Configure Bluecoat SGOS with FTPS including Passive FTP for Netwitness Suite
Issue
- After configuring Bluecoat SGOS for log collection as per the sadocs guide, no logs are being transferred.
- The certificate used by vsftpd is self-signed by the Log Collector and not by the CA (Certificate Authority) puppetmaster.local, so it is not trusted by Bluecoat.
- Bluecoat (the client) sometimes initiates PASV FTP connections to the Log Collector on random ports that are not defined in vsftpd.conf; hence iptables, or any other firewall in between, will most likely block the connection.
Cause
- Newer versions of Bluecoat SGOS do not trust self-signed certificates generated and signed by the Log Collector.
- When the client requests PASV FTP, and passive mode is enabled in vsftpd.conf, the passive port range is not limited; a random port number is chosen, which in most cases will be blocked by iptables or by a firewall in between.
Resolution
To resolve the two issues, first sign the CSR (Certificate Signing Request) with the local CA (certificate authority), which is puppetmaster.local, i.e. the SA server, and with no other machine. Second, either open all ports between Bluecoat and the Log Collector, or define the port range allowed for PASV FTP in the vsftpd.conf file.
Afterwards, with the above two changes, you can continue normally with the sadocs guide for Bluecoat SGOS.
First: Sign the CSR using the SA puppetmaster.local
- SSH to the SA server, create the CSR for vsftpd, sign it using the local CA, then copy the vsftpd and CA certificates to the Log Collector.

[root@sa ~]# cd /root
[root@sa ~]# openssl req -nodes -new -sha256 -keyout vsftpd.key.pem -out vsftpd.csr.pem -days 1825
[root@sa ~]# openssl x509 -req -out vsftpd.crt.pem -in vsftpd.csr.pem -CA /var/lib/puppet/ssl/ca/ca_crt.pem -CAkey /var/lib/puppet/ssl/ca/ca_key.pem -CAcreateserial -days 1825
[root@sa ~]# scp vsftpd.*.pem <logcollector-IP-address>:/etc/netwitness/ng/
[root@sa ~]# scp /var/lib/puppet/ssl/certs/ca.pem <logcollector-IP-address>:/etc/netwitness/ng/truststore/puppet-ca.pem

- Make sure to also download ca.pem to your local machine, so you can add it to the Bluecoat trusted root certificate store later on.
Second: Configure PASV FTP on the Log Collector vsftpd.conf file
- On the Log Collector, in the /etc/vsftpd/vsftpd.conf file, the default setting is pasv_enable=Yes.
- If you change it to No, Bluecoat connections will fail.
- The solution is to limit the ports used by PASV: edit /etc/vsftpd/vsftpd.conf and append the two lines below (the lower bound goes in pasv_min_port and the upper bound in pasv_max_port).

pasv_min_port=14001
pasv_max_port=14004

- Now add these 4 ports to the iptables INPUT chain on the Log Collector.

[root@logcollector ~]# service iptables stop
[root@logcollector ~]# vi /etc/sysconfig/iptables
Add the following line above the -j REJECT line in the file:
-A INPUT -p tcp -m multiport --dports 14001:14004 -m comment --comment "Ports allowed for PASV FTP" -j ACCEPT
[root@logcollector ~]# service iptables restart
[root@logcollector ~]# iptables -L
Look for the line below:
ACCEPT tcp -- anywhere anywhere multiport ports 14001:14004 /* Ports allowed for PASV FTP */

- Finally, allow these 4 ports on any firewall in between, if present (Checkpoint, for instance).
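The following POSIX shell snippet is an added check, not part of the original article or the NetWitness product: it reads pasv_min_port and pasv_max_port from a vsftpd.conf, rejects a missing or inverted range (a min greater than max is an easy mistake to make when appending the two lines), and prints the matching iptables INPUT rule so the two files stay consistent. The two sample config files are constructed inline for demonstration.

```shell
#!/bin/sh
# Added example: validate the vsftpd passive port range and derive the iptables rule.
# Assumption: the config uses plain key=value lines as vsftpd expects.

# pasv_range CONF -> prints "MIN:MAX"; returns 1 if a bound is missing or min > max
pasv_range() {
    conf="$1"
    # last matching line wins, as vsftpd would see the final assignment
    min=$(sed -n 's/^pasv_min_port=\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    max=$(sed -n 's/^pasv_max_port=\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    [ -n "$min" ] && [ -n "$max" ] || return 1
    [ "$min" -le "$max" ] || return 1
    printf '%s:%s\n' "$min" "$max"
}

# pasv_iptables_rule CONF -> prints the INPUT line to place above the -j REJECT line
pasv_iptables_rule() {
    range=$(pasv_range "$1") || return 1
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports $range -m comment --comment \"Ports allowed for PASV FTP\" -j ACCEPT"
}

# Constructed sample configs (not real files from the Log Collector)
good_conf=$(mktemp)
printf 'pasv_enable=YES\npasv_min_port=14001\npasv_max_port=14004\n' > "$good_conf"
bad_conf=$(mktemp)
# inverted range: min above max
printf 'pasv_enable=YES\npasv_max_port=14001\npasv_min_port=14004\n' > "$bad_conf"

# Usage: print the rule for the good config; report the bad one
pasv_iptables_rule "$good_conf"
pasv_range "$bad_conf" >/dev/null || echo "bad_conf: missing or inverted pasv port range"
```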
Notes
If you are unsure of the steps above, please contact RSA support and reference this article.
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: All Nodes
NetWitness Version/Condition: 12.x
Platform: CentOS/Alma linux