Configuring downloadable OVA

Forcepoint ONE SSE provides an OVA that you can download to set up syslog streaming for log ingestion. The OVA is a VMware virtual appliance that runs the collector as a Docker container; you must have vCenter to deploy it.

Before you begin

The VM that the OVA is deployed on must meet the following minimum requirements:
  • At least 2 CPU cores
  • 8 GB of RAM
  • 200 GB of Drive storage space

Forcepoint ONE SSE's OVA connector receives streamed logs over UDP only. This means you cannot use the OVA option with a firewall or log source that sends syslog over TCP, for example Zscaler's NSS. For TCP-based sources, Forcepoint ONE SSE recommends that you set up log streaming using Rsyslog instead.

Note: Existing customers utilizing the Discovery OVA downloaded from Forcepoint ONE SSE or customers who have a customized self-deployed environment will need to update the certificates manually. Refer to Forcepoint ONE Discovery OVA Certificate Update.

The steps below walk you through downloading and configuring the OVA for log streaming.

Steps

  1. Navigate to Analyze > Discovery > Reports.
  2. Under the Syslog Collector section, click the OVA Virtual Appliance link and the Certificates link to download the OVA and certificates needed for configuration.
  3. With the OVA downloaded:
    1. Open your vSphere admin console and navigate to VMs and Templates.
    2. Expand the appropriate vCenter.
    3. Select the data center, right-click the appropriate VMware ESX host and then select Deploy OVF template.
  4. On the Select an OVF template tab, select Local File and then click Choose Files to locate the OVA you just downloaded. Select all the files under the unzipped folder and click Confirm.
  5. Enter a name for your VM. The wizard then walks you through verification: select the appropriate data center under vCenter as the template location, then select the appropriate ESX server and datastore.


  6. Select Thin Provision for the disk format and then select VM Network as the destination on the next page.


  7. With the OVA uploaded successfully, select the VM you created and power it on. If you are not using SSH keys for the VM, you can log in to the OVA VM with the following default credentials:
    • User: ubuntu
    • PW: onprem123!
    This default password is published and identical on every deployment; change it (passwd) at first login before the VM is reachable from the rest of the network.


  8. In vCenter, go to Storage and select a datastore. Under the selected datastore, select Files, create a folder and then upload the certificates ISO you downloaded.
  9. Navigate to Hosts and Clusters, right-click the VM you created and then click Edit Settings. Under CD/DVD drive 1, select Datastore ISO File and choose the ISO you uploaded in step 8. Check the Connect At Power On box and set the Virtual Device Node to IDE(0:0) CD/DVD drive 1.

  10. At this point, you need to give the OVA VM a static IP address and assign the address, gateway, and DNS servers. Open the interfaces file on the VM:
    # sudo nano /etc/network/interfaces
    You will see a DHCP stanza like this:
    auto eth0
    iface eth0 inet dhcp

    Change it to a static configuration, replacing the placeholder values with your own static IP, netmask, gateway and DNS server addresses. Note that the keyword is auto (not auth), all keywords are lowercase, and every DNS server goes on the one dns-nameservers line, separated by spaces:
    auto eth0
    iface eth0 inet static
    address xx.x.x.xxx
    netmask 255.255.0.0
    gateway xx.x.x.x
    dns-nameservers xx.x.x.xx x.x.x.x
    Press Ctrl+O to save the file and Ctrl+X to exit, then reboot the VM to apply the changes.
    • Once the VM has rebooted, confirm that nslookup resolves bitglass.com and that you can ping bitglass.com.
    • Point your firewall's syslog output at the VM's IP address on UDP port 514.
    • Run the setup script: sudo ./run_setup.sh

    If you get a permission error, make the script executable with chmod +x followed by the path reported in the error, then run it again.

    The setup should complete successfully.

  11. Test that your syslog client is delivering logs to the VM by running the following commands (tcpdump needs root; -i selects the capture interface):
    # tcpdump -i any port 514
    # tcpdump -i any port 1999

    You should see a stream of packets from both commands; press Ctrl+C to stop. If not, check your syslog client (router or firewall) to confirm it has the VM's current IP address and that its configuration points to that IP. If you still do not see the traffic, contact Forcepoint support for further troubleshooting.

  12. Finally, if you do not use an external proxy server, run /home/ubuntu/run_setup.sh and then point your firewall logs to UDP port 514 of the OVA host.
    Each vendor differs in how to do this; see the sample instructions for PANW and Blue Coat.
  13. If you use an external proxy server, do the following:
    1. Run /home/ubuntu/run_setup.sh and answer Y when it asks Do you have an external proxy server.
    2. Copy the CA certificate of the external proxy server into the home directory on the rsyslog-ops node.
    3. Open /home/ubuntu/syslog_config.ini and fill in the following fields:
      External_proxy_ca_certificate = <name of the CA certificate file for the external proxy server>
      http_proxy = <external proxy server, including the port>
      https_proxy = <external proxy server, including the port>
      no_proxy = <IP address of the gateway>
    4. Run /home/ubuntu/onprem_setup_rsyslog.sh setup_ops syslog_config.ini and then reboot the VM.
    5. After the reboot, run the following commands in order:
      /home/ubuntu/onprem_setup_rsyslog.sh ops_health
      /home/ubuntu/onprem_setup_rsyslog.sh deploy_tools
      /home/ubuntu/onprem_setup_rsyslog.sh deploy_rsyslog
      /home/ubuntu/onprem_setup_rsyslog.sh rsyslog_health
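The static addressing in step 10 is the place where a typo (auth for auto, a capitalised keyword, a gateway that is not actually inside the configured subnet) leaves the VM unreachable after the reboot. The following is an added example, not part of the Forcepoint OVA or its scripts: it lints an interfaces(5) stanza for exactly those mistakes and generates a consistent one from validated inputs. The interface name eth0 and the sample 10.1.x.x addresses are assumptions.

```python
"""Lint and generate the static /etc/network/interfaces stanza for the
collector VM (step 10).  Added example, not Forcepoint code; eth0 and the
sample addresses are assumptions."""
import ipaddress

# ifupdown keywords this lint understands; anything else is passed through
KEYWORDS = {"auto", "iface", "address", "netmask", "gateway", "dns-nameservers"}


def lint_interfaces(text, iface="eth0"):
    """Return a list of problems found in interfaces(5) text for `iface`
    (empty list means the stanza looks like a usable static config)."""
    problems = []
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word, _, rest = line.partition(" ")
        key = word.lower()
        if key == "auth":  # the typo from the page's own listing
            problems.append(f"'auth' is not an ifupdown keyword; use 'auto {iface}'")
            key = "auto"
        elif key in KEYWORDS and word != key:
            problems.append(f"keyword '{word}' must be lowercase ('{key}')")
        if key not in KEYWORDS:
            continue
        if key == "iface" and "inet dhcp" in rest:
            problems.append(f"{iface} still uses DHCP; change it to 'inet static'")
        if key == "dns-nameservers" and key in seen:
            problems.append("repeated 'dns-nameservers' line; list all servers on one line")
        seen.add(key)
    for required in ("auto", "iface", "address", "netmask", "gateway", "dns-nameservers"):
        if required not in seen:
            problems.append(f"missing '{required}' line")
    return problems


def check_addressing(address, netmask, gateway, dns_servers):
    """Return a list of problems with the proposed static addressing."""
    try:
        ip = ipaddress.IPv4Address(address)
        network = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"unparseable address/netmask/gateway: {exc}"]
    problems = []
    if ip in (network.network_address, network.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {network}")
    if gw not in network:
        problems.append(f"gateway {gw} is outside {network}; check the netmask")
    elif gw == ip:
        problems.append("gateway must differ from the host address")
    if not dns_servers:
        problems.append("at least one DNS server is needed to resolve bitglass.com")
    for server in dns_servers:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"bad DNS server address {server!r}")
    return problems


def build_static_stanza(iface, address, netmask, gateway, dns_servers):
    """Return the stanza text for `iface`, raising ValueError if the
    addressing is inconsistent."""
    problems = check_addressing(address, netmask, gateway, dns_servers)
    if problems:
        raise ValueError("; ".join(problems))
    network = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
    lines = [
        f"auto {iface}",                      # 'auto', not 'auth'
        f"iface {iface} inet static",
        f"    address {ipaddress.IPv4Address(address)}",
        f"    netmask {network.netmask}",
        f"    gateway {ipaddress.IPv4Address(gateway)}",
        "    dns-nameservers " + " ".join(dns_servers),  # one line, space-separated
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample mirroring the page's listing, typos included
    sample = ("auth eth0\nIface eth0 inet static\naddress 10.1.2.50\n"
              "netmask 255.255.0.0\ngateway 10.1.0.1\n"
              "dns-nameservers 10.1.0.10\ndns-nameservers 8.8.8.8\n")
    for problem in lint_interfaces(sample):
        print("problem:", problem)
    print(build_static_stanza("eth0", "10.1.2.50", "255.255.0.0", "10.1.0.1",
                              ["10.1.0.10", "8.8.8.8"]))
```

Run the lint against the file before rebooting; the netmask check in check_addressing catches the common case where a /24 mask is used with a gateway that only exists in the /16 the VM was given.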
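Because the collector only speaks UDP, a firewall pointed at the wrong address or port fails silently, which is why step 11 falls back on tcpdump. The following added example (not Forcepoint code, and not the real collector) shows both sides of that check: a sender that builds a correctly formed BSD-syslog datagram, and a loopback receiver that proves the message arrived and parses its priority. The hostname fw-edge-01, the tag and the message text are constructed samples; the collector's port 1999 is not touched.

```python
"""Constructed syslog sender and loopback receiver for checking a UDP syslog
path (the test behind step 11).  Added example, not Forcepoint code: the
hostname, tag, message text and sample timestamp are made up."""
import socket
import time

LOG_LOCAL0 = 16   # facility commonly used by firewalls
SEV_INFO = 6
# constructed fixed timestamp so the formatter has a reproducible result
SAMPLE_WHEN = time.strptime("2024-03-05 14:07:09", "%Y-%m-%d %H:%M:%S")


def format_rfc3164(facility, severity, hostname, tag, msg, when=None):
    """Return a BSD-syslog line '<PRI>Mmm dd hh:mm:ss HOST TAG: MSG'.
    PRI = facility*8 + severity; a single-digit day is space-padded."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    when = time.localtime() if when is None else when
    ts = "%s %2d %s" % (time.strftime("%b", when), when.tm_mday,
                        time.strftime("%H:%M:%S", when))
    return "<%d>%s %s %s: %s" % (facility * 8 + severity, ts, hostname, tag, msg)


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if absent."""
    if not line.startswith("<"):
        return None
    end = line.find(">", 1, 5)          # PRI is at most three digits
    if end == -1 or not line[1:end].isdigit():
        return None
    pri = int(line[1:end])
    if pri > 191:                       # 23*8 + 7 is the largest legal value
        return None
    return divmod(pri, 8)


def send_syslog(line, host, port=514):
    """Fire one datagram.  UDP gives no acknowledgement, hence the listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (host, port))


def loopback_self_test(timeout=2.0):
    """Bind a UDP listener on an ephemeral loopback port, send a constructed
    message to it and return the parsed (facility, severity), or None if
    nothing arrived within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        send_syslog(format_rfc3164(LOG_LOCAL0, SEV_INFO, "fw-edge-01", "fwlog",
                                   "TEST collector reachability"),
                    "127.0.0.1", port)
        try:
            data, _ = listener.recvfrom(2048)
        except socket.timeout:
            return None
    return parse_pri(data.decode("utf-8", "replace"))


if __name__ == "__main__":
    print("loopback self-test (facility, severity):", loopback_self_test())
```

To test a firewall's configuration before the collector is in place, bind the same listener to ("0.0.0.0", 514) as root on a scratch host and point the firewall at it; if the datagrams arrive there but tcpdump on the OVA shows nothing, the problem is between the firewall and the VM's address, not in the firewall's syslog settings.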