Skybox Appliance 5500
Quick Start Guide
10.1.200
CentOS Linux release 7.7.1908 (Core)
Page 2: ...l system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of Skybox Security. Skybox, Skybox Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, Skybox Appliance 5500/6000/7000/8000/8050 and the Skybox Security logo are either regis...
Page 3 (contents, continued): ...12
Starting Skybox Appliance 12
System configuration 13
Configuring connection 13
Setting up the Appliance for configuration 15
First-time configuration 15
What's next 15
Configuring the Appliance 17
Configuration and management options 17
Setting up network interface bonding 19
Supported bond modes 19
Setting up SNMP configuration 21
RADIUS authentication 21
LDAP authentication 22
Changing the TL...
Page 4 (contents, continued): ...sole 39
Updating via RMM 39
Updating the firmware 39
Configuring Java for login 45
Adding your own certificate 49
Exporting the Server certificate and private key from the Java keystore 50
Restoring the Appliance to factory defaults 52
Monitoring SNMP 53
Troubleshooting 55
Wiping the hard disk drive 56
CIS benchmarks for CentOS 7 57
Regulatory and safety information 64
Product regulatory complianc...
Page 5: ...and Collector are preinstalled on Skybox Appliance and run at startup. In this chapter: Basic architecture (5); Related documentation (5). Basic architecture: The Skybox platform consists of a 3-tiered architecture with a centralized server (Skybox Server), data collectors (Skybox Collectors) and a user interface (Skybox Manager). Skybox can be scaled to suit the complexity and size of any infrastructure. See the...
Page 6: ...ackaging has not been damaged and verify that all tamper-evident seals are intact. Verify that the Appliance serial number, purchase order number and FedEx tracking number match the information provided by Skybox Customer Support. What's in the box: The following items are included in the shipping carton: Skybox Appliance; rack-mount kit; front bezel; AC power cord; RJ45-to-DB9 serial console cable; Skybox...
Page 7: ...rt. External I/O connectors (back panel): DB-15 video connector; DB-9 serial port A connector; 2 USB 2.0 ports; 2 USB 3.0 ports; 6 RJ-45 network interface (LAN) connectors supporting 10/100/1000 Mb. Compliant standards: C-tick, NRTL, CE, FCC, EMC, BSMI, KC and more. For detailed information, see Regulatory and safety information on page 64. Environmental specifications: Environmental specifications for Skybox are listed...
Page 8: ...ons shall comply with FCC and CISPR 22 limits for Class A products. Test reports are made available through EPG Product Regulations. MTBF estimates for Skybox Appliance: The estimated mean time between failures (MTBF) and Failures in Time (FIT) for Skybox Appliance 5500 are listed in the following table.
Subassembly | MTBF (hours) | FIT (failures per 10^9 hours)
Intel Server Board S1200V3RPM | 371523 | 2692
Backplane boa...
Page 9: ...red for use. C: NIC 1 activity LED. D: NIC 3 activity LED. E: System cold reset button. F: System status LED. G: Power button with integrated LED. H: Hard drive activity LED. I: NIC 4 activity LED. J: NIC 2 activity LED. Front panel LED functions (LED | Color | State | Description): Power/Sleep: green on = power on; green blinking = sleep; off = power off. NIC LEDs: green on = network link but no network activity; green blinking = network...
Page 10: ...voltage. Amber blinking = Non-Critical Alarm: redundant fan failure, redundant power module failure, non-critical temperature and voltage. Off = Power off (system unplugged), or power on with the system powered off and in standby and no prior degraded, non-critical or critical state. Back panel connectors: The Appliance back panel includes the connectors shown in the following figure. PORT MAPPING: The mappings between physical port...
Page 11: ...s DHCP. NIC2 (eno2) is enabled and configured as static with the IP address 192.168.1.1/24. You can change these values. File system partitions: The Skybox Appliance file system is partitioned as follows:
SWAP: 4 GB
/tmp: 5% of the entire space
/: 20% of the entire space
/var: 45% of the entire space
/opt: all remaining space on the disk ...
Page 12: ...telecommunications lines connected to I/O connectors or ports on the back of the chassis. 4. Provide electrostatic discharge (ESD) protection by wearing an antistatic wrist strap attached to a chassis ground (any unpainted metal surface) when handling components. Required tools and supplies: Phillips (cross-head) screwdriver (#1 bit and #2 bit). Recommended: antistatic wrist strap and conductive foam pad. Install...
Page 13: ...dures, see Back panel connectors on page 10. Configuration via console: To configure the connection using a mouse, keyboard and screen: 1. Connect one end of a standard network cable to the NIC 1 (eno1) port on the Appliance back panel; connect the other end of the cable to a network socket. 2. Connect a mouse, keyboard and screen to the connectors on the Appliance back panel. 3. Log in to the Appliance using the d...
Page 14: ...rify that the Power LED turns green. 4. Log in to the Appliance using the default user name root and the default password skyboxview. This default is published; change it as part of first-time configuration (Change Skyboxview Password on page 15) before the Appliance is reachable from a production network. 5. Configure a network interface with an IP address, netmask and default gateway: a. Run the command set_appliance_network. b. Select a network interface to configure. c. Select the IP mode (static or DHCP). If you select static mode, provide the IP address, netmask and default gat...
Page 15: ...ce Administration password, click Change Skyboxview Password. To configure the date and time: 1. On the System tab, select Date and Time Configuration. 2. To configure the date and time manually: a. Select Manual Date and Time Configuration. b. Click Change Date and Time and set the date and time for Skybox's time zone. c. Click Change Time Zone and set the time zone for the location of the Appliance, so that reports a...
Page 16: ...e is available only from syslog change events that are sent to the syslog server in the Appliance. You collect the change events using Change Tracking Events - Syslog Import tasks. Syslog server: The syslog server in the Appliance is preconfigured and is enabled by default. Updates to the configuration files of the syslog server and to syslog log file rotation are included when necessary as part of Skybox...
Page 17: ...n: Provides information about the Skybox configuration. Network tab: Note that configuration changes made in this tab are saved only after you click Save Network Configuration. Network Configuration: Enables you to configure network settings (connection method, IP address, netmask and gateway, and bonding) for each network interface connection, and to configure the DNS servers. Note: For non-virtual Appliances, thi...
Page 18: ...oggles between Server mode (the Appliance functions as both the Skybox Server and a Skybox Collector) and Collector mode (the Appliance functions only as a Skybox Collector). SNMP: Select Enable SNMP Service to set up the SNMP configuration, host configuration and trap sending; see Setting up SNMP configuration on page 21. You can also download the Appliance MIBs. Security tab: Appliance Passwords: Enables you t...
Page 19: ...dialog box, add a new bond interface. 5. Select the interfaces to bond to this new interface as slaves. 6. Select the method for assigning the IP address for this interface. If you select static mode, provide the IP address, netmask and gateway. 7. Select the mode in which the bond is to work; we recommend active-backup. For information about the supported bond modes, see Supported bond modes on page 19. 8. Cli...
Page 20: ...ication. Prerequisites: ethtool support in the base drivers for retrieving the speed and duplex of each slave, and a switch that supports IEEE 802.3ad Dynamic link aggregation (most switches require configuration to enable 802.3ad mode). mode 5 (balance-tlb): Adaptive transmit load balancing. Channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the lo...
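The bond the Network tab creates (pages 19-20) corresponds, on a stock CentOS 7 system, to an ifcfg-bondN master plus one ifcfg file per slave. The following is an added example, not code from the guide or from the Appliance itself: it renders those files for a given mode and reads the active slave back out of the kernel's /proc/net/bonding status. The file layout is the standard CentOS 7 network-scripts convention and is assumed to be equivalent to what the Appliance GUI writes; the interface names, addresses and the sample status text are made up.

```shell
#!/bin/sh
# Added example (not from the Skybox guide): CentOS 7 ifcfg rendering for a bond
# and a parser for /proc/net/bonding/<bond>. Assumes stock network-scripts naming.

# Map the guide's mode names to the kernel's numeric bonding modes.
bond_mode_number() {
    case "$1" in
        balance-rr)    echo 0 ;;
        active-backup) echo 1 ;;
        balance-xor)   echo 2 ;;
        broadcast)     echo 3 ;;
        802.3ad)       echo 4 ;;   # needs 802.3ad (LACP) on the switch, see page 20
        balance-tlb)   echo 5 ;;   # no switch support needed
        balance-alb)   echo 6 ;;
        *) echo "unknown bond mode: $1" >&2; return 1 ;;
    esac
}

# render_bond_ifcfg BOND MODE IPADDR NETMASK GATEWAY SLAVE...
# Prints ifcfg-BOND followed by one ifcfg-SLAVE stanza per slave; each stanza is
# preceded by a "# --- file: <name>" marker so the output can be split into files.
render_bond_ifcfg() {
    bond=$1; mode=$2; ip=$3; mask=$4; gw=$5; shift 5
    bond_mode_number "$mode" >/dev/null || return 1
    printf '# --- file: ifcfg-%s\n' "$bond"
    printf 'DEVICE=%s\nTYPE=Bond\nBONDING_MASTER=yes\nNAME=%s\nONBOOT=yes\n' "$bond" "$bond"
    printf 'BOOTPROTO=none\nIPADDR=%s\nNETMASK=%s\nGATEWAY=%s\n' "$ip" "$mask" "$gw"
    # miimon=100: poll link state every 100 ms so a failed slave is detected quickly
    printf 'BONDING_OPTS="mode=%s miimon=100"\n' "$mode"
    for s in "$@"; do
        printf '# --- file: ifcfg-%s\n' "$s"
        printf 'DEVICE=%s\nTYPE=Ethernet\nONBOOT=yes\nBOOTPROTO=none\nMASTER=%s\nSLAVE=yes\n' "$s" "$bond"
    done
}

# bond_active_slave FILE: print the active slave from a /proc/net/bonding/<bond> dump
bond_active_slave() {
    sed -n 's/^Currently Active Slave: //p' "$1"
}

demo() {
    render_bond_ifcfg bond0 active-backup 192.168.1.1 255.255.255.0 192.168.1.254 eno1 eno2
    # Constructed status text in the format the bonding driver writes.
    s=$(mktemp)
    printf 'Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)\n\nBonding Mode: fault-tolerance (active-backup)\nPrimary Slave: None\nCurrently Active Slave: eno1\nMII Status: up\n' > "$s"
    echo "active slave: $(bond_active_slave "$s")"
    rm -f "$s"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `sh bond.sh demo`. On the Appliance itself the equivalent check after saving the Network tab is `cat /proc/net/bonding/bond0`; the "Currently Active Slave" line is what changes when you pull the active cable to test failover.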
Page 21: ...the notification receiver (traps server). 4. When you are finished, click Save SNMP Configuration to save the configuration and update the service with the new configuration. RADIUS authentication: This topic explains how to configure RADIUS authentication for Skybox Appliance. Note: To use RADIUS authentication, the pam_radius package must be installed on the Skybox Server. To check whether the package is...
Page 22: ...10. Add the new user at the OS level by running useradd user1. There is no need to set a password; it comes from RADIUS. You can now log in to Skybox with the user credentials user1/<password>, using the password stored on the RADIUS server for this user. Note that the account has no usable local password, but any SSH authorized key placed in its home directory would still authenticate it without RADIUS. LDAP authentication: This topic explains how to configure LDAP authentication for Skybox Appliance. Prerequisites: To use LDAP authentication, the LDAP s...
Page 23: ...e Directory 2008r2 values. With rfc2307, group members are listed by name in the memberUid attribute. With rfc2307bis and IPA, group members are listed by DN and stored in the member attribute. LDAP Bind User DN: The bind DN to use for performing LDAP operations. This user needs read permission on the user groups. Example: CN=LDAPUser,CN=Users,DC=YOURDOMAIN,DC=LOCAL. LDAP Bind User Passw...
Page 24: ...7, Safari 9, Android 5.0 and Java 8.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
4. Uncomment either Medium or Low (not both)...
Page 25: ...A256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES...
Note that this Medium list still offers the 3DES suites (DES-CBC3) and suites with static RSA key exchange (the entries without ECDHE or DHE), which give no forward secrecy; uncomment it only if clients that need those suites must be supported.
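Before uncommenting one of the lists above it helps to see, suite by suite, what each name implies. The script below is an added example, not part of the guide: it classifies each entry of an Apache SSLCipherSuite string from its OpenSSL name (ECDHE/DHE prefix means forward secrecy, GCM or CHACHA20 means AEAD, DES-CBC3 means 3DES) and counts the weak ones. The High list is copied from page 24; the Medium list is only the portion page 25 shows. The classification rules are mine and operate on explicit names only; keyword strings such as HIGH or !aNULL would first have to be expanded with `openssl ciphers -v`.

```shell
#!/bin/sh
# Added example (not from the Skybox guide): name-based audit of an Apache
# SSLCipherSuite value. Lists copied from pages 24-25; rules are the author's.

SKYBOX_HIGH='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
# Part of the Medium list visible on page 25 (the page is truncated).
SKYBOX_MEDIUM_EXCERPT='ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-DSS-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384'

# classify_cipher NAME -> "modern: ...", "legacy: ..." or "weak: ..."
classify_cipher() {
    c=$1
    case "$c" in
        *NULL*|EXP*|*RC4*|*-MD5|*DES-CBC-*|*IDEA*|*ADH*|*AECDH*)
            echo "weak: broken, export-grade or unauthenticated"; return ;;
        *DES-CBC3*)
            echo "weak: 3DES (64-bit block cipher, deprecated)"; return ;;
    esac
    case "$c" in ECDHE-*|DHE-*|EDH-*) kx=pfs ;; *) kx=rsa ;; esac
    case "$c" in *-GCM-*|*CHACHA20*) aead=yes ;; *) aead=no ;; esac
    if [ "$kx" = pfs ] && [ "$aead" = yes ]; then
        echo "modern: forward secrecy, AEAD"
    elif [ "$kx" = pfs ]; then
        echo "legacy: forward secrecy, CBC with HMAC"
    else
        echo "legacy: static RSA key exchange, no forward secrecy"
    fi
}

# audit_cipher_suite LIST: one line per suite in the colon-separated list, then WEAK=n
audit_cipher_suite() {
    weak=0
    for c in $(printf '%s' "$1" | tr ':' ' '); do
        v=$(classify_cipher "$c")
        printf '%-34s %s\n' "$c" "$v"
        case "$v" in weak:*) weak=$((weak + 1)) ;; esac
    done
    printf 'WEAK=%s\n' "$weak"
}

# weak_count LIST -> number of suites classified as weak
weak_count() { audit_cipher_suite "$1" | sed -n 's/^WEAK=//p'; }

demo() {
    echo "== High (page 24)";   audit_cipher_suite "$SKYBOX_HIGH"
    echo "== Medium (page 25, excerpt)"; audit_cipher_suite "$SKYBOX_MEDIUM_EXCERPT"
}
if [ "${1:-}" = demo ]; then demo; fi
```

This only reads names; to confirm what the Appliance actually negotiates after `systemctl restart httpd`, test the listener on port 444 with `openssl s_client -connect <appliance>:444 -cipher <suite>` for a suite that should be refused and one that should succeed.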
Page 26: ...d port as necessary. 3. Click Apply Syslog Configuration. How to work with syslog files: Updates to the configuration files of the syslog server and to the syslog log rotation file are included when necessary as part of Skybox updates. Users can also modify the following files locally for local changes: syslog configuration file: /etc/syslog-ng/syslog-ng.conf; cron file: /etc/cron.daily/syslog-ng-archive. How...
Page 27: ...me>_<IP address>_<time of creation>.zip. How can the logs be imported into Skybox? Device logs can be imported using the following tasks, depending on the information that you are looking for: Change Tracking Events - Syslog Import; Traffic Events - Syslog Import. At a minimum, you need the following information in the task to import the logs. In the Basic tab: the directory path of the files, /var/log/syslog-ng/ne...
Page 28: ...kybox Manager system requirements: Skybox Manager is a Java client application that connects to the Skybox Server through port 8443. You can install multiple Skybox Managers on a single computer; this is useful when connecting to Skybox Servers of different versions. Operating system: The following operating systems are supported for Skybox Manager: Windows 7; Windows 10 (64-bit only); Windows Server 2012; Wi...
Page 29: ...stallation under <Drive>:\Program Files or any other path containing a space is not supported. Post-installation notes: Skybox Manager is configured to communicate with the server over 8443/TCP. If there is a firewall between Skybox Manager and Skybox Server, access on this port must be explicitly permitted. The user running Skybox Manager must have Modify permissions for the directory where Skybox Manage...
Page 30: ...Skybox Appliance 5500 Quick Start Guide, Skybox version 10.1.200. 2. Delete any other files in this directory, including any previous installation file; the directory must contain only the new installation file. ...
Page 31: ...ack them up manually before updating CentOS. The backed-up files are at /var/tmp/appliance_update_<installed_version>/backup/appliance_backup. To update the operating system: Note: The machine reboots as part of the update process. 1. Download the following files to your computer (not to the Appliance server), where <patch> is the patch number: Skybox_<patch>_appliance_update; Skybox_<patch>_appliance_update.md5 ...
Page 32: ...ive. The default location is /var/tmp/appliance_update_<patch>/backup. Note: After the update finishes, a log of the process details is at /opt/skyboxview/utility/log/appliance_update_<patch>.log. 9. (Optional) If something went wrong with the update process, you can either restore settings files manually or restore all the files at once, overwriting all the original files but preserving the original ownership ...
Page 33: ...DVD-R. We recommend that you use either a DVD-R DL (Dual Layer) or a flash drive if you need to burn the ISO. Note: For flash drives, we recommend using Rufus to burn the ISO (https://rufus.ie). To boot from the ISO: During startup, select F6 and then select the device (DVD or flash drive) from which to boot. ISO burning ...
Page 34: ...ter 9. Starting in version 9.0.600, security hardening was added to prevent local users from logging in via SSH. The following lines were added to /etc/ssh/sshd_config:
AllowUsers root skyboxview
AllowGroups root skyboxview
Any additional OS account (for example, one created with useradd for RADIUS or LDAP login) must be added to AllowUsers and must belong to one of the listed groups, or sshd refuses the login. SSH hardening ...
Page 35: ...Updating via the console 39; Updating via RMM 39. Checking your firmware revision via the console: To check the firmware revision on your Appliance: Note: Run all commands from the command line on the Appliance. 1. Run get_appliance_details. The Appliance model number is shown in the MODEL field. 2. Run ipmitool mc info | grep "Firmware Revision". The result shows the firmware revision number, for example Firmwar...
Page 36: ...re that you have permission to log in to the RMM interface of the Appliance from your local machine. For instructions, see Configuring Java for login on page 45. To check the firmware revision on your Appliance: 1. Open Microsoft Internet Explorer. 2. Enter the RMM address of the Appliance as the URL. 3. Authenticate using the user name and the password. 4. If you are not sure of your model number: a. Click the FRU Inf...
Page 37: ...Chapter 10: Firmware updates for Skybox Appliance. Important: You must know the model number for the update. 5. From the System Information tab on the Summary page, check the firmware revision number in the BMC FW Rev field. ...
Page 38: ...ownload/26962: Intel Server Board S2600GZ/GL Firmware Update Package for Extensible Firmware Interface (EFI), product 56255.
7000: https://downloadcenter.intel.com/download/28535, Intel Server Board S1200SP BIOS and Firmware Update Package for EFI, product 88955.
8000/8050: https://downloadcenter.intel.com/download/28002, Intel Server Board S2600WT BIOS and Firmware Update for EFI, product 78563.
Each of these fir...
Page 39: ...OS update procedure. 6. The update procedure asks if you want to update the FRU/SDR; select the option to update both of them. 7. Select No at the "update product" and other prompts. Note: During the update, the speed of your system fan changes. This is normal. 8. Follow the onscreen directions at the end of the BIOS update. Important: After a firmware update, the system takes longer to boot while the backup firmware re...
Page 40: ...f a USB flash drive. 2. Connect the USB flash drive to the back panel of the Appliance machine. 3. Make sure that no other USB device is connected. 4. Connect to RMM as in steps 1 through 3 of the previous procedure and click the Remote Control tab. 5. Click Launch Console. 6. In the dialog box that appears (as shown), click OK. 7. In the Security Warning dialog box that appears (as shown), click Continue. ...
Page 41: ...accept and click Run. A console window opens. 9. Log in as root. 10. Make sure that Skybox is not running on the Appliance machine before performing the update: a. To shut down Skybox Server, run the command service sbvserver stop. b. To shut down Skybox Collector, run the command service sbvcollector stop. 11. Reboot the machine. ...
Page 42: ...12. When the system starts, press F2 until you get the boot menu. 13. From the menu, select Boot Manager and press Enter. 14. From the Boot Manager, select Launch EFI Shell and press Enter. ...
Page 43: ...After about 5 seconds the following screen appears. 15. Press Enter. ...
Page 44: ...When the procedure is almost finished, the screen displays the following. 16. Wait 2 minutes and log in again to the remote console. ...
Page 45: ...17. Press 5 to exit the update. 18. Press any key to continue. CONFIGURING JAVA FOR LOGIN: This procedure enables you to log in to the RMM interface of the Appliance machine from your local computer. ...
Page 46: ...1. From the Windows Start menu, select Configure Java. 2. The Java Control Panel appears. ...
Page 47: ...3. Click the Security tab. ...
Page 48: ...4. Click Edit Site List. 5. Add the URL of the RMM interface of the Appliance machine. Add only the exact RMM URL: the Exception Site List suppresses Java's security prompts for everything served from the origins it contains. ...
Page 49: ...
[Sun Nov 03 16:26:23.623006 2019] [ssl:error] [pid 10480:tid 140600437254272] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Sun Nov 03 16:26:23.623012 2019] [ssl:error] [pid 10480:tid 140600437254272] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Sun Nov 03 16:26:23.623019 2019] [ssl:error] [pid 10480:tid 140600437254272] SSL Library Error: error:0D0...
ASN.1 errors like these in the httpd error log mean that mod_ssl could not parse the certificate or key file it was given as PEM (for example, a DER or PKCS#12 file was configured instead); the export procedure on page 50 produces PEM files.
Page 50: ...ile /etc/pki/tls/certs/ca-chain.cert.pem. 7. Restart the Apache server by running systemctl restart httpd. 8. Make sure that the root CA certificate is installed in your browser's trusted CA certificate store. 9. Access the Appliance Administration at https://<common_name>:444. In this chapter: Exporting the Server certificate and private key from the Java keystore (50). Exporting the Server certificate and ...
Page 51: ...p12 -nokeys -out /etc/pki/tls/certs/skybox_cert.pem. 5. When prompted Enter Import Password, enter skyboxview. 6. Export the private key from the new keystore using the following command. It is written directly to /etc/pki/tls/private:
openssl pkcs12 -in server.keystore.p12 -nodes -nocerts -out /etc/pki/tls/private/skybox_key.pem
7. When prompted Enter Import Password, enter skyboxview. Because -nodes writes the key unencrypted, make sure the output file is owned by root with mode 0600 (chmod 600 /etc/pki/tls/private/skybox_key.pem). 8. Remove the new P12 k...
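The export on page 51 is easy to get subtly wrong (a key that does not belong to the certificate, or a key file readable by everyone), and mod_ssl then fails at restart with errors like those on page 49. The following is an added example and not the guide's procedure: it wraps the PKCS#12 half of the export (steps 4, 6 and 8) in a function that creates the key file with restrictive permissions and adds a check that the exported key matches the exported certificate. It assumes the earlier steps have already produced server.keystore.p12 from the Java keystore; for a stand-alone run, make_demo_p12 builds a throwaway self-signed P12 with openssl in place of that keystore. The paths and the password "skyboxview" are the guide's; the demo certificate subject is made up. Requires openssl.

```shell
#!/bin/sh
# Added example (not from the Skybox guide): PKCS#12 -> PEM export with a
# key/certificate consistency check. Assumes openssl is installed.

# export_from_p12 P12 PASSWORD CERT_OUT KEY_OUT
export_from_p12() {
    p12=$1; pw=$2; cert=$3; key=$4
    # Guide step 4: certificate only, PEM encoded as mod_ssl expects
    openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pw" -out "$cert" || return 1
    # Guide step 6: private key only. -nodes leaves it unencrypted, so create it
    # under umask 077 rather than tightening permissions afterwards.
    ( umask 077 && openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pw" -out "$key" ) || return 1
    # Guide step 8: the P12 holds the same key protected only by the keystore password
    rm -f "$p12"
}

# keypair_matches CERT KEY -> "match" if KEY is the private key for CERT, else "mismatch".
# Compares SHA-256 digests of the DER public key taken from each file.
keypair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ] && echo match || echo mismatch
}

# make_demo_p12 DIR PASSWORD: self-signed stand-in for the keytool output (demo only)
make_demo_p12() {
    d=$1; pw=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/demo.key" -out "$d/demo.crt" \
        -subj "/CN=skybox-demo.example" -days 1 >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -in "$d/demo.crt" -inkey "$d/demo.key" \
        -passout "pass:$pw" -out "$d/server.keystore.p12" || return 1
    rm -f "$d/demo.key"
    echo "$d/server.keystore.p12"
}

demo() {
    d=$(mktemp -d)
    p12=$(make_demo_p12 "$d" skyboxview)
    # On the Appliance the targets would be /etc/pki/tls/certs/skybox_cert.pem and
    # /etc/pki/tls/private/skybox_key.pem; a temp dir is used here.
    export_from_p12 "$p12" skyboxview "$d/skybox_cert.pem" "$d/skybox_key.pem"
    ls -l "$d/skybox_key.pem"
    echo "key/cert: $(keypair_matches "$d/skybox_cert.pem" "$d/skybox_key.pem")"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

One caveat when the P12 really comes from keytool: Java 8 keystores use legacy RC2/3DES PKCS#12 encryption, and OpenSSL 3.x refuses them unless `-legacy` is added to the `openssl pkcs12` commands.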
Page 52: ...lts: 1. Insert the DVD in the DVD-ROM drive. 2. Reboot the Appliance. 3. As soon as you see the Skybox Installation Menu window, press any key. Note: If you do not press a key within a few seconds, the Appliance boots from the local drive. 4. In the menu, select Skybox Appliance Installation. Note: The restore process takes approximately 25 minutes. 5. After the installation finishes, proceed from System configurat...
Page 53: ...
Raw idle CPU time | 1.3.6.1.4.1.2021.11.53.0
Raw nice CPU time | 1.3.6.1.4.1.2021.11.51.0
Memory statistics:
Total swap size | 1.3.6.1.4.1.2021.4.3.0
Available swap space | 1.3.6.1.4.1.2021.4.4.0
Total RAM in machine | 1.3.6.1.4.1.2021.4.5.0
Total RAM used | 1.3.6.1.4.1.2021.4.6.0
Total RAM free | 1.3.6.1.4.1.2021.4.11.0
Total RAM shared | 1.3.6.1.4.1.2021.4.13.0
Total RAM buffered | 1.3.6.1.4.1.2021.4.14.0
Total c...
Page 54: ...
Skybox Collector status | 1.3.6.1.4.1.8072.1.3.2.3.1.4.19.49.46.51.46.54.46.49.46.52.46.49.46.49.57.55.54.56.46.50 ...
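The Collector status OID on page 54 is not opaque: its prefix 1.3.6.1.4.1.8072.1.3.2.3.1.4 is the nsExtendResult column of NET-SNMP-EXTEND-MIB (the exit status of an "extend" command configured in snmpd), and the rest is the index, i.e. the name of that extend entry encoded as a length followed by the ASCII code of each character. The script below is an added example, not from the guide: it decodes such an index (and encodes one, so you can build the OID to poll for any other extend entry). The OID is the guide's; the decoder is mine and assumes only a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the Skybox guide): NET-SNMP extend index <-> name.
NS_EXTEND_RESULT=1.3.6.1.4.1.8072.1.3.2.3.1.4   # nsExtendResult column

# decode_extend_index "19.49.46.51..." -> the extend entry name
decode_extend_index() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    len=$1; shift
    [ "$#" -eq "$len" ] || { echo "length $len does not match $# sub-ids" >&2; return 1; }
    out=
    for n in "$@"; do
        [ "$n" -ge 32 ] && [ "$n" -le 126 ] || { echo "sub-id $n is not printable ASCII" >&2; return 1; }
        # printf "\NNN" prints the character with octal code NNN
        out="$out$(printf "\\$(printf '%03o' "$n")")"
    done
    printf '%s\n' "$out"
}

# encode_extend_name NAME -> "len.c1.c2..." (the inverse)
encode_extend_name() {
    name=$1
    out=${#name}
    i=1
    while [ "$i" -le "${#name}" ]; do
        ch=$(printf '%s' "$name" | cut -c "$i")
        out="$out.$(printf '%d' "'$ch")"   # printf '%d' "'x" yields the code of x
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# extend_result_oid NAME -> OID to poll, e.g. with: snmpget -v2c -c <community> <host> <oid>
extend_result_oid() { printf '%s.%s\n' "$NS_EXTEND_RESULT" "$(encode_extend_name "$1")"; }

# decode_extend_oid FULL_OID -> name, when FULL_OID is under nsExtendResult
decode_extend_oid() {
    case "$1" in
        "$NS_EXTEND_RESULT".*) decode_extend_index "${1#"$NS_EXTEND_RESULT".}" ;;
        *) echo "not an nsExtendResult OID" >&2; return 1 ;;
    esac
}

demo() {
    # The Collector status OID exactly as printed on page 54.
    oid=1.3.6.1.4.1.8072.1.3.2.3.1.4.19.49.46.51.46.54.46.49.46.52.46.49.46.49.57.55.54.56.46.50
    echo "extend entry name: $(decode_extend_oid "$oid")"
    echo "round trip:        $(extend_result_oid "$(decode_extend_oid "$oid")")"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Decoding the guide's OID gives the entry name 1.3.6.1.4.1.19768.2, so the "Collector status" value is whatever exit code the extend command registered under that name returns; `snmpwalk` of 1.3.6.1.4.1.8072.1.3.2.3.1.2 (nsExtendOutputFull) with the same index shows its text output.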
Page 55: ...ails script from the CLI. Sample output of get_appliance_details:
APPLIANCE_VERSION 8.5.103 7.1.11
CORES 2
MODE SERVER
MODEL
RAM 32014 MB
SERIAL_NUMBER
SKYBOXVIEW 8.0.513
Hardware issues: If there is a hardware issue on the Appliance (usually indicated by the system status LED turning amber or blinking): 1. Run getlogs as the root user. The diagnostic log file diagnostic_<timestamp>.log is in the Skybox_Ho...
Page 56: ...might be required, for example if you are sending the Appliance back to Skybox for replacement. Caution: This procedure wipes the HDD completely. Afterwards it will not be bootable or function at all. The following command overwrites all partitions, master boot records and data:
dd if=/dev/urandom of=/dev/sda bs=1M
Confirm with lsblk that /dev/sda is the drive you intend to wipe before running it; dd stops with a "No space left on device" error when it reaches the end of the disk, which is the expected completion. Wiping the hard disk drive ...
Page 57: ...ntal or malicious misconfigurations or modified binaries. 1.3.2 Ensure that file system integrity is regularly checked: Periodic checking of the file system integrity is needed to detect changes to the file system. Rationale: Periodic file checking enables the system administrator to determine on a regular basis whether critical files have been changed in an unauthorized fashion. 1.4.1 Ensure that permissio...
Page 58: ...is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system. 1.7.1.3 Ensure that the remote login warning banner is configured properly: The content of the /etc/issue.net file is displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level wh...
Page 59: ...ure ICMP redirects are not accepted. Rationale: It is possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways. 3.2.4 Ensure that suspicious packets are logged: When enabled, this feature logs packets with unroutable source addresses to the kernel log. Rationale: Enabling this...
Page 60: ...at (rename a file attribute) system calls and tags them with the identifier "delete". Rationale: Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option looks at all events, system administrators want to look for specific privileged files that...
Page 61: ...o the SSH server. 5.2.6 Ensure that SSH IgnoreRhosts is enabled: The IgnoreRhosts parameter specifies that .rhosts and .shosts files are not used in RhostsRSAAuthentication or HostbasedAuthentication. Rationale: Setting this parameter forces users to enter a password when authenticating with SSH. 5.2.7 Ensure that SSH HostbasedAuthentication is disabled: The HostbasedAuthentication parameter specifies whe...
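The SSH hardening lines on page 34 and the CIS 5.2.6/5.2.7 items above can be checked against a copy of sshd_config without logging in to the Appliance. The script below is an added example, not part of the guide: sshd_get returns the effective value of a directive using sshd's "first occurrence wins" rule for the global section (it stops at the first Match block), audit_sshd_config reports the four items, and sshd_user_allowed shows who the AllowUsers/AllowGroups pair lets through, which is why a RADIUS account created with useradd (page 22) is refused until it is added. Only plain names are handled (no wildcards or user@host forms); the sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not from the Skybox guide): sshd_config checks for the page 34
# allow-lists and the CIS 5.2.6/5.2.7 settings. POSIX sh plus awk.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_get FILE KEY: effective value of KEY ("" if the file does not set it)
sshd_get() {
    awk -v key="$(lc "$2")" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }   # global section ends at Match
        {
            k = $1; sub(/=.*/, "", k)                 # accept "Key value" and "Key=value"
            if (tolower(k) == key) {
                line = $0
                sub(/^[ \t]*[^ \t=]+[ \t=]+/, "", line)
                print line; exit                      # first occurrence wins, as in sshd
            }
        }' "$1"
}

# audit_sshd_config FILE: PASS/FAIL per item, then FAILURES=n
audit_sshd_config() {
    f=$1; fails=0
    for key in AllowUsers AllowGroups; do
        v=$(sshd_get "$f" "$key")
        if [ -n "$v" ]; then printf 'PASS %s = %s\n' "$key" "$v"
        else printf 'FAIL %s is not set (guide: "%s root skyboxview")\n' "$key" "$key"; fails=$((fails + 1)); fi
    done
    # KEY EXPECTED DEFAULT, where DEFAULT is what sshd assumes when KEY is absent
    for spec in 'IgnoreRhosts yes yes' 'HostbasedAuthentication no no'; do
        set -- $spec
        v=$(lc "$(sshd_get "$f" "$1")"); v=${v:-$3}
        if [ "$v" = "$2" ]; then printf 'PASS %s = %s\n' "$1" "$v"
        else printf 'FAIL %s = %s (CIS expects %s)\n' "$1" "$v" "$2"; fails=$((fails + 1)); fi
    done
    printf 'FAILURES=%s\n' "$fails"
}

list_has() { for w in $1; do [ "$w" = "$2" ] && return 0; done; return 1; }

# sshd_user_allowed FILE USER GROUP -> allowed|denied by AllowUsers/AllowGroups
sshd_user_allowed() {
    users=$(sshd_get "$1" AllowUsers); groups=$(sshd_get "$1" AllowGroups)
    verdict=allowed
    if [ -n "$users" ]; then list_has "$users" "$2" || verdict=denied; fi
    if [ -n "$groups" ]; then list_has "$groups" "$3" || verdict=denied; fi
    echo "$verdict"
}

demo() {
    d=$(mktemp -d)
    printf '# hardened, as on page 34\nAllowUsers root skyboxview\nAllowGroups root skyboxview\nIgnoreRhosts yes\nHostbasedAuthentication no\n' > "$d/hardened"
    printf 'HostbasedAuthentication yes\nIgnoreRhosts no\n' > "$d/weak"
    audit_sshd_config "$d/hardened"
    audit_sshd_config "$d/weak"
    # An account from "useradd user1" has primary group user1, so it is denied:
    echo "user1 over SSH with the hardened config: $(sshd_user_allowed "$d/hardened" user1 user1)"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On the Appliance itself, `sshd -T` prints the effective configuration with defaults filled in, so `sshd -T | grep -Ei '^(allowusers|allowgroups|ignorerhosts|hostbasedauthentication)'` is the live equivalent of audit_sshd_config.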
Page 62: ...abet, numeric, other). And more. The following options are set in the /etc/security/pwquality.conf file:
minlen = 14 (password must be at least 14 characters)
dcredit = -1 (provide at least one digit)
ucredit = -1 (provide at least one uppercase character)
ocredit = -1 (provide at least one special character)
lcredit = -1 (provide at least one lowercase character)
Note: The values shown are sample values. Rationale: Strong passwor...
Page 63: ...es are the least secure. See the chmod(2) man page for more information. Rationale: Data in world-writable files can be modified and compromised by any user on the system. World-writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise of the system's integrity. 6.1.11 Ensure that no unowned files or directories exist: Sometimes w...
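The CIS items quoted on pages 59 and 63 are the ones most likely to drift after a local change or an update. The script below is an added example, not from the guide: check_sysctl_file reads a sysctl.conf-style file (or saved `sysctl -a` output) and compares the 3.2.x keys against their expected values, and find_world_writable / find_unowned are the filesystem checks behind 6.1.10 and 6.1.11, written as functions so they can be pointed at a directory rather than the whole host. The expected-value table covers the two keys the page quotes (secure_redirects, log_martians) plus their accept_redirects and "default" neighbours from the same CIS section; the sample sysctl content in demo is constructed.

```shell
#!/bin/sh
# Added example (not from the Skybox guide): spot checks for CIS 3.2.x sysctls
# and for world-writable / unowned files. POSIX sh, awk and find only.

# key=expected pairs from CIS 3.2.2 - 3.2.4 for CentOS 7
CIS_SYSCTL='
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
'

# sysctl_value FILE KEY: last assignment wins (as with sysctl -p); "" if absent.
# Accepts both "key = value" (sysctl -a output) and "key=value" (sysctl.conf).
sysctl_value() {
    awk -v key="$2" -F'[ \t]*=[ \t]*' '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k); if (k == key) v = $2 }
        END { print v }' "$1"
}

# check_sysctl_file FILE: PASS/FAIL per key, then FAILURES=n
check_sysctl_file() {
    fails=0
    for kv in $CIS_SYSCTL; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(sysctl_value "$1" "$key")
        if [ "$have" = "$want" ]; then printf 'PASS %s = %s\n' "$key" "$have"
        else printf 'FAIL %s = %s (expected %s)\n' "$key" "${have:-unset}" "$want"; fails=$((fails + 1)); fi
    done
    printf 'FAILURES=%s\n' "$fails"
}

# find_world_writable DIR: regular files with the other-write bit set (CIS 6.1.10)
find_world_writable() { find "$1" -xdev -type f -perm -0002 -print; }

# find_unowned DIR: files whose uid or gid has no passwd/group entry (CIS 6.1.11)
find_unowned() { find "$1" -xdev \( -nouser -o -nogroup \) -print; }

demo() {
    d=$(mktemp -d)
    # Constructed sysctl content: the first secure_redirects line is overridden later.
    printf 'net.ipv4.conf.all.secure_redirects = 1\nnet.ipv4.conf.all.log_martians=1\n# comment\nnet.ipv4.conf.all.secure_redirects = 0\n' > "$d/sysctl.conf"
    check_sysctl_file "$d/sysctl.conf"
    touch "$d/private" "$d/open"; chmod 644 "$d/private"; chmod 666 "$d/open"
    echo "world-writable under $d:"; find_world_writable "$d"
    echo "unowned under $d:"; find_unowned "$d"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On the Appliance, `sysctl -a > /tmp/sysctl.live && check_sysctl_file /tmp/sysctl.live` checks the running kernel rather than the file, and `find_world_writable /` walks the whole root filesystem (the `-xdev` keeps it off other mounts such as /var and /opt, which need their own run).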
Page 64: ...stems, test equipment and so on) other than an ITE application will require further evaluation and may require additional regulatory approvals. Note: The use and/or integration of telecommunication devices such as modems and/or wireless devices has not been planned for with respect to these systems. If there is any change of plan to use such devices, then telecommunication type certifications will requ...
Page 65: ...h worldwide regulatory requirements. A Material Declaration Data Sheet is available for Intel products. For more reference on material restrictions and compliance, you can view Intel's Environmental Product Content Specification at http://supplier.intel.com/ehs/environmental.htm. Europe: European Directive 2002/95/EC, Restriction of Hazardous Substances (RoHS). Threshold limits and banned substances are note...
Page 66: ...mmunications Commission); Korea; CU (Russia/Ukraine Certification); Ukraine; BSMI Certification (RPC Number, Class A Warning; Taiwan); FCC Marking (Class A; USA): This device complies with Part 15 of the FCC Rules. Operation of this device is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may ca...
Page 67: ...ecycling Package Marks (China): Will be added on the package label. Other Recycling Package Marks (International): Will be added on the package label. Battery Perchlorate Warning Information (USA, CA): Perchlorate Material, special handling may apply. See www.dtsc.ca.gov/hazardouswaste/perchlorate. This notice is required by California Code of Regulations, Title 22, Division 4.5, Chapter 33: Best Management Practices for P...
Page 68: ...ted and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio c...
Page 69: ...ation of this notice. This digital apparatus does not exceed the Class B limits for radio noise emissions from digital apparatus set out in the interference-causing equipment standard entitled Digital Apparatus, ICES-003 of the Canadian Department of Communications. Europe, CE Declaration of Conformity: This product has been tested in accordance with, and complies with, the Low Voltage Directive 73/23/EEC ...
Page 70: ...ense and Product. 2. Certification No.: On RRL certificate; obtain the certificate from your local Intel representative. 3. Name of Certification Recipient: Intel Corporation. 4. Date of Manufacture: Refer to the date code on the product. 5. Manufacturer/Nation: Intel Corporation; refer to the country of origin marked on the product. CNCA (CCC, China): The CCC Certification Marking and EMC warning are located on the outside rear area of the ...