
Configuring host to work with NAT address in RSA NetWitness Platform 11.x

Issue

A host deployed outside the private network, behind Network Address Translation (NAT), shows a red "stopped" or "yet to start processing" status on the Health & Wellness page.


Tasks

The following steps describe how to establish communication between the NetWitness Admin Server and a Virtual Log Collector (VLC) deployed outside the private network in a NAT environment. Two changes are made on each host: the /etc/hosts entries map the peer's hostname to its NAT address, and iptables DNAT rules in the OUTPUT chain rewrite any connection that is still addressed to the peer's registered (real) IP so that it leaves the host bound for the NAT address instead. Only the ports the NetWitness services use are translated.


Resolution

  1. Configure iptables on the NW Admin Server and the VLC.
    1. Update the netwitness.json file with the customer firewall line so that the custom rules are carried forward on all future updates (see the separate how-to document).
       
    2. Save the current iptables rules to disk (this writes /etc/sysconfig/iptables and keeps the previous version as /etc/sysconfig/iptables.save as a backup).
      # service iptables save
       
    3. Optionally, copy the saved rules to a dated file if you want to retain multiple backups.
      # cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup.$(date +"%Y%m%d_%H%M")
       
    4. Stop iptables. Note that this flushes the running rule set, so the host is unfiltered until step 5 is complete and iptables is started again.
      # service iptables stop
       
    5. Edit /etc/hosts and /etc/sysconfig/iptables as follows.
      1. On NW Admin Server
        1. Add VLC entry with NAT IP.
          # vi /etc/hosts
          <VLC_NAT_IP>   vlchostname
        2. Add the following DNAT rules to the *nat table in iptables. If the file already contains a *nat section (the *nat line, the three chain policy lines and COMMIT), add only the -A OUTPUT lines to it, before COMMIT; do not create a second *nat table.
          # cd /etc/sysconfig
          # vi iptables

          *nat   
          :PREROUTING ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination <VLC_NAT_IP>:5671
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination <VLC_NAT_IP>:56001
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 56006 -j DNAT --to-destination <VLC_NAT_IP>:56006
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 50001 -j DNAT --to-destination <VLC_NAT_IP>:50001
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 50101 -j DNAT --to-destination <VLC_NAT_IP>:50101
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 50006 -j DNAT --to-destination <VLC_NAT_IP>:50006
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 50106 -j DNAT --to-destination <VLC_NAT_IP>:50106
          -A OUTPUT -d <VLC_Real_IP>/32 -p udp -m udp --dport 123 -j DNAT --to-destination <VLC_NAT_IP>:123

          COMMIT
        3. Save the file (:wq) and start iptables.
          # service iptables start   
      2. On VLC
        Perform steps 1 to 4 above (update netwitness.json, save and back up the rules, stop iptables) on the VLC, then:
        1. Add NW Admin Server entry with NAT IP in /etc/hosts.
          # vi /etc/hosts
          <NW_Server_NAT_IP>    nw-node-zero   UUID-of-NW-server
        2. Add the following DNAT rules to the *nat table in iptables, again adding only the -A OUTPUT lines before COMMIT if a *nat section already exists. The last rule covers the Log Decoder the VLC forwards logs to.
          # cd /etc/sysconfig
          # vi iptables 

          *nat   
          :PREROUTING ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination <NW_Server_NAT_IP>:80
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination <NW_Server_NAT_IP>:443
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination <NW_Server_NAT_IP>:5671
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 15671 -j DNAT --to-destination <NW_Server_NAT_IP>:15671
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 27017 -j DNAT --to-destination <NW_Server_NAT_IP>:27017
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 4505 -j DNAT --to-destination <NW_Server_NAT_IP>:4505
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 4506 -j DNAT --to-destination <NW_Server_NAT_IP>:4506
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination <NW_Server_NAT_IP>:53
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p udp -m udp --dport 53 -j DNAT --to-destination <NW_Server_NAT_IP>:53
          -A OUTPUT -d <NW_Server_Real_IP>/32 -p udp -m udp --dport 123 -j DNAT --to-destination <NW_Server_NAT_IP>:123
          -A OUTPUT -d <LogDecoder_Real_IP>/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination <LogDecoder_NAT_IP>:5671

          COMMIT
        3. Start iptables.
          # service iptables start
      3. On the Log Decoder that the VLC sends logs to:
        Perform steps 1 to 4 above (update netwitness.json, save and back up the rules, stop iptables) on the Log Decoder, then:
         
        1. Add VLC entry with NAT IP in /etc/hosts.
          # vi /etc/hosts
          <VLC_NAT_IP>   vlchostname
        2. Add the following DNAT rule to the *nat table in iptables, adding only the -A OUTPUT line before COMMIT if a *nat section already exists.
          # cd /etc/sysconfig
          # vi iptables

          *nat  
          :PREROUTING ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          -A OUTPUT -d <VLC_Real_IP>/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination <VLC_NAT_IP>:5671
        3. Start iptables
          # service iptables start
  2. Check that the custom rules are loaded. The packet and byte counters shown by -v tell you whether a rule is actually matching traffic:
    # iptables -L -nv -t nat
     
  3. Test the connection from each side. The request must be sent to the peer's real IP so that the DNAT rule is exercised; a completed TCP connect and TLS handshake (even if certificate verification then fails) shows the translated path works, while "Connection refused" or a timeout means the rule or the NAT path is wrong. For example,
    On VLC:
    # curl -v https://<NW_Server_Real_IP>:443

    On NW Admin Server:
    # curl -v https://<VLC_Real_IP>:<one of the DNAT'd VLC ports>
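The three hosts above get the same shape of *nat table with different addresses and port lists, and the KB checks the result by eye. The following shell functions, added here as an example and not part of the RSA article, generate the OUTPUT DNAT lines in iptables-save syntax from a real-IP/NAT-IP mapping, assemble the VLC-side table from the KB's port list, and verify against the output of `iptables -t nat -S OUTPUT` which of the expected rules are actually loaded. The host names and the IP addresses in the comments are assumed example values.

```bash
#!/usr/bin/env bash
# Added example, not from the RSA KB. Generates and verifies the *nat OUTPUT
# DNAT rules described above. All addresses used here are example values.

# gen_dnat_rules REAL_IP NAT_IP PROTO PORT...
# Prints one "-A OUTPUT ... -j DNAT" line per port, in the exact form that
# /etc/sysconfig/iptables and "iptables -t nat -S OUTPUT" use.
gen_dnat_rules() {
  local real="$1" nat="$2" proto="$3"; shift 3
  local port
  for port in "$@"; do
    printf -- '-A OUTPUT -d %s/32 -p %s -m %s --dport %s -j DNAT --to-destination %s:%s\n' \
      "$real" "$proto" "$proto" "$port" "$nat" "$port"
  done
}

# gen_nat_table: wraps the rule lines read from stdin in a complete *nat
# table (ACCEPT policies, zero counters, COMMIT) for iptables-restore.
gen_nat_table() {
  printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
  cat
  printf 'COMMIT\n'
}

# vlc_nat_table NW_REAL NW_NAT LD_REAL LD_NAT
# The VLC-side table from the KB: Admin Server ports plus the Log Decoder
# AMQP port 5671.
vlc_nat_table() {
  {
    gen_dnat_rules "$1" "$2" tcp 80 443 5671 15671 27017 4505 4506 53
    gen_dnat_rules "$1" "$2" udp 53 123
    gen_dnat_rules "$3" "$4" tcp 5671
  } | gen_nat_table
}

# rule_present LISTING REAL_IP NAT_IP PROTO PORT
# LISTING is the text of "iptables -t nat -S OUTPUT" (or a generated table).
# Returns 0 if an exact matching DNAT rule is present. -S is used rather than
# -L because -S prints rules in the same -A syntax they were written in.
rule_present() {
  local listing="$1" real="$2" nat="$3" proto="$4" port="$5"
  printf '%s\n' "$listing" | grep -Fqx -- \
    "-A OUTPUT -d $real/32 -p $proto -m $proto --dport $port -j DNAT --to-destination $nat:$port"
}

# missing_rules LISTING REAL_IP NAT_IP PROTO PORT...
# Prints proto/port for every expected rule that is not loaded; prints
# nothing when the host is fully configured.
missing_rules() {
  local listing="$1" real="$2" nat="$3" proto="$4"; shift 4
  local port
  for port in "$@"; do
    rule_present "$listing" "$real" "$nat" "$proto" "$port" || printf '%s/%s\n' "$proto" "$port"
  done
}

# Typical use on a VLC (example addresses), after "service iptables save":
#   vlc_nat_table 10.10.10.5 203.0.113.5 10.10.10.7 203.0.113.7 > /tmp/vlc-nat.rules
#   then merge the -A OUTPUT lines into the *nat section of /etc/sysconfig/iptables
#   before COMMIT and "service iptables restart"; afterwards:
#   missing_rules "$(iptables -t nat -S OUTPUT)" 10.10.10.5 203.0.113.5 tcp 80 443 5671 15671 27017 4505 4506 53
```

Run `missing_rules` with the live `iptables -t nat -S OUTPUT` output on each host after iptables is started; any line it prints is a port whose connections will still go to the real IP and time out. Because the rules live in the OUTPUT chain they only affect traffic originated by the host itself, which is what the NetWitness services generate; forwarded traffic is not touched.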

     Reference:   Deployment Guide: Network Architecture and Ports

Product Details

RSA Product Set: NetWitness Platform
RSA Product/Service Type: NetWitness Admin Server, NetWitness UI, Virtual Log Collector (VLC)
RSA Version/Condition: 11.x
