Edit the virtual machine settings before completion; click Continue.

9 On the Hardware tab, make sure that:

• Memory is set to 32 GB for standard deployments or 128 GB for large deployments.



10 On the Resources tab, reserve a minimum of 32 GB memory.

11 On the Hardware tab:

a. Make sure that CPUs is set to 2.

b. Select CPUs in the list, and then set:

— Number of virtual sockets to 2

— Number of cores per socket to 1



12 On the Options tab, select Boot Options in the list; make sure that Force BIOS Setup is selected.

13 Click OK.

14 Turn on the machine.

The BIOS setup utility is displayed.

15 On the Boot tab of the BIOS setup utility, change the boot order so that CD ROM Drive is at the top.

16 Press F10 to save the settings and exit the setup utility.

17 Depending on where you chose to store the files, select either Connect to ISO image on local disk or Connect to ISO image on a datastore, and then select the file.

18 Restart the machine (press Alt-Ctrl-Insert).

19 When the Skybox Linux Installation menu appears, select Skybox Appliance Installation.

Note: The restore process takes approximately 20 minutes.

20 Restart the machine.



Installing VMware tools For best results, install VMware tools (right-click the Virtual Appliance machine and select Guest > Install/Update VMware tools).

File system partitions Skybox Appliance’s file system is partitioned as follows:

› SWAP: 4 GB › /tmp: 5% of the entire space › /: 20% of the entire space › /var: 45% of the entire space › /opt: The rest of the disk

Note: On machines with less than 200 GB of disk space, Skybox is installed on a single partition.


Chapter 3

This chapter explains how to set up Skybox Appliance.

In this chapter

System configuration .......................................................... 14

What’s next ........................................................................ 17

System configuration Before running the Skybox Server, configure Skybox Appliance to be part of your network and perform some initial system configuration.

INITIAL NETWORK IP ADDRESS CONFIGURATION 1 Connect the Skybox Appliance using console login with root credentials

(root/skyboxview).

By default, the network interface is configured to receive the IP address from the DHCP server. If you configured the network card to support DHCP, it should already have an IP address configured for the Appliance.

2 To determine if you have received an IP address, type the following command:

• ifconfig –a (If your installation doesn’t support ifconfig, use ip addr)

The output should be: [root@skyboxapp ~]# ifconfig -a ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.1 netmask 255.255.254.0 broadcast 192.168.1.255 inet6 fe80::250:56ff:feb7:157f prefixlen 64 scopeid 0x20<link> ether 00:50:56:b7:15:7f txqueuelen 1000 (Ethernet) RX packets 11000863 bytes 1351224859 (1.2 GiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 711207 bytes 135109186 (128.8 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Important: ens160 refers to the device name; it might change between systems.

3 If your network doesn’t support DHCP, configure the network manually:

a. Run the command set_appliance_network (this command configures network interfaces with an IP address, netmask, and default gateway).

a. Select a network interface to configure.

b. Select the IP mode (static).

Setting up Skybox Appliance

Chapter 3 Setting up Skybox Appliance


c. Provide the IP address, netmask, and default gateway.

b. Configure the DNS servers; use vi to edit /etc/resolv.conf: nameserver 1.1.1.1 nameserver 1.1.1.2

c. Save and exit the file.

d. vi /etc/sysconfig/network

e. Copy the following lines to the file: NETWORKING=yes HOSTNAME=%hostname.domain% GATEWAY=%defaultgateway%

f. Save and exit the file.

g. Restart the network service or reboot the server using the relevant command:

— Restart network service: systemctl restart network

— Reboot server: reboot

4 Use step 2 to determine if you have received an IP address.

SETTING UP SKYBOX FOR CONFIGURATION

To prepare for configuring the system remotely 1 From a different machine on the network, open a browser to connect to the

Skybox Appliance Administration using the following URL, where <appliance IP address> is the IP address of the Appliance that you configured in Configuring connection:

• https://<appliance IP address>:444

2 The default login is skyboxview; the default password is skyboxview.

The main page of the Skybox Appliance Administration appears.

NETWORK NAMING SCHEMA IN CENTOS 7 CentOS 7 uses a different network naming schema than previous versions. By default, systemd names interfaces using the following methods:



1 Names incorporating firmware-provided or BIOS-provided index numbers for on-board devices (for example, eno1) are applied if the information is applicable and available. Otherwise, method 2 is used.

2 Names incorporating firmware-provided or BIOS-provided PCI Express hotplug slot index numbers (for example, ens1) are applied if the information is applicable and available. Otherwise, method 3 is used.

3 Names incorporating physical location of the connector of the hardware (for example, enp2s0) are applied if applicable. Method 5 is used in all other cases.

4 Names incorporating the interface’s MAC address (for example, enx78e7d1ea46da) are not used by default, but are available if the user chooses.

5 The traditional kernel naming scheme (for example, eth0) is used if all other methods fail.

FIRST-TIME CONFIGURATION You must configure the date and time and change the passwords before using the Skybox Server. All other settings are optional and you can configure them later.

To configure the date and time 1 On the System tab, select Date and Time Configuration.

2 For manual date and time configuration:

a. Select Manual Date and Time Configuration.

b. Click Change Date and Time; set the date and time for Skybox’s time zone.

c. Click Change Time Zone; set the time zone for the location where the Appliance is installed, so that reports and other data are timestamped correctly.

3 For automatic configuration:

a. Select Automatic Date and Time Configuration Using NTP Server.

b. Click Change NTP Server; add the IP address or DNS of the time server to use. For example, 0.asia.pool.ntp.org.

c. Click Change Time Zone; set the time zone for the location where the Appliance is installed, so that reports and other data are timestamped correctly.

To change the passwords 1 On the Security tab, select Appliance Passwords.

2 To change the root password of the machine, click Change Root Password.

3 To change the password of the Appliance Administration, click Change Skyboxview Password.

Chapter 3 Setting up Skybox Appliance


What’s next The Skybox Manager is the client application that communicates with the Server. After installation and configuration of the Appliance, you must install the Manager on at least one remote machine. For additional information, see Installing the Skybox Manager (on page 27).

Using Skybox for change tracking You can use Skybox to track changes on firewalls. Although much of the change information can be collected directly from the firewalls, additional information (including timestamp and user who made the change) is available only from syslog change events that are sent to the syslog server in the Appliance. You collect the change events using Change Tracking Events – Syslog Import tasks.

Syslog server The syslog server in the Appliance is preconfigured and is enabled by default.

Updates to the configuration files of the syslog server and the syslog log file rotation are provided automatically (when necessary) as part of Skybox updates. However, when updates are provided, you must restart the syslog server (on the System tab, disable the syslog server and then enable it again) for it to start using the updates.

For information about customizing the syslog server, see Customizing the syslog server (on page 25).


Chapter 4

The following sections explain how to configure the Appliance.

› Configuration and management options (Appliance Administration) (on page 18)

› Setting up SNMP configuration (on page 22) › RADIUS authentication (on page 22) › Changing the TLS version (on page 23)

In this chapter

Configuration and management options ................................. 18

Setting up network interface bonding..................................... 20

Setting up SNMP configuration .............................................. 22

RADIUS authentication ......................................................... 22

Changing the TLS version ..................................................... 23

Configuration and management options Skybox Appliance’s configuration options are described in the following tables.

About tab

Pane Description

System Information

Provides information about Skybox configuration.

Network tab

Note that changes to the configuration information made in this tab are only saved after you click Save Network Configuration.

Pane Description

Network Configuration Summary

Displays a summary of the Appliance configuration information. Click Export to save this information to an HTML file.

Network Configuration

Enables you to configure network settings (connection method, IP address, mask, and gateway) and bonding for each network interface connection, and to configure the DNS servers. Note: For non-virtual Appliances, this pane includes a

Configuring the Appliance

Chapter 4 Configuring the Appliance


link to a drawing of the back panel to help you understand the connections.

System tab

Pane Description

Date and Time Configuration

Enables you to view and change the exact date and time in the Appliance’s time zone. Notes: • When setting this information manually, set the date

and time and then the time zone for the location where the Appliance is installed, so that reports and other data are timestamped accurately.

• Automatic configuration synchronizes Skybox with an atomic clock. You must provide the IP address or DNS of the NTP server to use. For example, 0.asia.pool.ntp.org (click Change NTP Server). Set the time zone after setting the NTP server.

Syslog Server Starts or stops the syslog server service.

Host Name Enables you to change the name of the Appliance.

Change System Mode

Toggles between Server mode (where the Appliance functions as both Server and a Collector) and Collector mode (where the Appliance functions only as a Collector).

SNMP Select Enable SNMP Service to set up SNMP configuration, host configuration, and sending traps. You can also download the Appliance MIBs. For more information, see Setting up SNMP configuration (on page 22).

Security tab

Pane Description

Appliance Passwords

Enables you to change the root password for the Appliance and the password for the Appliance Administration.

SSH Toggles the SSH service on and off and enables the root user to log in via SSH.

Control tab

Pane Description

Skybox Services Toggles the Server and Collector on and off. Note: Turning a Skybox service off stops the service and switches it to Manual mode. Turning the service on restarts the service and switches it back to Automatic mode.

Appliance Operations

Enables you to reboot or shut down the Appliance.



Support tab

Pane Description

Logs Enables you to view Server, Collector, and other logs of the Appliance. Get Packlogs: Runs the packlogs utility and saves the packlogs (ZIP) file to a local directory so that you can send the file easily to support.

Skybox Manager Enables you to download the Manager for installation.

Setting up network interface bonding Skybox Appliances support network interface bonding for redundancy and also for higher bandwidth.

To create a network interface bonding 1 On the Network tab, click Network Configuration.

2 Select Network Interfaces.

3 Select an interface that you want to add to a network bond and click Add to Network Bond.

The Network Bond Setup dialog box appears.

4 Add a new bond interface. By default, the 1st interface is named bond0, the 2nd bond1, and so on.

5 Select the interfaces that should be bonded to this new interface (as slaves).

6 Select the method for assigning the IP address for this interface: static or DHCP.

When using static mode, you must provide the IP address, netmask, and gateway.

7 Select the mode in which the bond should work; the recommended mode is active-backup.

For information on the supported bond modes, see below.

8 Click Save.

To view a list of the network interface bonding 1 On the Network tab, click Network Configuration Summary.



SUPPORTED BOND MODES The following bond modes are supported. The recommended bond mode is active-backup.

mode=0 (balance-rr) Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.

mode=1 (active-backup) Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond's MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.

mode=2 (balance-xor) XOR policy: Transmit based on [(source MAC address XOR'd with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.

mode=3 (broadcast) Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.

mode=4 (802.3ad) IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.

Pre-requisites:

1 Ethtool support in the base drivers for retrieving the speed and duplex of each slave.

2 A switch that supports IEEE 802.3ad Dynamic link aggregation. Most switches will require some type of configuration to enable 802.3ad mode.

mode=5 (balance-tlb) Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.

Prerequisite:

› Ethtool support in the base drivers for retrieving the speed of each slave.



mode=6 (balance-alb) Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.

Setting up SNMP configuration

To use the Appliance as an SNMP Server 1 On the System tab, click SNMP.

2 Select Enable SNMP Service.

3 Set the following values.

• On the General tab:

— System Location: physical location of the Appliance

— Contact Details: email address of administrator

• On the Security tab:

— Read Only Community: SNMPv1 or SNMPv2 community string

— Source: Name or IP address / subnet, represented as IP/MASK (10.10.10.0/255.255.255.0) / IP/BITS (10.10.10.0/24).

Multiple sources must be comma-separated

• On the Notification (Traps) tab:

— Destination: Name or IP address of the notification receiver traps server

— Traps Community: SNMP community of the notification receiver traps server

4 When you are finished, click Save SNMP Configuration to save the configuration and update the service with the new configuration.

RADIUS authentication This topic explains how to configure RADIUS authentication for Skybox Appliance.

Note: To use RADIUS authentication, the pam_radius package must be installed on the Skybox Server. You can check whether it is installed using the rpm –qa|grep pam_radius command. If you need help installing it, contact Skybox Professional Services.

To configure RADIUS authentication 1 Open /etc/pam.d/sshd in your editor and find the following 2 lines:

#Radius module to be used with Radius server auth sufficient pam_radius_auth.so





2 Save and close the file.

3 Open /etc/pam_radius.conf and find the following entry: 127.0.0.1 secret 1

4 Replace that line with the relevant information for your RADIUS server.

For example, if the RADIUS server’s IP address is 192.168.1.1 and the shared secret is radiussecret, replace the preceding line with: 192.168.1.1 radiussecret 1

5 Save and close the file.

6 Add the new user on the OS level, using the following command: useradd <user1>

There is no need to set the password; it comes from RADIUS.

You can now log in to Skybox with the user’s credentials: <user1> / <password> (using the password stored on the RADIUS server for this user).

Changing the TLS version The Apache HTTP Server module mod_ssl provides an interface to the OpenSSL library, which provides Strong Encryption using the Secure Sockets Layer and Transport Layer Security (TLS) protocols.

There are 3 possible configurations for TLS:

› Default Security configuration for SSL: All TLS versions are enabled › High Security configuration for SSL: TLS versions 1.2 and higher are enabled › Medium Security configuration for SSL: TLS versions 1.1 and higher are

enabled

Only 1 configuration can be active at any time. We recommend that you use the highest level possible for your browser to increase the security of communication between the browser and the Appliance web server.

The configuration settings are stored in the following file: /etc/httpd/conf.d/ skyboxwebadmin.conf



To change the TLS configuration settings 1 Make a backup of the skyboxwebadmin.conf file.

2 Open the skyboxwebadmin.conf file (with vi).

3 Comment out the default security configuration by adding “#” at the beginning of the SSLProtocol and SSLCipherSuite lines.

#Default Security configuration for SSL SSLProtocol All +TLSv1.2 +TLSv1.1 +TLSv1 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA

4 Uncomment either High or Medium (not both) by deleting “#” from the appropriate SSLProtocol & SSLCipherSuite lines.

Note: Do not uncomment the title line itself (High/Medium Security).

#High Security configuration for SSL #SSLProtocol -all +TLSv1.2 #SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC$ #Medium Security configuration for SSL #SSLProtocol All +TLSv1.2 +TLSv1.1 #SSLCipherSuite EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !DES

5 Save the file.

6 Restart httpd using the following command: systemctl restart httpd


Chapter 5

The syslog server in Skybox Appliance is preconfigured and is enabled by default.

Updates to the configuration files of the syslog server and the syslog log file rotation are provided automatically (when necessary) as part of Skybox updates. However, when updates are provided, you must restart the syslog server (on the System tab, disable the syslog server and then enable it again) for it to start using the updates.

In addition to the automatic updates, users can modify the files locally for local changes:

› The syslog configuration file is located at /etc/syslog-ng/syslog-ng.conf

› The log rotation file is located at /etc/logrotate.conf

Note: If you modify the files locally, you must also restart the server afterwards.

Where are the logs stored? When the syslog server is enabled, new log files are stored in one of the following locations (depending on the type of log):

• /var/log/syslog-ng/new

• /var/log/firewall_assurance/change_logs/new

The logs are kept for 48 hours in the new directory, and are then archived for 3 more days in the parallel old directory:

• /var/log/syslog-ng/old

• /var/log/firewall_assurance/change_logs/old

What are the log files named? A separate log is generated for each device from which logs are received. The file names have the following format:

• New logs: <host name | IP address>_<time of creation>.log

• Archived logs: <host name | IP address>_<time of creation>.zip

How can the logs be imported to Skybox? Device logs can be imported using the following tasks, depending on what information you are looking for:

› Change Tracking Events – Syslog Import › Traffic Events – Syslog Import

At a minimum, you need the following information (in the task) to import the logs:

Customizing the syslog server



› In the Basic tab:

• The directory path of the files (/var/log/syslog-ng/new and /var/log/firewall_assurance/change_logs/new)

• Modules: The scope of devices whose logs are to be imported

› In the Advanced tab:

• The date format used by the device

• (For Cisco and Juniper traffic events) The positions of the Device ID and date in the log


Chapter 6

You can install the Manager from the DVD included with Skybox or you can download it from the Skybox Appliance over HTTP using the Appliance’s IP address (https://<appliance IP address>:444/manager). For additional information, see Installing the Manager (on page 28).

The Manager runs on Windows.

In this chapter

Manager system requirements .............................................. 27

Installing the Manager ......................................................... 28

Upgrading the Manager ....................................................... 28

Manager system requirements The Skybox Manager is a Java client application that connects to the Skybox Server (through port 8443).

You can install multiple Managers on a single computer; this is useful when connecting to Servers of different versions.

Operating system The following operating systems are supported for the Manager:

› Windows 7 › Windows 8 › Windows 10 (64bit only) › Windows Server 2012

Browser The following browsers are supported for the Manager:

› Microsoft Internet Explorer 9 or higher

Note: Microsoft Edge is not supported.

› Google Chrome › Mozilla Firefox › Safari (for Skybox Horizon)

Installing the Skybox Manager



Hardware The hardware requirements for the Manager are listed in the following table.

Item Minimum Recommended

CPU Intel i3 or equivalent

Intel i5 or equivalent

RAM 2 GB 4 GB

Available disk space

1 GB 2 GB

Installing the Manager

Note: Skybox Manager runs on most Microsoft Windows operating systems. For details, see Manager system requirements (on page 27).

Installing the Manager requires administrator privileges.

To install the Manager 1 Run the installation file (SkyboxManager-<version#>-<build#>.exe).

2 Follow the directions in the wizard.

Note that for Windows 7 and Windows 8, installation under <Drive>:\Program Files is not supported.

Important: The Manager communicates with the server over 8443/TCP by default. If there is a firewall between the Manager and the Server, access on this port should be explicitly permitted.

Upgrading the Manager In some cases, the Manager installation file on the Appliance is outdated. In this case, you can download the new Manager installation file (or you might receive it from Skybox Security’s product support team) to replace the old installation file. This way, when Skybox users install the Manager from the Appliance, they are installing the latest version.

To replace the Manager installation file 1 Copy the installation file (SkyboxManager-<version#>-<build#>.exe) to the

Appliance using PuTTY, WinSCP, or any other client program.

Save the file at /opt/skyboxwebadmin/web/manager/

2 Delete any other files in this directory, including the previous installation file that was there. The directory must contain only the new installation file.


Chapter 7

If you want to connect to the Appliance Administration via a customer certificate, you need to add the certificate to the Apache server.

To connect to the Appliance Administration via a customer certificate 1 Locate (or generate) the validated certificate and key files.

2 Upload the certificate files to the Skybox Server in the following directory: /etc/httpd/conf.d

a. SSLCertificateFile must be your certificate file (for example, <your domain name>.crt).

b. SSLCertificateKeyFile must be the key file generated when you created the CSR.

c. SSLCertificateChainFile must be the intermediate certificate file (for example, DomainCertCA.crt)

3 Save a backup of /etc/httpd/conf.d/skybox.conf, and then open the file.

4 In the file, make the following changes, replacing the sample file names here with the actual file names.

a. ServerName skyboxapp ServerName www.<your domain>.org

b. SSLCertificateFile: /etc/pki/tls/certs/localhost.crt /etc/httpd/conf.d/<your domain name>.crt

c. SSLCertificateKeyFile: /etc/pki/tls/private/localhost.key /etc/httpd/conf.d/<your key>.key

d. Add the following new line: SSLCertificateChainFile /etc/httpd/conf.d/DomainCertCA.crt

5 Save the file.

6 Restart Apache using the following command: systemctl restart httpd

7 Access the Server.

Adding a customer certificate


Chapter 8

Skybox Appliance supports standard Linux OIDs. The following are some OIDs that you can monitor:

CPU load statistics

› 1 minute load: .1.3.6.1.4.1.2021.10.1.3.1 › 5 minute load: .1.3.6.1.4.1.2021.10.1.3.2 › 15 minute load: .1.3.6.1.4.1.2021.10.1.3.3

CPU statistics

› Percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0 › Raw user CPU time: .1.3.6.1.4.1.2021.11.50.0 › Percentages of system CPU time: .1.3.6.1.4.1.2021.11.10.0 › Raw system CPU time: .1.3.6.1.4.1.2021.11.52.0 › Percentages of idle CPU time: .1.3.6.1.4.1.2021.11.11.0 › Raw idle CPU time: .1.3.6.1.4.1.2021.11.53.0 › Raw nice CPU time: .1.3.6.1.4.1.2021.11.51.0

Memory statistics

› Total swap size: .1.3.6.1.4.1.2021.4.3.0 › Available swap space: .1.3.6.1.4.1.2021.4.4.0 › Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0 › Total RAM used: .1.3.6.1.4.1.2021.4.6.0 › Total RAM free: .1.3.6.1.4.1.2021.4.11.0 › Total RAM shared: .1.3.6.1.4.1.2021.4.13.0 › Total RAM buffered: .1.3.6.1.4.1.2021.4.14.0 › Total cached memory: .1.3.6.1.4.1.2021.4.15.0

System uptime

› System uptime: .1.3.6.1.2.1.1.3.0

Skybox Server and Collector In addition to the standard OIDs, the following OIDs are supported for Skybox components.

Monitoring SNMP

Chapter 8 Monitoring SNMP


› Skybox Server status: .1.3.6.1.4.1.8072.1.3.2.3.1.4.19.49.46.51.46.54.46.49.46.52.46.49.46.49.57.55.54.56.46.49

› Skybox Collector status: .1.3.6.1.4.1.8072.1.3.2.3.1.4.19.49.46.51.46.54.46.49.46.52.46.49.46.49.57.55.54.56.46.50

Additional SNMP configuration For further SNMP configuration, refer to:

› The MIB files on the Appliance, located at: /usr/local/snmpsa/mibs

› The SNMP configuration file: /etc/snmp/snmpd.conf


Chapter 9

Obtaining version information when the Appliance Administration is not available If you need to know the version of the Appliance (also named the image version) and other information about the Apliance at a time when the Appliance Administration is not available, you can find this information by running the get_appliance_details script from the CLI.

The following is a sample output of this script: APPLIANCE_VERSION: 8.5.103-7.1.11 CORES: 2 MODE: SERVER MODEL: RAM: 32014 MB SERIAL_NUMBER: SKYBOXVIEW: 8.0.513

Hardware issues Whenever there is a hardware issue on the Appliance (usually indicated by the system status LED turning amber or blinking), do the following:

1 Run getlogs as the root user.

The diagnostic log file, diagnostic_<timestamp>.log, is located in <Skybox_Home>/server/log

2 Open a support case and attach the (most recent) diagnostic file.

Troubleshooting


Chapter 10

Skybox Appliance for ISO version 8.5.xxx uses CentOS 7 (earlier versions used CentOS 6).

The major changes from CentOS 6 to CentOS 7 relevant to Skybox Appliance are summarized in the following table.

Features CentOS 7 CentOS 6

Kernel version 3.10.x-x kernel 2.6.x-x Kernel

General availability date of 1st major release

2014-06-09 (Kernel Version 3.10.0-123) 2010-11-09 (Kernel Version 2.6.32-71)

First process systemd (process ID 1) init (process ID 1)

Runlevel Runlevels are named targets as shown below: • runlevel0.target poweroff.target • runlevel1.target rescue.target • runlevel2.target multi-user.target • runlevel3.target multi-user.target • runlevel4.target multi-user.target • runlevel5.target graphical.target • runlevel6.target reboot.target /etc/systemd/system/default.target (this is linked to the multi-user target by default)

Traditional runlevels defined: • runlevel 0 • runlevel 1 • runlevel 2 • runlevel 3 • runlevel 4 • runlevel 5 • runlevel 6

The default runlevel is set in /etc/inittab.

Host name change In Red Hat Enterprise Linux 7, as part of the move to the new init system (systemd), the hostname variable is set in /etc/hostname

In Red Hat Enterprise Linux 6, the hostname variable is set in the /etc/sysconfig/network configuration file.

Change network card name

Naming convention: eth0, eth1, and so on

Naming convention based on BIOS location and other parameters. For example, ens0s01, enp02, eno1

Change in UID allocation

Default UID assigned to users starts from 1000. This can be changed in /etc/login.defs

Default UID assigned to users starts from 500. This can be changed in /etc/login.defs

Change in file system structure

/bin, /sbin, /lib, and /lib64 are now nested under /usr

/bin, /sbin, /lib, and /lib64 are usually under /

Change log



Boot loader GRUB 2 Supports GPT, and additional firmware types including BIOS, EFI and OpenFirmware. Ability to boot on various file systems (including XFS, ext4, NTFS, HFS+, and RAID)

GRUB 0.97

System and service manager

systemd systemd is a system and service manager for Linux, and replaces SysV and Upstart used in previous releases of Red Hat Enterprise Linux. systemd is compatible with SysV and Linux Standard Base init scripts.

Upstart

Enable / start service

For CentOS 7, the systemctl command replaces service and chkconfig. • Start service: systemctl start nfs-server.service

• Enable service: To enable the service (for example, the nfs service) to start automatically on boot: systemctl enable nfs-server.service

Although you can still use the service and chkconfig commands to start/stop and enable/disable services, respectively, they are not 100% compatible with the RHEL 7 systemctl command (according to Red Hat).

Use the service and chkconfig commands. • Start Service: service start nfs or /etc/init.d/nfs start

• Enable Service: To start with specific runlevel: chkconfig --level 3 5 nfs on

Default firewall firewalld (dynamic firewall) The built-in configuration is located under the /usr/lib/firewalld directory. The configuration that you can customize is under the /etc/firewalld directory. It is not possible to use firewalld and iptables at the same time. But you can disable firewalld and use iptables as before.

iptables

Network bonding Team driver • /etc/sysconfig/network-scripts/ifcfg-t

eam0 • DEVICE="team0" • DEVICETYPE="Team"

Bonding • /etc/sysconfig/network-s

cripts/ifcfg-bond0 • DEVICE="bond0"

Network time synchronization

chrony suite (faster time sync compared with ntpd)

ntpd

Default database MariaDB The default implementation of MySQL in Red Hat Enterprise Linux 7

MySQL

skybox virtual appliance vmware · 2018-02-20 · centos 7 uses a different network naming schema...

Documents