Counteract 6 3 4 0 Installation Guide

CounterACT Installation Guide Version 6.3.4.0


Table of Contents

Preface
  About this Manual
  About the CounterACT Solution
  CounterACT Package Contents

Chapter 1: System Components and Requirements
  CounterACT Components
    CounterACT Appliance
    CounterACT Enterprise Manager
    Recovery Enterprise Manager
    CounterACT Console
  Secure, Encrypted Connections
  Remote Management Module 2 (RMM2) Integration (RILO)
  High Availability Tools
  Power Outage Handling
  System Requirements
    CounterACT Console Hardware Requirements
    Network Access Requirements
    Network Deployment Requirements
    Appliance Information Requirements
    Enterprise Manager Information Requirements
    Network Connection Requirements

Chapter 2: Hardware Setup
  About CounterACT Installation
    Related Documents
  Appliance Interface Connections
    Management Interface
    Monitor Interface
    Response Interface
  Setting Up Switch Connections
    Standard Installation: Separate Management, Monitor and Response Ports
    Combined Monitor and Response Port
    Combined Management and Response Port (Single VLAN Only)
    Combined Management, Response and Monitor Port (Single VLAN Only)
    Switch Setting Guidelines
  Creating an Out-of-Band IP Management Interface

Chapter 3: Appliance Setup, Configuration, Installation and Post-Installation
  Setting Up an Appliance
    Serial Port Setup
  Installing an Appliance
  Post-Installation Procedures
    Connect an Appliance to the Network
    Integrate the Appliance with Remote Management Module 2 (RMM2)
    Verify the Management Interface Connection
    Verify Switch/Appliance Connectivity
    Perform a Ping Test
    Generate a Configuration Summary for an Appliance
    Upgrade to the New Version
  Installing a High Availability System
  Verifying FIPS Compliance
  Enabling FIPS Mode
  Additional Installation Tools
    Configuring the Interface Speed/Duplex
    Restoring System Settings

Chapter 4: Installing the Enterprise Manager
  About the Installation
  Setting Up the Enterprise Manager
  Installing the Enterprise Manager
  Post-Installation Procedures
    Connect the Enterprise Manager to the Network
    Integrate with an Remote Management Module 2 (RMM2)
    Upgrade to the New Version
  Gradual Upgrade
  Restoring System Settings

Chapter 5: Installing the CounterACT Console
  About CounterACT Console Installation
  Logging In
  Using the Initial Setup Wizard at the Console
  Uninstalling Previous Versions

Chapter 6: High Availability Systems
  About High Availability
  License Setup Requirements
  Pre-Installation Requirements
  Optional Switch Connectivity
  Failover
    Criteria
    Node Status
  Connecting to the Network
  High Availability Software Installation
    Identify Ethernet Ports
    Primary Appliance Setup
    Configuring the CounterACT Appliance
    Secondary Appliance Setup
  Moving the Network Location of a High Availability Cluster
  Backup and Restore
  High Availability Indicators on the Console
  Upgrading 6.0 High Availability Systems to the Latest Version
  Upgrading to High Availability from CounterACT Versions 4.x and 5.x
  Uninstalling High Availability Mode
  Restoring a Configuration
    Installing Software and Restoring Configuration on the Primary Node
    Configuring the Secondary Node
  Converting a Single Enterprise Manager/Appliance to High Availability

Appendix A - Site Preparation Form

Preface

This section covers the following topics:

About this Manual

About the CounterACT Solution

CounterACT Package Contents

About this Manual

This manual details the CounterACT software installation/configuration procedures and related information for the following components:

Appliance hardware components (CT-Remote CT-100, CT-1000, CT-2000, or CT-4000)

Enterprise Manager hardware component

Console management application

Information regarding Switch setup is also available.

About the CounterACT Solution

CounterACT delivers complete endpoint security and lets you effortlessly apply your business security policies to the IT infrastructure, accurately and automatically. CounterACT effectively:

Ensures NAC compliance

Combats worms, self-propagating malware and hackers

Automatically protects network vulnerabilities

Creates a virtual firewall that protects or opens specific network zones

Lets security teams, IT departments and the Help Desk leverage extensive network information via CounterACT’s web-based Assets Portal

The CounterACT Console User Manual provides more information about these capabilities.


The manual contains the following chapters:

Chapter 1: System Components and Requirements

CounterACT system requirements, including hardware and networking requirements

Chapter 2: Hardware Setup

Information about hardware setup options

Chapter 3: Appliance Setup, Configuration, Installation and Post-Installation

How to install and upgrade the Appliance

Chapter 4: Installing the Enterprise Manager

How to install and upgrade the Enterprise Manager

Chapter 5: Installing the CounterACT Console

How to install the CounterACT Console

Chapter 6: High Availability Systems

How to install and configure High Availability CounterACT systems

Appendix A - Site Preparation Form

CounterACT site preparation form with required site parameters

CounterACT Package Contents

Your CounterACT package includes the following components:

The CounterACT Appliance/Enterprise Manager

Quick Installation Guide

A CounterACT CD containing the Console software, the CounterACT Console User Manual, and this guide

Warranty document

Mounting brackets

Power cord

DB9 Console connecting cable (for serial connections only)

If you are working with a High Availability system, you will receive a separate package with another Appliance and/or Enterprise Manager. See Chapter 6: High Availability Systems for more information.

Chapter 1: System Components and Requirements

This chapter includes:

CounterACT Components

Secure, Encrypted Connections

High Availability

Power Outage Handling

System Requirements

CounterACT Components

CounterACT components include:

CounterACT Appliance

CounterACT Enterprise Manager

CounterACT Console

CounterACT Appliance

The Appliance is a dedicated device that monitors traffic going through your organization’s network. It protects the network against malicious activity, performs extensive NAC protection, lets you create network security zones and handles vulnerabilities.

Multiple Appliance Deployments

Multiple CounterACT Appliances are deployed to ensure maximum protection of your organization. Your CounterACT Appliance was installed in order to see vital network traffic.

To handle malware and hackers, the Appliance setup must be:

At the connection point between a protected network area and the rest of the network. This protects a specific network range against infection attempts initiated from the rest of the network, and protects the network against infection attempts generated from a specific network area (for example, a contractors segment, which might be more dangerous).

Behind a VPN concentrator, where encrypted VPN channels are decrypted and malicious traffic enters your network

Behind remote access servers, where remote access users are entering your network


To apply an admission control policy, the Appliance setup must be:

Within broadcast domains, preferably mirroring tagged ports

To work with the Virtual Firewall, the Appliance setup must be:

Between segments/VLANs

CounterACT Enterprise Manager

The Enterprise Manager is an aggregation device that communicates with multiple CounterACT Appliances distributed across an enterprise. It manages the CounterACT activity and policies, and collects information about malicious activity that is detected at each Appliance, including infection attempts, identification, notification, restriction and remediation actions taken by CounterACT. This information is available for display and reporting at the Enterprise Manager.

Recovery Enterprise Manager

The CounterACT Recovery Enterprise Manager is used as a remote recovery device for an Enterprise Manager that is no longer functioning due to, for example, a natural disaster or crisis. This device provides complete and continued management of network Appliances from a remote site. The Recovery Enterprise Manager is installed at the Data Center using the same installation procedure as the Enterprise Manager, and is later added at the Console as you would any CounterACT component. Refer to the CounterACT Console User Manual for more information. See www.forescout.com/kb or use the online Help tools at the Console.

CounterACT Console

The Console is the CounterACT management application used for viewing and managing important information about Network Access Control (NAC) policies, malicious intrusions, vulnerable network hosts, and more. The Console lets you define the conditions under which hosts are identified and handled by CounterACT. The Console also provides a number of tools:

Policy tools allow you to define a virtual firewall policy and a policy for handling NAC, security and compliance issues, as well as a policy for handling malicious sources.

Sophisticated reporting tools let you generate an extensive range of reports about malicious source activity, NAC activity and vulnerability scanning, as well as CounterACT’s response to these activities.

Control tools allow you to start and stop Appliances and Enterprise Managers and update the configuration defined during installation, for example, the network range CounterACT is protecting or the time zone setting. Other control tools allow you to communicate with your Network Management application and work with 3rd party plugin applications.

Refer to the CounterACT Console User Manual for more information.

Secure, Encrypted Connections

The CounterACT Console connection is encrypted using a proprietary protocol on 13000/TCP. Users are required to enter a user name and password to log in to the CounterACT Appliance through the Console.

The connection between multiple Appliances and the Enterprise Manager is also encrypted with the same proprietary protocol.

Remote Management Module 2 (RMM2) Integration (RILO)

CounterACT supports Intel Remote Management Module 2 (RMM2) integration with CT1000/2000/4000 components. The Intel RMM2 is an integrated server system solution that gives you location-independent, OS-independent remote access over the LAN or Internet to CounterACT Appliances/Enterprise Managers. The module is used to carry out KVM access, power on/off/reset and perform troubleshooting and maintenance tasks. See Integrate the Appliance with Remote Management Module 2 (RMM2) for information about setting up this module.

High Availability Tools

CounterACT High Availability is implemented in clusters with two Appliances or two Enterprise Manager nodes. Redundancy is achieved by one of the nodes serving as the Active node (managing the activities required for effective NAC) while the second node waits in Standby mode to take over in case of Active node failure. See Chapter 6: High Availability Systems.

Power Outage Handling

By default, when there is a power outage, the Appliance and Enterprise Manager are set to the Stay Off mode. You can change this default to Power On mode so that the machine will automatically be powered on after a power outage recovery.

To change the power outage recovery setting to Power On:

1. Reboot the Appliance or Enterprise Manager.
2. While the machine is powering on, select F2.
3. The BIOS Setup Utility screen opens.
4. Select the Server tab.
5. Use the arrow keys to select the Default > Stays Off option.
6. Press Enter and the Down arrow to choose Power On.

System Requirements

Verify that the following requirements are met before you begin installation and that you have a completed Site Preparation Form (Appendix A - Site Preparation Form).

CounterACT Console Hardware Requirements

Network Access Requirements

Network Deployment Requirements

Appliance Information Requirements

Enterprise Manager Information Requirements

Network Connection Requirements

CounterACT Console Hardware Requirements

The computer hosting the CounterACT Console application software is supplied by the customer. Minimum hardware requirements are:

Non-dedicated machine, running Windows XP/98/NT/2003/2000/Vista and Linux

Pentium 3, 1 GHz

512MB RAM memory. 1GB is recommended if you are working with more than 10,000 devices.

Disk Space - 100 MB

CD ROM drive

Network Access Requirements

Deploying CounterACT requires TCP/IP communication. This section details CounterACT connectivity requirements. Check your security policy (Router ACLs, etc.), and modify, if required, to allow for this communication.

Each Appliance requires a single management connection to the network. This connection requires an IP address on the local LAN and also requires Port 13000/TCP access from machines that will be running the CounterACT Console. In addition, the following are required:

| Port | Service | To/From CounterACT | Function |
|---|---|---|---|
| 22/TCP | SSH | To | Allows endpoints to access the CounterACT command line interface (CLI) |
| 25/TCP | SMTP | From | Allows CounterACT access to the enterprise mail relay |
| 80/TCP | HTTP | To | Allows HTTP redirection |
| 443/TCP | HTTPS | To | Allows HTTP redirection using SSL |
| 13000/TCP | CounterACT | To | For systems with only one Appliance: from the Console to the Appliance. For systems with more than one CounterACT Appliance: from the Console to the Enterprise Manager and from the Enterprise Manager to the Appliance |
| 53/UDP | DNS | From | Allows CounterACT access to resolve internal IP addresses |
| 123/UDP | NTP | From | Allows CounterACT access to a local time server or ntp.forescout.net. ForeScout default is set to ntp.forescout.net. |
| 161/UDP | SNMP | From | Allows CounterACT access to communicate with network switches and routers |
| 162/UDP | SNMP | To | Allows CounterACT to receive SNMP traps from network switches and routers |
| 10003/TCP | SecureConnector | To | Allows a SecureConnector tunnel between end points and the Appliance. SecureConnector enables access to unmanageable endpoints via a secure executable file that runs at the desktop while the host is connected to the network. Refer to the CounterACT Console User Manual for more information about what SecureConnector does. A SecureConnector connecting to any Appliance or the Enterprise Manager is redirected to the Appliance to which its host is assigned. Arrange connectivity of this port to all Appliances and to the Enterprise Manager to allow transparent mobility within the organization. Port 10003 is default; you can change this. |
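The port table above can be checked against the ACLs that sit in front of an Appliance. The following Python is an added example, not part of the ForeScout guide: it reports which required flows no permit rule covers and which rules open 13000/TCP to sources other than the Console hosts (plus the Enterprise Manager in multi-Appliance systems). The `Permit` rule format, the `console_sources` parameter and all addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Rows of the guide's port table: (port, protocol, direction, service).
# "to" = traffic toward CounterACT, "from" = traffic initiated by CounterACT.
REQUIRED_FLOWS = [
    (22, "tcp", "to", "SSH"),
    (25, "tcp", "from", "SMTP"),
    (80, "tcp", "to", "HTTP"),
    (443, "tcp", "to", "HTTPS"),
    (13000, "tcp", "to", "CounterACT"),
    (53, "udp", "from", "DNS"),
    (123, "udp", "from", "NTP"),
    (161, "udp", "from", "SNMP"),
    (162, "udp", "to", "SNMP"),
    (10003, "tcp", "to", "SecureConnector"),
]


@dataclass(frozen=True)
class Permit:
    """One permit rule in a hypothetical format: CIDR source and
    destination, protocol, destination port. Deny rules and rule
    ordering are out of scope for this example."""
    src: str
    dst: str
    proto: str
    port: int


def _contains(cidr: str, host: str) -> bool:
    return ip_address(host) in ip_network(cidr)


def audit(permits, appliance_ip, console_sources):
    """Return (missing_flows, broad_console_rules) for one Appliance."""
    missing = []
    for port, proto, direction, service in REQUIRED_FLOWS:
        # The Appliance is the destination of "to" flows and the
        # source of "from" flows.
        side = "dst" if direction == "to" else "src"
        covered = any(
            p.proto == proto
            and p.port == port
            and _contains(getattr(p, side), appliance_ip)
            for p in permits
        )
        if not covered:
            missing.append((port, proto, direction, service))

    # The guide requires 13000/TCP only from machines running the
    # Console, so any wider source range is reported.
    allowed = [ip_network(n) for n in console_sources]
    broad = [
        p for p in permits
        if p.proto == "tcp"
        and p.port == 13000
        and _contains(p.dst, appliance_ip)
        and not any(ip_network(p.src).subnet_of(n) for n in allowed)
    ]
    return missing, broad


# Constructed sample rule set (not taken from any real deployment).
SAMPLE_PERMITS = [
    Permit("10.1.5.0/24", "10.1.1.10/32", "tcp", 13000),
    Permit("0.0.0.0/0", "10.1.1.10/32", "tcp", 13000),
    Permit("10.0.0.0/8", "10.1.1.10/32", "tcp", 22),
    Permit("10.0.0.0/8", "10.1.1.10/32", "tcp", 80),
    Permit("10.0.0.0/8", "10.1.1.10/32", "tcp", 443),
    Permit("10.0.0.0/8", "10.1.1.10/32", "tcp", 10003),
    Permit("10.1.1.10/32", "10.1.2.25/32", "tcp", 25),
    Permit("10.1.1.10/32", "10.1.2.53/32", "udp", 53),
    Permit("10.1.1.10/32", "10.1.3.0/24", "udp", 161),
]

if __name__ == "__main__":
    missing, broad = audit(SAMPLE_PERMITS, "10.1.1.10", ["10.1.5.0/24"])
    for port, proto, direction, service in missing:
        print(f"missing: {port}/{proto} {direction} CounterACT ({service})")
    for rule in broad:
        print(f"13000/tcp open to non-Console source: {rule.src}")
```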

Network Deployment Requirements

Each Appliance must be set up at a location in which it sees vital network traffic and can protect devices connected to your switch.

CounterACT supports deployment options for:

Monitoring multiple VLANs (tagged traffic) – recommended, since it provides the best overall coverage while monitoring only a single port.

Monitoring a tagged port (802.1q tagged)

Monitoring a single VLAN (untagged)

Monitoring a single port(s) (untagged)

Important notes:

− Carefully consider the traffic to monitor.
− It is recommended to monitor the authentication traffic between end users and authentication servers.
− To notify end users via their web browsers, you need to monitor HTTP traffic between end users and the Internet/Intranet. Refer to the CounterACT Console User Manual for more information about these features.

Appliance Information Requirements

The following information regarding the CounterACT Appliance is required:

CounterACT Appliance IP address

CounterACT Appliance host name

Management interface through which Appliance and Console communicate

Network mask

Default gateway IP address

List of the company’s DNS server addresses – to allow resolving of internal IP addresses to their DNS names

Enterprise Manager Information Requirements

CounterACT Enterprise Manager IP address

CounterACT Enterprise Manager host name

Enterprise Manager Administrator password

Management interface

Network mask

Default gateway


DNS domain name

DNS server addresses

Network Connection Requirements

Network connections must allow full visibility to all response and monitor traffic.

Chapter 2: Hardware Setup

This chapter includes:

About CounterACT Installation

Appliance Interface Connections

Setting Up Switch Connections

Creating an Out-of-Band IP Management Interface

About CounterACT Installation

CounterACT is designed for installation in various environments. The configurations shown here demonstrate some of the more typical options and introduce the terminology involved in the installation. Each Appliance requires three types of connections to the network.

If your management network must be separated from the rest of your network, you can create an Out-of-Band management IP interface setup. This allows the management-related traffic to be routed through a management interface. Other traffic, for example the NAC Policy remote registry queries and HTTP notifications, is routed through standard response interfaces. See Creating an Out-of-Band IP Management Interface for more information. If you are installing CounterACT High Availability systems, the configuration and wiring are explained in Chapter 6: High Availability Systems.

Related Documents

Cisco Switches

For information regarding Cisco switches, refer to: http://www.forescout.com/support/files/docs/Configuring-Cisco-SPAN.pdf

Rack Mounting Instructions

For information regarding rack-mounting instructions, refer to:

CT/AS 100 series: http://www.forescout.com/downloads/support/CT-AS-Rail-Kit-100.pdf

CT/AS 1000/2000/4000 series: http://www.forescout.com/downloads/support/CT-AS-Rail-Kit-1000-2000-4000.pdf

Appliance Interface Connections

The Appliance is generally configured with these three connections to the network switch:

Management Interface

Monitor Interface

Response Interface

Management Interface

This interface allows you to manage CounterACT and perform queries and deep inspection of endpoints. The interface must be connected to a switch port with access to all network endpoints.

Each Appliance requires a single management connection to the network. This connection requires an IP address on the local LAN and Port 13000/TCP access from machines that will be running the CounterACT Console management application. The management port must have access to additional services. See Network Access Requirements for more information.

Monitor Interface

This connection allows the Appliance to monitor and track network traffic.

Traffic is mirrored to a port on the switch and monitored by the Appliance. Depending upon the number of VLANs being mirrored, the traffic may or may not be 802.1q VLAN tagged.

Single VLAN (untagged): When monitored traffic is generated from a single VLAN, the mirrored traffic does not need to be VLAN tagged.

Multiple VLANs (tagged): If monitored traffic is from more than one VLAN, the mirrored traffic must be 802.1q VLAN tagged. See IP Layer Response (for Layer-3-Only Core Switch Installation) for a workaround if this is not possible.

When two switches are connected as a redundant pair, the Appliance must monitor traffic from both switches. See Setting Up Switch Connections for related information.

No IP address is required on the monitor interface.

Response Interface

The Appliance responds to traffic using this interface. Response traffic is used to protect against malicious activity and to perform NAC policy actions. These actions may include, for example, redirecting web browsers or performing session blocking. The related switch port configuration depends upon the traffic being monitored.

Single VLAN (untagged): When monitored traffic is generated from a single VLAN, the response port must belong to the same VLAN. In this case, the Appliance requires a single IP address on that VLAN.

Multiple VLANs (tagged): If monitored traffic is from more than one VLAN, the response port must also be configured with 802.1q tagging for the same VLANs. The Appliance requires an IP address for each of the monitored VLANs.

Setting Up Switch Connections

The Appliance was designed to seamlessly integrate with a wide variety of network environments. To successfully integrate the Appliance into your network, verify that your switch is set up to monitor required traffic.

Depending upon the configuration, you can combine ports to reduce the number of cables/ports needed for installation. In each of these cases, the ports/cables can be either copper or fiber connections.

Standard Installation: Separate Management, Monitor and Response Ports

The recommended installation uses three separate cables as detailed in Appliance Interface Connections.

Combined Monitor and Response Port

If the switch is capable of receiving data packets into a mirrored port (for example, inpkts enable on a Cisco Catalyst switch), you can combine the monitor and response ports. This configuration is possible for both a single VLAN or a multiple VLAN installation.

Passive Inline Tap

Instead of connecting to the switch monitor port, the Appliance can use a passive inline tap.

A passive inline tap requires two monitor ports (one for upstream and one for downstream traffic), except in the case of a “recombination” tap, which combines the two duplex streams into a single port. The traffic on the tapped port and response interface must be on matching VLANs. For example, if the traffic on the tapped port is VLAN tagged (802.1q), the response port must also be a VLAN tagged port. Simply put, the response port must be configured in the same way as the monitor port.

Active (Injection Capable) Inline Tap

The Appliance can use an active inline tap. If the tap is injection capable, the Appliance combines the monitor and response ports so there is no need to configure a separate response port on the switch. This option can be used regardless of the type of upstream or downstream switch configuration.

IP Layer Response (for Layer-3-Only Core Switch Installation)

The Appliance can use its own management interface to respond to traffic. Although this option can be used with any monitored traffic, it is recommended in situations where the Appliance monitors ports that are not part of any VLAN, and cannot respond to monitored traffic using any other switch port. This is typical when monitoring a link connecting two routers. This option limits the ability to respond to ARP requests, which limits the ability of the Appliance to detect scans aimed at the IP addresses included in the monitored subnet. This limitation does not apply when traffic between two routers is being monitored.

Combined Management and Response Port (Single VLAN Only)

If the Appliance is protecting a single VLAN and the management IP is on the same VLAN, you can combine the management and response ports. This configuration is quite common for installation on an access layer switch. This configuration is not possible on a multiple VLAN installation.

Combined Management, Response and Monitor Port (Single VLAN Only)

If the Appliance is protecting a single VLAN, the management IP is on the same VLAN and the switch is capable of response into the monitor port, then all the cables can be combined into a single port. This configuration is quite common for installation on an access layer switch. This configuration is not possible on a multiple VLAN installation.

Switch Setting Guidelines

VLAN (802.1q) Tags

Monitoring a Single VLAN (untagged): If the monitored traffic is from a single VLAN, then traffic does not need 802.1q tags.

Monitoring Multiple VLANs (tagged): If the monitored traffic is from two or more VLANs, then both the monitored and response ports must have 802.1q tagging enabled. Monitoring multiple VLANs is recommended as it provides the best overall coverage while minimizing the number of mirroring ports.

If the switch cannot use a VLAN tag on the mirroring port, then perform one of the following:

− Mirror only a single VLAN
− Mirror a single, untagged uplink port
− Use the IP Layer response option

If the switch can only mirror one port, then mirror a single uplink port. This may be tagged. In general, if the switch strips the VLAN tags, you must use the IP Layer response option.

Additional

If the switch cannot mirror both transmitted and received traffic, then either monitor the entire switch or complete VLANs (this provides transmit/receive) or monitor just one interface (which does allow transmit/receive). Verify that you do not overload the mirroring port.

Some switches (e.g. Cisco 6509) may require that former port configurations be completely deleted before entering new configurations. Not deleting old port information commonly causes the switch to strip 802.1q tags.

Creating an Out-of-Band IP Management Interface

If your management network must be separate from the rest of your network, you can create an Out-of-Band IP management interface setup. When you do this, management-related traffic is transmitted through the management interface, while other traffic (for example, the NAC Policy remote registry queries and HTTP notifications) is transmitted through another interface. If this is the case, both interfaces will have an IP address.

In order to create such a setup, first create an Out-of-Band IP management interface. If necessary, you may need to configure a gateway and routing rules. These tasks can be carried out by running the fstool netconfig command.

To create and configure the interface:

1. Log into the CounterACT Appliance as root.

2. Run the following command.

fstool netconfig

The following menu opens:

CounterACT Machine Network Configuration Options:

1) Configure network interfaces

2) Configure default gateway

3) Configure static routing rules

4) Restart network services

5) Quit

Choice (1-5): 1

3. Type 1 to configure the interface as required. After creating the interface, the menu reopens.


4. Type either 2 to Configure default gateway or 3 to Configure static routing rules.

The current Machine Static Routing Table Configuration opens. You will be prompted if no routing has been defined.

5. Type A and then press Enter to choose an interface in which to add a route.

A menu opens with the interface you selected and configuration parameters. Sample configuration parameters:

1) eth0 Address: 10.0.4.197 Netmask: 255.255.255.0

Choice (1-1) : 1

6. Press Enter to configure the routing.

Sample Configuration:

Destination Net IP address : 13.0.0.0

Destination Genmask IP address : 255.0.0.0

Gateway IP address [0.0.0.0] : 10.0.4.108

-----------------------------------------------------

CounterACT Machine Static Routing Table Configuration

-----------------------------------------------------

Destination Gateway Genmask Iface

13.0.0.0 10.0.4.108 255.0.0.0 eth0

12.0.0.0 10.0.4.108 255.0.0.0 eth0

11.0.0.0 10.0.4.109 255.0.0.0 eth0

(E)dit,(A)dd ,(D)elete,(S)ave,(B)ack :

7. Type S and press Enter to save the configuration.

Additional Example

In this example, the CounterACT device has one in-band interface on the Intranet, and one Out-of-Band interface on the management segment. The mail server also has interfaces on both the Intranet and the management segment. In this example, mails from the CounterACT device need to be routed through the management segment to the mail server, and then sent to the Intranet.

To configure the mail routing:

1. Run the following command.

fstool netconfig

The following menu opens:

CounterACT Machine Network Configuration Options:

1) Configure network interfaces

2) Configure default gateway

3) Configure static routing rules

4) Restart network services

5) Quit

Choice (1-5): 3

2. Type 3 and then A to add an interface.

3. When prompted, choose the interface to the management segment.

4. Configure the Destination Net IP Address to the IP address of the mail server.

5. Configure the Destination Genmask to 255.255.255.255.

6. Configure the Gateway IP Address to the default gateway of the management interface.
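The routing entries in the two procedures above can be sanity-checked before they are typed into the fstool netconfig menu. The following is an added example, not part of the original guide or of ForeScout's tooling: the function names are assumptions, the eth0 routes are the guide's sample values, and the mail-server route uses constructed documentation addresses. It checks that the Genmask is a contiguous netmask, that the destination has no host bits set under it, and that the gateway is directly reachable on the chosen interface.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_to_prefix(genmask):
    """Return the prefix length of a dotted netmask, or None if the mask is
    not a contiguous run of 1-bits (for example 255.0.255.0)."""
    mask = int(ipaddress.IPv4Address(genmask))
    host_bits = ~mask & ALL_ONES
    if host_bits & (host_bits + 1):      # host part must look like 0...01...1
        return None
    return 32 - host_bits.bit_length()


def check_route(dest, genmask, gateway, if_addr, if_netmask):
    """Return a list of problems with one static route entry (empty = OK)."""
    iface = ipaddress.ip_interface(f"{if_addr}/{if_netmask}")
    prefix = mask_to_prefix(genmask)
    if prefix is None:
        return [f"Genmask {genmask} is not a contiguous netmask"]

    problems = []
    dest_int = int(ipaddress.IPv4Address(dest))
    mask_int = int(ipaddress.IPv4Address(genmask))
    if dest_int & ~mask_int & ALL_ONES:
        net = ipaddress.ip_network(f"{dest}/{prefix}", strict=False)
        problems.append(
            f"destination {dest} has host bits set under {genmask}; "
            f"the network address is {net.network_address}"
        )

    gw = ipaddress.IPv4Address(gateway)
    # Assumption: 0.0.0.0 (the default shown in the prompt) means "no gateway",
    # i.e. the destination is directly connected, so there is nothing to check.
    if int(gw) != 0:
        if gw not in iface.network:
            problems.append(
                f"gateway {gw} is not on {iface.network}, "
                "the subnet of the chosen interface"
            )
        elif gw == iface.ip:
            problems.append(f"gateway {gw} is the interface's own address")
    return problems


# eth0 and the three routes shown in the guide's sample routing table.
IFACE = ("10.0.4.197", "255.255.255.0")
GUIDE_ROUTES = [
    ("13.0.0.0", "255.0.0.0", "10.0.4.108"),
    ("12.0.0.0", "255.0.0.0", "10.0.4.108"),
    ("11.0.0.0", "255.0.0.0", "10.0.4.109"),
]

# Constructed values for the mail-routing example: a management interface,
# a mail server reached by a host route, and the management default gateway.
MGMT_IFACE = ("192.0.2.10", "255.255.255.0")
MAIL_ROUTE = ("198.51.100.25", "255.255.255.255", "192.0.2.1")

# Constructed mistakes of the kind the checks are meant to catch.
BAD_ROUTES = [
    ("13.0.0.5", "255.0.0.0", "10.0.4.108"),    # host bits set in destination
    ("13.0.0.0", "255.0.255.0", "10.0.4.108"),  # non-contiguous Genmask
    ("13.0.0.0", "255.0.0.0", "10.0.5.1"),      # gateway on another subnet
]

if __name__ == "__main__":
    for route in GUIDE_ROUTES + BAD_ROUTES:
        issues = check_route(*route, *IFACE)
        print(route, "OK" if not issues else issues)
    print(MAIL_ROUTE, check_route(*MAIL_ROUTE, *MGMT_IFACE) or "OK")
```
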

Chapter 3: Appliance Setup, Configuration, Installation and Post-Installation

This chapter includes:

Setting Up an Appliance

Installing an Appliance

Post-Installation Procedures

Installing a High Availability System

Integrate the Appliance with Remote Management Module 2 (RMM2)

Verifying FIPS Compliance

Enabling FIPS Mode

Additional Installation Tools

Setting Up an Appliance

1. Remove the following items from the shipping container.

Appliance

Power cord

2. Connect the power cord to the power connector on the Appliance rear panel. See Connect an Appliance to the Network for a diagram that details a sample rear panel.

3. Connect the other end of the power cord to a grounded AC outlet.

4. Set up the keyboard and monitor to the Appliance or set up the Appliance for serial connection. See Serial Port Setup.

5. Power on the Appliance from the front panel.

6. If the Appliance is installed in the location at which it will operate, connect it to the network. For information about performing this connection, see Connect an Appliance to the Network. If the Appliance is not in its final location, you can perform the Appliance configuration now and connect it to the network later.

Serial Port Setup

If you cannot carry out the installation with a keyboard and monitor, it can be performed using a remote serial port connection.

If you are working with the CT- Remote Appliance, you cannot perform the full installation via a serial port.

Verify that you have the following:

A CounterACT Appliance with a serial port

Another computer that will act as the client to control the installation process. Verify that all output is redirected and displayed on the terminal client

A serial cable (supplied with the Appliance)

A terminal client, such as "Hyper Terminal" (Windows) or "minicom" (Linux)

To set up a serial port connection:

7. Connect the two computers to each other. Connect the serial cross-cable to the CounterACT computer.

8. Configure the terminal client according to the following parameters:

Baud: 19200
Parity: None
Data Bit: 8
Stop Bits: 1
Flow Control: None (minicom enables flow control by default - edit the configuration to disable)
Emulation: ANSI (at least for minicom)

You may have to type the following command at the boot prompt in order to see the output on the computer connected through the serial cable. Note that you may not see the text as you type this.

− Type the following for CT-100: console=ttyS0,19200
− Type the following for CT-1000/200: console=ttyS1,19200

9. Continue the setup procedure according to Installing an Appliance.

Installing an Appliance

Numerous configuration definitions set here can later be updated through the CounterACT Console. Refer to the CounterACT Console User Manual for more information.

1. Power on the Appliance.

The FIPS (Federal Information Processing Standard) option lets you configure CounterACT to meet FIPS 140-2 (level 2) requirements. This option is only recommended for CounterACT deployments in the US Federal government, where FIPS is required. See Enabling FIPS Mode for more information.

When this is complete, the following menu opens:

1) Configure CounterACT- X.X.X
2) Restore saved CounterACT- X.X.X configuration
3) Identify network interfaces
4) Configure keyboard layout
5) High Availability Setup
6) Enable FIPS
7) Turn machine off
8) Reboot the machine

Choice (1-8) : 3

During configuration, you are asked to specify the Ethernet monitor interfaces and response interfaces.

2. Once these parameters are determined, connect the interface cables to the associated Ethernet ports.

3. In order to identify and mark the ports on the rear panel, type 3 and press Enter.

A menu opens indicating which interface has been detected. The associated port LED blinks on the rear panel.

4. Mark the port on the panel so it is easily identifiable and press Enter.

Another menu opens indicating the next detected interface. The associated port LED now blinks.

5. Mark this port as well and press Enter. This process continues until all active interfaces are detected.

6. Once all interfaces have been detected, press Enter.

The following menu reopens:

1) Configure CounterACT- X.X.X
2) Restore saved CounterACT- X.X.X configuration
3) Identify network interfaces
4) Configure keyboard layout
5) High Availability Setup
6) Enable FIPS
7) Turn machine off
8) Reboot the machine

Choice 1-8: 1

7. Type 1 and press Enter. The following menu opens:


>>>>>> CounterACT Initial Setup <<<<<<

You are about to setup CounterACT. During the initial setup process you will be prompted for basic parameters that are essential to connect to this machine. Once this phase is done, you will be instructed to complete the setup by connecting to the machine via CounterACT GUI. Continue (yes/no)? [yes]:

8. Press Enter to continue. The following menu opens:

>>>>>> CounterACT Component Selection <<<<<<

Choose component to install:

1. CounterACT Appliance

2. CounterACT Enterprise Manager

Choice : 1

9. Type 1 and press Enter. The setup is initialized. This may take a moment. The following menu opens:

>>>>>> Setting Host Name <<<<<<

Enter the ForeScout Linux Operating System host name. It is recommended that the host name you set will be unique.

10. Type a host name. This name can be used when logging into the Console. In addition, it is used at the Console to help you identify the CounterACT Appliance you are viewing. The following menu opens:

>>>>>> Setting Description <<<<<<

Enter a short description of this Appliance (e.g. New York office).

Description:

11. Type a unique description for this Appliance. The following menu opens:

>>>>> CounterACT Appliance Administrator Password <<<<<<

This password is used to login as 'root' to the CounterACT Linux Operating System and to the CounterACT Console. The password should be between 6 and 15 characters long and should contain at least one non-alphabetic character.

CounterACT administrator password:

Verify password:

12. Type a password to use when logging into the Appliance and the Console and press Enter.


13. Retype the password. If you forget it after completing the setup, you can create a new one from the Console. Refer to the Console Online Help.

Log into the Appliance as root and log into the Console as admin.

After the password is saved, the following menu opens:

>>>>>> Network Settings <<<<<<

Management interface (one of: eth0, eth1, eth2, eth3, eth4, eth5, eth6, eth7, eth8) : eth0

Appliance IP address : 10.0.4.194
Network mask [255.255.255.0] :
Default gateway : 10.0.4.253
DNS domain name: qa.def.dom
DNS server addresses: 10.0.0.3 10.0.0.4

14. Type in network parameters at each of the relevant prompts and press Enter.

15. The management interface is the interface through which CounterACT components communicate. Add a VLAN ID for the interface option only if the interface used to communicate between CounterACT components is plugged into a tagged port. The DNS resolves internal IP addresses. While most internal DNS servers may resolve external addresses as well, some may not. Thus you may have to include an externally-resolving DNS server at the end of the list. Nearly all DNS queries performed by the Appliance will be for internal addresses, so the internal servers must be listed first.

After entering the last parameter, you are prompted to perform general connectivity tests, reconfigure settings, or complete the setup:

>>>>>> Configuration Summary <<<<<<

Host name: q4blade
Interface: eth0
IP address: 10.0.4.197
Network mask: 255.255.255.0
Default gateway: 10.0.4.253
DNS server: 10.0.0.3 10.0.0.4
Domain name: qa.def.dom

(T)est,(R)econfigure,(D)one : T

16. Type T and press Enter to verify the following:

− Connected interfaces
− Connectivity of the default gateway
− DNS resolution

Results will indicate if any test failed so that you can reconfigure as needed.

If there are no failures, the following menu opens:


Checking eth0...OK. (100Mb/s Full duplex)

Checking default gateway...OK.

Checking DNS resolution...OK.

Press ENTER to review configuration summary

17. Press Enter and type D to complete the installation.

The following menus open:

Finalizing setup -: Done.

Starting CounterACT Appliance: Done.

>>>>>> CounterACT Installation is Complete <<<<<<

The Appliance installation is complete. The Setup Wizard, automatically initiated from the CounterACT Console, will guide you through the rest of the Appliance setup.

Use the following URL to install the Console: http://10.0.4.227/guisetup.html

- If you want to use this Appliance as a standalone, continue the setup by logging in to the Appliance at the Console and completing the Wizard.

- If you want to register this Appliance with an Enterprise Manager that has already been setup, log in to the Enterprise Manager and register it from the Options window. Open this window by selecting the Options icon on the Consoler toolbar. After it has been registered, the Setup Wizard will guide you through the setup steps.

Press ENTER to clear the screen

18. Press Enter to start work using the evaluation license, which is valid for 30 days unless you request and receive an extension. During this period, you should have received a permanent license from ForeScout and placed it in an accessible folder on your disk or network. Install the license from this location before the 30-day demo license expires.

You will be alerted that your license is about to expire in a number of ways:

− Through periodic email reminders

− Through the Status and License columns in the CounterACT Devices pane (accessible through the Options icon from the Main Console), which will indicate how many days remain until the license expires.

− Through the Status pane in the CounterACT Devices pane, which also shows the time until license expiration.

− Through an icon and tooltip on the Console, Status bar.

Refer to the CounterACT Console User Manual located on the CounterACT CD in the /docs folder for information about installing the license.

Post-Installation Procedures

After installing an Appliance, perform the following tasks:

Connect an Appliance to the Network

Integrate the Appliance with Remote Management Module 2 (RMM2)

Verify the Management Interface Connection

Verify Switch/Appliance Connectivity

Perform a Ping Test

Generate a Configuration Summary for an Appliance

Upgrade to the New Version

Install the CounterACT Console. See Chapter 5: Installing the CounterACT Console.

Run the Installation Wizard. Refer to the CounterACT Console User Manual.

Connect an Appliance to the Network

During configuration, you are asked to specify the Ethernet monitor and response interfaces. Once these parameters are determined, connect the interface cables to the associated Ethernet port on the rear panel of the Appliance.

Integrate the Appliance with Remote Management Module 2 (RMM2)

CounterACT supports Intel Remote Management Module 2 (RMM2) integration with CT1000/2000/4000 components. The module is an integrated server system solution that gives you location-independent/OS-independent remote access over the LAN or Internet to CounterACT Appliances/Enterprise Managers. The RMM2 module is used to carry out KVM access, power on/off/reset and troubleshooting and maintenance tasks. Perform the following in order to set up and run the module:

1. Set up the Module

The RMM2 connects to an Ethernet network. It is customary to connect it to a management network. For more information about the RMM2 module and connecting it to the network, refer to the Intel Remote Management Module 2 User Guide:

ftp://download.intel.com/support/motherboards/server/sb/d93678001_rmm2_user_guide.pdf

2. Acquire an IP

Use DHCP

If available, use DHCP to acquire an IP. The MAC address of the RMM2 module is indicated near the RMM2 port and on the appliance documents.

Without Using DHCP

If DHCP is not available, use the psetup utility on a computer connected to the same broadcast domain as the RMM2. Psetup is a utility that is used to probe and configure the Intel RMM2. Setup links are shown below.

Psetup for Windows

http://www.forescout.com/support/files/utils/psetup/psetup_1.2.3.exe

md5: 551f0c2bd8a801ed3b3d24febb0cfe70

size: 139264

Psetup for Linux

You must run the utility in a GUI Linux environment (X Windows).

http://www.forescout.com/support/files/utils/psetup/psetup1.2.2

md5: 358350dbf9d4438aad22b8c265136bca

size: 1566036

Linux Release Notes

http://www.forescout.com/support/files/utils/psetup/ReleaseNotes_Psetup_Linux_V122.txt

md5: a3fba30b7a60c97fd9a66b03d9917d6b

size: 4133

See the RMM2 user guide for more details:

ftp://download.intel.com/support/motherboards/server/sb/d93678001_rmm2

3. Access and Configure the Module

In general no configuration is required. It is highly recommended, however, to update the default password.

Enter the IP address of the RMM2 module in your browser to access the management module.

1. The Intel Remote Management Module 2 page opens.

2. Log in. The default username is admin and the default password is password. The main screen opens.

3. Select the User Management > Change Password menu option.

4. Update the password and log in again.

5. Select Device Settings from the main screen and configure the module as required.

Verify the Management Interface Connection

Test the management interface connection to verify that the management interface is correctly configured.

To run the test:

1. Log into the Appliance.

2. Run the following command:

fstool linktest

The following information is displayed:

Management Interface status

Pinging default gateway information

Ping statistics

Performing Name Resolution Test

Test summary

Verify Switch/Appliance Connectivity

Verify that the switch is properly connected to the Appliance:

To verify connectivity:

1. At the Appliance for each interface detected, run the following command:

fstool ifcount

This tool continuously displays network traffic on the specified interfaces. It works in two modes: per interface or per VLAN (during the display, the mode can be changed). The tool displays the total bits per second and the percentage of traffic for the various interfaces. For example, to view traffic information for each interface, run the following command (separate each interface with a space):

[root@CounterACT root]# fstool ifcount eth0 eth1 eth2

Note that:

− The monitor interface primarily sees mirrored traffic above 90%.
− The response interface primarily sees broadcast traffic.
− Both the monitor and response interfaces see the expected VLANs.

2. Proceed by entering one of the following commands:

V – display in VLAN mode
I – display in interface mode
P – show previous
N – show next
q – quit displaying

VLAN Mode:

update=[4] [eth3: 14 vlans]
Interface/Vlan  Total   Broadcast  Mirrored  *To my MAC  *From my MAC
eth3.untagged   4Mbps   0.2%       99.8%     0.0%        0.0%
eth3.1          9Mbps   0.0%       100.0%    0.0%        0.0%
eth3.2          3Mbps   0.1%       99.9%     0.0%        0.0%
eth3.4          542bps  100.0%     0.0%      0.0%        0.0%
eth3.20         1Kbps   100.0%     0.0%      0.0%        0.0%
Show [v]lans [i]nterfaces <-[p]rev [n]ext-> [q]uit

Interface Mode:

update=[31] [eth0: 32 vlans] [eth1: 1 vlans]
Interface  Total   Broadcast  Mirrored  To my MAC  From my MAC
eth0       3Kbps   42.3%      0.0%      14.1%      43.7%
eth1       475bps  0.0%       100.0%    0.0%       0.0%

*To my MAC - destination MAC is the Appliance's MAC.

*From my MAC - traffic sent by this Appliance (source MAC is the Appliance's MAC, destination can be broadcast or unicast).

3. If you do not see any traffic, verify that the interface is up and running using the following command at the Appliance:

[root@CounterACT root]# ifconfig [interface name] up
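The three checks listed under "Note that" can be applied mechanically to a captured ifcount screen. The following is an added example, not part of the original guide or of ForeScout's tooling: it assumes the column layout of the guide's sample screens, reads "primarily sees broadcast" as "broadcast share is not below the mirrored share", and the eth4 response rows, role assignments and expected VLAN list are constructed for illustration.

```python
import re

# One data row of an ifcount screen: name, total rate, then four percentages.
# The guide shows bps, Kbps and Mbps; Gbps is assumed by analogy.
ROW = re.compile(
    r"^(?P<name>eth\d+(?:\.(?:untagged|\d+))?)\s+"
    r"(?P<total>\d+(?:\.\d+)?)(?P<unit>[KMG]?)bps\s+"
    r"(?P<bcast>[\d.]+)%\s+(?P<mirr>[\d.]+)%\s+(?P<to>[\d.]+)%\s+(?P<frm>[\d.]+)%$"
)
UNIT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_ifcount(text):
    """Turn a captured ifcount screen into a list of per-interface/VLAN rows."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # column header, update counter, key help, blank lines
        iface, _, vlan = m["name"].partition(".")
        rows.append({
            "iface": iface,
            "vlan": vlan,  # "" in interface mode, else "untagged" or a VLAN ID
            "bps": int(float(m["total"]) * UNIT[m["unit"]]),
            "broadcast": float(m["bcast"]),
            "mirrored": float(m["mirr"]),
        })
    return rows


def check(rows, monitor, response, expected_vlans, min_mirrored=90.0):
    """Apply the guide's three notes; return (finding, interface.vlan) tuples."""
    findings = []
    seen = {monitor: set(), response: set()}
    for r in rows:
        if r["iface"] not in seen:
            continue
        label = r["iface"] + ("." + r["vlan"] if r["vlan"] else "")
        if r["vlan"]:
            seen[r["iface"]].add(r["vlan"])
        # Note 1: the monitor interface should see mostly mirrored traffic.
        if r["iface"] == monitor and r["mirrored"] < min_mirrored:
            findings.append(("low-mirrored", label))
        # Note 2: the response interface should see mostly broadcast traffic.
        if r["iface"] == response and r["broadcast"] < r["mirrored"]:
            findings.append(("response-sees-mirror", label))
    # Note 3: both interfaces should see every expected VLAN.
    for iface in (monitor, response):
        for vlan in sorted(set(expected_vlans) - seen[iface], key=int):
            findings.append(("vlan-missing", f"{iface}.{vlan}"))
    return findings


# The VLAN-mode screen as printed in the guide (eth3 is taken as the monitor port).
GUIDE_VLAN_SCREEN = """\
VLAN Mode: update=[4] [eth3: 14 vlans]
Interface/Vlan Total Broadcast Mirrored *To my MAC *From my MAC
eth3.untagged 4Mbps 0.2% 99.8% 0.0% 0.0%
eth3.1 9Mbps 0.0% 100.0% 0.0% 0.0%
eth3.2 3Mbps 0.1% 99.9% 0.0% 0.0%
eth3.4 542bps 100.0% 0.0% 0.0% 0.0%
eth3.20 1Kbps 100.0% 0.0% 0.0% 0.0%
Show [v]lans [i]nterfaces <-[p]rev [n]ext-> [q]uit
"""

# Constructed rows for a response port (eth4) that is missing VLAN 20.
CONSTRUCTED_RESPONSE_ROWS = """\
eth4.1 2Kbps 100.0% 0.0% 0.0% 0.0%
eth4.2 1Kbps 98.0% 0.0% 0.0% 2.0%
eth4.4 300bps 100.0% 0.0% 0.0% 0.0%
"""

SAMPLE = GUIDE_VLAN_SCREEN + CONSTRUCTED_RESPONSE_ROWS
EXPECTED_VLANS = {"1", "2", "4", "20"}   # constructed: VLANs meant to be covered

if __name__ == "__main__":
    for kind, where in check(parse_ifcount(SAMPLE), "eth3", "eth4", EXPECTED_VLANS):
        print(f"{kind:22} {where}")
```

A "low-mirrored" finding on a VLAN that carries only a few hundred bits per second may simply reflect an idle VLAN, so treat it as a prompt to recheck the mirror configuration for that VLAN rather than as proof of a fault.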

Perform a Ping Test

Run the following command from the Appliance to a network desktop to verify connectivity:

Ping [network desktop IP]

By default, the Appliance itself does not reply to ping.

Generate a Configuration Summary for an Appliance

You can generate a configuration summary of Appliances in your enterprise including, for example, the Appliance version, channel, switch, and additional networking information. This makes it easier to:

Identify a missing configuration at a glance.

Document an Appliance configuration so that a replacement system can be easily configured.

To generate a summary:

1. Log into the Appliance.

2. Run the following command:

fstool netconfig_sum

The following menus open:

Version information
Version
Build number
Internal Version
Build date

Host information
Hostname
Domain name
Dns

Network information
Gateway
eth0 Address: Netmask:

3. Provide the information required.

Upgrade to the New Version

The Installer program automatically identifies an earlier Appliance version on your system. Upgrade options allow you to either maintain the configuration parameters from the previous version or define new parameters.

Review the version Release Notes for important information before performing an upgrade. The Release Notes are located on your CounterACT CD ROM under the /docs folder and on the ForeScout web site.

Upgrading with the CD

1. Insert the CounterACT Installation CD ROM into its drive.

2. Login as root.

3. Mount the CD ROM with the following command:

mount /mnt/cdrom

4. At the prompt, run the following commands:

cd /mnt/cdrom

./ca_setup

A prompt indicates that you are about to upgrade the software. These procedures are detailed in Installing an Appliance. You can maintain previous values, which appear as the default, or define new values.

Upgrading from the Console

You can also perform the software upgrade from the Console. If you upgrade from the Console, you cannot update the installation parameters. For complete procedures, refer to the Console User Manual.

Installing a High Availability System

If you are working with a High Availability system, install CounterACT using the procedure described in Enabling FIPS Mode. Then install the nodes as described in Chapter 6: High Availability Systems.

Verifying FIPS Compliance

To verify that your system is FIPS (Federal Information Processing Standard) compliant, log into the Appliance/Enterprise Manager and run the following command:

fstool version

The following information is displayed:

[root@haha-em-1 root]# fstool version

CounterACT Appliance version information
----------------------------------------
Version : X.X.X
Build date : Mon Dec 31 09:29:27 2007
High Availability supported : No
FIPS supported : Yes

Enabling FIPS Mode

The FIPS option lets you configure CounterACT to meet FIPS 140-2 (level 2) requirements. This option is only recommended for CounterACT deployments in the US Federal government, where FIPS is required. SSH cannot be used to connect to Appliances in FIPS mode.

To install CounterACT to operate in FIPS mode:

1. Install all enterprise Appliances in FIPS mode.

− When installing the Appliance at the Data Center, type 6 and press Enter.

1) Configure CounterACT- X.X.X
2) Restore saved CounterACT- X.X.X configuration
3) Identify network interfaces
4) Configure keyboard layout
5) High Availability Setup
6) Enable FIPS
7) Turn machine off
8) Reboot the machine
Choice (1-8) : 6

2. To continue, follow the directions in Installing an Appliance.

3. SSH is blocked since it is not FIPS-140-2 Level 2 compliant. Therefore, a terminal application is added. To use the terminal:

− Run the fsterm.bat file located in the current directory at the location at which the Console is installed. For example, C:\Program Files\ForeScout CounterACT\GuiManager\current\fsterm.bat.

− Create a shortcut to easily open the file.

Additional Installation Tools

This section details additional tools that can be used for the installation.

Configuring the Interface Speed/Duplex

You can modify the default interface speed and duplex values.

1. Log into the CounterACT Appliance.

2. Run: fstool ethset

Interface speeds and duplex configuration:

Interface Driver Cur-Speed/Duplex Conf-Speed/Duplex Link Status

eth0 e100 100baseT/Half Auto/Auto link ok

eth1 e100 Auto/Full Auto/Auto link ok

The current interface speed and duplex configuration opens (as above) along with the following message.

CounterACT Interface Speeds and Duplex Configuration Options:

1) Edit interface speeds and duplex options

2) Blink interfaces

3) Quit

Choice (1-3) : 1

3. Type 1 and press Enter to display a list of available Ethernet ports.

4. Choose the interface to configure and press Enter. The current configuration opens along with configuration options. The following menu shows an example:

Choose eth0 configuration:

1) Auto
2) 10baseT/Half
3) 10baseT/Full
4) 100baseT/Half
5) 100baseT/Full
6) 1000baseT/Full

5. Configure as required and press Enter.

6. Type 2 and press Enter to identify the Ethernet interfaces (ports).

Restoring System Settings

Backup and restore procedures allow you to save your system settings and later restore them to an Appliance. Use this feature in cases of Appliance hard drive failures or when data on an Appliance is lost for any other reason. Refer to the CounterACT Console User Manual for more information.

To restore:

1. Power on the Appliance. When it finishes booting, the following menu opens:

CounterACT boot is complete.

Press Enter to continue.

2. Press Enter to start the restore procedure. The following menu opens:

1 – Configure CounterACT-X.X.X
2 – Restore saved CounterACT-X.X.X configuration
3 – Identify network interfaces
4 – Configure keyboard layout
5 – Turn machine off
Choice (1-5): 2

3. Type 2 and press Enter.

The following menu opens:

Restore options:

1) Restore from USB storage device
2) Restore from CD-ROM
3) Restore from floppy diskette
4) Get shell prompt
5) Cancel

Choice (1-5) :

4. Select the relevant restore option and press Enter.

The following menu opens:

The restore process will now search for backup files in the selected media. Note that backup file names must have a ".fsb" extension. Insert the media where the backup file reside and press ENTER to continue

5. Insert the media where the backup file resides and press Enter.

The following menu opens, displaying all .fsb files found on the media:

Searching for backup files in USB storage device(s)...

Choose backup file:

1) qcc-V4.0.3-2004_12_22_15_27.fsb

2) Cancel

Choice (1-2) :

6. Select the relevant backup option and press Enter.

The following menu opens:

Verifying /tmp/usbmnt/qcc-V4.0.3-2004_12_22_15_27.fsb...
-------------------------
Backup Volume Information
-------------------------

Product : CounterACT
Host-name : qcc
Address : X.x.x.x
Backup date : Wed Dec 22 15:27:43 IST 2004

Restore? (yes/no) :

7. Type yes and press Enter.

The following information is displayed:

************** CounterACT version X.X.X Restore **************

>>> Installing Packages <<<…

Checking stored Packages...... done.

>>> Configuring the System <<<…

>>> Installing Database <<<

Creating database... done.…

Restoring... done.

Installation log written to /tmp/CounterACT-install.log

The Operating System will now reboot in order to complete the CounterACT restore process.

Chapter 4: Installing the Enterprise Manager

This chapter includes:

About the Installation

Setting Up the Enterprise Manager

Installing the Enterprise Manager

Post-Installation Procedures

Gradual Upgrade

Restoring System Settings

About the Installation

This section details the Enterprise Manager setup and configuration procedures. Numerous configuration definitions set here can later be updated through the CounterACT Console. Refer to the CounterACT Console User Manual for more information. If you are implementing a multiple CounterACT solution, set up and configure CounterACT on each Appliance and install and configure the Enterprise Manager on another Appliance.

Setting Up the Enterprise Manager

1. Remove the following items from the shipping container:

Enterprise Manager

Power cord

2. Connect the power cord to the power connector on the rear panel of the Enterprise Manager. See Connect the Enterprise Manager to the Network.

3. Connect the other end of the power cord to a grounded AC outlet.

4. Set up the keyboard, mouse and monitor to the Appliance or set up the Enterprise Manager for serial connection. See Serial Port Setup.

5. Power on the Enterprise Manager from the front panel.

Installing the Enterprise Manager

1. Power on the Enterprise Manager.

The FIPS option lets you configure CounterACT to meet updated FIPS 140-2 (Federal Information Processing Standard) requirements. This option is only recommended for CounterACT deployments in the US Federal government, where FIPS is required.

After this is complete, the following menu opens:

Options:

1) Configure X.X.X
2) Restore saved X.X.X configuration
3) Identify network interfaces
4) Configure keyboard layout
5) High Availability Setup
6) Enable FIPS
7) Turn machine off
8) Reboot the machine
Choice (1-8) : 1

2. Type 1 and press Enter.

The following menu opens:

>>>>>> CounterACT Initial Setup <<<<<<

You are about to setup CounterACT. During the initial setup process you will be prompted for basic parameters used to connect this machine to the network.

When this phase is complete, you will be instructed to continue the setup from the CounterACT Console.

Continue (yes/no)? [yes]:

3. Press Enter. The following menu opens:

>>>>>> CounterACT Component Selection <<<<<<

Choose component to set up:

1. CounterACT Appliance

2. CounterACT Enterprise Manager

Choice: 2

4. Type 2 and press Enter.

The setup is initialized. This may take a few moments. The following menu opens:

>>>>>> Setting Host Name <<<<<<

Enter the Enterprise Manager host name. It is recommended to choose a unique host name.

Host name:

5. Type a name that can be used when logging into the Console. This name is also displayed at the Console to help you identify the Enterprise Manager with which you are working.

The following menu opens:

>>>>>> Enterprise Manager Administrator Password <<<<<<

This password is used to login as 'root' to the Enterprise Manager Operating System and as 'admin' to the CounterACT Console. The password should be between 6 and 15 characters long and should contain at least one non-alphabetic character.

Enterprise Manager Administrator Password:

Verify password:

6. Type the password to use when logging into the Appliance and Console.

7. Retype the password. If you forget the password after completing the setup, you can create a new one from the Console. Refer to the Console Online Help.

Log into the Appliance as root and log into the Console as admin.

The following menus open:

Saving password... done.

>>>>>> Network Settings <<<<<<

Management interface (one of: eth0, eth1, eth2, eth3, eth4, eth5, eth6, eth7, eth8): eth0

Enterprise Manager IP address:

Network mask [255.255.255.0]:

Default gateway :

DNS domain name:

DNS server addresses:

8. Enter each parameter and press Enter.

The management interface is the interface through which CounterACT components communicate. Add a VLAN ID for the interface option only if the interface used to communicate between CounterACT components is plugged into a tagged port.

The DNS servers are used to resolve internal IP addresses. While most internal DNS servers can also resolve external addresses, some cannot, so it may be necessary to include an externally-resolving DNS server at the end of the list. Nearly all DNS queries performed by the Appliance are for internal addresses, so the internal servers must be listed first.

After you enter the last parameter, the following menu opens:

>>>>>> Configuration Summary <<<<<<

Host name: q4blade

Interface: eth0

IP address: 10.0.4.197

Network mask: 255.255.255.0

Default gateway: 10.0.4.253

DNS server: 10.0.0.3 10.0.0.4

Domain name: qa.def.dom

(T)est,(R)econfigure,(D)one : T

9. Type T and press Enter. You are prompted to perform general connectivity tests, to reconfigure settings, or to complete the setup. If any of the tests fail, you will be asked to reconfigure your network parameters.

Checking eth0...OK. (100Mb/s Full duplex)

Checking default gateway...OK.

Checking DNS resolution...OK.

Press ENTER to review configuration summary

10. Press Enter to review the configuration summary and type D.

The following menu opens:

Finalizing setup -: Done.

Starting CounterACT Enterprise Manager: Done.

>>>>>> CounterACT Initial Setup is Complete <<<<<<

CounterACT Console will guide you through the rest of the Enterprise Manager setup.

Use the following URL to install the CounterACT Console:

http://10.0.4.228/guisetup.html

Press ENTER to clear the screen

11. Press Enter to start working using the evaluation license, which is valid for 30 days. You must install a permanent license before this period expires. You will be contacted via e-mail regarding the expiration date. Refer to the CounterACT Console User Manual located on the CounterACT CD in the /docs folder for information about installing the license.

Post-Installation Procedures

After installing the Enterprise Manager, perform the following tasks:

Connect the Enterprise Manager to the Network

Integrate with a Remote Management Module 2 (RMM2)

Upgrade to the New Version

Connect the Enterprise Manager to the Network

During the Enterprise Manager configuration, you are asked to specify the network interface. Once this parameter is determined, connect the interface cable to the associated Ethernet port on the rear panel of the Appliance.

Integrate with a Remote Management Module 2 (RMM2)

CounterACT supports Intel Remote Management Module 2 (RMM2) integration with CT1000/2000/4000 components. The Intel RMM2 is an integrated server system solution that gives you location-independent, OS-independent remote access over the LAN or Internet to CounterACT Appliances/Enterprise Managers. The RMM2 module is used to carry out KVM access, power on/off/reset and perform troubleshooting and maintenance tasks. See Integrate the Appliance with Remote Management Module 2 (RMM2) for details.

Upgrade to the New Version

The Installer program automatically identifies any earlier CounterACT versions on your system.

Review the CounterACT Release Notes for important upgrade information. The Release Notes are located on your CounterACT CD ROM under the /docs folder and on the ForeScout web site.

Upgrade options allow you to either maintain the configuration parameters from the previous version or define new configuration parameters.

Upgrading with the CD

1. Insert the CounterACT Installation CD ROM into its drive.

2. Log in as root.

3. Mount the CD ROM with the following command:

mount /mnt/cdrom

4. At the prompt, run the following commands:

cd /mnt/cdrom

./ca_setup

A prompt indicates that you are about to upgrade the software. These procedures are detailed in Installing an Appliance. You can maintain previous values, which appear as the default, or define new values.

Upgrading from the Console

You can also perform the software upgrade from the Console. If you upgrade from the Console, you cannot update the installation parameters. For complete procedures, refer to the Console User Guide.

Gradual Upgrade

The steps described below can be used to gradually upgrade a CounterACT deployment. A temporary Enterprise Manager (EM) is used to facilitate the gradual upgrade. During the transition period, two EMs are simultaneously active. The permanent EM will manage the appliances running the new version, while the temporary EM manages the appliances running the old version.

This may be required for large deployments where simultaneous upgrade is not desired or not allowed by the corporate IT policy.

To perform a gradual upgrade:

1. Ensure that the temporary Enterprise Manager can access the appliances by adding its IP address in: Options -> Access -> Console

2. Back up the permanent Enterprise Manager.

3. Install the current version of CounterACT from CDROM on the temporary Enterprise Manager. Do not configure it.

4. Restore the backup on the temporary Enterprise Manager. The temporary Enterprise Manager now has the same IP address and host-name as the permanent Enterprise Manager.

5. When booting the temporary Enterprise Manager for the first time after the restore, stop the boot process at the red boot screen and type: CounterACT_S (Note: there is a space between CounterACT and the S) then allow it to boot. The boot process should stop at some point prompting for commands.

6. Change the temporary Enterprise Manager IP address by using: fstool netconfig

7. Change the temporary Enterprise Manager name using: fstool netconfig -h some-temporary-name

8. Allow the boot process to complete by typing: exit

9. Connect to the temporary Enterprise Manager with the Console. You should see the appliances connected to both Enterprise Managers. Do not make any configuration changes on any of the Enterprise Managers until the next step is completed.

10. Upgrade the permanent Enterprise Manager to the new version.

11. The appliances should show at the permanent Enterprise Manager with "version mismatch".

12. Select an appliance from the temporary Enterprise Manager and upgrade it to the new version. The upgraded appliance should show OK at the permanent Enterprise Manager Console, and with "version mismatch" at the temporary Enterprise Manager Console.

13. Verify the new version works to your satisfaction.

14. Repeat the appliance upgrade step until all appliances are upgraded and show in the temporary Enterprise Manager with “version mismatch”.

15. Shut down the temporary Enterprise Manager.

Restoring System Settings

Back up and restore tools allow you to save your system settings and later restore them to an Appliance. Use this feature for CounterACT Appliance hard drive failures or when data on an Appliance is lost for another reason. Refer to the CounterACT Console User Manual for more information.

To restore:

1. Power on the Enterprise Manager.

When this is complete, the following menu opens:

CounterACT boot is complete.

Press Enter to continue.

2. Press Enter.

The following menu opens:

1 – Configure CounterACT-X.X.X

2 – Restore saved CounterACT X.X.X configuration

3 – Identify network interfaces

4 – Configure keyboard layout

5 – High Availability Setup

6 – Enable FIPS

7 – Turn machine off

8 – Reboot the machine

Choice 1-8: 2

3. Type 2 and press Enter.

The following menu opens:

Restore options:

1) Restore from USB storage device

2) Restore from CD-ROM

3) Restore from floppy diskette

4) Get shell prompt

5) Cancel

Choice (1-5) :

4. Select a restore option and press Enter.

The following menu opens:

The restore process will now search for backup files in the selected media. Note that backup file names must have a ".fsb" extension. Insert the media where the backup file resides and press ENTER to continue.

5. Insert the media where the backup file resides and press Enter.

The following prompt displays all .fsb files found on the media:

Searching for backup files in USB storage device(s)...

Choose backup file:

1) qcc-V4.0.3-2004_12_22_15_27.fsb

2) Cancel

Choice (1-2) :

6. Select an option and press Enter.

The following menu opens:

Verifying /tmp/usbmnt/qcc-V4.0.3-2004_12_22_15_27.fsb...

------------------------- Backup Volume Information -------------------------

Product : CounterACT

Host-name : qcc

Address : X.x.x.x

Backup date : Wed Dec 22 15:27:43 IST 2004

Restore? (yes/no) :

7. Type yes and press Enter.

The following information is displayed:

************** CounterACT version 6.X Restore **************

>>> Installing Packages <<<

…Checking stored Packages...... done.

>>> Configuring the System <<<

>>> Installing Database <<<

Creating database... done.…

Restoring... done.

Installation log written to /tmp/CounterACT-install.log

The Operating System will now reboot in order to complete the CounterACT restore process.

Chapter 5: Installing the CounterACT Console

This chapter includes:

About CounterACT Console Installation

Logging In

Using the Initial Setup Wizard at the Console

Uninstalling Previous Versions

About CounterACT Console Installation

The CounterACT Wizard assists you in quickly installing the CounterACT Console software for both the Appliance and Enterprise Manager. When logging in, enter either the Appliance or Enterprise Manager login credentials you defined during these installations. The login detects whether to connect to the Appliance or the Enterprise Manager, based on these credentials.

Two options are available for installing the software:

Installation CD

Installation software built into your Appliance to install the Console

Installing from the Installation CD

To install:

1. Insert the Installation CD into the CD ROM of the PC that will run the Console software.

2. Locate and open the ManagementSetup.htm file.

The CounterACT Initial Installation dialog box opens:

3. Select the download link required. The download process initiates and the Choose Install Folder dialog box opens:

4. Accept the default location or define a new location to install the Console and select Next.

The Choose Shortcut Folder dialog box opens:

5. Choose a location to create the shortcut icon and select Next.

The Pre-Installation Summary dialog box opens:

6. Review the settings you chose and select Install.

The Installing CounterACT dialog box opens and the Console installation begins:

After installation is complete, the Install Complete dialog box opens:

7. Select Done.

Installing from a Browser at your Appliance

This option is not available when upgrading.

To use the installation software built into your Appliance to install the Console:

1. Open a browser window from the PC that will run the Console.

2. Enter the following address in your browser address line:

http://IP address/install

(where IP address is the address of your Appliance, for example http://10.0.0.95/install.)

The browser displays the CounterACT software installation window.

3. Follow the on-screen instructions.

Logging In

After completing the installation, you can log into the CounterACT Console from the shortcut location you created during the installation.

1. Select the CounterACT icon from the shortcut you created.

The Login dialog box opens.

2. In the IP/Name field, type the IP address or host name of an Appliance or Enterprise Manager.

3. In the User Name field, type your user name (default - Admin).

4. In the Password field, type your password.

5. Select Login to open the Console.

The system comes with a predefined “Admin” user. The user password and CounterACT address are set during CounterACT installation. You can update the password using a command line utility or via the Console. Refer to the CounterACT Console User Manual for more information regarding the utility and about post login.

Using the Initial Setup Wizard at the Console

After login, the Initial Setup Wizard opens. The Wizard guides you through essential configuration steps to ensure that CounterACT is up and running quickly and efficiently.

Before selecting Next to proceed, gather the information listed below and enter it in the Value column for easy access.

Information Required by Wizard Value

NTP server address used by your organization (optional)

Internal mail relay IP address to allow delivery of e-mail alerts if SMTP traffic is not allowed from the Appliance (optional)

CounterACT administrator e-mail address

Monitor and response interfaces

For segments/VLANs with no DHCP, the network segment/VLANs to which the response interface is directly connected and a permanent IP address to be used by CounterACT at each such VLAN

IP address range that this Appliance will monitor (all the internal addresses, including unused addresses)

LDAP user account information and the LDAP server IP address

Domain credentials, including domain administrative account name and password

Authentication servers so CounterACT can analyze which network hosts have successfully been authenticated

Switch IP Address, Vendor and SNMP Parameters

Uninstalling Previous Versions

To uninstall a previous Console version:

1. Use the Windows uninstall tools to perform the uninstall procedure.

2. Alternatively, choose the Uninstall CounterACT Console icon from the ForeScout program group on the Start menu.

Chapter 6: High Availability Systems

This chapter includes:

About High Availability

License Setup Requirements

Pre-Installation Requirements

Failover

Connecting to the Network

High Availability Software Installation

High Availability Indicators on the Console

Upgrading 6.0 High Availability Systems to the Latest Version

Upgrading to High Availability from CounterACT Versions 4.x and 5.x

Uninstalling High Availability Mode

Restoring a Configuration

Converting a Single Enterprise Manager/Appliance to High Availability

About High Availability

CounterACT High Availability provides you with standby support in the event of system malfunction or failure. It is implemented in clusters with two Appliances or two Enterprise Manager nodes. Redundancy is achieved by assigning an Active node to manage activities required for effective Network Access Control (NAC), and a Standby node to take over in case of Active node failure. The two nodes are synchronized by a redundant pair of interconnecting cables.

License Setup Requirements

An evaluation license is valid for your High Availability system for 30 days. You must install a permanent license before this period expires. You will be contacted via e-mail regarding the expiration date. It is recommended to use the IP address of the High Availability cluster when issuing a High Availability license. If a license is only issued to the Primary node in a High Availability cluster, the system may not operate after failover to the Secondary node.

An additional remote recovery system is also available. This tool provides a comprehensive recovery system for Enterprise Managers that have, for example, failed as a result of a natural disaster or crisis. This tool provides complete and continued management of remote Appliances after the crisis. Refer to the CounterACT Console User Manual for more information.

Pre-Installation Requirements

For pre-installation requirements, see Network Access Requirements.

Optional Switch Connectivity

Below are examples of High Availability cluster-switch connections.

Failover

The Active and Standby nodes ping each other every second for operational updates. By default, failover from the Active node to the Standby node occurs 30 seconds after the Standby node detects that the Active node is down.

Between 2 and 10 minutes after Active node failure, the Standby node becomes active.

Criteria

Full High Availability mode requires that:

Both the Active and the Standby nodes are operating

The Standby node is synchronized with the Active node and is fully up-to-date

When full High Availability mode is in effect, the following criteria cause the Standby node to become active:

System failure: Active node outage

System failure: Hardware raid array breakdown; i.e., all disks are not functioning

System maintenance: Active node powered off or cold boot occurred

Management interface failure: A management interface hardware failure on the Active node

Node Status

The status of the Active and Standby nodes is affected by restart as follows:

Restart Active node – In case the Active node fails, the Standby node becomes the Active node (swapping roles). After restart, the switchover remains in effect; i.e., the Active node that originally failed remains the Standby node, and the newly appointed Active node continues with that role.

Restart Standby node - After restarting the Standby node, the Active/Standby roles do not change.

Both nodes are restarted - Depending on which node restarts first, the nodes can remain as originally designated or assume reverse roles.

Connecting to the Network

This section shows sample wiring setups for a single switch.

Dual cross cables must be connected for redundancy.

CT-Remote is not supported in High Availability clusters.

CT-1000 Appliance Rear Panel

CT1000 - Sample Connections

Interface   Cable           Interface   Cable

eth0        Management-1    eth4*       Monitoring-2*

eth2        Monitoring-1    eth5*       Response-2*

eth3        Response-1      eth7        Sync-2

eth1        Sync-1

*Only for redundant switch configuration.

It is recommended to use two sync cables whenever possible. In addition, you can attach the sync>management cables to sockets on different NICs to improve handling of NIC failure with all attached sockets.

High Availability Software Installation

During the installation procedure, the nodes are referred to as First (Primary) and Secondary. These same nodes are referred to as Active (Primary) and Standby (Secondary) after installation and during operation, according to their current status.

The installation/configuration procedure is performed in three main stages:

1. Set up High Availability for the Primary node.

2. Configure the Primary node.

3. Set up High Availability for the Secondary node. There is no need to configure it.

Reboot may occur during these stages. This does not indicate any type of failure or problem.

Identify Ethernet Ports

If you do not know the Ethernet port layout of either the Primary or Secondary node rear panel, follow this procedure.

To identify Ethernet ports:

1. Power on the Appliance. The following menu opens:

Options:

1) Configure CounterACT-X.X.X

2) Restore saved CounterACT-X.X.X configuration

3) Identify network interfaces

4) Configure keyboard layout

5) High Availability Setup

6) Enable FIPS

7) Turn machine off

8) Reboot the machine

Choice (1-8): 3

2. Type 3 and press Enter.

3. Respond to the prompts and record the layout.

Primary Appliance Setup

To perform Primary Appliance setup for High Availability:

1. Complete the identification of the interfaces or complete power on. The following menu opens:

Options:

1) Configure CounterACT-X.X.X

2) Restore saved CounterACT-X.X.X configuration

3) Identify network interfaces

4) Configure keyboard layout

5) High Availability Setup

6) Enable FIPS

7) Turn machine off

8) Reboot the machine

Choice (1-8): 5

2. Type 5 and press Enter. The following menu opens:

Is this the FIRST node of the High Availability cluster? (yes/no): yes

3. Type yes and press Enter.

The following menu opens:

Enter the cluster hostname:

Define IP information required for communication with the cluster

When you enter a cluster hostname, for example High Availability_cluster, the system will automatically assign High Availability _cluster_1 to the Primary node, and High Availability _cluster_2 to the Secondary. You can add these in the DNS server.

4. Enter the name to represent the cluster on the network.

Enter the cluster hostname:

Suggestion: When upgrading, use the previous hostname.

5. Select an Ethernet interface (port) for cluster management.

Suggestion: When upgrading, use the previous Ethernet interface (port), otherwise you may lose connections in the Control screen.

Select the Ethernet interface for the cluster management (one of: eth0, eth1, eth2, eth3)[eth0]:

6. Enter the IP address shared by both Appliances in the cluster. Communication with sources external to the cluster is via this address.

Suggestion: When upgrading, use the previous IP address of the cluster.

Enter the IP address of the cluster:

7. Enter the IP address of the Primary node (not to be confused with the cluster IP address).

Enter IP address of this node:

8. Enter the IP address of the Secondary node.

Enter the IP address of the other node:

9. Enter the IP address of the default gateway.

Enter the IP address of the default gateway:

10. Enter the netmask size of the cluster IP address used by both Appliances.

Enter the netmask size of the cluster IP address [24]:

Assign an Out-of-Band IP Management Interface

1. Type yes to optionally assign an Out-of-Band IP address to the device.

This might be necessary if the interface you selected above does not have access to the segment containing the hosts to be managed. The additional interface is similar to the Out-of-Band interface sometimes created for non-High Availability devices (see Creating an Out-of-Band IP Management Interface).

Assign an Out-of-Band management IP address (yes/no) [no]: yes

2. Select the Ethernet interface.

Select the Ethernet interface for the Out-of-Band management IP address (one of: eth0, eth1, eth2, eth3)[eth1]:

3. Enter the relevant Out-of-Band management IP addresses of the cluster and both nodes.

Enter the Out-of-Band management IP address of the cluster:

4. Enter the Out-of-Band management IP address of this node:

5. Enter the Out-of-Band management IP address of the other node:

6. Enter the netmask size of the Out-of-Band management cluster IP address.

Enter the netmask size of the Out-of-Band management cluster IP address:

Define cluster access

7. Enter the addresses to be used for access to the cluster by external testing of the reliability of specific nodes within the cluster.

Enter space separated IP address(es) for network keepalive (ping) tests (or ‘none’):

8. Enter the password to access the cluster and confirm it by typing it again.

Enter the root password for the cluster:

To verify, please enter the password again:

Define IP information for intra-cluster communication

9. Select the primary Ethernet interface for intra-cluster communication. Verify that this is not a segment used in your network.

Select the primary Ethernet interface for the intra-cluster communication (one of: eth2, eth3) [eth3]:

10. Select an Ethernet port other than the one you selected for external communication. This port will be the default port for communication between the Primary and Secondary node.

Select the secondary Ethernet interface for the intra-cluster communication (one of: eth2, none) [eth2]:

11. Enter the private network to be used for communication between nodes within the cluster. The same setting should be used for the Secondary node.

Enter a private 24-bit subnet to be used by the High Availability cluster [172.17.2.0]

Define additional services

12. Enter the DNS domain name and address; you can enter multiple addresses separated by spaces. The DNS information is needed to map the host name to an IP address so the NTP server (defined in the next step) can be used to synchronize system clocks.

Enter the DNS domain name:

Enter the DNS server addresses:

13. Enter the name of the NTP server. If you don’t have an NTP server, type none.

Enter the NTP server name or 'none' [ntp.forescout.net]:

Define the operator e-mail

14. Enter the e-mail address to which to send reports, alerts and other CounterACT notifications.

Enter the operator's email address:

15. Enter the mail relay address. This is an internal mail relay IP address to allow delivery of e-mail alerts if SMTP traffic is not allowed from CounterACT to the Internet.

Enter the mail relay address or 'none':

16. Press Enter.

Press Enter to continue
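The addressing answers requested in the Primary Appliance setup steps above (cluster and node addresses, netmask size, a private 24-bit intra-cluster subnet that is not a segment used in your network, and intra-cluster ports other than the management port) can be checked as a worksheet before they are typed at the prompts. The following Python script is an added example, not part of this guide or of CounterACT; the worksheet field names, the validate_ha_plan function and the sample addresses are assumptions made for illustration, and it assumes the node addresses and the default gateway lie in the cluster IP address's subnet.

```python
import ipaddress

# Constructed worksheet: field names and addresses are illustrative, not CounterACT syntax.
GOOD_PLAN = {
    "mgmt_interface": "eth0",
    "cluster_ip": "10.0.4.200",
    "this_node_ip": "10.0.4.201",
    "other_node_ip": "10.0.4.202",
    "default_gateway": "10.0.4.253",
    "netmask_size": 24,
    "sync_subnet": "172.17.2.0",         # default offered by the setup prompt
    "sync_primary_interface": "eth3",
    "sync_secondary_interface": "eth2",  # or "none"
    "site_networks": ["10.0.0.0/16"],    # segments already in use on the network
}

# The same worksheet with three typical mistakes (constructed).
BAD_PLAN = dict(GOOD_PLAN, other_node_ip="10.0.5.202",
                sync_subnet="10.0.4.0", sync_primary_interface="eth0")


def _check_group(label, cluster_ip, node_ips, prefix, problems):
    """Check one address group (management or Out-of-Band) and return its network."""
    net = ipaddress.ip_network(f"{cluster_ip}/{prefix}", strict=False)
    addrs = [ipaddress.ip_address(a) for a in [cluster_ip, *node_ips]]
    if len(set(addrs)) != len(addrs):
        problems.append(f"{label}: cluster and node addresses must all be different")
    for addr in addrs:
        if addr not in net:
            problems.append(f"{label}: {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label}: {addr} is the network or broadcast address of {net}")
    return net


def validate_ha_plan(plan):
    """Return a list of problems in an HA addressing worksheet (empty list = consistent)."""
    problems = []
    mgmt_net = _check_group("management", plan["cluster_ip"],
                            [plan["this_node_ip"], plan["other_node_ip"]],
                            plan["netmask_size"], problems)
    gateway = ipaddress.ip_address(plan["default_gateway"])
    if gateway not in mgmt_net:
        problems.append(f"default gateway {gateway} is outside {mgmt_net}")

    used_nets = [("management network", mgmt_net)]
    used_ifaces = {plan["mgmt_interface"]}
    oob = plan.get("oob")  # optional Out-of-Band management answers
    if oob:
        oob_net = _check_group("out-of-band", oob["cluster_ip"],
                               [oob["this_node_ip"], oob["other_node_ip"]],
                               oob["netmask_size"], problems)
        used_nets.append(("out-of-band network", oob_net))
        used_ifaces.add(oob["interface"])
    for cidr in plan.get("site_networks", []):
        used_nets.append(("site network", ipaddress.ip_network(cidr)))

    # Intra-cluster subnet: a private 24-bit network not used anywhere else.
    try:
        sync_net = ipaddress.ip_network(f"{plan['sync_subnet']}/24")
    except ValueError:
        problems.append(f"sync subnet {plan['sync_subnet']} has host bits set for a 24-bit subnet")
        sync_net = ipaddress.ip_network(f"{plan['sync_subnet']}/24", strict=False)
    if not sync_net.is_private:
        problems.append(f"sync subnet {sync_net} is not a private range")
    for label, net in used_nets:
        if sync_net.overlaps(net):
            problems.append(f"sync subnet {sync_net} overlaps {label} {net}")

    # Intra-cluster ports must differ from each other and from the external ports.
    sync_ifaces = [plan["sync_primary_interface"]]
    if plan.get("sync_secondary_interface", "none") != "none":
        sync_ifaces.append(plan["sync_secondary_interface"])
    if len(set(sync_ifaces)) != len(sync_ifaces):
        problems.append("primary and secondary sync interfaces must differ")
    for iface in sync_ifaces:
        if iface in used_ifaces:
            problems.append(f"sync interface {iface} is already used for external communication")
    return problems


if __name__ == "__main__":
    for name, plan in (("GOOD_PLAN", GOOD_PLAN), ("BAD_PLAN", BAD_PLAN)):
        issues = validate_ha_plan(plan)
        print(name, "is consistent" if not issues else "has problems:")
        for issue in issues:
            print("  -", issue)
```

The same worksheet applies to the Secondary node, which must reuse the private subnet and interface choices entered here.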

Configuring the CounterACT Appliance

After completing the preceding steps, the following menu opens:

Options:

1) Configure CounterACT-X.X.X Appliance

2) Restore saved CounterACT-X.X.X configuration

3) Identify network interfaces

4) Configure keyboard layout

5) High Availability Setup

6) Enable FIPS

7) Turn machine off

8) Reboot the machine

Choice (1-8): 1

1. Type 1 and press Enter.

2. Proceed as described in Installing an Appliance.

Secondary Appliance Setup

You will be required to specify the IP address and password of the Primary Appliance in order for the Secondary Appliance to be able to access the first. Before you begin setting up the Secondary Appliance, verify that the Primary Appliance is powered on, set up, and successfully configured. There is no need to configure the Secondary Appliance.

When setting up the Secondary Appliance, use the same Ethernet interfaces and netmask settings used in the Primary Appliance.

Identify Ethernet Ports

If you do not know the Ethernet port layout of an Appliance rear panel, follow this procedure to identify Ethernet ports.

1. After powering on the Appliance, the following menu opens:

Options:

1) Configure CounterACT-X.X.X

2) Restore saved CounterACT-X.X.X configuration

3) Identify network interfaces

4) Configure keyboard layout

5) High Availability Setup

6) Enable FIPS

7) Turn machine off

8) Reboot the machine

Choice (1-8): 3

2. Type 3 and press Enter.

3. Respond to the prompts and record the layout.

4. After completing the identification of the interfaces or after power on, the following menu opens:

Options:

1) Configure CounterACT-X.X.X

2) Restore saved CounterACT-X.X.X configuration

3) Identify network interfaces

4) Configure keyboard layout

5) High Availability Setup

6) Enable FIPS

7) Turn machine off

8) Reboot the machine

Choice (1-8): 5

5. Type 5 and press Enter.

6. Type no and press Enter to specify Secondary node.

Is this the FIRST node of the High Availability cluster? (yes/no): no

7. Enter the private network to be used for communication between nodes within the cluster. Use the same setting you chose for the Primary node.

Enter a private 24-bit subnet to be used by the High Availability cluster [172.17.2.0]:

8. The default for the Ethernet port is the port defined on the Primary node for intra-cluster communication. Use this setting.

Select the primary Ethernet interface for communication between nodes (one of: eth0, eth1, eth2, eth3, eth4, eth5, eth6, eth7) [eth7]:

9. Use the password you defined during the Primary node setup above. This is used by the Secondary node to access the Primary node.

Enter the root password of the Primary node:

* Setting up the Built-in Firewall *

* Attempting to retrieve the parameters from 172.17.2.171 *

Changing password for user root

passwd: all authentication tokens updated successfully

A series of menus opens. One of them will be similar to the following example:

Completed: 99.8%, Estimated time to finish: 0:03 minutes

The estimated time is the time needed to copy relevant data from the Primary to the Secondary node. This procedure takes approximately 90 minutes for a 6GB disk.

The following menu indicates that you have successfully completed the installation/configuration procedure for both nodes.

High Availability setup completed for this node.

Press ENTER to continue

10. Press Enter.

Moving the Network Location of a High Availability Cluster

To move the location of a High Availability cluster from one network to another:

1. Shut down the Secondary node.

2. Shut down the Primary node.

3. Relocate both Appliances and connect them as described in Connecting to the Network.

4. Restart the Primary node.

5. Run hatool ha_setup on the Primary node, making sure to use the new network settings.

6. Restart the Secondary node.

7. Run hatool ha_setup on the Secondary node. It is recommended to do this from the Linux Console since the management IP address will probably be different.

8. If the new DNS settings are different, run hatool dns_setup <new DNS> on both machines and reconfigure them.

9. If the new NTP settings are different, run hatool ntp_setup <new NTP> on both machines and reconfigure them.

10. Verify that the cluster is up and running.

Backup and Restore

The backup and restore procedure for High Availability differs from the standard backup and restore procedure. If one of the nodes crashes, the other node takes over. Follow the standard procedure for installing a new node as an additional (Standby) node.

To protect your system against a situation in which both nodes crash, or in which you need a backup for some other reason, first back up while the High Availability cluster is operational, using the Backup and Restore feature.

You will require an external storage device to restore the configuration file.

Backup as follows:

1. Connect the two Appliances with redundant cross cables.
2. Perform a backup of the system settings and copy the configuration backup files to an external storage media.

Restore as follows:

1. Uninstall CounterACT in order to go back to the base Operating System. Or, alternately, format the disk on the first Appliance and perform a clean install of the new version (V6.1.0 and higher).

2. Restore the backup configuration files from the external storage media to the Primary node.

3. Set up High Availability on the Primary node. The original High Availability values were saved along with the backup and are presented as default values, which should be accepted.

4. Set up High Availability on the Secondary node. Perform the disk format and “clean install” if required.

5. Connect the Appliance(s) with the switches after the configuration determines the layout of the Ethernet interfaces (ports) on the rear panel.

If you have performed the restore procedure after attempting to upgrade the two Appliances, continue the upgrade:

1. Log into the Primary node.
2. Run: hatool upgrade

High Availability Indicators on the Console

Your Console indicates the status of your High Availability cluster. These icons appear on the status bar of the Console:

Status of High Availability Appliances connected to the Enterprise Manager

Status of the High Availability Enterprise Manager cluster

In addition, the CounterACT Appliance panel in the Console provides information on the High Availability status of each Appliance in the enterprise. The following categories of information are available.

N/A – No High Availability system is installed.

Up – High Availability is installed and running. Both nodes are up and synchronized.

High Availability not supported – The currently installed CounterACT software version does not support High Availability.

Degraded – A hardware or software failure has occurred to degrade the status of High Availability; check the tooltip for details.

Upgrade – CounterACT is in the process of upgrading.

Setup – CounterACT is in the process of configuring.


Upgrading 6.0 High Availability Systems to the Latest Version

You can upgrade the Appliance and Enterprise Manager version from the Console. To see the procedure, refer to Upgrading Appliance Software in the CounterACT Console User Manual.

If you run into difficulties when initially attempting to perform an upgrade, see Backup and Restore for details on how to proceed.

Upgrading to High Availability from CounterACT Versions 4.x and 5.x

This section details upgrading a pair of Appliances (or Enterprise Manager) to a High Availability cluster under CounterACT Version 6.x.

The following procedure demonstrates the upgrade procedure of a High Availability cluster consisting of two Appliances:

1. An existing Appliance/Enterprise Manager installed with CounterACT Versions 4.x to 5.x, using pre-V6.x file partitioning.

2. A new Appliance/Enterprise Manager installed with CounterACT Versions 6.x and with new file partitioning.

CounterACT Versions 6.0.0 and higher introduced a new file partitioning structure on the hard disk. This requires an additional step in the procedure to convert older file partitioning structures to the new structure.

Even if the existing Appliance/Enterprise Manager is running Version 6.x, it may have been upgraded from 5.x, without performing a ‘Clean Install’, meaning the file partitioning on the hard disk is of a version earlier than that of CounterACT Version 6.0.0.

Terminology

This section explains the terms and procedures used in the upgrade:

File Partitioning – Versions 4.x – 5.x use a different file partitioning structure than Versions 6.x. Although the CounterACT application software is updated when performing an upgrade to Version 6.x, the Version 6.x file partitioning system on the hard disk is not upgraded until you perform a ‘Clean Install’ of Version 6.x.

Configuration Backup – a basic backup of the configuration file does not back up the lists of connected hosts and open services currently learned by the Appliance. To back up these hosts and services as well, perform an rSite backup. Because the Appliance continuously learns and maintains the rSite, it is recommended to perform this backup, although this is not mandatory.

Note that the rSite backup must be restored to the same CounterACT version. For information on the procedure, refer to the CounterACT Console User Manual.

Backup – Use portable media, such as a USB storage device, to back up configuration and other data files.

Restore – for instructions on how to restore, see Restoring a Configuration.

Complete Install – to install the operating system and CounterACT from the Installation CD including the formatting of the hard disk. This procedure is detailed in the document “Installation Guide-CounterACT-V6.x-non-app” that comes on the CounterACT Installation CD.

Procedure

Optional: Before proceeding with the upgrade, back up the pre-upgrade configuration in order to return to the prior status in case of failure. You can back up both the configuration file and the rSite.

1. Connect the two Appliances/Enterprise Manager with synchronization cables to prepare them for High Availability installation.


2. Upgrade to CounterACT V6.x
   The Appliance remains with pre-V6.x file partitioning.

3. Backup new V6.x configuration
   Back up the new V6.x configuration (see Backup and Restore), and optionally the rSite, in order to restore them after the “Clean Install” (next step).

4. Perform Complete Install V6.x
   This is in order to install V6.x file partitioning.
   Status: Fully upgraded to V6.x with V6.x file partitioning, but lacking configuration.

5. Configure as High Availability Primary Node
   For the procedure, see High Availability Software Installation.

6. Restore the configuration and rSite from previous backup (in Step 3).
   For the procedure, see Restoring a Configuration.
   Status: Upgraded V6.x Appliance now as High Availability Primary node with previous configuration.

7. Install new V6.x Appliance as V6.x
   Status: Both Appliances are now with V6.x and with V6.x file partitioning.

8. Define as High Availability Secondary Node
   The Secondary node will be automatically configured according to the Primary node. See: High Availability Software Installation.

Both Appliances are now configured with CounterACT V6.x and as a High Availability cluster.

To configure as a High Availability node, see Primary Appliance Setup and Secondary Appliance Setup.


Proceed with the configuration of High Availability on the Secondary node only after the Primary node is configured for High Availability and is up and running.

You can configure the new V6.x Appliance as the Primary node instead of the V4.x-5.x Appliance. Doing this can save you time because you will be restoring the configuration backup you saved in Step 3 to the new V6.x Appliance after it is installed and defined as a Primary node, while clean-installing the V4.x-5.x Appliance.

Uninstalling High Availability Mode

Use this procedure to remove the High Availability mode from a node.

Up until the last step, you can re-activate the Primary node in order to continue using High Availability mode.

Step | On Both Nodes
1 | Backup the Primary configuration. If necessary, perform an rSite backup as well.
2 | “Clean Install” the Secondary node.
3 | Disconnect the High Availability cables. This effectively removes the High Availability function from the Appliances.
4 | Shut down the Primary node (it can be reactivated later if necessary).
5 | Restore configuration, and rSite data if previously performed, to the Secondary node.
6 | Verify that the Secondary node is configured in Single mode (not High Availability) and is operating. At this stage the Secondary node is a standalone Appliance.
7 | Perform a “Clean Install” on the Primary node and reactivate if necessary.

Restoring a Configuration

This section details how to restore an Enterprise Manager/Appliance configuration.

Installing Software and Restoring Configuration on the Primary Node

On the Primary node, install from the CounterACT CD or as follows:

1. Power on the first Appliance. The following menu opens:

Options:

1) Configure CounterACT-X.X.X

2) Restore saved CounterACT-X.X.X configuration

3) Identify network interfaces

4) Configure keyboard layout

5) High Availability Setup

6) Enable FIPS

7) Turn machine off

8) Reboot the machine

Choice (1-8): 5

2. Type 2 and press Enter.
3. Insert the backup external media into the USB slot.
4. Type 1 to select Restore from USB, and select the correct backup configuration file.
5. After the Appliance is up, type the command: hatool ha_setup.
6. Respond with yes to the question: Is this the FIRST node of the High Availability cluster? (yes/no):
7. Configure the Primary node as High Availability. See Primary Appliance Setup for more information.
8. Connect the redundant (dual) physical cables to the management, monitor and response ports between the Appliance and the switches.

Configuring the Secondary Node

1. Power on the second Appliance. The following menu opens:

Options:

1) Configure CounterACT-X.X.X

2) Restore saved CounterACT-X.X.X configuration

3) Identify network interfaces

4) Configure keyboard layout

5) High Availability Setup

6) Enable FIPS

7) Turn machine off

8) Reboot the machine

2. Configure the High Availability settings, as in Secondary Appliance Setup.

Converting a Single Enterprise Manager/Appliance to High Availability

This section details converting a Version 6.2.0 or higher Enterprise Manager/Appliance to a High Availability system. The conversion makes the Enterprise Manager/Appliances suitable for use as Primary and Secondary nodes in a High Availability cluster.


Convert the First Enterprise Manager/Appliance

1. After powering on the first Enterprise Manager/Appliance, type the command: hatool ha_setup
2. Proceed with High Availability configuration of the Enterprise Manager/Appliance as detailed in: Identify Ethernet Ports and Primary Appliance Setup.

Convert the Secondary Enterprise Manager/Appliance

1. For an Appliance: Connect the redundant (dual) physical cables to the management, monitor and response ports between the Appliance and the switches.
   For Enterprise Manager: Connect the redundant (dual) physical cables to the management port between the Enterprise Manager and the switches.

2. Make sure the second Enterprise Manager/Appliance is installed with Version 6.2.0 or higher.

3. Configure the High Availability settings, as in Secondary Appliance Setup.

Appendix A - Site Preparation Form

This appendix lists the CounterACT site parameter requirements. Verify that you have the information required and that your site is set up appropriately. Enter your information in the Value column.

Subject Item Value

Communication Information
    CounterACT IP address
    Subnet Mask
    Default Gateway
    Mail-relay server address
    DNS server host name and address
    E-mail address(es) used for sending alerts regarding worm attack attempts
    VLAN ID on which the CounterACT, router and Console are located (Only required if these components must be located on a VLAN and are connected to a tagged port.)

Internal Network
    Address range(s) of protected network (It is recommended to use your enterprise’s entire internal IP range)

Management
    Operating system on PC running CounterACT Console or CounterACT Enterprise Manager
    Allowed addresses for CounterACT Console or CounterACT Enterprise Manager connectivity
    Addresses of hosts allowed to control the CounterACT through SSH

Communication Equipment
    Communication equipment to which the CounterACT is connected:
        Switch with mirroring port – supports traffic response
        Switch with mirroring port – does not support traffic response
        Vendor and model:

Logistics
    19” Rack
        Available space: How near/far is rack/shelf space from a network connection and power connection (i.e. specify cable requirements)
    Shelf Space
        Available space
    Socket and cable availability
        Standard power socket + cable
        Network socket + cable

Managed Switch SNMP Information
    Switch IP Address and Brand
        Identify the IP address and brand of the switches to monitor.
    SNMP Community String Version and Type
        Discuss ReadOnly and ReadWrite abilities.
    Copper or Fiber Connectivity:
        10/100/1000 BaseT Copper or Fiber can be used

Contact Details
    Name
    Phone number
    E-mail address


Legal

© Copyright ForeScout Technologies, 2000-2009. All rights reserved.

The copyright and proprietary rights in the guide belong to ForeScout Technologies. It is strictly forbidden to copy, duplicate, sell, lend or otherwise use this guide in any way, shape or form without the prior consent of ForeScout Technologies.

This product is based on software developed by ForeScout Technologies. The products described in this document are protected by U.S. patent # 6,363,489 issued March 2002 and may be protected by other U.S. Patents and foreign patents.

Redistribution and use in source and binary forms are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials and other materials related to such distribution and use, acknowledge that the software was developed by ForeScout Technologies.

THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

All other trademarks used in this document are the property of their respective owners.

8/9/10

Please send comments on documentation to: [email protected]