Manager Installation and Administration

This document describes the installation and administration of the Manager in an On-Premises environment.

About Manager

The Manager collects information from Sensor appliances, processes the data, and presents it to the user. The Manager receives artifacts (such as executables and documents) that are downloaded or otherwise acquired by users and passes them to Analyst for immediate analysis. The results of the analysis are collected and presented to the user via a web portal using an incident-centered approach, in which evidence from run-time analysis, network monitoring, and anomaly detection are correlated to provide prioritized and actionable threat intelligence.

The Manager is also responsible for acquiring the latest network behavior models that are associated with malware activity. These are automatically downloaded from the VMware backend.

The Manager provides a dashboard, the User Portal, from which you manage the other VMware NSX Network Detection and Response appliances in your network.

Important:

The Manager is offered to customers with stringent privacy and policy constraints as part of an On-Premises deployment configuration. In this configuration, the Manager stores all the information regarding the detection of infected hosts and the analysis of software artifacts locally within your data center.

If you do not have such strict privacy requirements, we recommend you use the Manager component that is hosted in the NSX Cloud.

Supported Hardware

Refer to Hardware Specifications for details about the hardware certified for use with VMware NSX Network Detection and Response appliances.

Network Connectivity

The installation and update services need to connect to external servers for downloading software and data bundles (such as sandbox images). All hosts that are contacted for such downloads are listed in this section.

To increase the availability and reduce download times, the system can be configured to download large files from content distribution network (CDN) servers. As such hosts are geographically distributed, the contacted hosts may vary from system to system, and hosts outside the documented list may be contacted for downloads.

The use of CDNs is enabled by default. You can also explicitly enable or disable this feature with the lastline_register command (see Register the Manager, 8).

If you explicitly enable the use of CDNs or choose to accept the default, ensure that you adjust your firewall rules to allow access to the CDN servers.

Domain Names

The server hosting the Manager needs to be able to connect to:

user.lastline.com (for EMEA customers user.emea.lastline.com) on TCP port 443.
log.lastline.com (for EMEA customers log.emea.lastline.com) on TCP port 443.
update.lastline.com (for EMEA customers update.emea.lastline.com) on TCP port 443 .
ntp.lastline.com on UDP port 123 for time synchronization. It can be replaced with a local NTP server.
The Manager must be able to communicate with every Data Node on TCP port 9200 to support an Elasticsearch cluster.
anonvpn.lastline.com on UDP port 1194. This is not mandatory, but highly recommended, as the lack of this connection can negatively impact the performance of the analysis engine. For further details, see Configure Analysis Traffic Routing.

You can add FQDNs such as the CDN domain for Google. For further details and information about VMware NSX Network Detection and Response CDN operation, see VMware Knowledge Base article NSX Lastline CDN Usage (900006).

Expected IP Addresses

The domain names above may resolve to any IP addresses within the following ranges:

38.95.226.0/24
38.142.33.16/28
199.91.71.80/28
46.244.5.64/28
66.170.109.0/24

Note:

All connections can be optionally routed through an HTTP/HTTPS proxy (see "Registration and Configuration", 4). Proxy authentication is not supported.

Acquire the Manager ISO

To install the Manager, you must download the ISO from VMware.

Refer to your VMware welcome message

Using the information in the VMware welcome email message, point your browser to the User Portal at https://user.lastline.com/ (for EMEA customers https://user.emea.lastline.com/) and then login. For your initial login, use the Forgot your password? link and follow the subsequent instructions.

The licenses you need to run Manager are included in the welcome message. The registration process displays these licenses. Compare the licenses it displays with the provided licenses.
Download the ISO

Click the icon to access the drop-down help menu. Selected Downloads from the expanded menu. On the iso-downloads page, select the correct ISO and download it to your staging server.

Download the corresponding MD5 file for the ISO. Validate that the md5sum of the ISO matches the value in the MD5 file.
Prepare the ISO for installation

There are various ways to prepare the ISO. You can burn it to a DVD, create a bootable USB stick, or, if you are using Dell hardware and the iDRAC interface is available on your server, you can use that.

The ISO should be placed on a file share or otherwise made available for a VMware ESXi installation.

DNS Setup

As part of the license registration, the system must be associated with a fully qualified domain name and corresponding certificate.

Assuming that the FQDN lastline.example.com was set for the Manager, you must ensure that the following names all correspond to the same IP address to allow the Sensor nodes to download updates and upload alerts as well as to allow access to the User Portal running on the system:

user.lastline.example.com
update.lastline.example.com
log.lastline.example.com

Note:

Determine the IP address of the server by running the ifconfig command on the console.

The installation domain name must always specify a top-level (root) domain, such as .com, .edu, or .gov.

For an Active-Standby installation, to allow access to the standby Manager, you must ensure that the IP address of the server hosting that Manager is correctly mapped to the domain name, user.standby.lastline.example.com in your DNS resolver. We recommend that you use a virtual IP address to allow for seamless fail-over.

SSL/TLS Certificate

All services on the Manager are accessible through HTTPS only. The Manager generates and uses a self-signed SSL certificate. This requires all managed appliances to store and trust this certificate during the registration phase.

If required, you can replace the SSL/TLS certificate on the Manager.

Install Manager

The installation process for the Manager consists of three steps. In the first step, the base system is installed. In the second step, basic configuration information is collected and the configuration is applied to the system. In the final step, required data is retrieved from the VMware backend servers.

Enable SSH access

Installation of the Manager will take 3 or 4 hours for most environments and may take longer in environments with restrictive proxy settings. Because of this initial install duration, it may be more convenient to enable SSH access to the appliance before you launch the lastline_register command. By default, the Manager is configured to allow key-based authentication. To use this feature, you must add your public SSH key to the lastline user account to enable future SSH access.

Generate a key pair

On your local system, use the ssh-keygen command to generate an RSA key pair.

admin@host:~$ ssh-keygen -f ~/.ssh/llkey
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/llkey):
Enter passphrase (empty for no passphrase):ENTER
Enter same passphrase again:ENTER
Your identification has been saved in /home/admin/.ssh/llkey.
Your public key has been saved in /home/admin/.ssh/llkey.pub.
The key fingerprint is:
SHA256:pKhfuP8h9xlJKza7Z0R3Hq0LCrkYMGEv1A4JYOxFM admin@example.com
The key's randomart image is:
+---[RSA 2048]----+
| . .E.           |
|  + o .          |
| . o *  .        |
|  . +.=o   . .   |
|   +...+S . o o  |
|   ...= o. o = . |
|  . ..o*+ + + +  |
|   . o o+B.= =   |
|    o...++B.o    |
+----[SHA256]-----+

The above example shows generating the key pair without a passphrase. For high security installations, a passphrase may be required.

Note:

On Windows systems, use PuTTYgen to generate the key pair.

Install the public key on the appliance
On your local system, use the ssh-copy-id command to append your public key to the .ssh/authorized_keys file in the lastline user's home directory on the VMware NSX Network Detection and Response appliance.
```
admin@host:~$ ssh-copy-id -i  ~/.ssh/llkey.pub lastline@manager.example.com
```
Note:
Once the lastline_register command has run to completion, you cannot use ssh-copy-id to transfer your public key to the appliance. Instead you need to physically copy the key over and then append it to the lastline user's .ssh/authorized_keys file.

SSH to the appliance

From your local system, use the ssh command to access the VMware NSX Network Detection and Response appliance.

admin@host:~$ ssh -i ~/.ssh/llkey lastline@manager.example.com
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-171-generic x86_64)

Last login: Tue Apr 14 17:00:50 2020 on console
lastline@lastline-manager:~$

Base System Installation

The Manager uses Ubuntu Server 18.04 (Bionic distribution) as its underlying operating system. Therefore, many of the steps of the installation are similar to the ones required to install Ubuntu Server. Refer to the Ubuntu guide, Installing Ubuntu 18.04.

Note:

Many of the steps involved in a standard Ubuntu installation have been automated and hidden from the Manager Installer.

If you are running an existing installation with appliances based on an earlier Ubuntu release, you should upgrade to a version based on Bionic. To upgrade to Bionic from Xenial, you must first update the Manager to the last version that supports Xenial (see the release notes for your specific version, and then follow the instructions on the linked support article).

Before starting the installation of the Manager software, the RAID controller must be configured in RAID10 and supports write-caching. You must ensure your RAID controller is configured appropriately.

Boot the server from the ISO image

Use the DVD or bootable USB stick you created (or for Dell hardware, the Dell iDRAC interface) to boot the ISO image.

Note:
To install the Manager on VMware ESXi, see Install on VMware ESXi.
Select the Manager from the boot loader splash screen

Press Enter to continue.
Select keyboard options

The installer needs to localize your keyboard layout and language settings. Select the "Country of origin for the keyboard" and press Enter. The installer then displays a listing of appropriate keyboard layouts for the selected country. Select the desired "Keyboard layout" and press Enter.
Wait for the system to install and reboot

After the base system is installed successfully, the system will automatically reboot. A login prompt is displayed at the end of the boot process.

Install on VMware ESXi

Before you install the Manager on VMware ESXi, you must ensure the VM meets the minimum hardware specifications for the class of appliance. See Hardware Specifications for details. Ensure that the base hardware runs on an Intel CPU.

Using the VMware ESXi vSphere client 7.0 update 3, create a new virtual machine and configure it to meet the requirements of the Manager.

Access the Manager ISO

Navigate to Configuration→Storage. Right-click on the relevant datastore and select Browse Datastore from the drop-down menu. Select the Manager ISO and click the Upload icon.
Create a new virtual machine
Navigate to File→New→Virtual Machine. In the Create New Virtual Machine pop-up, perform the following:
- Create a Custom VM and specify its Name.
- Select the destination Storage for the VM.
- If supported, select the correct Virtual Machine Version.
- Set the Guest Operating System to Linux then select Ubuntu Linux (64 bit).
- Configure the Manager with 1 socket × 12 cores (unless required otherwise by your VMware ESXi license).
- Set the VM Memory to 64 GB.
- At least one Network NIC is used for the management IP address.
- Define the SCSI Controller.
- Create a new disk and set its size to 2 TB. The Manager requires 3 more similar sized disks.
You can add more hardware to the VM after the initial configuration. Select the check-box for Edit the virtual machine settings before completion. Use this feature to add more storage to the VM.

Set the New CD/DVD to point at the Manager ISO (1). Ensure it is set to Connect at power on.
Expose CPU virtualization to the guest operating system

Right-click on the virtual machine and select Edit Settings. Expand the CPU category and select Expose hardware assisted virtualization to the guest OS. Click OK.
Start the VM

VMware ESXi boots the ISO image.

The boot process then proceeds as in Base System Installation, 2 through 4.

Registration and Configuration

To register and apply the software configuration to the Manager, you must login to the server console.

Register the Manager

Login to the server console

Login to the console using the username lastline and its current password.

Important:
The default user is lastline and its password is lastline. For your security and protection, you should change the default password. Your password selection must meet the requirements specified on the passwd command man page.
Start the configuration and registration process
Execute the lastline_register command, which will start the guided configuration and registration process.
```
lastline@lastline-manager:~$ lastline_register
```
If you are prompted for the sudo password, use the password for the default lastline user account.
The lastline_register command first validates the server. If its hardware is not sufficient to run the Manager, the command terminates with an error message. Should this occur, contact VMware Support for further guidance.
Select the primary network interface and network address

The registration process prompts you to select the "Primary network interface". It presents a list of interfaces discovered during the validation process. Select the interface that is used by the server to communicate with the other hosts on the network.

Then you are prompted to select how the server will obtain its network address. Your choice is "Obtain via DHCP" or "Enter static address".

If you select "Enter static address", you are prompted to provide an IP address to assign to the interface, its netmask, gateway IP address, and domain name server IP address.

To continue, select <Ok> or press Enter.
Optional: Configure an HTTP proxy

Configure an HTTP proxy if it is required to access the Internet via HTTPS. Enter the address of the proxy server. This address can be a FQDN or an IP address. Specify the port for the proxy server. Examples of valid proxy configurations:

proxy.example.com:3128

192.168.0.1:8080

Otherwise if no proxy configuration is required, leave this field empty.

To continue, select <Ok> or press Enter.
Provide the domain name

Enter the FQDN of the Manager. The registration process will provide a suggested FQDN from the network settings. You can change this value.

To continue, select <Ok> or press Enter.
Configure an NTP server

The Network Time Protocol (NTP) is used to set the correct time for the Manager. Enter the address of the NTP server. This address can be a FQDN or an IP address.

Note:
The selected NTP server must be reachable over UDP port 123. Unless you must use a specific NTP server, use the default value, ntp.lastline.com.

To continue, select <Ok> or press Enter.

The network configuration is tested to check for connectivity to the VMware backend; to either the NSX Cloud or, for an On-Premises installation, the local VMware NSX Network Detection and Response appliances. This test may take a while.
Provide a network for local communication

The Manager employs a number of Docker containers to provide its services. These containers require an internal network to use for communication. By default, this network uses 169.254.64.0/20, a portion of the IPv4 link-local address space. This network does not need to be reachable from outside services or hosts. It also must not overlap with any of your existing network address ranges.

For most installations you should accept the default and continue. However, if you are already using the 169.254.0.0/16 address space, you must provide a valid IPv4/20 (or larger) network that can be used for local communication. This network must be in the format A.B.C.0/X, for example, 169.254.64.0/20, 240.0.0.0/16, 10.0.0.0/12, or 192.168.0.0/16.

To continue, select <Ok> or press Enter.
Define the CDN rules
The registration process prompts you to define the CDN rules for your installation. Select one of the following:
- Explicitly enable the CDN servers. This is the default behavior.
- Explicitly disable the CDN servers.
To continue, select <Ok> or press Enter.
Select an additional language
The Manager analyzes detected malicious content in a sandbox that simulates an entire host and its operating environment. By default, it performs this analysis using the English (en-US) version of the guest operating system. With this option, you can specify a second language version for the guest operating system.

Important:
Enabling an additional language increases the load on the hardware provided for analysis as every sample will be sent to both the default English guest operating system as well as the guest operating system running with the selected second language. Each additional operating system is estimated to place another 50% load on the hardware. However, the amount of extra load depends directly on type of files observed in your environment. In some cases, the load might be up to 100%. It is most likely you will need additional hardware to support the extra load.

The VMware NSX Network Detection and Response analysis sandbox supports Windows 10 and Windows 7 as guest operating systems running an additional language.

The registration process prompts you to select an additional language. Select one of the following:
- None
- Chinese (zh-CN)
- French (fr-FR)
- German (de-DE)
- Italian (it-IT)
- Japanese (ja-JP)
- Spanish (es-ES)
To continue, select <Ok> or press Enter.

If you select None, the registration process continues to the next step. Otherwise, the registration process prompts you to select a guest operating system to run with the selected language. Select at least one of the following:
- windows 7
- windows 10
Note:
You must select at least one guest operating system.

After the registration process completes, you must use the lastline_download_engine_data command to download the sandbox images for the additional language to the Manager. See Acquire Sandbox Images for details.

You must also run the lastline_download_engine_data command on the Engine to transfer the sandbox images from the Manager.

To continue, select <Ok> or press Enter.
Select the sandbox images

The registration process prompts you for the sandbox images to download. Select the default images.

Note:
This step configures the selection for the sandbox images. To actually download the images, use the lastline_download_engine_data command. See Acquire Sandbox Images for details.

To continue, select <Ok> or press Enter.
Enter your VMware username and password

As the first stage to applying your license to the Manager you are prompted for your VMware username. Enter your username and then select <Ok> or press Enter.

Note:
This is your User Portal username. It is not the same username used in 1.

For this step to succeed, you must have login access to the User Portal (see Acquire the Manager ISO, 1).

Enter your VMware password and then select <Ok> or press Enter.
Select the correct license

If the credentials you provided are valid, the registration process displays a list of the available license keys. Use the UP and DOWN keys to select the correct license.

Note:
If there are no valid licenses associated with your credentials or your list of license keys is not retrieved correctly, contact VMware Support. Provide the error message the registration process displayed in your request.

To continue, select <Ok> or press Enter.

The registration process displays a prompt: "Registration completed successfully".

To continue, select <Ok> or press Enter.

The registration process runs some tests to check hardware compatibility. The configuration is then applied to the machine. This process may take a while (20-40 minutes) depending on your network connectivity and system characteristics.

After the completed prompt is displayed, select <Ok> or press Enter to exit from the registration process.

Acquire Sandbox Images

Manager must download the images used by the malware analysis sandbox component from the VMware backend servers. The image files consist of approximately 30 GB of compressed data. This step might take several hours, depending on the available network bandwidth.

Download the sandbox images
Run the lastline_download_engine_data command.
```
lastline@lastline-manager:~$ lastline_download_engine_data
```
Confirm the download
Use the -f option to the lastline_download_engine_data command to confirm that you successfully acquired all the sandbox images.
```
lastline@lastline-manager:~$ lastline_download_engine_data -f
```

Sideload Sandbox Images

If you had previously downloaded the sandbox images, you may want to sideload them onto the new Manager rather than downloading them again from the VMware backend.

Copy the sandbox images from another appliance

Copy the directory /data/llama-images and all of its subdirectories from a previously installed Manager to the same location on the new Manager.

Ensure that the permissions are kept intact. For example, if you use rsync to perform the copy, use its -avz options.
Confirm the download
Use the -f option to the lastline_download_engine_data command to confirm that you successfully acquired all the sandbox images.
```
lastline@lastline-manager:~$ lastline_download_engine_data -f
```

Deploy a New Certificate

You can optionally replace the SSL/TLS certificate on the Manager. Assuming the Manager has a FQDN of lastline.example.com, the certificate needs to be valid for:

user.lastline.example.com
log.lastline.example.com
update.lastline.example.com
user.standby.lastline.example.com

We recommend using user.lastline.example.com as the commonName for the certificate. You should then specify the domain names above as Subject Alternative Name (SAN). This way user.lastline.example.com will work even for clients that do not support SAN. The certificate needs to be in x509 format. Intermediate CA certificates need to be appended to the server certificate file.

To create a private certificate using the openssl command and then deploy it on the Manager, perform the following steps:

Create a configuration file

Create an OpenSSL configuration file. For example, create the following file naming it example.com.cnf:

[ req ]
prompt = no
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_req

[ req_distinguished_name ]
commonName = user.lastline.example.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = log.lastline.example.com
DNS.2 = update.lastline.example.com
DNS.3 = user.standby.lastline.example.com

Generate the certificate
Generate the certificate using the openssl command. For example:
```
lastline@lastline-manager:~$ openssl req -x509 -newkey rsa:4096 \
-keyout usr.lastline.example.com.key -out usr.lastline.example.com.pem \
-days 365 -nodes -config example.com.cnf
```
The certificate must be trusted by all the appliances (that is, signed by a CA trusted by the operating system or manually added to the trusted set of certificates. See Trust the New Certificate.

Warning:
For an Active-Standby environment, the active and standby Manager must share the same valid certificate. You must ensure that the same certificate used for the active is also valid for the standby. Its domain must be included in the certificate Subject Alternative Name (as in the example above by ensuring that user.standby.lastline.example.com is also included). Having the same valid certificate makes the takeover process seamless, without needing to generate and install new certificates.

Store the certificate

Copy the certificate to /etc/puppet/files/ssl-cert/.

lastline@lastline-manager:~$ cp usr.lastline.example.com.pem /etc/puppet/files/ssl-cert/

Store the private key

Copy the private key to /etc/puppet/private/ssl-priv-key/.

lastline@lastline-manager:~$ cp usr.lastline.example.com.key /etc/puppet/private/ssl-priv-key/

Integrate the certificate
Run the lastline_apply_config command. This step will also restart the nginx web server.
```
lastline@lastline-manager:~$ lastline_apply_config
```

Trust the New Certificate

To add an SSL/TLS certificate to the set of certificates trusted by Manager, perform the following steps.

Note:

The following steps must be completed on all appliances (including the Manager).

Add the certificate to the trusted set

Copy the certificate into the /usr/local/share/ca-certificates/ directory. Ensure its extension is .crt.

lastline@lastline-manager:~$ cp /etc/puppet/files/ssl-cert/usr.lastline.example.com.pem \
/usr/local/share/ca-certificates/usr.lastline.example.com.crt

Update the certificates
Run the update-ca-certificates command.
```
lastline@lastline-manager:~$ sudo update-ca-certificates
```

Reinstall the Manager

If the Manager needs to be replaced or reinstalled, you must contact VMware Support to have your license re-enabled. You should specifically request that VMware Support "re-initialize the license" for your installation.

Administer the Manager

The Manager was developed to require as little maintenance and administration as possible.

The following topics describe how to customize and configure some of the advanced features of the Manager.

Configuration Tool

Use the VMware NSX Network Detection and Response configuration tool, lastline_setup, to administer and manage the Manager.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.

Run the help option

To view all the supported options, type help.

-> help
Documented commands (type help <topic>):
========================================
EOF                                    email_relay_port
analysis_max_upload_filesize_mb        email_relay_username
analysis_queue_backlog                 email_sender_address
anonvpn_dns_server_ip                  exit
anonvpn_mode                           failover_multicast_address
anonvpn_upstream_gateway_ip            failover_multicast_port
anonvpn_upstream_ifname                failover_virtual_ip
appliance_state                        fqdn
appliance_uuid                         ha_active_priority
cloud_analysis                         ha_password
cloud_analysis_push_download_metadata  heartbeats
cloud_analysis_push_download_source    help
cloud_analysis_query_url_reputation    https_proxy
data_retention_code                    image_brand_replacement
data_retention_generated_files         license_api_token
data_retention_memory_dumps            license_key
data_retention_process_dumps           llama_images_server_override
data_retention_screenshots             monitoring_user_password
data_retention_traffic_captures        network
data_retention_uploads                 new_monitoring_user_password
data_retention_webpages                ntp_server
disable_report_commenting              ntp_servers
disable_support_channel                offline_mode
edit                                   save
email_relay_host                       show
email_relay_password                   text_brand_replacement

Tip:

For any option, type the first few unique characters of its name then type Tab. The lastline_setup command will auto-complete the name for you.

View help details

To view a detailed description of individual options, type help topic, where topic is the name of a specific option.

-> help network
 network <variable> [<new-value>]
        Get/set network settings.
            network interface <iface>: interface used for network access
            network method dhcp|static: use DHCP or static IP address
                configuration for network access
        When static configuration is used, these values must also be set:
            network address <address>: IPv4 address of the interface
            network netmask <netmask>: dotted-quad netmask for the address
            network gateway <gateway>: default gateway for network access; if
                specified value is -, set gateway to None
            network dns_nameservers <nameserver> ...: space-separated list of
                DNS nameservers, if specified value is -, set dns_nameservers to
                None

Exit the configuration tool
To quit from the configuration tool without saving your changes, type exit.
```
-> exit
lastline@lastline-manager:~$
```

Important:

If you encounter an error running any of the lastline_setup command options, make a note of the error message returned and contact VMware Support.

Network Configuration

You can easily change the network configuration of the Manager. This may be needed if its assigned IP address changes (for example, upon a reconfiguration of the network).

Reconfigure for DHCP

To enable a network configuration using DHCP, use the network option of the lastline_setup command.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.

Check the network settings

To check the current network settings, type network.

-> network
network dns_nameservers = 8.8.8.8 8.8.4.4
network gateway = 10.0.2.2
network netmask = 255.255.255.0
network address = 10.0.2.15
network interface = eth0
network method = static

Enable DHCP configuration for network access
To enable DHCP addressing, type network method dhcp.
```
-> network method dhcp
network method = dhcp  # changed; original value: static
```
Save the configuration
After you provide all the required parameters, save your configuration.
```
-> save
```

Reconfigure for Static Addressing

To enable a network configuration using a static IP, you must provide values for the address, netmask, gateway, and dns_nameservers parameters. Use the network options of the lastline_setup command to make these changes.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.
Check the network settings
To check the current network settings, type network.
```
-> network
network interface = eth0
network method = dhcp
```
Enable static configuration for network access
To enable a static IP address, type network method static.
```
-> network method static
network method = static  # changed; original value: dhcp
```
Set the network address
To set the IP address, type network address ip_address. Use an IPv4 address of four octets.
```
-> network address 10.0.2.15
network address = 10.0.2.15  # changed; original value:
```
Set the netmask
To set the netmask, type network netmask netmask. Use an IPv4 netmask of four octets.
```
-> network netmask 255.255.255.0
network netmask = 255.255.255.0  # changed; original value:
```
Set the gateway address
To set the gateway IP address, type network gateway ip_address. Use an IPv4 address of four octets.
```
-> network gateway 10.0.2.2
network gateway = 10.0.2.2  # changed; original value:
```
Set the DNS server address(es)
To set the DNS server IP address, type network dns_nameservers ip_address [ip_address]. Use an IPv4 address of four octets for each address.
```
-> network dns_nameservers 10.2.1.1 10.2.2.1
network dns_nameservers = 10.2.1.1 10.2.2.1  # changed; original value:
```
Save the configuration
After you provide all the required parameters, save your configuration.
```
-> save
```

Reconfiguration After Network Update

After a new network address has been assigned to Manager (for example, after changing the static network address), the new configuration must be applied to all software on the host.

Login to the console

Login to the console using the username lastline and its current password.
Run the reconfiguration command
Execute the lastline_apply_config command, which will apply the new network address.
```
lastline@lastline-manager:~$ lastline_apply_config
```
Note:
If you are prompted for the sudo password, use the password for the default lastline user account.

SMTP Configuration

Manager can be configured to send notifications or reset account passwords via email. To configure the way emails are sent, use the email options of the lastline_setup command.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.
Specify the SMTP relay host
To specify an SMTP relay host for delivering email messages, type email_relay_host fqdn.
```
-> email_relay_host smtprelay.example.com
email_relay_host = smtprelay.example.com  # changed; original value:
```
Specify the SMTP relay port
To specify the port the SMTP relay host is listening on, type email_relay_port portnumber.
```
-> email_relay_port 25025
email_relay_port = 25025  # changed; original value:
```
Specify the SMTP user
To specify the username to use when authenticating to the SMTP relay host (if required), type email_relay_username username.
```
-> email_relay_username admin
email_relay_username = admin  # changed; original value:
```
Specify the SMTP password
To specify the password to use when authenticating to the SMTP relay host (if required), type email_relay_password password.
```
-> email_relay_password adminpassword
email_relay_password = adminpassword  # changed; original value:
```

Specify the SMTP address

To specify the address from which to send emails, type email_sender_address emailaddress.

-> email_sender_address admin@example.com
email_sender_address = admin@example.com  # changed; original value:

Save the configuration
After you provide all the required parameters, save your configuration.
```
-> save
```

Configure Analysis Traffic Routing

The Manager is configured by default so that traffic generated inside the VMware NSX Network Detection and Response analysis sandbox is routed to the Internet via a secure tunnel. This tunnel enables anonymizing the public IP of client connections, hence the component name, AnonVPN (Anonymization VPN). In addition to anonymizing the public IP, AnonVPN periodically rotates the IP with which connections to the Internet are made to avoid getting marked as malicious and blocked by third-party software when connecting to malware command-and-control infrastructure. The tunnel also prevents malware running inside the sandbox from accessing services in the local network. By routing traffic to outside the local network, only services reachable via public IPs are accessible to programs running inside the sandbox.

If you do not want to make use of the AnonVPN feature, the lastline_setup configuration utility allows you to specify a custom method for routing network connections with its anonvpn_mode option. The following three values are supported:

lastline — Analysis traffic is routed via a secure tunnel using the default configuration.
honeypot — Analysis traffic is not routed to the Internet. Instead any connections established inside the sandbox are redirected to a honeypot on the appliance.
custom — Analysis traffic is routed via a dedicated interface that you have configured.

Configure Default AnonVPN

Manager uses a VPN to route traffic originating in the analysis sandbox. The VPN only routes outgoing connections and response packets. Thus, the VPN blocks any in-bound connections.

Note:

The AnonVPN configuration routes analysis traffic from Engine appliance to the Internet via Manager. Thus, AnonVPN only needs to be configured centrally on Manager.

The lastline option is the default and only needs to be configured if you had previously chosen one of the other options.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.
Specify the default VPN connection
To enable AnonVPN in lastline mode, type anonvpn_mode.
```
-> anonvpn_mode lastline
anonvpn_mode = lastline  # changed; original value:
```
Save the configuration
After you provide all the required parameters, save your configuration.
```
-> save
```

Configure Honeypot AnonVPN

The system supports the analysis of artifacts in a completely isolated network, without any outgoing connectivity. Because programs often require access to certain services on the Internet to function, the system emulates a set of services that use well-known protocols, such as (but not limited to) DNS, FTP, HTTP, HTTPS, and SMTP.

Any outgoing traffic using an unknown protocol is blocked to avoid accessing services in the local network.

Note:

In honeypot mode, the analysis of URLs in the sandbox will fail. Since no traffic is allowed on the Internet, when the analysis engine attempts to access a URL that was submitted for analysis, it is unable to open the connection to the URL, and reports an error. As a consequence, the URL analysis fails and no report is generated.

When running a honeypot without connectivity to the VMware backend, you should disable the cloud analysis component to avoid waiting for analysis metadata. See Configure Cloud Analysis for further details.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.

Specify the honeypot VPN connection

To enable AnonVPN in honeypot mode, type anonvpn_mode.

-> anonvpn_mode honeypot
anonvpn_mode = honeypot  # changed; original value: lastline

Save the configuration
After you provide all the required parameters, save your configuration.
```
-> save
```

Configure Custom AnonVPN

To customize routing of analysis traffic, you must configure a dedicated network interface on Manager using the /etc/network/interfaces configuration file. This configuration file is documented in the Ubuntu man-pages.

This interface can be a physical interface (such as eth3) or a virtual interface (such as an OpenVPN tunnel interface tun0). This interface has the following requirements:

The configuration must happen via /etc/network/interfaces.
The interface must use IPv4.
The interface either uses a static IP or must be configured to invoke /etc/anonvpn/routing_interface_up.sh command when the interface is assigned an IP address. This command is needed to trigger setup of packet routing. For OpenVPN connections this command can be invoked using the --up parameter.
The interface must not be called llanonvpn0 or llanonvpn1 as these interface names are reserved for connecting Engine appliances to the local system or for interfaces in AnonVPN lastline mode.

In addition to the interface configuration, you must provide the following information to enable custom routing:

DNS server IP address — The IPv4 address of the DNS server which will be used for resolving domains inside the analysis sandbox. The DNS server must be reachable over the provided interface. DNS requests from the analysis engine will be routed over the same link as other analysis traffic.
Gateway IP address — The IPv4 address of the gateway for routing packets on the custom interface. The gateway address must not be configured via /etc/network/interfaces to avoid routing non-analysis traffic via this interface.

Note:
The gateway is optional for point-to-point connections, such as connections established through OpenVPN.

Manager uses custom VPN connection to route traffic originating in the analysis sandbox. The VPN only routes outgoing connections and response packets. Thus, the VPN blocks any in-bound connections.

To switch AnonVPN to using the custom network interface, ensure that the interface is up (use ifup <interface-name>, for example, ifup tun0) and then use the anonvpn options of the lastline_setup command.

Important:

It is possible to route analysis traffic via the primary network interface on Manager. This configuration is highly discouraged as it gives a sample under analysis full access to the local network. It is your responsibility to block any potentially malicious connections routed this way. The routing of analysis traffic via a custom network interface does not use a proxy even if one is configured.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.

Specify a custom VPN connection

To enable AnonVPN in custom mode, type anonvpn_mode.

-> anonvpn_mode custom
anonvpn_mode = custom  # changed; original value: honeypot

Specify the interface for the VPN connection
To select the interface to use for the custom VPN connection, type anonvpn_upstream_ifname interface-name.

When using a virtual interface, for example OpenVPN:
```
-> anonvpn_upstream_ifname tun0
anonvpn_upstream_ifname = tun0  # changed; original value:
```
When using a physical interface:
```
-> anonvpn_upstream_ifname eth3
anonvpn_upstream_ifname = eth3  # changed; original value: tun0
```
Specify the DNS server for the VPN connection
To select the DNS server to use for the custom VPN connection, type anonvpn_dns_server_ip ip_address. Use an IPv4 address of four octets. For example, 8.8.4.4 for the public Google DNS servers.
```
-> anonvpn_dns_server_ip 8.8.4.4
anonvpn_dns_server_ip = 8.8.4.4  # changed; original value:
```
Specify the gateway for the VPN connection
You must specify a gateway when you use a physical interface for the custom VPN connection. It is optional for virtual interfaces. To select the gateway, type anonvpn_upstream_gateway_ip ip_address. Use an IPv4 address of four octets.
```
-> anonvpn_upstream_gateway_ip 10.0.0.1
anonvpn_upstream_gateway_ip = 10.0.0.1  # changed; original value:
```
Save the configuration
After you provide all the required parameters, save your configuration.
```
-> save
```

Update Fully Qualified Domain Name

You can update the FQDN of the Manager. This also creates a new self-signed certificate associated with the FQDN.

Note:

For a high-availability configuration, you must copy the certificate and private keys to the Standby Manager (see Update Active Manager FQDN for detailed instructions), and then set the corresponding FQDN on the Standby Manager.

Important:

After you complete the following steps, you must update all the VMware NSX Network Detection and Response appliances managed by Manager to use the new FQDN. Refer to Update On-Premises Manager FQDN in the respective appliance installation guides.

Login to the console

Login to the console using the username lastline and its current password.
Run the registration process with the change FQDN option
Execute the lastline_register command, providing the new local FQDN for the Manager in its arguments. This updates the original FQDN as shown in Register the Manager, 5.
```
lastline@lastline-manager:~$ lastline_register --change-local-fqdn new_manager.lastline.example.com
```
Note:
If you are prompted for the sudo password, use the password for the default lastline user account.
The command generates a new self-signed certificate. If needed, you can replace the certificate.

Configure the Analysis Upload-Size Limit

By default, the VMware NSX Network Detection and Response rejects uploads of files for analysis that are larger than 10 MB. This value provides a reasonable compromise between the ability to analyze the vast majority of malicious artifacts and having to store overly large files. If required, you can modify this limit up to 200 MB.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.
Modify the size limit for uploads
To modify the size limit for files that can be uploaded, type analysis_max_upload_filesize_mb size. Specify the size which can be from 10 through 200.
```
-> analysis_max_upload_filesize_mb 200
analysis_max_upload_filesize_mb = 200  # changed; original value:
```
Save the configuration
After you provide all the required parameters, save your configuration.
```
-> save
```

Configure Data Retention

The VMware NSX Network Detection and Response tracks all of the stored files on the appliance and issues a notification through the User Portal interface when usage of the local file-system disk exceeds certain thresholds.

Periodically, large analysis artifacts (such as the metadata that an analysis generates), are deleted according to data-retention policies that can be updated using the lastline_setup command. The following is a full list of data-retention options:

data_retention_uploads — Files uploaded for analysis.
data_retention_screenshots — Screenshots taken during the dynamic analysis of a file submitted for analysis.
data_retention_traffic_captures — Network traffic captured during the dynamic analysis of a file submitted for analysis.
data_retention_generated_files — Files generated by a program during the dynamic analysis of a file submitted for analysis.
data_retention_memory_dumps — Memory allocation by a program during the dynamic analysis of a file submitted for analysis.
data_retention_process_dumps — Full-process snapshot of a program during the dynamic analysis of a file submitted for analysis.
data_retention_webpages — Web-page content captured during the analysis of a URL submitted for analysis.
data_retention_code — Web-code captured during the analysis of a URL submitted for analysis.

To avoid specific file-types from being affected by the data-retention policies, you can use the value unlimited (or 0).

The following steps show how to define your configuration to discard files generated during an analysis run after 90 days, but to keep files uploaded for analysis indefinitely:

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.
Modify the retention for generated files
To retain generated files to 90 days, type data_retention_generated_files 90.
```
-> data_retention_generated_files 90
data_retention_generated_files = 90 days  # changed; original value:
```
Modify the retention for uploaded files
To retain uploaded files indefinitely, type data_retention_uploads unlimited.
```
-> data_retention_uploads unlimited
data_retention_uploads = unlimited  # changed; original value:
```
Save the configuration
After you provide all the required parameters, save your configuration.
```
-> save
```

Configure Cloud Analysis

The VMware NSX Network Detection and Response cloud analysis component extends analysis results generated in the local On-Premises installation by querying and sharing data with the VMware backend.

This component allows an individual installation to contribute to and benefit from the global intelligence collected by VMware, Inc.. As a consequence, the analysis results generated when cloud analysis is enabled may be more accurate and may contain additional pieces of information (such as, file origin information, threat classification, more up-to-date analysis results). At the same time, sharing data with VMware, Inc. may not be desirable or even allowed in certain situations. Therefore, the cloud analysis component offers a number of configuration options to let you decide exactly what information gets shared.

cloud_analysis — When this option is enabled, your installation shares the hashes (MD5, SHA1, and SHA256) of the analyzed artifacts with the VMware backend. For file artifacts, the actual content is not uploaded to the VMware backend.
cloud_analysis_push_download_source — When this option is enabled, your installation shares the IP address and hostname of the server where the artifact was downloaded from with the VMware backend.
cloud_analysis_push_download_metadata — When this option is enabled, your installation shares the URL where the artifact was downloaded from (HTTP, FTP, and SMB downloads) with the VMware backend. In the case of HTTP downloads, the referrer information is also shared, if available.
cloud_analysis_query_url_reputation — When this option is enabled, your installation queries the VMware backend for metadata that can be included in the URL classification. Note that the full URL is shared with the VMware backend.

When the analysis system detects a malicious file or URL, it is possible to notify the VMware backend about the detection by uploading the artifact content. Sharing this information helps us and the security community by increasing the global intelligence, while limiting your sharing to malicious files minimizes the risk of exposing sensitive files.

To configure the sharing of malicious files, review the Data sharing tab of the Appliances → Configuration pages provided by the User Portal running on your Manager.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.
Disable sharing hashes
The sharing of hashes with the VMware backend can be disabled by typing cloud_analysis off.
```
-> cloud_analysis off
cloud_analysis = off  # changed; original value: on
```
Disable sharing download details
The sharing of artifact source details with the VMware backend can be disabled by typing cloud_analysis_push_download_source off.
```
-> cloud_analysis_push_download_source off
cloud_analysis_push_download_source = off  # changed; original value: on (value not set)
```
Disable sharing artifact origin details
The sharing of artifact origin details with the VMware backend can be disabled by typing cloud_analysis_push_download_metadata off.
```
-> cloud_analysis_push_download_metadata off
cloud_analysis_push_download_metadata = off  # changed; original value: on (value not set)
```
Enable querying URL metadata
Querying the VMware backend for URL metadata can be enabled by typing cloud_analysis_query_url_reputation on. By default, this option is off.
```
-> cloud_analysis_query_url_reputation on
cloud_analysis_query_url_reputation = on # changed; original value: off (value not set)
```
Save the configuration
After you provide all the required parameters, save your configuration.
```
-> save
```

Configure the Analysis Queue

In certain situations, it can be convenient to automatically drop tasks scheduled for analysis from the queue. This way even systems with limited resources can guarantee analyzing submitted artifacts in a timely manner, even when temporarily overloaded with a large number of submission.

The VMware NSX Network Detection and Response allows this by a configuration option that automatically deletes tasks from the analysis queue that have been pending for more than the specified number of days.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.
Specify the number of days of the analysis queue backlog
To specify the number of days tasks may remain in the analysis queue backlog, type analysis_queue_backlog days.
```
-> analysis_queue_backlog 12
analysis_queue_backlog = 12 days  # changed; original value: unlimited
```
The default is unlimited. Typing this option without an argument displays its current value.
Save the configuration
After you provide all the required parameters, save your configuration.
```
-> save
```

Configure Remote Assistance

By default, VMware NSX Network Detection and Response provides a mechanism to allow the VMware Support team to perform remote administration assistance on your Manager, when requested. You can disable this access with the lastline_setup command.

Note:

Should you need to contact VMware Support, the VMware, Inc. technician will probably request that you temporarily re-enable the support channel.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.
Disable VMware Support remote access
To disable VMware Support access to your appliances, type disable_support_channel true.
```
-> disable_support_channel true
disable_support_channel = true  # changed; original value:
```
Save the configuration
After you provide all the required parameters, save your configuration.
```
-> save
```

Enable the monitoring user

The Manager has a monitoring user who can access the system using console or via SSH (password only without using the SSH key). To enable the monitoring user, use the monitoring_user_password option of the lastline_setup command.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.
Enable the monitoring user
To enable the monitoring user, type monitoring_user_password password.
```
-> monitoring_user_password s3cretP4ssw0rd
```
Your password selection must meet the requirements specified on the passwd command man page.
If you type the monitoring_user_password option without an argument, the status of the monitoring user is displayed.
```
-> monitoring_user_password
monitoring_user_password: enabled; pending password change
```
To subsequently disable the monitoring user account, use the dash (-) argument:
```
-> monitoring_user_password -
```
Save the configuration
After you provide all the required parameters, save your configuration.
```
-> save
```

Once the monitoring user is enabled, you can SSH to the Manager using that account:

server# ssh monitoring@ip_appliance
monitoring@ip_appliance's password: 

...

monitoring@lastline-manager:~$

Enable Password-Based SSH Authentication

The Manager supports specifying users who can access the system using console or via SSH (password only without using the SSH key). To enable existing users to authenticate with password-based SSH use the enable_additional_password_auth_ssh_usernames option of the lastline_setup command.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.
Enable password-based SSH authentication for one or many users
To enable password-based SSH authentication, type enable_additional_password_auth_ssh_usernames username.
```
-> enable_additional_password_auth_ssh_usernames ghopper
          
```
Multiple users can be specified as a comma-separated list, such as: enable_additional_password_auth_ssh_usernames ghopper,aturing.

Note: The users need to exist before enabling password-based SSH authentication.

Your password selection must meet the requirements specified on the passwd command man page.
If you type the enable_additional_password_auth_ssh_usernames option without an argument, the list of users who can use password-based SSH authentication is displayed.
```
-> enable_additional_password_auth_ssh_usernames
enable_additional_password_auth_ssh_usernames = ghopper
```
To remove all users (with the exception of the monitoring user, if enabled), use the dash (-) argument:
```
-> enable_additional_password_auth_ssh_usernames -
```
Save the configuration
After you provide all the required parameters, save your configuration.
```
-> save
```

Once the user has been added, you can SSH to the Manager using that account:

server# ssh ghopper@ip_appliance
ghopperg@ip_appliance's password:

...

ghopper@lastline-manager:~$

Manage Engine Appliances

In certain deployment scenarios it can be useful to disable a subset of Engine appliances from processing analysis tasks. For this purpose, the system provides a utility for marking individual Engine appliances as inactive, meaning that they will not be assigned any work.

Use the lastline_configure_engine_availability command to obtain a list of Engine appliances, to mark specific appliances as inactive, and to re-enable appliances that have been previously disabled.

Obtain a list of appliances
To obtain a list of Engine appliances, type the lastline_configure_engine_availability command.
```
lastline@lastline-manager:~$ sudo lastline_configure_engine_availability list
[sudo] password for lastline: 

...
```
Select Engine appliance to reconfigure
Select the Engine appliance from the list. Use the set inactive option to disable it.
```
lastline@lastline-manager:~$ sudo lastline_configure_engine_availability set inactive engine1
[sudo] password for lastline: 

...
```
Note:
You can select more than one appliance with this option. For example, set inactive engine1 engine2 [...]

To re-enable processing of analysis tasks, specify the appliance using the set inactive option.

Note:
An appliance marked as inactive continues to receive software, security, and sandbox image updates if it is so configured.

Configure VMware ESXi HA for Virtualized Manager

Note:

You can configure high availability (HA) using either vSphere HA settings or the Active-Standby settings in the VMware NSX Network Detection and Response. Both settings cannot be configured simultaneously.

Install the Manager on VMware VMware ESXi. You must ensure the VM meets the minimum hardware specifications for the class of appliance. See Hardware Specifications for details.

Create a virtual machine and configure vSphere HA settings.

Create a new virtual machine

Using the VMware ESXi vSphere client 7.0 update 3, create a virtual machine and configure it to meet the requirements of the Manager. Follow the steps as described in the Install on VMware ESXi section.
Configure vSphere HA settings

For details, see vSphere HA documentation https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.avail.doc/GUID-5432CA24-14F1-44E3-87FB-61D937831CF6.html.

Enable Active-Standby

To support an active-standby configuration, the VMware NSX Network Detection and Response system can deploy two Manager appliances operating in parallel. One Manager, referred to as the active Manager is the primary appliance handling user requests and communication with Sensor and Engine appliances. The secondary Manager, referred to as the standby Manager, synchronizes all data from the active Manager to allow it to seamlessly take over operation of the active Manager in case of critical software or hardware failures.

Active-Standby Prerequisites

Before you can configure Manager for an active-standby environment, you must ensure the following requirements are met:

Define a fail-over virtual IP address. A virtual IP address allows the standby Manager to seamlessly take over from the active Manager.
If you do not use a virtual IP address, you should modify your DNS setup to respond quickly to name record changes to the IP address of Manager. This can be achieved, for example, by using short DNS TTL (time-to-live) values.
Ensure you have console access to both the active and standby Manager appliances.
The name of the default network interface on both the active and standby Manager appliances must be at most 10 characters. The kernel limits IP address labels to 15 characters, and a 5-character suffix will be added to identify the virtual IP address.

Configure a Fail-over Virtual IP Address

VMware strongly recommends that you configure a shared virtual IP address for the active and standby Manager. This IP address does not correspond to a physical address and can switch from one manager to the other. Initially associated with the active Manager, the virtual IP is automatically moved to the standby Manager on takeover so that requests to the virtual IP address can be seamlessly served first by the former active Manager, then by the new active Manager as soon as the takeover process is completed.

To function correctly, the virtual IP address has to be in a subnet range common to both the active and standby Manager, must be configured on both appliances, and must be the same on both appliances.


Important: To enable seamless fail-over, you must ensure that all the VMware NSX Network Detection and Response appliances that are managed by the active and standby Manager are reconfigured to use the virtual IP address you define.

Note:

If an Engine appliance is not registered to the Manager Virtual IP configured in lastlinesetup-> failover_virtual_ip, the Engine will report _Error: Traffic Routing Check Upstream: Running check on interface llanonvpn0 reported error, repair failed: Failed to resolve interface address. To change the FQDN or IP use step 4 listed in Update Active Manager FQDN.

Important:

The use of DHCP to assign network addresses to the Manager can interfere with the internal mechanism that is used to manage the shared virtual IP address. Therefore, we highly recommend you use a static address configuration when deploying an active-standby environment. You can reconfigure Manager to use static IP addresses.

Warning:

The tools used for managing the shared virtual IP use multicast UDP packets for communication between active and standby Manager appliances. The IP multicast datagrams are sent with a TTL of 1 to restrict communication to nodes in the same subnet. You can configure the multicast address and port used for this purpose using the failover_multicast_address and failover_multicast_address options of the lastline_setup command.

If not explicitly set, the default multicast socket 226.94.1.1:5405 will be used.

Check that this configuration is the same on both active and standby Manager by using the show option of the lastline_setup command.

It is also very important to avoid having the same multicast address/port configuration on more than one active-standby pair in the same subnet, as it will lead to conflicts. This is because when using the same multicast configuration, active-standby pairs will receive multicast packets from other active-standby pairs in the same subnet and interfere with each other.

If you configure the multicast address and port differently for each pair, you can have multiple active-standby pairs in the same subnet.

Start the configuration tool
Execute the lastline_setup command.
```
lastline@lastline-manager:~$ lastline_setup
```
If you are prompted for the sudo password, use the password for the default lastline user account.
Define the virtual IP address
To define the fail-over virtual IP address, type failover_virtual_ip ip_address. Provide an IP address in a common subnet range.
```
-> failover_virtual_ip 10.0.2.42
failover_virtual_ip = 10.0.2.42  # changed; original value:
```
Note:
When you are setting up DNS, instead of using the IP address of the active Manager, ensure the resolver uses the configured virtual IP address.

Priority and password

User Portal implements the keepalived daemon to manage its active/standby capability. The Virtual Router Redundancy Protocol (VRRP) underpins failover. It consists of a finite state machine providing low-level, high-speed interactions.

In most cases, the active/standby processes are managed transparently. However, there are a couple of toggles that you need to be aware of:

Priority
Password

Priority

The system automatically elects the primary active Manager. This process determines the ownership of the shared virtual IP (VIP) address in the active/standby configuration.

After 48 takeovers, the active Manager will have the maximum supported priority for the purposes of electing which host owns the VIP address. This can create a problem when setting up a new standby Manager. In this scenario, you should use the ha_active_priority option of the lastline_setup command to set a lower value (at least 2; the initial default is 4) before you replicate the active Manager.

When manually changing ha_active_priority for an existing active/standby pair, you should take care to ensure that the same value is set for both systems. In order to maintain continuous service, modifications should be performed in the following order:

Increase ha_active_priority on the active Manager first, then on the standby Manager.
Decrease ha_active_priority on the standby Manager first, then on the active Manager.

The syntax of the ha_active_priority option is as follows:

ha_active_priority [= priority | -]

With no argument, display the current value of ha_active_priority. If an argument is provided, set ha_active_priority to the specified value. If the argument is - (dash), clear (unset) ha_active_priority.

Password

A password for the VRRP instance is automatically generated on the active Manager and propagated to the standby Manager (assuming failover_virtual_ip was set before you replicated the active Manager). Typically you do not need to alter this password.

However if you desire a different password, use the ha_password option of the lastline_setup command. You must run this on both the active and standby Manager. The syntax of the ha_password option is as follows:

ha_password [= password | -]

With no argument, display the current ha_password (displayed as ***). If an argument is provided, set ha_password to the specified value. If the argument is - (dash), clear ha_password (set to empty value).

Reconfigure the Existing Manager

Reconfigure your existing Manager to prepare it to become the active Manager in an active-standby environment. The following steps need to be performed on the original Manager before setting up the standby Manager:

Backup Manager

Configure a full backup or essentials-only backup on Manager and ensure it has completed at least once prior to installing the standby Manager. This backup is used during the initial installation of the standby Manager.

Note:
Refer to the Backup guide (see the online help on the User Portal: Admin pages→Backup page) for instructions on how to configure and perform a backup of the Manager.

Note:
You can speed the backup process by choosing an essentials-only backup. With an essentials-only backup, only files from the backend database are backed up. PCAP and analysis files are not backed up.

You can perform an essentials-only backup by going to the Admin pages→Backup page→Configure backups tab and then enabling the Essential files only toggle.

If during the backup process, you have a problem with the active Manager experiencing high load and delayed processing events, performing an essentials-only backup may help resolve the problem.

Obtain the restore passphrase

Execute the lastline_restore_point_create command.

lastline@lastline-manager:~$ lastline_restore_point_create
[sudo] password for lastline:

Restore point passphrase: passphrase

Please keep this passphrase secure. You will need to provide it
when initializing an appliance for appliance stand-by or forensic
mode.

Make a note of the passphrase produced by the command. This passphrase is required during the installation of the standby Manager.

Install Standby Manager

To install and configure the standby Manager, perform the following steps:

Install the base system

Follow the steps in Base System Installation. Wait for the system to install and reboot.
Login to the server console

Login to the console using the username lastline and its current password.

Important:
The default user is lastline and its password is lastline. For your security and protection, you should change the default password. Your password selection must meet the requirements specified on the passwd command man page.
Start the registration process in expert mode
To start and registration process for the standby Manager, run the lastline_register command in expert-mode. If you are prompted for the sudo password, use the password for the default lastline user account.
```
lastline@lastline-manager:~$ lastline_register --expert-mode
```
Select the standby Manager

The registration process prompts you to select the "Manager Appliance Mode". Your choice is "High-Availability: Active Manager" or "High-Availability: Standby Manager".

Select "High-Availability: Standby Manager". Then select <Ok> or press Enter.
Configure an NTP server

Enter the FQDN or IP address of the NTP server used by active Manager.

To continue, select <Ok> or press Enter.
Define active Manager

The registration process prompts you to provide the "On-Premises Manager Address". Enter either the fully qualified domain name or IP address of the active Manager. Then select <Ok> or press Enter.
Accept active Manager SSL certificate

The registration process attempts to verify the SSL certificate for active Manager. Because VMware NSX Network Detection and Response appliances use self-signed SSL certificates, the verification check fails. The certificate is displayed and you are prompted to trust it. Select <Yes> to continue the registration.
Enter your VMware username and password

You are prompted for your VMware username. Enter it and then select <Ok> or press Enter. At the next prompt, enter your password and then select <Ok> or press Enter.
Enter the restore point passphrase

The registration process prompts you to provide the "Lastline Manager Restore Point Passphrase". Enter the passphrase you saved from the lastline_restore_point_create command (see "Reconfigure the Existing Manager", 2).

At this point the registration process prepares the system to support an active-standby pair.

Replicate Active Manager

To synchronize the active-standby pair, you must replicate a backup from the active Manager onto the new standby Manager. Use the lastline_restore_point_load command the perform this operation.

Start the restore process
To start the restore process onto the standby Manager, run the lastline_restore_point_load command.
```
lastline@lastline-manager:~$ lastline_restore_point_load
```
Note:
Running the lastline_restore_point_load command on the standby Manager is a lengthy and critical operation. If it should be interrupted, it can leave the appliance in an inconsistent state.

For this reason, we suggest you run the lastline_restore_point_load command inside a tmux or screen session.

For example, start a tmux session on the standby Manager, then run the lastline_restore_point_load command.
```
lastline@lastline-manager:~$ tmux
```
In addition, use a separate terminal to monitor the session to a log file:
```
lastline@lastline-manager:~$ tmux pipe-pane -o -t session_id "cat > filename.log"
```
Use the tmux ls command to acquire the session_id of the first session.

For the screen command, use its -L option to log the current session.
```
lastline@lastline-manager:~$ screen -L
```
Select the storage to use
The restore process displays a list of available storage. Select the appropriate storage.
```
Please enter the number of storage to use: 1
```
Select the host number to use
The restore process displays a list of hosts with data in that storage. Select the appropriate host number.
```
Please enter the number of the hostname to use: 1
```
Select which backup to use
The restore process displays a list of available backups. Select the appropriate backup number.
```
Please enter the number of the backup to use: 1
```

When the restore process completes, all of the data from the active Manager is synchronized onto the standby Manager.

Update Active Manager FQDN

If the FQDN of the active Manager changes, you must propagate this configuration onto the standby Manager.

Copy the new certificate

Copy the new certificates from /etc/puppet/files/ssl-cert/ on the active Manager to the same directory on the standby Manager. Ensure you copy both new-ssl-cert.pem and the new-ssl-cert.csr.
Copy the private key

Copy the private keys from /etc/puppet/private/ssl-priv-key/ on the active Manager to the same directory on the standby Manager. Ensure you copy both new-ssl-cert.key and the new-ssl-cert-pf.key.
Login to the console

On the standby Manager, login to the console using the username lastline and its current password.
Run the registration process
Execute the lastline_register command with the change-active-manager-fqdn option, providing the new FQDN for Manager as its argument.
```
lastline@lastline-manager:~$ lastline_register --change-active-manager-fqdn new_manager.lastline.example.com
```
Note:
If you are prompted for the sudo password, use the password for the default lastline user account.

Trigger Fail-over

In case of failure of the active Manager, the standby Manager will take over and become the new active Manager. Trigger this process with the following steps:

Shutdown active Manager

Ensure that active Manager has been shut down.

Activate the fail-over process

On standby Manager, run the lastline_takeover command.

lastline@lastline-manager:~$ lastline_takeover
> Are you sure you want to switch this Manager from standby to mode 'active'?

This operation cannot be undone! [y]|n: y
> Manager takeover done.
Logging to /var/log/lastline/lastline_apply_config-2018-05-30.14:30:42.log
Applying new configuration...
Applying configuration finished successfully.
lastline@lastline-manager:~$

Fail-over Using the UI

As an alternative, you can trigger the fail-over from your browser. Access the User Portal running on the standby Manager. Connect using its FQDN (for example, user.standby.lastline.example.com) or IP address. You must login with an account having administrative privileges (for example, the default lastline user account. The browser displays a Standby Manager page. Trigger the fail-over by clicking the Trigger Takeover button.

Click the Confirm Takeover button to start the fail-over process. If successful, a confirmation message is displayed.

Fail-over Process

If a shared virtual IP addressed had been previously configured on both active and standby Manager appliances, standby Manager will start serving requests on that address.

Otherwise, you must change the DNS setup such that the fully qualified domain name record of active Manager now points to the IP address of standby Manager.

Once the changes in the DNS system have been pushed out, Sensor and Engine nodes will contact Manager, which is now active.

Important:

After a fail-over has occurred and standby Manager has become the new active Manager, the full backup performed in "Reconfigure the Existing Manager", 1 can no longer be reused to setup the new standby Manager. Before you can setup the new standby Manager, a full backup of active Manager must first be performed.

If you plan to add additional Engine appliances to the new active Manager, you must download and install the malware analysis sandbox images. See Acquire Sandbox Images.

Test the Manager

Check the state of the Manager with the lastline_test_appliance command.

Start the test appliance tool
Execute the lastline_test_appliance command.
```
lastline@lastline-manager:~$ lastline_test_appliance
[sudo] password for lastline: 
> Lastline appliance check and fix utility.
> 
> Version 2.0
> 
> :Copyright:
>     Copyright 2014 Lastline, Inc.  All Rights Reserved.
...
```
The lastline_test_appliance command takes for a few minutes to perform its analysis of the Manager. When it is done, it provides a summary of the conditions it uncovered, if any.
Optional: Fix any reported configuration errors

The test appliance tool checks for signs of common configuration errors and can help you with fixing them.

Note:
Contact VMware Support if the test appliance tool displays an error that you cannot fix. Provide the error message that was displayed.

Disable Automatic Updates

VMware periodically releases appliance updates or hotfixes. By default, automatic updates are enabled on newly installed appliances. As long as the appliance has automatic updates enabled, these updates and fixes will transparently be applied to the system.

If you prefer to manually update the Manager, follow these steps to disable automatic updates.

Login to the Web UI

Using your Web browser, login to the Manager Web UI.
Access the Appliances page

From the Main navigation menu, click Admin. On the Admin page, select Admin from left sidebar menu. For most users, the Appliances page is displayed by default.
View the appliance configuration

On the Appliances page, click Configuration tab.
Optional: Select an appliance

If no appliance is currently selected, click the Appliance: None Selected link. From the Select Appliance pop-up tick the box for the appliance you want to use, then click Select Appliance.
Access the System tab

Click the System tab.
Disable automatic updates

Toggle the Auto Update button to Disabled.

The appliance will no longer automatically apply updates and hotfixes when released by VMware. You must apply those manually.

Manual Updates

If you have disabled automatic updates for your appliances you must apply updates and hotfixes manually.

Follow these steps to manually update an appliance.

Login to the Web UI

Using your Web browser, login to the Manager Web UI.
Access the Appliances page

From the Main navigation menu, click Admin. On the Admin page, select Admin from left sidebar menu. For most users, the Appliances page is displayed by default.
View the appliance status

On the Appliances page, click the Status tab.
Optional: Select an appliance

If no appliance is currently selected, click the Appliance: None Selected link. From the Select Appliance pop-up tick the box for the appliance you want to use, then click Select Appliance.
Update the selected appliance

To update an appliance, click the button and select Upgrade from the drop-down menu.

About Hardening

During the development process, steps were taken to lock down the Manager by default to help reduce any attack surfaces. These include:

Default Applications — All unnecessary applications included in the base Ubuntu server build have been removed from the system. What remains are the libraries and applications necessary for the normal functioning, routine maintenance, and troubleshooting of the Manager.
Default Firewall — The Manager image comes with Uncomplicated FIrewall (UFW) installed and configured to restrict inbound access to the system.
Security Patches — The system will install daily OS security updates by default. You can disable automatic updates.
Least privilege — VMware has taken care to ensure a paradigm of least privilege regarding the permissions of services and file system access.
Secure SSH — SSH is configured to use certificate-based authentication by default.
TLS encryption — Communications between the appliances are TLS encrypted.

Harden the Manager

We recommend the following guidelines for hardening the Manager after installation. These steps are not required, but they will allow you to further restrict access to your VMware NSX Network Detection and Response appliances.

Change the default user password

The default user is lastline. Your password selection must meet the requirements specified on the passwd command man page.
Use sudo for elevated privileges

Enabling the root user is strongly discouraged. Instead you should use the sudo command when you need elevated privileges. This ensures proper logging and auditing of activity on the appliance.

If you wish to further refine which commands a specific user can run, refer to the following pages on ubuntu.com to learn how to configure and use the sudo command: RootSudo, Sudoers, and sudo manpage.
Configure the support channel

VMware Support leverages the support channel to ensure your systems are functioning as intended. Should you wish to disable this, we recommend you re-enable it prior to submitting a support ticket. This will allow VMware Support to investigate issues and respond with a resolution more rapidly.

To disable/enable the support channel, see Configure Remote Assistance.
Configure the monitoring user

By default, the monitoring user is disabled. You enable the monitoring user using the monitoring_user_password option of the lastline_setup command. For logging and auditing purposes, we recommend that you do not share the monitoring user with multiple users.

Refer to Enable the monitoring user for further information about enabling the monitoring user.
Use per-user key-based SSH authentication

By default, the Manager is configured to utilize key-based authentication. We recommend that individual user accounts are configured on the appliance for anyone needing to carry out administrative tasks. Refer to this article on SSH.com for further information about key-based authentication.
Change iDRAQ password

If you have installed the Manager on one of the recommended Dell systems, these systems include an iDRAQ interface for remote management. The iDRAQ interface is configured with a default password. This password must be changed to prevent unauthorized access to the system console.

Hardware Specifications

The hardware certified for use with VMware NSX Network Detection and Response appliances is listed below:

Dell Hardware

Supported Dell Hardware


Manager
Server Model	Dell PowerEdge R450
CPU Type	Recommended: Intel® Xeon® Silver 4314 Minimum: Intel® Xeon® Silver/Gold/Platinum 2.0 GHz, 16 cores SSSE3 must be supported and enabled
CPU Quantity	1 CPU
Minimum RAM	96 GB
RAID Controller	Dell EMC PowerEdge RAID Controller (PERC) H745/H755 (with flash-backed cache)
RAID Configuration	RAID 10 Note: If the Dell website does not allow RAID 10 configuration from factory, purchase the server with RAID unconfigured and then manually create a RAID 10 virtual volume before software installation.
Persistent Storage	Recommended: 4 × 4 TB HDDs
Additional Network Card	None
Redundant Power Supply	Recommended for reliability
iDRAC9 Enterprise	Recommended for remote management and installation


Data Node
Server Model	Dell PowerEdge R450
CPU Type	Recommended: Intel® Xeon® Silver 4314 Minimum: Intel® Xeon® Silver/Gold/Platinum 2.0 GHz, 16 cores
CPU Quantity	1 CPU
Minimum RAM	96 GB
RAID Controller	Dell EMC PowerEdge RAID Controller (PERC) H745/H755 (with flash-backed cache)
RAID Configuration	RAID 10 Note: If the Dell website does not allow RAID 10 configuration from factory, purchase the server with RAID unconfigured and then manually create a RAID 10 virtual volume before software installation.
Persistent Storage	Recommended: 4 × 2 TB 10k RPM HDDs
Additional Network Card	None
Redundant Power Supply	Recommended for reliability
iDRAC9 Enterprise	Recommended for remote management and installation


Engine
Server Model	Dell PowerEdge R450
CPU Type	Recommended: Intel® Xeon® Silver 4314 Minimum: Intel® Xeon® Silver/Gold/Platinum 2.0 GHz, 16 cores, with Intel Virtualization Technology (VT-x) and Intel VT-x with Extended Page Tables (EPT)
CPU Quantity	1 CPU
Minimum RAM	128 GB Recommended: 4 GB per CPU virtual core
RAID Controller	Dell EMC PowerEdge RAID Controller (PERC) H745/H755 (with flash-backed cache)
RAID Configuration	RAID 1
Persistent Storage	Minimum: 2 × 1 TB HDDs
Additional Network Card	None
Redundant Power Supply	Recommended for reliability
iDRAC9 Enterprise	Recommended for remote management and installation


Sensor — 1G Networks
Server Model	Dell PowerEdge R450
CPU Type	Recommended: Intel® Xeon® Silver 4314 Minimum: Intel® Xeon® Silver/Gold/Platinum 2.0 GHz, 16 cores SSSE3 must be supported and enabled To achieve best performance from the appliance, IOMMU support must be enabled
CPU Quantity	1 CPU
Minimum RAM	64 GB
RAID Controller	Dell EMC PowerEdge RAID Controller (PERC) H745/H755 (with flash-backed cache)
RAID Configuration	RAID 1
Persistent Storage	Minimum: 2 × 1 TB HDDs
Additional Network Card	Intel i350 Quad Port 1GbE
Redundant Power Supply	Recommended for reliability
iDRAC9 Enterprise	Recommended for remote management and installation


Sensor — 10G Networks
Server Model	Dell PowerEdge R450
CPU Type	Recommended: Intel® Xeon® Silver 4314 Minimum: Intel® Xeon® Silver/Gold/Platinum 2.0 GHz, 16 cores SSSE3 must be supported and enabled To achieve best performance from the appliance, IOMMU support must be enabled
CPU Quantity	2 CPUs
Minimum RAM	128 GB
RAID Controller	Dell EMC PowerEdge RAID Controller (PERC) H745/H755 (with flash-backed cache)
RAID Configuration	RAID 1
Persistent Storage	Minimum: 2 × 1 TB HDDs
Additional Network Card	Intel X710 Dual Port 10GbE
Redundant Power Supply	Recommended for reliability
iDRAC9 Enterprise	Recommended for remote management and installation

Previously Supported Dell Hardware

The following Dell hardware are no longer supported.


Manager
Server Model	Dell PowerEdge R440
Chassis Type	Chassis with Hot-plug Hard Drives
CPU Type	Intel® Xeon® Silver 4114 — or better (minimum 12 threads/cores)
CPU Quantity	1 CPU
Minimum RAM	64 GB ECC RAM
RAID Controller	HW RAID10
RAID Configuration	PERC H730P+ RAID Controller PERC H740P RAID Controller PERC H750 RAID Controller
Minimum Persistent Storage	4 × 2 TB 7.2K RPM SATA 6Gbps 3.5in
Power Supply	Dual Hot-plug Power — Optional
iDRAC9 Enterprise	Optional
ProSupport Service Plan	Optional


Data Node
Server Model	Dell PowerEdge R440
Chassis Type	Chassis with Hot-plug Hard Drives
CPU Type	Intel® Xeon® Silver 4114 — or better (minimum 24 threads/cores)
CPU Quantity	1 CPU
Minimum RAM	64 GB ECC RAM
RAID Controller	HW RAID10
RAID Configuration	PERC H730P+ RAID Controller PERC H740P RAID Controller PERC H750 RAID Controller
Minimum Persistent Storage	2 × 1 TB SATA HDD
Power Supply	Dual Hot-plug Power — Optional
iDRAC9 Enterprise	Optional
ProSupport Service Plan	Optional


Engine
Server Model	Dell PowerEdge R440
Chassis Type	Chassis with Hot-plug Hard Drives
CPU Type	Intel® Xeon® Silver 4114 — or better (minimum 20 threads/cores)
CPU Quantity	1 CPU
Minimum RAM	96 GB ECC RAM
RAID Controller	HW RAID10
RAID Configuration	PERC H730P+ RAID Controller PERC H740P RAID Controller PERC H750 RAID Controller
Minimum Persistent Storage	2 × 1 TB SATA HDD
Power Supply	Dual Hot-plug Power — Optional
iDRAC9 Enterprise	Optional
ProSupport Service Plan	Optional


Sensor — 1G Networks
Server Model	Dell PowerEdge R440
Chassis Type	Chassis with Hot-plug Hard Drives
CPU Type	Intel® Xeon® Silver 4114 — or better (minimum 20 threads/cores)
CPU Quantity	1 CPU
Minimum RAM	32 GB ECC RAM
RAID Controller	HW RAID10
RAID Configuration	PERC H730P+ RAID Controller PERC H740P RAID Controller PERC H750 RAID Controller
Minimum Persistent Storage	2 × 1 TB SATA (7.2K RPM) HDD
Power Supply	Dual Hot-plug Power — Optional
Network Card	Intel Ethernet I350 Quad-Port 1Gb Server Adapter
iDRAC9 Enterprise	Optional
ProSupport Service Plan	Optional


Sensor — 10G Networks
Server Model	Dell PowerEdge R440
Chassis Type	Chassis with Hot-plug Hard Drives
CPU Type	Intel® Xeon® Silver 4114 — or better (minimum 20 threads/cores)
CPU Quantity	2 CPUs
Minimum RAM	128 GB ECC RAM
RAID Controller	HW RAID10
RAID Configuration	PERC H730P+ RAID Controller PERC H740P RAID Controller PERC H750 RAID Controller
Minimum Persistent Storage	2 × 1 TB SATA (7.2K RPM) HDD
Power Supply	Dual Hot-plug Power — Optional
Network Card	Intel Ethernet X710-DA2 10Gbps network card
iDRAC9 Enterprise	Optional
ProSupport Service Plan	Optional


All-In-One
Server Model	Dell PowerEdge R440
Chassis Type	Chassis with Hot-plug Hard Drives
CPU Type	Intel® Xeon® Silver 4114 — or better (minimum 20 threads/cores)
CPU Quantity	2 CPUs
Minimum RAM	128 GB ECC RAM
RAID Controller	HW RAID10
RAID Configuration	PERC H730P+ RAID Controller PERC H740P RAID Controller PERC H750 RAID Controller
Minimum Persistent Storage	4 × 2 TB 7.2K RPM SATA 6Gbps 3.5in
Power Supply	Dual Hot-plug Power — Optional
Network Card	Intel Ethernet X710-DA2 10Gbps network card
iDRAC9 Enterprise	Optional
ProSupport Service Plan	Optional


Analyst
Server Model	Dell PowerEdge R440
Chassis Type	Chassis with Hot-plug Hard Drives
CPU Type	Intel® Xeon® Silver 4114 — or better (minimum 12 threads/cores)
CPU Quantity	1 CPU
Minimum RAM	96 GB ECC RAM
RAID Controller	HW RAID10
RAID Configuration	PERC H730P+ RAID Controller PERC H740P RAID Controller PERC H750 RAID Controller
Minimum Persistent Storage	4 × 2 TB 7.2K RPM SATA 6Gbps 3.5in
Power Supply	Dual Hot-plug Power — Optional
iDRAC9 Enterprise	Optional
ProSupport Service Plan	Optional

HPE Hardware

Manager

HPE ProLiant DL360 Gen10:

Intel® Xeon® Silver 4114 2.2GHZ
64 GB RAM
4 × 2 TB in RAID 10 (6 Gbps SATA)
On-board NIC
HPE Smart Array P408i-p SR Gen10 storage controller
iLO advanced license

Data Node

HPE ProLiant DL360 Gen10:

Intel® Xeon® Silver 4114 2.2GHZ
64 GB RAM
4 × 2 TB in RAID 10 (SAS 10K RPM)
On-board NIC
HPE Smart Array P408i-p SR Gen10 storage controller
iLO advanced license

Engine

HPE ProLiant DL360 Gen10:

Intel® Xeon® Silver 4114 2.2GHZ
96 GB RAM
2 × 2 TB HDDs in RAID 1 (6 Gbps SATA)
On-board NIC
HPE Smart Array P408i-p SR Gen10 storage controller
iLO advanced license

Sensor — 1G Networks

HPE ProLiant DL360 Gen10:

Intel® Xeon® Silver 4114 2.2GHZ
32 GB RAM
2 × 2 TB HDDs in RAID 1 (6 Gbps SATA)
Intel I350 Quad port (or HPE 366T)
HPE Smart Array P408i-p SR Gen10 storage controller
iLO advanced license

Sensor — 10G Networks

HPE ProLiant DL360 Gen10:

2 × Intel® Xeon® Silver 4114 2.2GHZ
128 GB RAM
2 × 2 TB HDDs in RAID 1 (6 Gbps SATA)
Intel X710-DA2
HPE Smart Array P408i-p SR Gen10 storage controller
iLO advanced license

Analyst

HPE ProLiant DL360 Gen10:

2 × Intel® Xeon® Silver 4114 2.2GHZ
128 GB RAM
2 × 2 TB HDDs in RAID 1 (6 Gbps SATA)
On-board NIC
HPE Smart Array P408i-p SR Gen10 storage controller
iLO advanced license

Appendix

Setup command options

The lastline_setup command provides a number of configuration options that are used to administer and manage the VMware NSX Network Detection and Response appliances.

Command line arguments
Configuration options
Exit options

Command line arguments

The lastline_setup command supports the following command line arguments:

Help

-h, --help

Print the help message and exit.

Acquire lock

--lock-timeout TIME

The lastline_setup command has a configuration lock to prevent more than one user from accessing its database at the same time. Set the amount of TIME (in seconds) to allow for acquiring the lock. The default is 0 (zero) seconds.

Configuration options

The available options varies depending on the type of appliance. The Manager has an extensive set whereas the Sensor has fewer options. To view all the supported options for the current appliance, use the help option.

To view a detailed description of individual options, type help topic, where topic is the name of a specific option.

The lastline_setup command supports the following configuration options:

Maximum file upload size

analysis_max_upload_filesize_mb [= size]

Display or set the maximum file size (in MB) the system will accept for analysis. With no argument, display the current maximum file size allowance. If an argument is provided, set maximum file size allowance to the specified value. The argument size must be numeric.

Length of analysis queue

analysis_queue_backlog [= days | unlimited]

Display or set the number of days to keep unprocessed tasks in the analysis queue. With no argument, display the current number of days. The default is unlimited. If an argument is provided, set the number of days to the specified value. The argument days can numeric or unlimited (or 0).

AnonVPN DNS server

anonvpn_dns_server_ip [= IPaddr | -]

You can configure a DNS server specifically for AnonVPN to assist with anonymizing client connections.

Display or set the IP address for the DNS server for AnonVPN. With no argument, display the current IP address of the AnonVPN DNS server. If an argument is provided and is an IP address, set the DNS server to the specified value. You must provide a valid IPv4 address for the DNS service. This address must be reachable via the AnonVPN interface. If the argument is - (dash), clear (unset) the DNS server address.

AnonVPN mode

anonvpn_mode [= lastline | honeypot | custom | -]

Display or set the AnonVPN mode. With no argument, display the current setting. If an argument is provided and is one of lastline, honeypot, or custom, set the mode to the specified value.

If the value is - (dash), clear the mode (set to an empty value). This argument should not be used.

AnonVPN gateway

anonvpn_upstream_gateway_ip [= IPaddr | -]

Display or set the AnonVPN upstream gateway address. With no argument, display the current IP address of the gateway. If an argument is provided and is an IP address, set the gateway to the specified value. Any valid IPv4 address can be used for the gateway. This address must be in the same subnet as the IP address assigned to the AnonVPN interface. If the provided argument is - (dash), clear (unset) the gateway address.

This setting is not required for point-to-point tunnel connections (for example, OpenVPN).

AnonVPN interface

anonvpn_upstream_ifname [= interface | -]

Display or set the AnonVPN upstream interface. With no argument, display the current interface name. If an argument is provided, set the interface name to the specified value. You can specify any valid interface name other than llanonvpn0 or llanonvpn1. If the argument is - (dash), clear the interface name (set to an empty value).

Appliance state

appliance_state

Display the appliance state. For example, active, error, offline, etc.

Appliance UUID

appliance_uuid

Display the appliance UUID. For example, 0123456789abcdef0123456789abcdef.

Cloud analysis

cloud_analysis [= on | off]

Display or set analysis support. With no argument, display the current status. If an argument is provided, set cloud analysis support to the specified value. Possible values are on or off. When enabled, hashes (MD5, SHA1, and SHA256) of the analyzed artifacts are shared with the NSX Cloud.

Download metadata for cloud analysis

cloud_analysis_push_download_metadata [= on | off]

Display or set support to allow sending artifact metadata (download origin, filename, type, etc.) to the NSX Cloud. With no argument, display the current status. If an argument is provided, set the download support to the specified value. Possible values are on or off. When enabled, the URL the artifact was downloaded from (HTTP, FTP, and SMB downloads) is sent to the VMware backend.

Download URL for cloud analysis

cloud_analysis_push_download_source [= on | off]

Display or set support to allow sending artifact download origin to the NSX Cloud. With no argument, display the current status. If an argument is provided, set the download support to the specified value. Possible values are on or off. When enabled, the IP address and host name of the server the artifact was downloaded from are sent to the VMware backend.

Query URL reputation from cloud analysis

cloud_analysis_query_url_reputation [= on | off]

Display or set support to allow requesting URL reputation data from the NSX Cloud. With no argument, display the current status. If an argument is provided, set the URL classification support to the specified value. Possible values are on or off. When enabled, the VMware backend is queried for reputation metadata that can be used to classify a URL. The full URL is shared with the VMware backend.

Data retention for code

data_retention_code [= days | unlimited]

Display or set the number of days to retain Web-code captured during an analysis run of a submitted URL. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can numeric or unlimited (or 0).

Data retention for generated files

data_retention_generated_files [= days | unlimited]

Display or set the number of days to retain files generated by a program during a dynamic analysis run. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can numeric or unlimited (or 0).

Data retention for memory dumps

data_retention_memory_dumps [= days | unlimited]

Display or set the number of days to retain memory buffers allocated by a program during a dynamic analysis run. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can numeric or unlimited (or 0).

Data retention for process dumps

data_retention_process_dumps [= days | unlimited]

Display or set the number of days to retain full-process snapshots of a program during a dynamic analysis run. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can numeric or unlimited (or 0).

Data retention for screenshots

data_retention_screenshots [= days | unlimited]

Display or set the number of days to retain screenshots taken during a dynamic analysis run. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can numeric or unlimited (or 0).

Data retention for traffic captures

data_retention_traffic_captures [= days | unlimited]

Display or set the number of days to retain network traffic captured during a dynamic analysis run. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can numeric or unlimited (or 0).

Data retention for uploads

data_retention_uploads [= days | unlimited]

Display or set the number of days to retain files uploaded for analysis. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can numeric or unlimited (or 0).

Data retention for webpages

data_retention_webpages [= days | unlimited]

Display or set the number of days to retain Web page content captured during a dynamic analysis run. With no argument, display the current number of days. If an argument is provided, set the number of days to the specified value. The argument days can numeric or unlimited (or 0).

Comment on analysis reports

disable_report_commenting [= true | false | -]

Display or set the ability to comment on analysis reports. With no argument, display the current status. If an argument is provided, set the ability to comment to the specified value. Possible values are true or false. If the argument is - (dash), clear the field (this is the same as setting the value to false).

Disable the support channel

disable_support_channel [= true | false | -]

Display or set the support channel. With no argument, display the current status. If an argument is provided, set the support channel to the specified value. Possible values are true or false. The default (false) allows VMware Support to perform remote administration assistance at your request. If the argument is - (dash), clear the field (this is the same as setting the value to false).

Edit variables

edit [variable]

Edit the value stored for the entered variable. A prompt for entering a new value for the variable is displayed. If the variable being edited is a password variable, your input will not be displayed.

To view a list of the variables available for editing, run the edit option with no argument.

Email relay host

email_relay_host [= IPaddr | hostname | -]

Display or set the host name or IP address for the SMTP relay host. With no argument, display the current host. If an argument is provided, set the host to the specified value. If the argument is - (dash), clear (unset) the host. In this case, the VMware backend is used.

Email relay password

email_relay_password [= password | -]

Display or set the authentication password for the SMTP relay host. With no argument, display the current password. If an argument is provided, set the password to the specified value. If the argument is - (dash), clear (unset) the password.

Email relay port

email_relay_port [= port | -]

Display or set the port number for the SMTP relay host. With no argument, display the current port. If an argument is provided, set the port to the specified value. If the argument is - (dash), clear (unset) the port.

Email relay username

email_relay_username [= username | -]

Display or set the username for the SMTP relay host. With no argument, display the current username. If an argument is provided, set the username to the specified value. If the argument is - (dash), clear (unset) the username.

Email sender address

email_sender_address [= address | -]

Display or set the email address to be used for delivering email. With no argument, display the current email sender address. If an argument is provided, set the sender address to the specified value. If the argument is - (dash), clear (unset) the sender address.

Failover multicast address

failover_multicast_address [= address | -]

Display or set the multicast address needed by the tools used for managing the shared virtual IP between active and standby Manager in an active/standby configuration. With no argument, display the current value of the failover multicast address. If an argument is provided, set the address to the specified value. If the argument is - (dash), clear (unset) the failover multicast address.

Failover multicast port

failover_multicast_port [= address | -]

Display or set the multicast port needed by the tools used for managing the shared virtual IP between active and standby Manager in an active/standby configuration. With no argument, display the current value of the failover multicast port. If an argument is provided, set the port number to the specified value. If the argument is - (dash), clear (unset) the failover multicast port.

There is no standard multicast port number. VMware NSX Network Detection and Response uses 5405 as its default.

Failover virtual IP address

failover_virtual_ip [= address | -]

Display or set the virtual IP address shared between active and standby Manager in an active/standby configuration. With no argument, display the current value of the virtual IP address. If an argument is provided, set the virtual IP address to the specified value. If the argument is - (dash), clear (unset) the virtual IP address.

Fully qualified domain name

fqdn

Display the fully qualified domain name of the appliance.

Active manager priority

ha_active_priority [= priority | -]

Display or set the priority of the active Manager for the purposes of determining ownership of the shared virtual IP address in an active/standby configuration. Select a value higher than the highest priority recently used for this virtual IP address.

With no argument, display the current value of the active manager priority. If an argument is provided, set the priority to the specified value. If the argument is - (dash), clear (unset) the active manager priority.

Active manager password

ha_password [= password | -]

Display or set the password for managing the virtual IP address shared between active and standby Manager in an active/standby configuration. With no argument, display the current active/standby password (displayed as ***). If an argument is provided, set the password to the specified value. If the argument is - (dash), clear the active/standby password (set to empty value).

HTTPS proxy

https_proxy [= proxy_address:port | -]

Display or set the HTTPS proxy. With no argument, display the current proxy. If an argument is provided, set the proxy to the specified value. The HTTPS proxy must be in the format proxy_address:port (for example, proxy.example.com:8080 or 192.168.0.1:443). If the argument is - (dash), clear (unset) the proxy.

Replace branding images

image_brand_replacement [= on | off]

This feature is provided for partners who wish to replace the VMware logo and other assets with their own.

Display or set the status of brand images replacement policy. With no argument, display the current status. If an argument is provided, set the policy to the specified value. Possible values are on or off. When enabled, the Manager will display the replacement visual assets in its hosted User Portal. These files must be located in the /home/lastline/brand_replacement_files/ directory.

Inject interface

inject_interface [= interface | -]

Display or set the interface used for injecting blocking packets according to the configured modes, for example, TCP RST packet, DNS NXDOMAIN response, HTTP 302 redirect, etc. With no argument, display the current interface name. If an argument is provided, set the interface name to the specified value. You can specify any valid interface name, for example eth1. If the argument is - (dash), clear the interface name (set to an empty value).

Inline interfaces

inline_interfaces [= interface-interface, interface-interface, ... | -]

Display or set the list of interface pairs used for inline mode. With no argument, display the current interface pairs. If an argument is provided, set the interfaces to the specified value. Specify a comma-separated list of interface pairs, for example eth1-eth2, eth3-eth4. If the argument is - (dash), clear the interface pairs (set to an empty value).

License API token

license_api_token

Display the On-Premises license API token.

License key

license_key

Display the On-Premises license key.

Update server override

llama_images_server_override [= IPaddr | hostname | -]

Display or set the host name or IP address for the server from which to download LLAMA images. With no argument, display the current host. If an argument is provided, set the server to the specified value. If the argument is - (dash), clear (unset) the server.

This option is provided for installations that must substitute another server for the default update.lastline.com.

Manager domain name

manager [= domain name | -]

Display or set the domain name of the Manager. With no argument, display the current value for manager. If an argument is provided, set manager to the specified value. If the argument is - (dash), clear (unset) the server.

In most instances, you should leave this field to its default value of lastline.com or for an On-Premises installation, the fqdn of the local Manager. If you must change this entry, enter the domain name of the Manager you want to connect to. If you use lastline.example.com, for example, update.lastline.example.com and log.lastline.example.com should be additional aliases for the same IP address in your default DNS server.

Monitoring user

monitoring_user_password [= password | -]

Enable or disable the monitoring user. With no argument, display the current state. If an argument is provided, set the monitoring user password to the specified value. If the argument is - (dash), disable password-based authentication.

Network parameters

network [= variable value]

Display or set the network parameters of the appliance. There are two network methods: DHCP or static. With no argument, display the current network settings. For example:

DHCP settings

network interface = eth0
network method = dhcp

Static settings

network dns_nameservers = 8.8.8.8 8.8.4.4
network gateway = 10.0.2.2
network netmask = 255.255.255.0
network address = 10.0.2.15
network interface = eth0
network method = static

The network option has a number of variables:

network interface — Set the interface used for network access.
```
network interface interface
```
network method — Set the network method. For dhcp, the appliance gets its address and other network information from a DHCP server. For static, you define all the network parameters.
```
network method dhcp | static
```
network address — For a static configuration, set the IPv4 address of the interface.
```
network address IPaddr
```
network netmask — For a static configuration, set the dotted-quad netmask of the interface.
```
network netmask netmask
```
network gateway — For a static configuration, set the IP address of the default gateway for network access. If the argument is - (dash), set the gateway address to None.
```
network gateway [IPaddr | -
```
network dns_nameservers — For a static configuration, enter a list of space separated IP addresses for the DNS servers. If the argument is - (dash), set the DNS servers to None.
```
network dns_nameservers [IPaddr IPaddr ... | -
```

Monitoring user

new_monitoring_user_password [= password | -]

Enable or disable access to the appliance for the monitoring user. With no argument, display the current monitoring user password (displayed as ***). If an argument is provided, set the monitoring user password to the specified value. If the argument is - (dash), clear the monitoring user password (set to empty value).

NTP servers

ntp_servers [= IPaddr,IPaddr,... | -

Display or set the NTP servers list. With no argument, display the current value for the NTP servers list. If an argument is provided, set the NTP servers list to the specified value. The NTP server addresses must be comma separated. If the argument is - (dash), clear (unset) the NTP servers list.

Offline mode

offline_mode

Display offline mode. This allows the appliance to work without an Internet connection.

Save

save [skip_apply] [skip_network_restart]

Save your changes, apply the new configuration, and exit.

If skip-restart-network is specified, the network will not be restarted and therefore any changed network settings will be saved but not applied.

If skip_apply is specified, the new configuration will be saved but not applied. You can later run the lastline_apply_config command to make the new configuration effective.

Sensor subkey

sensor_subkey

Display the Sensor subkey. To change this value, the Sensor must be deregistered, and then re-registered using the lastline_register command.

Show configuration

show

Display the current configuration. For example, the configuration of a Sensor:

-> show
anonymization_password = ***
appliance_state = active
appliance_uuid = 046cf54cb3d46eab0c3263724cd56b6a
disable_support_channel =
https_proxy =
inject_interface = eth2
inline_interfaces =
license_key = 0Z6LLNOU4ZP12BWBTOJ0
manager = manager.lastline.example.com
monitoring_user_password: enabled
network interface = eth0
network method = dhcp
new_monitoring_user_password = ***
ntp_server = update.lastline.com
ntp_servers = update.lastline.com
sensor_subkey = sensor01
sniffing_interfaces = eth2

Sniffing interface

sniffing_interface [= interface, interface, ... | -]

Display or set the list of interfaces the Sensor should monitor. With no argument, display the current interfaces. If an argument is provided, set the interfaces to the specified value. Specify a comma-separated list of interface names, for example eth1, eth2. If the argument is - (dash), clear the sniffing interfaces (set to an empty value).

Replace branding images

text_brand_replacement [= JSON]

This feature is provided for partners who wish to replace the VMware logo and other assets with their own.

Display or set the brand text replacement using JSON. With no argument, display the current JSON. If an argument is provided, set the brand text to the specified value.

Your JSON content should technically be a single line. For example:

text_brand_replacement = {"company_short_name_ascii":"llPartner","company_short_name_utf8":"エロパタナ"}

Exit options

To quit from the lastline_setup command without saving your changes, type exit.

If you made changes that you want applied, you must use the save option to update the appliance database and configuration. It then quits the lastline_setup command.

VMware NSX Network Detection and Response
Home
Legal
Support

VMware, Inc.

3401 Hillview Ave.

Palo Alto, CA 94304