000038975 - Configuring host to work with NAT address in RSA NetWitness Platform 11.x

Document created by RSA Customer Support Employee on Jun 8, 2020. Last modified by RSA Customer Support Employee on Jun 25, 2020.
Version 2

Article Content

Article Number: 000038975
Applies To: RSA Product Set: NetWitness Platform
RSA Product/Service Type: NetWitness Admin Server, NetWitness UI, Virtual Log Collector (VLC)
RSA Version/Condition: 11.x
Issue: The status of a host deployed outside the private network, behind NAT, shows as red (stopped) or as yet to start processing on the Health & Wellness page.

[Screenshot: host status stopped]
Tasks: The following steps describe how to establish communication between the NetWitness Admin Server and a Virtual Log Collector (VLC) deployed outside the private network, in a Network Address Translation (NAT) environment.
Resolution
  1. Configure iptables on the NW Admin Server and the VLC.
    1. Add the custom firewall rule line to the netwitness.json file so that the rules are carried forward on all future updates. See:
        https://community.rsa.com/docs/DOC-93651
         
    2. Save the current iptables rules to disk (this writes /etc/sysconfig/iptables and keeps the previous rules as the backup /etc/sysconfig/iptables.save).
        # service iptables save
         
    3. Optionally, copy the iptables file to a dated backup (if you want to retain multiple backups).
        # cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup.$(date +"%Y%m%d_%H%M")
         
    4. Stop iptables.
        # service iptables stop
         
    5. Edit /etc/hosts and /etc/sysconfig/iptables as follows.
       
      1. On NW Admin Server
          
        1. Add an entry for the VLC using its NAT IP.
             

          # vi /etc/hosts
          <VLC_NAT_IP>   vlchostname

             
        2. Add the following DNAT rules to the *nat table section of the iptables file (the *nat header, chain policies and COMMIT line are shown for context; only the -A OUTPUT rules are new).
             

          # cd /etc/sysconfig
          # vi iptables

          *nat   
          :PREROUTING ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination <VLC_NAT_IP>:5671
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination <VLC_NAT_IP>:56001
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 56006 -j DNAT --to-destination <VLC_NAT_IP>:56006
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 50001 -j DNAT --to-destination <VLC_NAT_IP>:50001
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 50101 -j DNAT --to-destination <VLC_NAT_IP>:50101
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 50006 -j DNAT --to-destination <VLC_NAT_IP>:50006
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 50106 -j DNAT --to-destination <VLC_NAT_IP>:50106
          -A OUTPUT -d <VLC_Real_IP>/32 -p udp -m udp --dport 123 -j DNAT --to-destination <VLC_NAT_IP>:123

          COMMIT

             
        3. Save the file (:wq!) and start iptables.
             

          # service iptables start   

             
          
      2. On VLC
           Perform steps 1.1 to 1.4 above (update netwitness.json, save, back up and stop iptables) on the VLC, then continue as follows.
          
        1. Add an entry for the NW Admin Server using its NAT IP in /etc/hosts.
             

          # vi /etc/hosts
          <NW_Server_NAT_IP>    nw-node-zero   UUID-of-NW-server

             
        2. Add the following DNAT rules to the *nat table section of the iptables file (the *nat header, chain policies and COMMIT line are shown for context; only the -A OUTPUT rules are new).
             

          # cd /etc/sysconfig
          # vi iptables 

          *nat   
          :PREROUTING ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination <NW_Server_NAT_IP>:80
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination <NW_Server_NAT_IP>:443
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination <NW_Server_NAT_IP>:5671
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 15671 -j DNAT --to-destination <NW_Server_NAT_IP>:15671
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 27017 -j DNAT --to-destination <NW_Server_NAT_IP>:27017
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 4505 -j DNAT --to-destination <NW_Server_NAT_IP>:4505
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 4506 -j DNAT --to-destination <NW_Server_NAT_IP>:4506
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination <NW_Server_NAT_IP>:53
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p udp -m udp --dport 53 -j DNAT --to-destination <NW_Server_NAT_IP>:53
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p udp -m udp --dport 123 -j DNAT --to-destination <NW_Server_NAT_IP>:123
          -A OUTPUT -d <LogDecoder_Real_IP>/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination <LogDecoder_NAT_IP>:5671

          COMMIT

             
        3. Start iptables.
             

          # service iptables start

             
          
      3. On the Log Decoder that the VLC sends logs to
           Perform steps 1.1 to 1.4 above (update netwitness.json, save, back up and stop iptables) on the Log Decoder, then continue as follows.
            
          
        1. Add an entry for the VLC using its NAT IP in /etc/hosts.
             

          # vi /etc/hosts
          <VLC_NAT_IP>   vlchostname

             
        2. Add the following DNAT rule to the *nat table section of the iptables file (the *nat header, chain policies and COMMIT line are shown for context; only the -A OUTPUT rule is new).
             

          # cd /etc/sysconfig
          # vi iptables

          *nat  
          :PREROUTING ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination <VLC_NAT_IP>:5671

          COMMIT
             
        3. Start iptables.
             

          # service iptables start

             
          
       
  2. Check that the custom rules are loaded in the nat table using the command:
    # iptables -L -nv -t nat
     
  3. Test the connection from each side through the new rules. For example,
    On VLC:
    # curl -v <NW_Server_Real_IP>:443

    On NW Admin Server:
    # curl -v <VLC_Real_IP>:443
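The following POSIX shell helpers are an added example and are not part of the RSA article or of NetWitness itself. They cover the iptables part of steps 1.2 to 1.5 and the /etc/hosts part of step 1.5: one function generates the OUTPUT DNAT rule lines for a host behind NAT from a list of proto:port pairs, one wraps them in a complete *nat section, one checks a saved /etc/sysconfig/iptables file before "service iptables start" loads it (every table terminated by COMMIT, no DNAT rule that rewrites traffic to the same address it matched, which is a no-op and usually a typo), and one checks that /etc/hosts maps a hostname to the expected NAT address. The function names, file names and the sample addresses (RFC 5737 documentation ranges standing in for real and NAT IPs) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the RSA article. Helpers for generating and
# sanity-checking the nat-table DNAT rules used in the procedure above.
# All addresses and file names here are constructed placeholders.

# dnat_rules REAL_IP NAT_IP proto:port [proto:port ...]
# Prints one "-A OUTPUT ... -j DNAT" line per proto:port in the same shape
# as the article: traffic addressed to the real IP is rewritten to the
# NAT IP on the same port.
dnat_rules() {
    real="$1"; nat="$2"; shift 2
    for spec in "$@"; do
        proto="${spec%%:*}"
        port="${spec#*:}"
        printf '%s -d %s/32 -p %s -m %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "-A OUTPUT" "$real" "$proto" "$proto" "$port" "$nat" "$port"
    done
}

# nat_table REAL_IP NAT_IP proto:port [proto:port ...]
# Wraps the rules in a complete *nat section (chain policies plus COMMIT),
# which is what iptables-restore expects in /etc/sysconfig/iptables.
nat_table() {
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    dnat_rules "$@"
    printf 'COMMIT\n'
}

# check_nat_table FILE
# Returns 0 when FILE is safe to load, 1 otherwise, printing each problem:
#  1. every *table section must be terminated by COMMIT (iptables-restore
#     rejects the file otherwise, so the host comes up without the rules);
#  2. a DNAT rule whose --to-destination address equals its -d address
#     changes nothing and is almost certainly a copy/paste mistake.
check_nat_table() {
    awk '
        /^\*/ {
            if (inside) { print "missing COMMIT before " $0; bad = 1 }
            inside = 1; next
        }
        /^COMMIT/ { inside = 0; next }
        /-j DNAT/ {
            d = ""; t = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") { d = $(i+1); sub(/\/32$/, "", d) }
                if ($i == "--to-destination") { t = $(i+1); sub(/:[0-9]+$/, "", t) }
            }
            if (d != "" && d == t) { print "no-op DNAT (rewrites to the same address): " $0; bad = 1 }
        }
        END {
            if (inside) { print "missing COMMIT at end of file"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# hosts_maps_to FILE HOSTNAME IP
# Returns 0 when the first non-comment line of FILE (an /etc/hosts file)
# that names HOSTNAME resolves it to IP, 1 when it maps elsewhere or is
# absent. The NAT address must win over DNS, so the file itself is checked.
hosts_maps_to() {
    awk -v h="$2" -v ip="$3" '
        BEGIN { rc = 1 }
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i == h) { rc = ($1 == ip) ? 0 : 1; exit }
        }
        END { exit rc }
    ' "$1"
}

# Usage (constructed addresses): write a nat section for a VLC and check it.
#   nat_table 192.0.2.10 198.51.100.10 tcp:5671 tcp:56001 udp:123 > /tmp/nat.rules
#   check_nat_table /tmp/nat.rules && echo "nat section OK"
#   hosts_maps_to /etc/hosts vlchostname 198.51.100.10 && echo "hosts entry OK"
```

Run check_nat_table against /etc/sysconfig/iptables after editing it and before starting iptables; a missing COMMIT or a no-op DNAT is far cheaper to catch at that point than after the Admin Server has lost its rules.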

     
Notes: Reference: Deployment Guide: Network Architecture and Ports
https://community.rsa.com/docs/DOC-83050
