Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000033735 - Configure Bluecoat SGOS with FTPS including Passive FTP for Netwitness Suite10.x

Document created by RSA Customer Support

on Aug 10, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000033735
Applies To	RSA Product Set: RSA Netwitness Suite RSA Product/Service Type: Netwitness Log Collector RSA Version/Condition: 10.x
Issue	After configuring Bluecoat SGOS for Log Collection as per sadocs. no logs are being transferred. Certificate used by vsftpd is self signed by the log collector and not the CA "Certificate Authority" puppetmaster.local, which is not trusted by Bluecoat. Bluecoat "the client" sometimes initiates PASV FTP connections to the Log Collector on random ports, not defined in the vsftpd.conf. hence either the IPtables, or any other firewall in between will most likely block the connection.
Cause	Newer versions of Bluecoat SGOS do not trust self signed certificates, signed and generated by Log Collector. A request of PASV FTP from client, while being opened in the vsftpd.conf, it is not limited to a certain port range. hence, a random port number is being chosen, which in most of the cases will be blocked by either the IPtables or a firewall in between.
Resolution	To resolve the two issues, you need first to sign the CSR "Certificate Sign Request" by no machine other than the Local CA "certificate authority", which is the puppetmaster.local , ie. the SA server. Secondly, you need to either open all ports between bluecoat and log collector, or define the port ranges allowed for PASV FTP in the vsftpd.conf file. Afterwards, with the above two changes, you can continue normally with the sadocs guide for Bluecoat SGOS. First: Sign the CSR using the SA puppetmaster.local SSH to the SA server, and create the CSR for the vsftpd, then sign it using the local CA, then copy the vsftpd and the CA certificates to the log collector. [root@sa ~]# cd /root [root@sa ~]# openssl req -nodes -new -sha256 -keyout vsftpd.key.pem -out vsftpd.csr.pem -days 1825 [root@sa ~]# openssl x509 -req -out vsftpd.crt.pem -in vsftpd.csr.pem -CA /var/lib/puppet/ssl/ca/ca_crt.pem -CAkey /var/lib/puppet/ssl/ca/ca_key.pem -CAcreateserial -days 1825 [root@sa ~]# scp vsftpd..pem <logcollector-IP-address>:/etc/netwitness/ng/ [root@sa ~]# scp /var/lib/puppet/ssl/certs/ca.pem <logcollector-IP-address>:/etc/netwitness/ng/truststore/puppet-ca.pem Make sure to download the ca.pem locally to your machine, to add it to the Bluecoat trusted root certificate store later on. Second: Configure PASV FTP on the Log Collector vsftpd.conf file* On the Log Collector, the /etc/vsftpd/vsftpd.conf file, the default option "pasv_enable=Yes". If you change it to "No", Bluecoat connections will fail. Solution is to limit the ports used by PASV, edit the /etc/vsftpd/vsftpd.conf and append the below 2 lines. pasv_max_port=14001 pasv_min_port=14004 Now, we need to add these 4 ports on the IPtables INPUT chain on the Log Collector. [root@logcollector ~]# service iptables stop [root@logcollector ~]# vi /etc/sysconfig/iptables Add the Following Line above the -j REJECT line within the file -A INPUT -p tcp -m multiport --dports 14001:14004 -m comment --comment "Ports allowed for PASV FTP" -j ACCEPT [root@logcollector ~]# service iptables restart [root@logcollector ~]# iptables -L Look for the Line below ACCEPT tcp -- anywhere anywhere multiport ports 4001:4004 /* Ports allowed for PASV FTP */ Finally, you need to allow these 4 ports on the firewall in between, if present. like Checkpoint for instance.
Notes	If you are unsure of the steps above, please contact RSA support and reference this article.

Attachments

Outcomes

0 Comments

Recommended Content

Incoming Links

Comment on 'Log Collector FTPS Passive Configuration'