
Deployment Guide for 12.5.1

Tags: Documentation, Installation & Upgrade, PDF Documentation, Version 12.5.1

The following article contains a summary of the NetWitness® Deployment Guide for 12.5.1.0. To see the full guide, go to Attachments on this article and download the associated PDF.

Summary of the NetWitness® Deployment Guide for 12.5.1.0.

The Deployment Guide explains how to plan, deploy, and maintain a NetWitness® Platform 12.5.1 environment. It covers core deployment requirements, optional architectures, high‑availability and disaster recovery, network and port requirements, site safety and environmental considerations. The guide stresses capacity planning and careful topology design before installation.

The Basics

This section focuses on pre‑deployment planning: assessing enterprise size, growth, data volume, and user performance needs; planning for redundancy to avoid single points of failure; and understanding the supported deployment models. Supported deployment models include physical hosts, on‑prem virtual hosts, and cloud environments (AWS, Azure, GCP).

Deployment Process

This section describes the high‑level deployment sequence, which includes installing physical or virtual hosts, configuring licensing, and installing and enabling NetWitness® services on each host. It also covers following the version and mixed‑mode upgrade guidelines and aligning deployment steps with the appropriate installation guide (Physical, Virtual, AWS, Azure, GCP).

High‑Level Deployment Architecture

This section explains that NetWitness® is modular: it allows on‑prem, cloud, or hybrid deployments, a centralized SecOps VPC with regional data aggregation, and local investigations with centralized management. Hybrid cloud architectures are highlighted for performance and flexibility.

Deployment Optional Setup Procedures

This section describes common enhancements (all procedures are optional and are explained below).

Analyst User Interface (Analyst UI) provides regional, low‑latency analyst access, offloads queries and reporting from the Primary UI, has no administrative or content‑creation capabilities, and improves performance in geographically distributed SOCs.

Group Aggregation allows multiple Archivers or Concentrators to share the aggregation workload, which improves query speed and investigation performance. The recommended scale is 1–2 Log Decoders and 3–5 Archivers or Concentrators. It also supports scalable, distributed data processing.

New Health and Wellness provides an advanced monitoring and alerting framework, supports proactive monitoring and troubleshooting, and provides system health metrics using Elasticsearch and Kibana. It can be deployed standalone or on selected hosts depending on scale, and it requires additional resources based on deployment size.

Specialized deployment options include: Hybrid Categories on Series 6/7 hardware (Log/Network Hybrid), NW Server deployment on ESA hardware for higher capacity, a second Endpoint Server for scale and resilience, and a warm Standby NW Server for high availability.

Warm Standby NW Server and Failover

This section covers high availability for the NW Server. It explains all the following:

  • Secondary NW Server mirrors the primary.
  • Supports planned and unplanned failover.
  • Primary and secondary servers may use different IPs.
  • Includes: standby setup, failover and failback procedures, licensing and backup synchronization.

ESA Primary Disaster Recovery

This section describes disaster recovery for Event Stream Analysis (ESA). It uses an ESA Primary Standby node that synchronizes MongoDB and configuration data, enabling rapid recovery with minimal data loss. The section includes workflows, scripts, failover commands, and troubleshooting. Only one ESA Primary Standby is supported.

Network Architecture and Ports

This is a comprehensive reference section that provides logical architecture diagrams for network, logs, endpoint, and ESA; firewall requirements between all NetWitness® components; and host‑specific port tables (NW Server, Broker, Concentrator, Decoder, ESA, UEBA, etc.). The recommended network bandwidth is a minimum of 100 MBps between critical components.

Endpoint Architecture

This section explains NetWitness® Endpoint integration, Endpoint Log Hybrid communication, and Agent‑to‑server traffic flows, as well as procedures to change the default UDP ports if required by security policy.

Site Requirements and Safety

This section focuses on physical deployment safety, which includes indoor, office‑grade environment requirements; proper ventilation, grounding, and rack mounting; power and electrical safety warnings; and equipment handling and airflow guidelines to prevent damage or injury.

Key Takeaways

The guide serves as a reference framework, while detailed steps are delegated to the specialized installation and configuration guides. Key takeaways include:

  • NetWitness® 12.5.1 supports highly scalable, modular, and resilient deployments.
  • Planning and network design are critical to success.
  • High availability and disaster recovery are built in for both NW Server and ESA.

Attachments:
nw_12.5.1_Deployment_guide.pdf