Applies To:
RSA Product Set: RSA Netwitness Suite
RSA Product/Service Type: Netwitness Log Collector
RSA Version/Condition: 10.x
Issue:
- After configuring Bluecoat SGOS for log collection as described in sadocs, no logs are transferred. Two separate problems cause this:
- The certificate used by vsftpd on the Log Collector is self-signed by the Log Collector itself rather than issued by the local CA (Certificate Authority), puppetmaster.local. Newer versions of Bluecoat SGOS do not trust a self-signed certificate generated by the Log Collector, so the FTPS session is refused.
- Bluecoat (the client) initiates passive-mode (PASV) FTP data connections to the Log Collector. PASV is enabled in vsftpd.conf but not limited to a port range, so vsftpd picks a random high port for each data connection. Those ports are not open in the Log Collector's iptables rules or on any firewall in between, so the data connection is blocked in most cases. With FTPS the control channel is encrypted, so a firewall's FTP helper cannot read the PASV reply and open the data port dynamically; the range has to be fixed and opened explicitly.
Resolution:
To resolve the two issues, first have the CSR (Certificate Signing Request) signed by the local CA (Certificate Authority), puppetmaster.local, i.e. the SA server, and by no other machine.
Secondly, define the port range allowed for PASV FTP in the vsftpd.conf file and open that range between Bluecoat and the Log Collector. Opening all ports between the two hosts also works, but it exposes every listening service on the Log Collector to the Bluecoat network segment, so the bounded range is the preferred fix.
Afterwards, with the above two changes in place, continue normally with the sadocs guide for Bluecoat SGOS.
First: Sign the CSR using the SA puppetmaster.local
Second: Configure PASV FTP on the Log Collector vsftpd.conf file
- On the Log Collector, /etc/vsftpd/vsftpd.conf has the default setting pasv_enable=YES.
- Do not change it to NO: Bluecoat only uses passive mode, so its connections will fail.
- The solution is to limit the ports PASV may use. Edit /etc/vsftpd/vsftpd.conf and append the below 2 lines (vsftpd's pasv_min_port and pasv_max_port settings, bounding the range to the 4 ports opened in the next step), then run "service vsftpd restart" so the listener picks up the new range.
- Now add these 4 ports to the INPUT chain of iptables on the Log Collector. The rules file can be edited while iptables is running; there is no need to stop the firewall first, and stopping it leaves the Log Collector unfiltered until the restart. The ACCEPT rule must sit above the final -j REJECT line, because iptables evaluates rules in order and anything placed after the REJECT is never reached.
[root@logcollector ~]# vi /etc/sysconfig/iptables
Add the following line above the -j REJECT line within the file:
-A INPUT -p tcp -m multiport --dports 14001:14004 -m comment --comment "Ports allowed for PASV FTP" -j ACCEPT
If only the Bluecoat should be able to reach these ports, restrict the rule to its address with -s <bluecoat-ip>.
[root@logcollector ~]# service iptables restart
[root@logcollector ~]# iptables -L
Look for the line below; the range must read 14001:14004, matching the rule you added:
ACCEPT tcp -- anywhere anywhere multiport dports 14001:14004 /* Ports allowed for PASV FTP */
- Finally, allow the same 4 TCP ports (14001-14004, from Bluecoat to the Log Collector) on any firewall in between, if present, such as a Check Point gateway.
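The two configuration changes above (bounding the PASV range in vsftpd.conf and placing the ACCEPT rule above the REJECT in the iptables rules file), carried out and verified by a small POSIX shell script. This is an added example, not part of the RSA article or the sadocs procedure. It assumes the 14001-14004 range from the iptables rule above as the pasv_min_port/pasv_max_port values, takes the file paths as arguments so it can be tried on copies before touching /etc on the collector, and optionally restricts the rule to the Bluecoat's source address (192.0.2.10 below is a constructed placeholder). The sample vsftpd.conf and iptables files in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the RSA article): bound vsftpd's PASV range and add the
# matching iptables ACCEPT rule, then verify both edits. Paths are arguments so
# the functions can be run against copies before touching /etc on the collector.
# Assumption: the range 14001-14004 matches the rule given in the article.

PASV_MIN=14001
PASV_MAX=14004

# set_pasv_range CONF MIN MAX
# Ensure pasv_enable=YES and a bounded port range. Any existing pasv_* lines are
# dropped first so the file never carries two conflicting values.
set_pasv_range() {
    conf=$1; min=$2; max=$3
    # grep -v exits 1 when nothing is left to print; that is not an error here
    grep -v -E '^(pasv_enable|pasv_min_port|pasv_max_port)=' "$conf" > "$conf.tmp" || true
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' "$min" "$max" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# pasv_range_ok CONF MIN MAX: succeeds only if all three settings exist as whole lines.
pasv_range_ok() {
    grep -q -x 'pasv_enable=YES' "$1" &&
    grep -q -x "pasv_min_port=$2" "$1" &&
    grep -q -x "pasv_max_port=$3" "$1"
}

# add_pasv_rule RULES MIN MAX [SRC]
# Insert the ACCEPT rule above the first '-j REJECT' line of an
# /etc/sysconfig/iptables-style file. SRC, if given, limits the rule to the
# Bluecoat's address; without it any host that can reach the collector may
# connect to the PASV range. Calling it twice does not duplicate the rule.
add_pasv_rule() {
    rules=$1; min=$2; max=$3; src=$4
    if grep -q -- "--dports $min:$max" "$rules"; then
        return 0
    fi
    srcopt=''
    [ -n "$src" ] && srcopt="-s $src "
    rule="-A INPUT ${srcopt}-p tcp -m multiport --dports $min:$max -m comment --comment \"Ports allowed for PASV FTP\" -j ACCEPT"
    awk -v r="$rule" '!done && /-j REJECT/ { print r; done = 1 } { print }' "$rules" > "$rules.tmp"
    mv "$rules.tmp" "$rules"
}

# rule_before_reject RULES MIN MAX
# Succeeds only if the ACCEPT rule appears before the REJECT: iptables evaluates
# rules in order, so a rule placed after the REJECT is never reached.
rule_before_reject() {
    accept=$(grep -n -- "--dports $2:$3 .*-j ACCEPT" "$1" | head -n 1 | cut -d: -f1)
    reject=$(grep -n -- '-j REJECT' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$reject" ] && [ "$accept" -lt "$reject" ]
}

# Demonstration on constructed copies (not the real collector files).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/vsftpd.conf" <<'EOF'
listen=YES
pasv_enable=YES
ssl_enable=YES
EOF
    cat > "$tmp/iptables" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    set_pasv_range "$tmp/vsftpd.conf" "$PASV_MIN" "$PASV_MAX"
    add_pasv_rule "$tmp/iptables" "$PASV_MIN" "$PASV_MAX" 192.0.2.10   # placeholder Bluecoat address
    pasv_range_ok "$tmp/vsftpd.conf" "$PASV_MIN" "$PASV_MAX" && echo "vsftpd.conf: PASV bounded to $PASV_MIN-$PASV_MAX"
    rule_before_reject "$tmp/iptables" "$PASV_MIN" "$PASV_MAX" && echo "iptables: PASV ACCEPT rule sits above the REJECT"
    rm -rf "$tmp"
}

demo
```

On the collector itself, call set_pasv_range with /etc/vsftpd/vsftpd.conf and add_pasv_rule with /etc/sysconfig/iptables, then run "service vsftpd restart" and "service iptables restart"; neither edit takes effect until the service re-reads its file, and rule_before_reject catches the common mistake of appending the ACCEPT after the REJECT, where it would never match.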
Notes:
If you are unsure of the steps above, please contact RSA support and reference this article.