Broadcom Symantec S550, Installation Manual

Page 1: ...Symantec Endpoint Detection and Response 4 5 Installation Guide for the S550 appliance ...

Page 2: ...9 Proxy recommendations 23 Symantec EDR platform support matrix 23 Obtaining a Symantec EDR license file and installing it 24 Installing the physical appliance 25 S550 appliance installation workflow 25 Connecting the cables on the S550 appliance 26 Powering on the S550 appliance and verifying the LEDs 27 Configuring the serial terminal or terminal emulation software 28 Rack mounting the S550 appl...

Page 3: ...allation Guide for the S550 appliance Appendix B Hardward specifications 43 Symantec S550 appliance specifications 43 Appendix C Re installing Symantec EDR onto the S550 45 Re installing Symantec EDR onto the 550 appliance from a USB stick or DVD 45 3 ...

Page 4: ...ies For more information please visit www broadcom com Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability function or design Information furnished by Broadcom is believed to be accurate and reliable However Broadcom does not assume any liability arising out of the application or use of this information nor the application or use...

Page 5: ...d providing Endpoint Communications Channel ECC functionality Symantec EDR has certain version requirements based on various components of SEP The minimum SEPM version is 12 1 RU6 or later Symantec EDR can connect to multiple SEP sites with one connection per SEP site up to a total of ten connections to SEPM hosts Symantec EDR can manage the client endpoints that run SEP version 12 1 RU 6 MP3 or l...

Page 6: ...stallation Guide for the S550 appliance Windows 7 64 bit only Windows 8 64 bit only Windows Server 2008 Windows Server 2012 Windows Server 2012 R2 or later recommended See the Symantec Endpoint Protection documentation for SEPM system requirements 6 ...

Page 7: ...a specialized standalone internal server or a Windows server that runs PUTTY It can be convenient if it provides remote access via RDP or HTTP This computer also needs to be local to the appliance Configuring the serial terminal or terminal emulation software Have Ethernet cables up to four normal cables and two crossover cables available The number and types of cables depends on your network conf...

Page 8: ...lly prior to commencing installation Provide this checklist to the administrators who will be performing the installation tasks You should also retain a copy for your records for archival and backup purposes Table 3 Set up serial terminal or terminal emulation software S550 appliance only Configuration Description Value to input Configure the terminal emulation software You must configure the term...

Page 9: ...of a second name server ________ yes ________ ________ ________ ________ ________ no Network scanner role only IP address of the Management Platform The management port IP address of the management platform appliance that controls this scanner ________ ________ ________ ________ Management platform or network scanner roles only Communication Channel password A secure password to encrypt communicat...

Page 10: ...xists Symantec EDR license location ______________________________________ SMTP Settings Symantec strongly recommends that you specify the SMTP settings in the setup wizard Doing so lets you recover a lost password Otherwise you can check Skip adding SMTP server configuration and specify the settings later in the EDR appliance console SMTP Server and Port The fully qualified domain name and port n...

Page 11: ...d as network scanners Each network scanner can monitor traffic on a different network and send its incident data to the management platform Depending on the operating mode the network scanner may block malicious traffic in real time A network scanner does not have the EDR appliance console You configure and manage the network scanner from the management platform Its incident data is consolidated w...

Page 12: ...e cabling is necessary when you switch between these modes The physical appliance has two Inline interfaces in Inline Monitor mode 1 Management 2 WAN 2 LAN Bypass Inline mode failsafe Installed out of the box Standard NIC mode Configured for Inline deployment Bypass mode Configured for Tap deployment Standard NIC mode Reimaged factory reset after any previous deployment Standard NIC mode Same as I...

Page 13: ...points in the organization While each deployment varies the physical appliance has a capacity of approximately 25K simultaneous connections These numbers are for inline mode In Tap mode hardware can support approximately twice the number of connections as inline Symantec EDR features If the deployment is to use mostly network scanning then a separate scanner and management platform deployment prov...

Page 14: ...witch that is set to span mode Not used Port span tap with multiple monitor ports This configuration uses two monitor ports and one management connection Extra monitor ports allow the same appliance to connect to multiple switches from different subnets This configuration does not block file transfers or websites Port on your LAN switch Connect Monitor1 to network tap or port on your LAN switch th...

Page 15: ...perform the following depending upon its role Scan all network traffic coming into and out of the organization Determine the source and destination of all traffic Detect internal connection endpoints Act as a network proxy for endpoints if integrating with Symantec Endpoint Protection Manager Have a minimal affect on network performance If your architecture includes a demilitarized zone DMZ and yo...

Page 16: ...endpoints for the endpoint proxy The management network should not be open to the Internet as a whole If you need access to the management network from outside a VPN or short lived Remote Desktop connection is recommended In Inline mode the management port must be on a different subnet from the Inline interface The following figures show examples of network configurations You might need crossover ...

Page 17: ...Symantec Endpoint Detection and Response 4 5 Installation Guide for the S550 appliance 17 ...

Page 18: ...Symantec Endpoint Detection and Response 4 5 Installation Guide for the S550 appliance 18 ...

Page 19: ... ports Depending on your network layout you may need to open some ports on your firewall and edit your firewall rules These changes let you access the important web addresses that are essential for Symantec Endpoint Detection and Response operations Symantec EDR web and IP addresses lists the web and IP addresses to which Symantec EDR requires access 19 ...

Page 20: ...identify malicious websites stnd avpg crsi symantec com stnd ipsg crsi symantec com TCP 443 Used to send detection telemetry to Symantec register brightmail com TCP 443 Used to register the appliance swupdate brightmail com TCP 443 Used to check for and download new releases of Symantec EDR shasta rrs symantec com shasta mrs symantec com TCP 443 Used to perform reputation lookups for Windows execu...

Page 21: ...municate with Symantec EDR RRS endpoint submissions ECC 1 0 HTTPS HTTP HTTP 443 80 8443 SEP Symantec EDR The SEPM private cloud that lets endpoints communicate with Symantec EDR Symantec cloud detection analysis and correlation services and telemetry services If endpoint activity recorder enabled If endpoint activity recorder disabled 443 TCP All appliances Symantec External traffic Cloud service ...

Page 22: ... when content is blocked at an endpoint Not required for Inline Monitor or Tap Span modes Synapse SEPM connection with Embedded DB optional Supported for SEPM 14 3 MP1 and earlier HTTPS 8081 TCP default Management platform or all in one appliance SEPM server Internal traffic Required if using the embedded database for Synapse connection to SEPM Connection to SEPM database HTTPS 2638 TCP default Ma...

Page 23: ...ers deploy Symantec EDR between the internal network and the proxy it gives Symantec EDR full visibility of endpoint information You must deploy Symantec EDR when you are load balancing proxies between the internal network and a farm of proxies This information ensures Symantec EDR can failover to the proxy In this scenario the LAN port of the proxy is the good place to plug in Symantec EDR inline...

Page 24: ...lment confirmation Welcome email that includes your serial number and a license key file attachment If you did not receive a Broadcom Welcome letter or you cannot locate your license key file click here to go to the Broadcom web site where you can access your license key file Save your license key file to a location that you can access from the EDR appliance console Install the license key file in...

Page 25: ...nfigure the appliance 4 Run the status_check command Run the command status_check to determine if the network connectivity has been set up properly The command lists all of the items that are checked and the status of whether each item is successful or not status_check command 5 Run the setup wizard Management platform or all in one appliances only The Symantec EDR setup wizard guides you through ...

Page 26: ... see the illustration below 1 Connect the RJ45 end of the included serial cable to the appliance s real panel RJ45 serial port and connect the other DB9 end of the cable to the serial terminal or workstation with terminal emulation software The serial connection is necessary to perform the appliance s initial configuration 2 Connect an Ethernet cable to the RJ45 eth0 port labeled 0 0 and connect t...

Page 27: ...either of these ports to a Tap Span port on a switch or router Table 10 Port to function summary 0 0 Management port 2 0 WAN1 port 2 1 LAN1 port 2 2 WAN2 port 2 3 LAN2 port Powering on the S550 appliance and verifying the LEDs Table 11 Front panel LEDs colors states Front panel LED Color state Power LED Black Powered off or no power present Amber Powered on and booting up Blinking green Power swit...

Page 28: ...e in a four post equipment rack CAUTION Before rack mounting the appliance Power off the appliance and disconnect all cables Verify that the weight of the system does not exceed the rack s fully populated weight limit For more information refer to the manufacturer s instructions included with the rack For weight stability load the rack from the bottom up Read the Rack Mount Warnings section of the...

Page 29: ...mounting configurations 1 Disassemble the two side rail assemblies by fully extending each side rail and sliding out the inner chassis rails 2 Attach the two inner rails to the appliance Align each rail to the mounting posts on each side of the chassis and slide the rails toward the front of the chassis until the mounting posts snap into place 29 ...

Page 30: ... 3 Attach the rack rails to the rack Insert the front of each rail in the rack while opening and then releasing the front latch Repeat to attach the rear of the rails extending or retracting the rails as necessary so they fit Verify the rack rails are installed at the same rack height 30 ...

Page 31: ...e 4 Install the appliance in the rack Align the inner rails attached to the appliance with the slide rails in the rack and slide the appliance gently all the way into the rack until it clicks and locks in place The appliance can be installed from either the front or rear of the rack 31 ...

Page 32: ...the levers immediately so the rail safety locks engage in the fully extended out position Take care not to push or pull too far especially while pressing the blue levers Doing so could cause the appliance to fall from the rack d While continuing to press the levers carefully slide the appliance out the front or rear of the rack Make sure to use two persons or a mechanical aid to lift the appliance...

Page 33: ... The following table describes the bootstrap prompts New password Type a new secure password for the console This password replaces the default password symantec Weak password Try another y n A password that is similar to a word in the Dictionary is too short or not complex enough is less secure Type y to delete the new password and be prompted to try again Type n to keep the new password you prev...

Page 34: ...gure IPv4 static routes y n Type y to configure an IPv4 static route or n to skip this configuration step Static routes may be required For example use static routes to connect a network scanner to its management platform Destination CIDR allowed Gateway If you choose to configure IPv4 static routes you are prompted to type the destination IP address and the gateway IP address Add another route y ...

Page 35: ...1 On a computer that is accessible to the appliance open a window on a supported browser and type https IP address of the management port For example if you assigned the static IP address 10 20 20 20 to the appliance during bootstrap type https 10 20 20 20 NOTE You must use the HTTPS protocol when you type the address of the setup wizard The HTTPS protocol is required 2 If the browser displays an ...

Page 36: ...ddress where alerts such as a license expiration notification are sent from If your mail server requires a secure logon to receive messages check Authorize Then type a user name and password that Symantec EDR can use to authenticate with the mail server Create an Administrative account Specify a logon name password display name and user email address for the initial administrator account You need ...

Page 37: ... from your endpoints for example a dump of all its events Configure backups Configure one or more backup schedules and locations Configure secure access to the EDR appliance console Upload a certificate to encrypt EDR appliance console sessions For Inline Block operation you may also want to customize the blocking page Blocking pages are used only when you operate in Inline Block mode and scanning...

Page 38: ...any messages 3 On the Internet go to the following URL http testatp coe org uk 4 Click on each of the links on the test page You should see a corresponding incident in the database whether you are in Tap mode or Inline Monitor mode Cloud based sandboxing detections may be delayed during virtual execution If you are in Inline Block mode file downloads except the cloud based sandbox new file submiss...

Page 39: ...o the management port of your management platform or all in one appliance NOTE To view Symantec EDR appliance pages or access the Symantec EDR console through the cloud website you must be connected via your company LAN or VPN or provide Symantec EDR with a public IP address that is accessible from the Internet Otherwise the following error message appears This page can t be displayed If you re us...

Page 40: ...Symantec Endpoint Detection and Response 4 5 Installation Guide for the S550 appliance Appendix Materials 40 ...

Page 41: ...nnected to your internal network WAN1 Monitor1 Ethernet port In tap mode connect the Monitor1 port to the network tap device or a monitoring port on a switch for SPAN In inline mode connect the WAN1 port to a switch toward your Internet connection or to your firewall LAN1 Monitor2 Ethernet port In tap mode you may connect the Monitor2 port to the network tap device or a monitoring port on a switch...

Page 42: ...ndicators Three pairs of LED indicators appear on the bypass NIC card The Link Activity pair is solid green and blinks green on activity when bypass mode is off It is off when bypass mode is on The Bypass pair is solid green when the appliance is running in bypass mode and is off when bypass mode is off The DISC pair is always off not used 42 ...

Page 43: ...6MHz Common Components on the Mother Board PCH Lewisburg L Intel C628 SSL Interface None Non By pass Ethernet Ports 2x Intel X550 By pass Ethernet Port 4x X557 PHY SAS Controller SAS Mezzanine card BMC IPMC AST2500 Boot Device SSD 2 x SATA III M 2 2242 SSD 64GB Key Storage Device SPI FLASH 1x ME 64MB fixed image 2x 32M re image able Power Supply 2 x PSU BEL POWER AC1600W System Fans 40W 6 Serial P...

Page 44: ...e Carrier 3 dual half height O2B O3A None Super cap for Mezz card RMSP3AD160F IOC 16port Mez Card None ROC 16port Mez Card 1 RAID Controller Intel R IntegratedRAIDModuleRMSP3AD160 LCM None Default Option Cards only one of the following delivered as Field Replaceable Unit PE310G4BPI71 SR 1 PE310G4BPI71 LR 1 44 ...

Page 45: ...wizard To follow the installer To perform a USB stick installation 7 Obtain an ISO image from Symantec 8 Create a bootable USB stick For Linux Click the following link to learn more about how to create a bootable USB stick on Linux https access redhat com documentation en us red_hat_enterprise_linux 7 html installation_guide sect making usb media For Mac A List the mounted devices For example List...

Page 46: ...e device For example M021204TKG3QD Downloads john_doe diskutil unmountDisk dev disk4 Unmount of all volumes on disk4 was successful C Write ISO image onto the USB stick In this example the USB stick is on dev disk4 M021204TKG3QD Downloads john_doe sudo dd if ATP 4 0 0 3 iso of dev disk4 bs 1m Password 2390 1 records in 2390 1 records out 2506612736 bytes transferred in 776 888341 secs 3226477 byte...

Page 47: ...3s1 2 Apple_HFS BackupMcBackface 2 0 TB disk3s2 dev disk4 external physical TYPE NAME SIZE IDENTIFIER 0 CDROM 15 9 GB disk4 M021204TKG3QD Downloads john_doe diskutil unmountDisk dev disk4 Unmount of all volumes on disk4 was successful 9 Plug the USB stick into the USB port 10 Boot to the device To boot to the device 11 Follow the installer To follow the installer To boot to the device This procedu...

Page 48: ...VD or USB stick 15 Select the option Test this media install ATP The install occurs automatically and can take up to 30 minutes The host reboots after the installation is complete Do not shut off the host until the login prompt appears 16 After the reboot completes log in as an administrator and perform the bootstrap 48 ...

Page 49: ......