Sensor Installation and Administration

This document describes the installation and administration of the Sensor in a Hosted or an On-Premises environment.

About the Sensor

The Sensor examines your network traffic in order to identify a variety of network events that can be of interest to the VMware NSX Network Detection and Response. This ranges from file transfers (for example, executables, documents, or email messages) to suspicious network interactions, to metadata on network activities observed in the environment (for example, netflow, pdns, or webrequests). All this information is extracted by the Sensor and streamed to the VMware backend that processes and presents the data to the user.

The Sensor is available as a software ISO that you install on your own hardware or in a VMware ESXi VM, as an Amazon Machine Image (AMI), or as an Azure VM.

Supported Hardware

Refer to Hardware Specifications for details about the hardware certified for use with VMware NSX Network Detection and Response appliances.

Network Connectivity

The installation and update services need to connect to external servers for downloading software and data bundles (such as sandbox images). All hosts that are contacted for such downloads are listed in this section.

To increase the availability and reduce download times, the system can be configured to download large files from content distribution network (CDN) servers. As such hosts are geographically distributed, the contacted hosts may vary from system to system, and hosts outside the documented list may be contacted for downloads.

The use of CDNs is enabled by default. You can also explicitly enable or disable this feature with the lastline_register command (see Register the Sensor, 11).

If you explicitly enable the use of CDNs or choose to accept the default, ensure that you adjust your firewall rules to allow access to the CDN servers.

Domain Names

For a hosted installation using the NSX Cloud, the server hosting the Sensor needs to be able to connect to:

You can add FQDNs such as the CDN domain for Google. For further details and information about VMware NSX Network Detection and Response CDN operation, see VMware Knowledge Base article NSX Lastline CDN Usage (900006).

For an On-Premises installation, and assuming that lastline.example.com is the FQDN for your local Manager, the server hosting the Sensor needs to be able to connect to the Manager as well as to log.lastline.example.com, update.lastline.example.com, and user.lastline.example.com. These FQDN/hostnames should all be aliases for the Manager.

Expected IP Addresses

The domain names above may resolve to any IP addresses within the following ranges:

  • 38.95.226.0/24

  • 38.142.33.16/28

  • 199.91.71.80/28

  • 46.244.5.64/28

  • 66.170.109.0/24

Note:

All connections can be optionally routed through an HTTP/HTTPS proxy (see "Registration and Configuration", 5). Proxy authentication is not supported.

Acquire the Sensor ISO

To install the Sensor, you must download the ISO from VMware.

  1. Refer to your VMware welcome message

    Using the information in the VMware welcome email message, point your browser to the User Portal at https://user.lastline.com/ (for EMEA customers https://user.emea.lastline.com/) and then login. For your initial login, use the Forgot your password? link and follow the subsequent instructions.

    The licenses you need to run Sensor are included in the welcome message. The registration process displays these licenses. Compare the licenses it displays with the provided licenses.

  2. Download the ISO

    Click the Help button icon to access the drop-down help menu. Select Downloads from the expanded menu. On the iso-downloads page, select the correct ISO and download it to your staging server.

    Download the corresponding MD5 file for the ISO. Validate that the md5sum of the ISO matches the value in the MD5 file.

  3. Prepare the ISO for installation

    There are various ways to prepare the ISO. You can burn it to a DVD, create a bootable USB stick, or, if you are using Dell hardware and the iDRAC interface is available on your server, you can use that.

    The ISO should be placed on a file share or otherwise made available for a VMware ESXi installation.

Install Sensor

The installation process for the Sensor consists of three steps. In the first step, the base system is installed. In the second step, basic configuration information is collected and the configuration is applied to the system. In the final step, required data is retrieved from the VMware backend servers.

Base System Installation

The Sensor uses Ubuntu Server 18.04 (Bionic distribution) as its underlying operating system. Therefore, many of the steps of the installation are similar to the ones required to install Ubuntu Server. Refer to the Ubuntu guide, Installing Ubuntu 18.04.

Note:

Many of the steps involved in a standard Ubuntu installation have been automated and hidden from the Sensor Installer.

If you are running an existing installation with appliances based on an earlier Ubuntu release, you should upgrade to a version based on Bionic. To upgrade to Bionic from Xenial, you must first update the Sensor to the last version that supports Xenial (see the release notes for your specific version, and then follow the instructions on the linked support article).

  1. Boot the server from the ISO image

    Use the DVD or bootable USB stick you created (or for Dell hardware, the Dell iDRAC interface) to boot the ISO image.

    Note:

    To install the Sensor on VMware ESXi, see Install on VMware ESXi.

  2. Select the Sensor from the boot loader splash screen

    Press Enter to continue.

  3. Select keyboard options

    The installer needs to localize your keyboard layout and language settings. Select the "Country of origin for the keyboard" and press Enter. The installer then displays a listing of appropriate keyboard layouts for the selected country. Select the desired "Keyboard layout" and press Enter.

  4. Wait for the system to install and reboot

    After the base system is installed successfully, the system will automatically reboot. A login prompt is displayed at the end of the boot process.

Install on VMware ESXi

Before you install the Sensor on VMware ESXi, you must ensure the VM meets the minimum hardware specifications for the class of appliance. See Hardware Specifications for details. Ensure that the base hardware runs on an Intel CPU.

For full performance, the Sensor must have DirectPath I/O access to the capture NICs: Intel I350 for 1G networks or Intel X710-DA2 for 10G networks.

Using the VMware ESXi vSphere client, navigate to Configuration > Advanced Settings > Configure Passthrough. Select all Intel I350 or Intel X710-DA2 interfaces, and click OK. Then restart VMware ESXi.

Using the VMware ESXi vSphere client 7.0 update 3, create a new virtual machine and configure it to meet the requirements of the Sensor.

  1. Access the Sensor ISO

    Navigate to Configuration > Storage. Right-click on the relevant datastore and select Browse Datastore from the drop-down menu. Select the Sensor ISO and click the Upload icon.

  2. Create a new virtual machine

    Navigate to File > New > Virtual Machine. In the Create New Virtual Machine pop-up, perform the following:

    • Create a Custom VM and specify its Name.

    • Select the destination Storage for the VM.

    • If supported, select the correct Virtual Machine Version.

    • Set the Guest Operating System to Linux then select Ubuntu Linux (64 bit).

    • Configure the Sensor with 1 socket × 20 cores (unless required otherwise by your VMware ESXi license).

    • Set the VM Memory to 128 GB.

    • At least one Network NIC is used for the management IP address. For packet injection and packet sniffing, define multiple NICs.

    • Define the SCSI Controller.

    • Create a new disk and set its size to 1 TB. The Sensor requires a second disk of similar size.

    You can add more hardware to the VM after the initial configuration. Select the check-box for Edit the virtual machine settings before completion. Use this feature to add the DirectPath I/O enabled Intel I350 or Intel X710-DA2 interfaces and to add more storage to the VM.

    Note:

    If the host lacks the Intel I350 or Intel X710-DA2 interfaces, you can use a virtual network adapter to do sniffing. Ensure you enable promiscuous mode in the virtual switch. The sniffing performance is significantly reduced in this case and the Sensor might suffer excessive packet loss.

    Set the New CD/DVD to point at the Sensor ISO (see step 1). Ensure it is set to Connect at power on.

  3. Expose CPU virtualization to the guest operating system

    Right-click on the virtual machine and select Edit Settings. Expand the CPU category and select Expose hardware assisted virtualization to the guest OS. Click OK.

  4. Start the VM

    VMware ESXi boots the ISO image.

    The boot process then proceeds as in Base System Installation, 2 through 4.

Registration and Configuration

Before you can configure Sensor for an On-Premises installation, you must have previously installed and configured the Manager. The Manager must be on-line and reachable.

For a hosted installation using the NSX Cloud, the User Portal must be accessible at https://user.lastline.com/ (for EMEA customers https://user.emea.lastline.com/).

To register and apply the software configuration to the Sensor, you must login to the server console.

Register the Sensor

  1. Login to the server console

    Login to the console using the username lastline and its current password.

    Important:

    The default user is lastline and its password is lastline. For your security and protection, you should change the default password. Your password selection must meet the requirements specified on the passwd command man page.

  2. Start the configuration and registration process

    Execute the lastline_register command, which will start the guided configuration and registration process.

    lastline@lastline-sensor:~$ lastline_register

    If you are prompted for the sudo password, use the password for the default lastline user account.

    The lastline_register command first validates the server. If its hardware is not sufficient to run the Sensor, the command terminates with an error message. Should this occur, contact VMware Support for further guidance.

  3. Select the VMware backend

    The registration process prompts you to select the "Manager Backend". Your choice is "Use Lastline cloud" or "Use On-Premises Manager".

    Unless this installation is part of an On-Premises deployment, select "Use Lastline cloud". Then select <Ok> or press Enter.

  4. Select the primary network interface and network address

    The registration process prompts you to select the "Primary network interface". It presents a list of interfaces discovered during the validation process. Select the interface that is used by the server to communicate with the other hosts on the network.

    Then you are prompted to select how the server will obtain its network address. Your choice is "Obtain via DHCP" or "Enter static address".

    If you select "Enter static address", you are prompted to provide an IP address to assign to the interface, its netmask, gateway IP address, and domain name server IP address.

    To continue, select <Ok> or press Enter.

  5. Optional: Configure an HTTP proxy

    The newly installed Sensor must have access to the NSX Cloud servers or the local Manager.

    Configure an HTTP proxy if it is required to access the Internet via HTTPS. Enter the address of the proxy server. This address can be a FQDN or an IP address. Specify the port for the proxy server. Examples of valid proxy configurations:

    proxy.example.com:3128

    192.168.0.1:8080

    Otherwise if no proxy configuration is required, leave this field empty.

    To continue, select <Ok> or press Enter.

  6. Select the traffic capture interface

    The Sensor requires at least one interface on which to monitor network traffic for malicious activity. Select an interface connected to the span/mirror port of the network switch. The registration process shows a list of the available interfaces.

    Note:

    The span/mirror interface will not be assigned an IP address.

    To continue, select <Ok> or press Enter.

  7. Select the reset interface

    Select a network interface to be used for injection of network reset packets. This interface must be able to communicate with the other hosts of the monitored network.

    To continue, select <Ok> or press Enter.

    The network configuration is applied to the Sensor.

  8. Specify the hosted Manager location

    If you selected "Use Lastline cloud" when choosing the VMware backend (see step 3), then you must specify the hosted manager location. Select from "EMEA" (Eurasia) or "US" (Americas).

    If you selected "Use On-Premises Manager", then you must specify the address of the Manager. This address can be a FQDN or an IP address. For example, manager.lastline.example.com or 192.20.24.42.

    To continue, select <Ok> or press Enter.

  9. Configure an NTP server

    The Network Time Protocol (NTP) is used to set the correct time for the Sensor. Enter the address of the NTP server. This address can be a FQDN or an IP address.

    Note:

    The selected NTP server must be reachable over UDP port 123. Unless you must use a specific NTP server, use the default value, ntp.lastline.com.

    To continue, select <Ok> or press Enter.

    The network configuration is tested to check for connectivity to the VMware backend: either the NSX Cloud or, for an On-Premises installation, the Manager. This test may take a while.

  10. Provide a network for local communication

    The Sensor employs a number of Docker containers to provide its services. These containers require an internal network to use for communication. By default, this network uses 169.254.64.0/20, a portion of the IPv4 link-local address space. This network does not need to be reachable from outside services or hosts. It also must not overlap with any of your existing network address ranges.

    For most installations you should accept the default and continue. However, if you are already using the 169.254.0.0/16 address space, you must provide a valid IPv4 /20 (or larger) network that can be used for local communication. This network must be in the format A.B.C.0/X, for example, 169.254.64.0/20, 240.0.0.0/16, 10.0.0.0/12, or 192.168.0.0/16.

    To continue, select <Ok> or press Enter.

  11. Define the CDN rules

    The registration process prompts you to define the CDN rules for your installation. Select one of the following:

    • Explicitly enable the CDN servers. This is the default behavior.

    • Explicitly disable the CDN servers.

    To continue, select <Ok> or press Enter.

  12. Accept Manager SSL certificate

    The registration process attempts to verify the SSL certificate for the Manager. Because the appliances use self-signed SSL certificates, the verification check fails. The certificate is displayed and you are prompted to trust it.

    Select <Yes> to continue the registration.

  13. Enter your VMware username and password

    As the first stage to applying your license to the Sensor you are prompted for your VMware username. Enter your username and then select <Ok> or press Enter.

    Note:

    This is your User Portal username. It is not the same username used in step 1.

    For this step to succeed, you must have login access to the User Portal (see Acquire the Sensor ISO, 1).

    Enter your VMware password and then select <Ok> or press Enter.

  14. Select the correct license

    If the credentials you provided are valid, the registration process displays a list of the available license keys. Use the UP and DOWN keys to select the correct license.

    Note:

    If there are no valid licenses associated with your credentials or your list of license keys is not retrieved correctly, contact VMware Support. Provide the error message the registration process displayed in your request.

    The Sensor license consists of a Sensor key, which is a string you create, concatenated to your VMware generated customer License key (for example, ABCDEFGHIJ0123456789:sensor-1). This license structure allows the On-Premises Manager or the VMware backend to quickly and correctly identify the Sensor when it connects.

    You need a Sensor license for each Sensor you deploy. The usual process to create another license is to use the User Portal (navigate to the Admin Licensing page and select the Sensors tab).

    Another option is to create a new Sensor license immediately at this step. Select Create a new sensor key:

    1. Select customer license key

      If you have more than one License key, you are prompted to select the License key under which you want to create the Sensor license. Use the UP and DOWN keys to make your selection.

      To continue, select <Ok> or press Enter.

      Otherwise your customer License key is displayed and the registration process asks if you want to use it. Select <Yes> to use that license and continue.

      If you select <No>, you will have to provide another username.

    2. Create a sensor key

      Enter a Sensor key. The sensor key is restricted to alpha-numeric characters, dot (.), and dash (-).

      To continue, select <Ok> or press Enter.

    3. Optional: Provide a sensor name

      Enter a Sensor name. This user-friendly name is displayed on some of the screens of the User Portal.

      The name is restricted to alpha-numeric characters and the following special characters: (, ), [, ], -, :, ., ,, ;, _, @, ~, /, #, %, !, |, $, and ^. The name must be between 1 and 64 characters in length.

      To continue, select <Ok> or press Enter.

    The registration process displays a prompt: "Registration completed successfully".

    To continue, select <Ok> or press Enter.

The registration process runs some tests to check hardware compatibility. The configuration is then applied to the machine. This process may take a while (20-40 minutes) depending on your network connectivity and system characteristics.

After the completed prompt is displayed, select <Ok> or press Enter to exit from the registration process.
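As an added example (not part of this document or the product), a Python check of a candidate local-communication network against the rules of step 10: a well-formed IPv4 network of /20 or larger, written as a network address, that does not overlap any range already in use. The list of existing ranges is a constructed input.

```python
import ipaddress

# Default internal container network stated in step 10 of the registration.
DEFAULT_LOCAL_NETWORK = "169.254.64.0/20"
# Alternatives listed in step 10 for sites that already use 169.254.0.0/16.
FALLBACK_NETWORKS = ["240.0.0.0/16", "10.0.0.0/12", "192.168.0.0/16"]


def validate_local_network(candidate, existing_ranges):
    """Check a candidate network for the Sensor's Docker containers.

    Returns (ok, reason). The rules follow step 10: the value must be an
    IPv4 network written as A.B.C.0/X (a network address, not a host
    address), the block must be /20 or larger, and it must not overlap
    any range already used elsewhere in the environment.
    """
    try:
        # strict=True rejects values with host bits set, e.g. 10.0.0.1/12
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return False, "not a valid network: %s" % exc
    if net.version != 4:
        return False, "only IPv4 networks are accepted"
    if net.prefixlen > 20:
        return False, "/%d is smaller than the required /20" % net.prefixlen
    for used in existing_ranges:
        # strict=False lets callers pass host-style entries such as 10.1.2.3/24
        used_net = ipaddress.ip_network(used, strict=False)
        if used_net.version == 4 and net.overlaps(used_net):
            return False, "overlaps existing range %s" % used_net
    return True, "ok"


def choose_local_network(existing_ranges):
    """Return the first acceptable network, preferring the documented default.

    Mirrors the guidance in step 10: keep the default unless it collides with
    an address range you already use, in which case pick another /20 or larger.
    """
    for cand in [DEFAULT_LOCAL_NETWORK] + FALLBACK_NETWORKS:
        ok, _ = validate_local_network(cand, existing_ranges)
        if ok:
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: a site that already uses the whole link-local block.
    in_use = ["10.0.0.0/8", "169.254.0.0/16"]
    print(validate_local_network(DEFAULT_LOCAL_NETWORK, in_use))
    print(choose_local_network(in_use))
```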
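Added example, not the product's code: Python validation of the Sensor key and Sensor name restrictions from step 14, plus assembly and parsing of the CUSTOMERKEY:sensor-key license string. The assumption that a customer License key is non-empty and contains no colon is made here; the page does not state its format.

```python
import re

# Character rules from step 14 of the registration procedure.
SENSOR_KEY_RE = re.compile(r"[A-Za-z0-9.-]+")
NAME_SPECIALS = "()[]-:.,;_@~/#%!|$^"
SENSOR_NAME_RE = re.compile(
    r"[A-Za-z0-9" + re.escape(NAME_SPECIALS) + r"]{1,64}")


def is_valid_sensor_key(key):
    """Sensor key: alphanumerics, dot and dash only, never empty."""
    return SENSOR_KEY_RE.fullmatch(key) is not None


def is_valid_sensor_name(name):
    """Sensor name: 1-64 chars drawn from alphanumerics plus the listed specials.

    A space is not in the list, so 'Branch office (NYC)' is rejected.
    """
    return SENSOR_NAME_RE.fullmatch(name) is not None


def build_sensor_license(customer_key, sensor_key):
    """Assemble the license string as CUSTOMERKEY:sensor-key.

    The page gives ABCDEFGHIJ0123456789:sensor-1 as the example. Requiring the
    customer key to be non-empty and colon-free is an assumption made here so
    that the string can be split again unambiguously.
    """
    if not customer_key or ":" in customer_key:
        raise ValueError("customer license key must be non-empty and contain no ':'")
    if not is_valid_sensor_key(sensor_key):
        raise ValueError("sensor key may only contain letters, digits, '.' and '-'")
    return "%s:%s" % (customer_key, sensor_key)


def split_sensor_license(license_str):
    """Inverse of build_sensor_license; returns (customer_key, sensor_key)."""
    customer_key, sep, sensor_key = license_str.partition(":")
    if not sep or not customer_key or not is_valid_sensor_key(sensor_key):
        raise ValueError("malformed sensor license: %r" % license_str)
    return customer_key, sensor_key


if __name__ == "__main__":
    # Constructed sample values, matching the shape of the page's example.
    lic = build_sensor_license("ABCDEFGHIJ0123456789", "sensor-1")
    print(lic, split_sensor_license(lic))
    print(is_valid_sensor_name("Branch-office(NYC)#1"),
          is_valid_sensor_name("Branch office (NYC)"))
```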

Re-registration

If the Sensor needs to be replaced or reinstalled, the existing appliance needs to be deregistered first before your new registration will succeed.

  1. Login to the Web UI

    Using your Web browser, login to the User Portal at https://user.lastline.com/ (for EMEA customers https://user.emea.lastline.com/) for a hosted deployment or the Manager Web UI for an On-Premises installation.

  2. Access the Appliances page

    From the Main navigation menu, click Admin. On the Admin page, select Admin from the left sidebar menu. For most users, the Appliances page is displayed by default.

  3. View the appliance status

    On the Appliances page, click the Status tab.

  4. Optional: Select an appliance

    If no appliance is currently selected, click the Appliance: None Selected link. From the Select Appliance pop-up tick the box for the appliance you want to use, then click Select Appliance.

  5. Deregister the existing Sensor

    To deregister a Sensor, click the cogs (multiple actions) button and select Deregister from the drop-down menu.

  6. Register the reinstalled Sensor

    To replace or reinstall a Sensor, you must run the lastline_register command again from the server console (see Register the Sensor).

Delete the Sensor

Before you can successfully delete the Sensor from the User Portal it must be offline. The easiest way to do this is to login to the appliance and shut it down.

To delete the Sensor, it needs to be offline and deregistered.

  1. Shutdown the appliance

    Login to the server console of the Sensor and shut down the operating system.

    lastline@lastline-sensor:~$ shutdown now

  2. Login to the Web UI

    Using your Web browser, login to the User Portal at https://user.lastline.com/ (for EMEA customers https://user.emea.lastline.com/) for a hosted deployment or the Manager Web UI for an On-Premises installation.

  3. Access the Appliances page

    From the Main navigation menu, click Admin. On the Admin page, select Admin from the left sidebar menu. For most users, the Appliances page is displayed by default.

  4. View the appliance status

    On the Appliances page, click the Status tab.

  5. Deregister the Sensor

    Click the cogs (multiple actions) button and select Deregister from the drop-down menu.

  6. Delete the appliance

    Click the Overview tab to return to the initial view. In the appliances listing, the Status of the Sensor must be Deregistered.

    In the Actions column, click the Quick links icon and select Delete. A confirmation pop-up is displayed. Click Delete appliance to dismiss the pop-up. The Sensor is permanently deleted.

Administer the Sensor

The Sensor was developed to require as little maintenance and administration as possible.

The following topics describe how to customize and configure some of the advanced features of the Sensor.

Configuration Tool

Use the VMware NSX Network Detection and Response configuration tool, lastline_setup, to administer and manage the Sensor.

  1. Start the configuration tool

    Execute the lastline_setup command.

    lastline@lastline-sensor:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Run the help option

    To view all the supported options, type help.

    -> help
    Documented commands (type help <topic>):
    ========================================
    EOF                      https_proxy                   ntp_server
    anonymization_password   inject_interface              ntp_servers
    appliance_state          inline_interfaces             save
    appliance_uuid           license_key                   sensor_subkey
    disable_support_channel  manager                       sentinel_subkey
    edit                     monitoring_user_password      show
    exit                     network                       sniffing_interfaces
    help                     new_monitoring_user_password

    Tip:

    For any option, type the first few unique characters of its name then type Tab. The lastline_setup command will auto-complete the name for you.

  3. View help details

    To view a detailed description of individual options, type help topic, where topic is the name of a specific option.

    -> help network
     network <variable> [<new-value>]
            Get/set network settings.
                network interface <iface>: interface used for network access
                network method dhcp|static: use DHCP or static IP address
                    configuration for network access
            When static configuration is used, these values must also be set:
                network address <address>: IPv4 address of the interface
                network netmask <netmask>: dotted-quad netmask for the address
                network gateway <gateway>: default gateway for network access; if
                    specified value is -, set gateway to None
                network dns_nameservers <nameserver> ...: space-separated list of
                    DNS nameservers, if specified value is -, set dns_nameservers to
                    None

  4. Exit the configuration tool

    To quit from the configuration tool without saving your changes, type exit.

    -> exit
    lastline@lastline-sensor:~$

Important:

If you encounter an error running any of the lastline_setup command options, make a note of the error message returned and contact VMware Support.

Network Configuration

You can easily change the network configuration of the Sensor. This may be needed if its assigned IP address changes (for example, upon a reconfiguration of the network).

Reconfigure for DHCP

To enable a network configuration using DHCP, use the network option of the lastline_setup command.

  1. Start the configuration tool

    Execute the lastline_setup command.

    lastline@lastline-sensor:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Check the network settings

    To check the current network settings, type network.

    -> network
    network dns_nameservers = 8.8.8.8 8.8.4.4
    network gateway = 10.0.2.2
    network netmask = 255.255.255.0
    network address = 10.0.2.15
    network interface = eth0
    network method = static

  3. Enable DHCP configuration for network access

    To enable DHCP addressing, type network method dhcp.

    -> network method dhcp
    network method = dhcp  # changed; original value: static

  4. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

Reconfigure for Static Addressing

To enable a network configuration using a static IP, you must provide values for the address, netmask, gateway, and dns_nameservers parameters. Use the network options of the lastline_setup command to make these changes.

  1. Start the configuration tool

    Execute the lastline_setup command.

    lastline@lastline-sensor:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Check the network settings

    To check the current network settings, type network.

    -> network
    network interface = eth0
    network method = dhcp

  3. Enable static configuration for network access

    To enable a static IP address, type network method static.

    -> network method static
    network method = static  # changed; original value: dhcp

  4. Set the network address

    To set the IP address, type network address ip_address. Use an IPv4 address of four octets.

    -> network address 10.0.2.15
    network address = 10.0.2.15  # changed; original value:

  5. Set the netmask

    To set the netmask, type network netmask netmask. Use an IPv4 netmask of four octets.

    -> network netmask 255.255.255.0
    network netmask = 255.255.255.0  # changed; original value:

  6. Set the gateway address

    To set the gateway IP address, type network gateway ip_address. Use an IPv4 address of four octets.

    -> network gateway 10.0.2.2
    network gateway = 10.0.2.2  # changed; original value:

  7. Set the DNS server address(es)

    To set the DNS server IP address, type network dns_nameservers ip_address [ip_address]. Use an IPv4 address of four octets for each address.

    -> network dns_nameservers 10.2.1.1 10.2.2.1
    network dns_nameservers = 10.2.1.1 10.2.2.1  # changed; original value:

  8. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

Passive sniffing deployment

By default during registration, the Sensor is configured for passive sniffing by defining a sniffing interface (Register the Sensor, 6) as well as an injection interface (7). This makes it possible for the Sensor to examine traffic and then enforce blocking by injecting packets into the wire.

To update the sniffing interface, use the sniffing_interfaces option of the lastline_setup command.

To update the injection interface, use the inject_interface option. This interface must be able to communicate with the other hosts of the monitored network. It blocks traffic by injecting packets according to the configured modes, for example, TCP RST packet, DNS NXDOMAIN response, HTTP 302 redirect, etc.

  1. Start the configuration tool

    Execute the lastline_setup command.

    lastline@lastline-sensor:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. View the sniffing interfaces

    To view the current sniffing interfaces, type sniffing_interfaces.

    -> sniffing_interfaces
    sniffing_interfaces = eth2

  3. Update the sniffing interfaces

    To update the sniffing interfaces (you can define more than one), type sniffing_interfaces interface, interface. Set the interfaces by specifying a comma-separated list of interface names.

    -> sniffing_interfaces p1p1
    sniffing_interfaces = p1p1  # changed; original value: eth2

  4. Update the injection interface

    To update the injection interface, type inject_interface interface.

    -> inject_interface p1p2
    inject_interface = p1p2  # changed; original value: eth2

  5. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

Inline sniffing deployment

Configure the Sensor to run in inline mode. In this mode, the Sensor acts as a bridge for the traffic on its network segment. All packets flow through the Sensor to be examined and potentially blocked.

To configure the sniffing interfaces for inline mode by connecting at least two sniffing interfaces together, use the sniffing_interfaces and inline_interfaces options of the lastline_setup command.

  1. Start the configuration tool

    Execute the lastline_setup command.

    lastline@lastline-sensor:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Define the sniffing interfaces

    To define multiple sniffing interfaces, type sniffing_interfaces interface, interface. Set the interfaces by specifying a comma-separated list of interface names, for example p1p1, p1p2.

    -> sniffing_interfaces p1p1, p1p2
    sniffing_interfaces = p1p1, p1p2  # changed; original value: eth2

  3. Connect the interfaces

    To connect pairs of sniffing interfaces, type inline_interfaces interface, interface. Select the interfaces by specifying a dash-separated combination of interface names, for example p1p3-p1p4.

    -> inline_interfaces p1p3-p1p4
    inline_interfaces = p1p3-p1p4  # changed; original value:

  4. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save
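Added example, not part of this document or the lastline_setup tool: a Python parser for the sniffing_interfaces value (comma-separated names) and the inline_interfaces value (dash-joined pairs) used in the passive and inline procedures above, with a consistency check over both. It assumes interface names contain no dash, and it applies the rule stated in the inline section that inline mode bridges sniffing interfaces, so every bridged name must also appear in sniffing_interfaces.

```python
def parse_sniffing_interfaces(spec):
    """Parse a 'sniffing_interfaces' value such as 'p1p1, p1p2'.

    Names are comma-separated; surrounding whitespace is ignored. Empty or
    duplicate names are rejected so a typo like 'p1p1,,p1p2' is caught.
    """
    names = [n.strip() for n in spec.split(",")]
    if any(not n for n in names):
        raise ValueError("empty interface name in %r" % spec)
    if len(set(names)) != len(names):
        raise ValueError("duplicate interface name in %r" % spec)
    return names


def parse_inline_interfaces(spec):
    """Parse an 'inline_interfaces' value such as 'p1p3-p1p4'.

    Each bridge pair is two names joined by a dash; several pairs may be
    given comma-separated. Assumes interface names themselves contain no dash.
    """
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split("-")
        if len(parts) != 2 or not all(parts):
            raise ValueError("bad inline pair %r; expected iface-iface" % item)
        pairs.append((parts[0], parts[1]))
    return pairs


def check_inline_config(sniffing_spec, inline_spec):
    """Return a list of problems; an empty list means the values are consistent.

    Rules checked: a pair must join two different interfaces, an interface
    may sit in only one pair, and (following the description of inline mode
    above) every bridged interface must be one of the sniffing interfaces.
    """
    problems = []
    sniffing = set(parse_sniffing_interfaces(sniffing_spec))
    seen = set()
    for left, right in parse_inline_interfaces(inline_spec):
        if left == right:
            problems.append("pair %s-%s joins an interface to itself" % (left, right))
        for iface in (left, right):
            if iface not in sniffing:
                problems.append("%s is bridged but not in sniffing_interfaces" % iface)
            if iface in seen:
                problems.append("%s appears in more than one inline pair" % iface)
            seen.add(iface)
    return problems


if __name__ == "__main__":
    # Constructed sample values in the syntax shown by the procedures above.
    print(check_inline_config("p1p3, p1p4", "p1p3-p1p4"))
    print(check_inline_config("p1p1, p1p2", "p1p3-p1p4"))
```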

Update Fully Qualified Domain Name

You can update the FQDN of the Sensor.

  1. Login to the console

    Login to the console using the username lastline and its current password.

  2. Run the registration process with the change FQDN option

    Execute the lastline_register command, providing the new local FQDN for the Sensor in its arguments.

    lastline@lastline-sensor:~$ lastline_register --change-local-fqdn new_sensor.lastline.example.com

    Note:

    If you are prompted for the sudo password, use the password for the default lastline user account.

Update On-Premises Manager FQDN

If you had selected "Use On-Premises Manager" during the registration and configuration of the Sensor and the FQDN of the Manager changes, you must update the FQDN information to ensure your appliances can continue to successfully communicate.

Important:

This process does not allow you to move appliances from one Manager to another.

If the Manager is deployed in an active-standby configuration, you must use the configured virtual IP address, either taken from DNS or using the address directly.

  1. Login to the console

    Login to the console using the username lastline and its current password.

  2. Run the registration process

    Execute the lastline_register command with the change-active-manager-fqdn option, providing the new FQDN for the Manager as its argument.

    lastline@lastline-sensor:~$ lastline_register --change-active-manager-fqdn \
    new_manager.lastline.example.com

    Note:

    If you are prompted for the sudo password, use the password for the default lastline user account.

    If the Manager is using a self-signed SSL certificate, the appliance needs to be configured to trust the new SSL certificate to ensure all communication succeeds. Use the following commands instead:

    lastline@lastline-sensor:~$ lastline_register -C --change-active-manager-fqdn \
    new_manager.lastline.example.com
    lastline@lastline-sensor:~$ lastline_test_appliance --auto-fix network:master_api_query
    lastline@lastline-sensor:~$ lastline_apply_config -f

    If the Active Manager IP address is assigned statically, the following command can be used to update /etc/hosts to point to its new address:

    lastline@lastline-sensor:~$ lastline_register --change-active-manager-ip 192.20.24.42

    You can combine both options into a single command:

    lastline@lastline-sensor:~$ lastline_register --change-active-manager-fqdn \
    new_manager.lastline.example.com --change-active-manager-ip 192.20.24.42
    lastline@lastline-sensor:~$ lastline_test_appliance --auto-fix network:master_api_query
    lastline@lastline-sensor:~$ lastline_apply_config -f

Enable the monitoring user

The Sensor provides a monitoring user account that can access the system from the console or over SSH (password authentication only; SSH keys are not used). To enable the monitoring user, use the monitoring_user_password option of the lastline_setup command.

  1. Start the configuration tool

    Execute the lastline_setup command.

    lastline@lastline-sensor:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Enable the monitoring user

    To enable the monitoring user, type monitoring_user_password followed by the password for the account.

    -> monitoring_user_password s3cretP4ssw0rd

    Your password selection must meet the requirements specified on the passwd command man page.

    If you type the monitoring_user_password option without an argument, the status of the monitoring user is displayed.

    -> monitoring_user_password
    monitoring_user_password: enabled; pending password change

    To subsequently disable the monitoring user account, use the dash (-) argument:

    -> monitoring_user_password -

  3. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

Once the monitoring user is enabled, you can SSH to the Sensor using that account:

server# ssh monitoring@ip_appliance
monitoring@ip_appliance's password: 

...

monitoring@lastline-manager:~$

Enable Password-Based SSH Authentication

The Sensor supports specifying additional users who can access the system from the console or over SSH (password authentication only; SSH keys are not used). To allow existing users to authenticate over SSH with a password, use the enable_additional_password_auth_ssh_usernames option of the lastline_setup command.

  1. Start the configuration tool

    Execute the lastline_setup command.

    lastline@lastline-sensor:~$ lastline_setup

    If you are prompted for the sudo password, use the password for the default lastline user account.

  2. Enable password-based SSH authentication for one or many users

    To enable password-based SSH authentication, type enable_additional_password_auth_ssh_usernames followed by the username.

    -> enable_additional_password_auth_ssh_usernames ghopper

    Multiple users can be specified as a comma-separated list, such as: enable_additional_password_auth_ssh_usernames ghopper,aturing.

    Note: The users need to exist before enabling password-based SSH authentication.

    Your password selection must meet the requirements specified on the passwd command man page.

    If you type the enable_additional_password_auth_ssh_usernames option without an argument, the list of users who can use password-based SSH authentication is displayed.

    -> enable_additional_password_auth_ssh_usernames
    enable_additional_password_auth_ssh_usernames = ghopper

    To remove all users (with the exception of the monitoring user, if enabled), use the dash (-) argument:

    -> enable_additional_password_auth_ssh_usernames -

  3. Save the configuration

    After you provide all the required parameters, save your configuration.

    -> save

Once the user has been added, you can SSH to the Sensor using that account:

server# ssh ghopper@ip_appliance
ghopper@ip_appliance's password:

...

ghopper@lastline-manager:~$
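The monitoring user and the enable_additional_password_auth_ssh_usernames list together define which accounts may log in over SSH with a password rather than a key. The following audit helper is an added example, not part of the Sensor tooling: it reads an sshd_config, lists the users that end up with PasswordAuthentication yes, and compares them against the allow-list you expect. It assumes the allow-list is realised as "Match User" blocks in /etc/ssh/sshd_config, which the page does not state; the sample file is constructed.

```shell
#!/bin/sh
# Added audit helper (not part of the Sensor tooling). Assumption, not from the
# page: password-auth users appear as "Match User ..." blocks that set
# "PasswordAuthentication yes" while the global default is "no".

# password_auth_users FILE
# Prints one user per line that is granted password authentication, sorted,
# or the word ALL if the global default already allows it for everyone.
# Match blocks without a User criterion (e.g. Match Address) are not reported.
password_auth_users() {
    awk '
        BEGIN { global = "no"; inmatch = 0; users = "" }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" {
            inmatch = 1; users = ""
            for (i = 2; i <= NF; i++)
                if (tolower($i) == "user") users = $(i + 1)
            next
        }
        tolower($1) == "passwordauthentication" {
            if (inmatch) { if (tolower($2) == "yes" && users != "") print users }
            else global = tolower($2)
        }
        END { if (global == "yes") print "ALL" }
    ' "$1" | tr ',' '\n' | sort -u
}

# check_password_auth FILE EXPECTED
# EXPECTED is a comma-separated allow-list such as "monitoring,ghopper".
# Returns 0 when every password-enabled user is in the list, 1 otherwise,
# naming each unexpected account on stdout.
check_password_auth() {
    actual=$(password_auth_users "$1")
    rc=0
    for u in $actual; do
        case ",$2," in
            *",$u,"*) ;;
            *) echo "unexpected password-auth user: $u"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample resembling what the page's settings would produce
# (monitoring user enabled, ghopper and aturing added). Not a real Sensor file.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User monitoring
    PasswordAuthentication yes
Match User ghopper,aturing
    PasswordAuthentication yes
EOF

password_auth_users "$SAMPLE_CONF"
# aturing was added but is not on the allow-list below, so this reports it.
check_password_auth "$SAMPLE_CONF" "monitoring,ghopper" || echo "allow-list mismatch"
```

Run it against /etc/ssh/sshd_config on the appliance with the allow-list you configured; any account it reports is one you did not intend to permit password logins.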

Test the Sensor

Check the state of the Sensor with the lastline_test_appliance command.

  1. Start the test appliance tool

    Execute the lastline_test_appliance command.

    lastline@lastline-sensor:~$ lastline_test_appliance
    [sudo] password for lastline: 
    > Lastline appliance check and fix utility.
    > 
    > Version 2.0
    > 
    > :Copyright:
    >     Copyright 2014 Lastline, Inc.  All Rights Reserved.
    ...

    The lastline_test_appliance command takes a few minutes to analyze the Sensor. When it is done, it provides a summary of any conditions it uncovered.

  2. Optional: Fix any reported configuration errors

    The test appliance tool checks for signs of common configuration errors and can help you with fixing them.

    Note:

    Contact VMware Support if the test appliance tool displays an error that you cannot fix. Provide the error message that was displayed.

Disable Automatic Updates

VMware periodically releases appliance updates or hotfixes. By default, automatic updates are enabled on newly installed appliances. As long as the appliance has automatic updates enabled, these updates and fixes will transparently be applied to the system.

If you prefer to manually update the Sensor, follow these steps to disable automatic updates.

  1. Login to the Web UI

    Using your Web browser, login to the User Portal at https://user.lastline.com/ (for EMEA customers https://user.emea.lastline.com/) for a hosted deployment or the Manager Web UI for an On-Premises installation.

  2. Access the Appliances page

    From the main navigation menu, click Admin. On the Admin page, select Admin from the left sidebar menu. For most users, the Appliances page is displayed by default.

  3. View the appliance configuration

    On the Appliances page, click the Configuration tab.

  4. Optional: Select an appliance

    If no appliance is currently selected, click the Appliance: None Selected link. From the Select Appliance pop-up, tick the box for the appliance you want to use, then click Select Appliance.

  5. Access the System tab

    Click the System tab.

  6. Disable automatic updates

    Toggle the Auto Update button to Disabled.

    The appliance will no longer automatically apply updates and hotfixes when released by VMware. You must apply those manually.

Manual Updates

If you have disabled automatic updates for your appliances, you must apply updates and hotfixes manually.

Follow these steps to manually update an appliance.

  1. Login to the Web UI

    Using your Web browser, login to the User Portal at https://user.lastline.com/ (for EMEA customers https://user.emea.lastline.com/) for a hosted deployment or the Manager Web UI for an On-Premises installation.

  2. Access the Appliances page

    From the main navigation menu, click Admin. On the Admin page, select Admin from the left sidebar menu. For most users, the Appliances page is displayed by default.

  3. View the appliance status

    On the Appliances page, click the Status tab.

  4. Optional: Select an appliance

    If no appliance is currently selected, click the Appliance: None Selected link. From the Select Appliance pop-up, tick the box for the appliance you want to use, then click Select Appliance.

  5. Update the selected appliance

    To update an appliance, click the cogs (multiple actions) button and select Upgrade from the drop-down menu.

About Hardening

During the development process, steps were taken to lock down the Sensor by default to help reduce any attack surfaces. These include:

  • Default Applications: All unnecessary applications included in the base Ubuntu server build have been removed from the system. What remains are the libraries and applications necessary for the normal functioning, routine maintenance, and troubleshooting of the Sensor.

  • Default Firewall: The Sensor image comes with Uncomplicated Firewall (UFW) installed and configured to restrict inbound access to the system.

  • Security Patches: The system installs daily OS security updates by default. You can disable automatic updates.

  • Least Privilege: VMware has taken care to ensure a paradigm of least privilege regarding the permissions of services and file system access.

  • Secure SSH: SSH is configured to use certificate-based authentication by default.

  • TLS Encryption: Communications between the appliances are TLS encrypted.

Harden the Sensor

We recommend the following guidelines for hardening the Sensor after installation. These steps are not required, but they will allow you to further restrict access to your VMware NSX Network Detection and Response appliances.

  1. Change the default user password

    The default user is lastline. Your password selection must meet the requirements specified on the passwd command man page.

  2. Use sudo for elevated privileges

    Enabling the root user is strongly discouraged. Instead you should use the sudo command when you need elevated privileges. This ensures proper logging and auditing of activity on the appliance.

    If you wish to further refine which commands a specific user can run, refer to the following pages on ubuntu.com to learn how to configure and use the sudo command: RootSudo, Sudoers, and sudo manpage.

  3. Configure the support channel

    VMware Support leverages the support channel to ensure your systems are functioning as intended. Should you wish to disable this, we recommend you re-enable it prior to submitting a support ticket. This will allow VMware Support to investigate issues and respond with a resolution more rapidly.

    You disable/enable the support channel with the disable_support_channel option of the lastline_setup command.

  4. Configure the monitoring user

    By default, the monitoring user is disabled. You enable the monitoring user using the monitoring_user_password option of the lastline_setup command. For logging and auditing purposes, we recommend that you do not share the monitoring user with multiple users.

    Refer to Enable the monitoring user for further information about enabling the monitoring user.

  5. Use per-user key-based SSH authentication

    By default, the Sensor is configured to utilize key-based authentication. We recommend that individual user accounts are configured on the appliance for anyone needing to carry out administrative tasks. Refer to this article on SSH.com for further information about key-based authentication.

  6. Change the iDRAC password

    If you have installed the Sensor on one of the recommended Dell systems, the system includes an iDRAC interface for remote management. The iDRAC interface is configured with a default password. This password must be changed to prevent unauthorized access to the system console.

Hardware Specifications

The hardware certified for use with VMware NSX Network Detection and Response appliances is listed below:

Dell Hardware

Supported Dell Hardware

Manager
  Server Model: Dell PowerEdge R450
  CPU Type:
    • Recommended: Intel® Xeon® Silver 4314
    • Minimum: Intel® Xeon® Silver/Gold/Platinum 2.0 GHz, 16 cores
    • SSSE3 must be supported and enabled
  CPU Quantity: 1 CPU
  Minimum RAM: 96 GB
  RAID Controller: Dell EMC PowerEdge RAID Controller (PERC) H745/H755 (with flash-backed cache)
  RAID Configuration: RAID 10
    Note: If the Dell website does not allow RAID 10 configuration from factory, purchase the server with RAID unconfigured and then manually create a RAID 10 virtual volume before software installation.
  Persistent Storage: Recommended: 4 × 4 TB HDDs
  Additional Network Card: None
  Redundant Power Supply: Recommended for reliability
  iDRAC9 Enterprise: Recommended for remote management and installation

Data Node
  Server Model: Dell PowerEdge R450
  CPU Type:
    • Recommended: Intel® Xeon® Silver 4314
    • Minimum: Intel® Xeon® Silver/Gold/Platinum 2.0 GHz, 16 cores
  CPU Quantity: 1 CPU
  Minimum RAM: 96 GB
  RAID Controller: Dell EMC PowerEdge RAID Controller (PERC) H745/H755 (with flash-backed cache)
  RAID Configuration: RAID 10
    Note: If the Dell website does not allow RAID 10 configuration from factory, purchase the server with RAID unconfigured and then manually create a RAID 10 virtual volume before software installation.
  Persistent Storage: Recommended: 4 × 2 TB 10k RPM HDDs
  Additional Network Card: None
  Redundant Power Supply: Recommended for reliability
  iDRAC9 Enterprise: Recommended for remote management and installation

Engine
  Server Model: Dell PowerEdge R450
  CPU Type:
    • Recommended: Intel® Xeon® Silver 4314
    • Minimum: Intel® Xeon® Silver/Gold/Platinum 2.0 GHz, 16 cores, with Intel Virtualization Technology (VT-x) and Intel VT-x with Extended Page Tables (EPT)
  CPU Quantity: 1 CPU
  Minimum RAM: 128 GB (recommended: 4 GB per CPU virtual core)
  RAID Controller: Dell EMC PowerEdge RAID Controller (PERC) H745/H755 (with flash-backed cache)
  RAID Configuration: RAID 1
  Persistent Storage: Minimum: 2 × 1 TB HDDs
  Additional Network Card: None
  Redundant Power Supply: Recommended for reliability
  iDRAC9 Enterprise: Recommended for remote management and installation

Sensor 1G Networks
  Server Model: Dell PowerEdge R450
  CPU Type:
    • Recommended: Intel® Xeon® Silver 4314
    • Minimum: Intel® Xeon® Silver/Gold/Platinum 2.0 GHz, 16 cores
    • SSSE3 must be supported and enabled
    • To achieve best performance from the appliance, IOMMU support must be enabled
  CPU Quantity: 1 CPU
  Minimum RAM: 64 GB
  RAID Controller: Dell EMC PowerEdge RAID Controller (PERC) H745/H755 (with flash-backed cache)
  RAID Configuration: RAID 1
  Persistent Storage: Minimum: 2 × 1 TB HDDs
  Additional Network Card: Intel i350 Quad Port 1GbE
  Redundant Power Supply: Recommended for reliability
  iDRAC9 Enterprise: Recommended for remote management and installation

Sensor 10G Networks
  Server Model: Dell PowerEdge R450
  CPU Type:
    • Recommended: Intel® Xeon® Silver 4314
    • Minimum: Intel® Xeon® Silver/Gold/Platinum 2.0 GHz, 16 cores
    • SSSE3 must be supported and enabled
    • To achieve best performance from the appliance, IOMMU support must be enabled
  CPU Quantity: 2 CPUs
  Minimum RAM: 128 GB
  RAID Controller: Dell EMC PowerEdge RAID Controller (PERC) H745/H755 (with flash-backed cache)
  RAID Configuration: RAID 1
  Persistent Storage: Minimum: 2 × 1 TB HDDs
  Additional Network Card: Intel X710 Dual Port 10GbE
  Redundant Power Supply: Recommended for reliability
  iDRAC9 Enterprise: Recommended for remote management and installation

Previously Supported Dell Hardware

The following Dell hardware is no longer supported.

Manager
  Server Model: Dell PowerEdge R440
  Chassis Type: Chassis with Hot-plug Hard Drives
  CPU Type: Intel® Xeon® Silver 4114 or better (minimum 12 threads/cores)
  CPU Quantity: 1 CPU
  Minimum RAM: 64 GB ECC RAM
  RAID Controller: HW RAID10
  RAID Configuration:
    • PERC H730P+ RAID Controller
    • PERC H740P RAID Controller
    • PERC H750 RAID Controller
  Minimum Persistent Storage: 4 × 2 TB 7.2K RPM SATA 6Gbps 3.5in
  Power Supply: Dual Hot-plug Power Optional
  iDRAC9 Enterprise: Optional
  ProSupport Service Plan: Optional

Data Node
  Server Model: Dell PowerEdge R440
  Chassis Type: Chassis with Hot-plug Hard Drives
  CPU Type: Intel® Xeon® Silver 4114 or better (minimum 24 threads/cores)
  CPU Quantity: 1 CPU
  Minimum RAM: 64 GB ECC RAM
  RAID Controller: HW RAID10
  RAID Configuration:
    • PERC H730P+ RAID Controller
    • PERC H740P RAID Controller
    • PERC H750 RAID Controller
  Minimum Persistent Storage: 2 × 1 TB SATA HDD
  Power Supply: Dual Hot-plug Power Optional
  iDRAC9 Enterprise: Optional
  ProSupport Service Plan: Optional

Engine
  Server Model: Dell PowerEdge R440
  Chassis Type: Chassis with Hot-plug Hard Drives
  CPU Type: Intel® Xeon® Silver 4114 or better (minimum 20 threads/cores)
  CPU Quantity: 1 CPU
  Minimum RAM: 96 GB ECC RAM
  RAID Controller: HW RAID10
  RAID Configuration:
    • PERC H730P+ RAID Controller
    • PERC H740P RAID Controller
    • PERC H750 RAID Controller
  Minimum Persistent Storage: 2 × 1 TB SATA HDD
  Power Supply: Dual Hot-plug Power Optional
  iDRAC9 Enterprise: Optional
  ProSupport Service Plan: Optional

Sensor 1G Networks
  Server Model: Dell PowerEdge R440
  Chassis Type: Chassis with Hot-plug Hard Drives
  CPU Type: Intel® Xeon® Silver 4114 or better (minimum 20 threads/cores)
  CPU Quantity: 1 CPU
  Minimum RAM: 32 GB ECC RAM
  RAID Controller: HW RAID10
  RAID Configuration:
    • PERC H730P+ RAID Controller
    • PERC H740P RAID Controller
    • PERC H750 RAID Controller
  Minimum Persistent Storage: 2 × 1 TB SATA (7.2K RPM) HDD
  Power Supply: Dual Hot-plug Power Optional
  Network Card: Intel Ethernet I350 Quad-Port 1Gb Server Adapter
  iDRAC9 Enterprise: Optional
  ProSupport Service Plan: Optional

Sensor 10G Networks
  Server Model: Dell PowerEdge R440
  Chassis Type: Chassis with Hot-plug Hard Drives
  CPU Type: Intel® Xeon® Silver 4114 or better (minimum 20 threads/cores)
  CPU Quantity: 2 CPUs
  Minimum RAM: 128 GB ECC RAM
  RAID Controller: HW RAID10
  RAID Configuration:
    • PERC H730P+ RAID Controller
    • PERC H740P RAID Controller
    • PERC H750 RAID Controller
  Minimum Persistent Storage: 2 × 1 TB SATA (7.2K RPM) HDD
  Power Supply: Dual Hot-plug Power Optional
  Network Card: Intel Ethernet X710-DA2 10Gbps network card
  iDRAC9 Enterprise: Optional
  ProSupport Service Plan: Optional

All-In-One
  Server Model: Dell PowerEdge R440
  Chassis Type: Chassis with Hot-plug Hard Drives
  CPU Type: Intel® Xeon® Silver 4114 or better (minimum 20 threads/cores)
  CPU Quantity: 2 CPUs
  Minimum RAM: 128 GB ECC RAM
  RAID Controller: HW RAID10
  RAID Configuration:
    • PERC H730P+ RAID Controller
    • PERC H740P RAID Controller
    • PERC H750 RAID Controller
  Minimum Persistent Storage: 4 × 2 TB 7.2K RPM SATA 6Gbps 3.5in
  Power Supply: Dual Hot-plug Power Optional
  Network Card: Intel Ethernet X710-DA2 10Gbps network card
  iDRAC9 Enterprise: Optional
  ProSupport Service Plan: Optional

Analyst
  Server Model: Dell PowerEdge R440
  Chassis Type: Chassis with Hot-plug Hard Drives
  CPU Type: Intel® Xeon® Silver 4114 or better (minimum 12 threads/cores)
  CPU Quantity: 1 CPU
  Minimum RAM: 96 GB ECC RAM
  RAID Controller: HW RAID10
  RAID Configuration:
    • PERC H730P+ RAID Controller
    • PERC H740P RAID Controller
    • PERC H750 RAID Controller
  Minimum Persistent Storage: 4 × 2 TB 7.2K RPM SATA 6Gbps 3.5in
  Power Supply: Dual Hot-plug Power Optional
  iDRAC9 Enterprise: Optional
  ProSupport Service Plan: Optional

HPE Hardware

Manager

HPE ProLiant DL360 Gen10:

Data Node

HPE ProLiant DL360 Gen10:

Engine

HPE ProLiant DL360 Gen10:

Sensor 1G Networks

HPE ProLiant DL360 Gen10:

Sensor 10G Networks

HPE ProLiant DL360 Gen10:

Analyst

HPE ProLiant DL360 Gen10: