QUICK START GUIDE
Fidelis Enterprise Collector Cluster
Rev-H — Collector Controller2 (HP DL360-G9) and Collector XA2 (HP DL360-G9) Platforms
www.fidelissecurity.com
1. System Overview
The Fidelis Collector stores network metadata and provides the security analytics features of Fidelis Network. The Collector is deployed as a cluster of two or more hardware appliances. The Collector Controller2 (CC2) receives network metadata from network-attached Fidelis Sensors (for example Direct or Internal sensors) and delivers it to the attached Collector XA2 (CXA2) database nodes.
Figure 1: Fidelis Network — Collector Controller 2 (Rev-H)
Figure 2: Fidelis Network — Collector XA2 Appliance (Rev-H)
2. Documentation & References
Fidelis product documentation, appliance specifications, and instructions are available at http://fidelissecurity.com/customer-support/login or through the corresponding icon in the CommandPost GUI.
Collector Default Passwords

System                     Account          Password
SSH / Appliance Console    fidelis          fidelispass
CommandPost GUI            admin            system
iLO                        administrator    (printed on label, top of server)

These are factory defaults and are known to anyone who has this guide. Change them before an appliance is connected to a production network: the fidelis account can run the setup program with sudo (Section 7), and the iLO account gives out-of-band console access to the server.
Technical Support
For all technical support related to this product, check with your site administrator to determine support contract details. Contact your reseller or, if you have a direct support contract, contact the Fidelis Cybersecurity support team at:
• Phone: +1 301.652.7190
• Toll-free in the US: 1.800.652.4020 — Use the customer support option.
• Email: [email protected]
• Web: http://www.fidelissecurity.com/customer-support/login
©Fidelis Cybersecurity
www.fidelissecurity.com
Things You Need
Required for Each Component:
• Rack space, power, and cooling for each component (Appendix B)
• Rack tools, rails, and connectors
• Keyboard and video monitor / KVM switch for temporary appliance setup
• Power cables — two per component, appropriate for power source and region
• Ethernet cables for Admin, DB, SYNC and iLO ports (Section 3)
• Network switches with enough physical ports (Section 4)
• Logical network information: IP addresses, hostnames (Section 5, Appendix A)
• Fidelis Licenses for Collector Controller(s)
3. Collector Network Port and Cabling Requirements
Each component must be connected to the various networks with appropriate cables. The tables below describe the
physical connection and cable type associated with each port.
Collector Controller2 Appliance

Port Label    Physical Connection Type (Default)    Cable Type
ADMIN         GbE RJ45 (copper)                     Cat 5 patch cable
DB Net        GbE RJ45 (copper)                     Cat 5 patch cable
ILO           GbE RJ45 (copper)                     Cat 5 patch cable
Figure 3: Network Port Assignments — Collector Controller (Rev-H) [drawing PL-H-BLT-COL-03]
(Rear-panel ports shown: Admin (eth0), DB (eth1), and iLO (ILO / IPMI).)
Collector XA2 Database Node

Port Label    Physical Connection Type (Default)    Cable Type
ADMIN         GbE RJ45 (copper)                     Cat 5 patch cable
DB net        GbE RJ45 (copper)                     Cat 5 patch cable
SYNC net      GbE RJ45 (copper)                     Cat 5 patch cable
ILO           GbE RJ45 (copper)                     Cat 5 patch cable
Figure 4: Network Port Assignments — Collector XA2 (Rev-H) [drawing PL-H-THR-COL-03]
(Rear-panel ports shown: Admin (eth0), DB (eth1), SYNC (eth2), and iLO (ILO / IPMI).)
4. Collector Networking Environment
The Collector components use multiple networks for service and inter-node communication. The networks may be deployed as three independent physical switches or as independent VLANs on a shared switch fabric. The ADMIN, DB and SYNC networks must be separate broadcast domains (separate switches or separate VLANs); the iLO network may share a broadcast domain with ADMIN.
Use the tables below to identify the count and type of switch ports necessary to support the number of Collector components in your deployment.
ADMIN Network
The ADMIN Network connects the Collector Controller2 to the Fidelis Network Sensors and CommandPost systems. It also connects the Collector XA2 nodes to the CommandPost.

Component                Switch Port Type                             Qty.
Collector Controller2    GbE - RJ45/Cat5+ (copper twisted pair)       ____
Collector XA2            GbE - RJ45/Cat5+ (copper twisted pair)       ____

DB Network
The DB Network carries communication between the Collector Controller2 and the Collector XA2 nodes. This network must be independent from other networks. Only IPv4 addresses are supported.

Component                Switch Port Type                             Qty.
Collector Controller2    GbE - RJ45/Cat5+ (copper twisted pair)       ____
Collector XA2            GbE - RJ45/Cat5+ (copper twisted pair)       ____

SYNC Network
The SYNC Network provides transport for database node synchronization. This network must be independent from other networks. Only IPv4 addresses are supported.

Component                Switch Port Type                             Qty.
Collector Controller2    (n/a)                                        (n/a)
Collector XA2            GbE - RJ45/Cat5+ (copper twisted pair)       ____

ILO Network
Optional network for remote/out-of-band server administration.

Component                Switch Port Type                             Qty.
Collector Controller2    GbE - RJ45/Cat5+ (copper twisted pair)       ____
Collector XA2            GbE - RJ45/Cat5+ (copper twisted pair)       ____
5. Collector Logical Network Configuration
Each physical connection must be assigned logical network information. Build a table of the logical information for each appliance (example below; blank worksheets in Appendix A) that you can reference during configuration. You will refer to this table several times during cluster setup.
Example Network Configuration Table

Network Setting      ADMIN/eth0                        DB/eth1           SYNC/eth2         iLO/IMM
Hostname (FQDN)      collector-xa1.organization.net
Static IP Address    10.1.2.3                          192.168.1.3       172.16.1.3        10.2.3.4
Subnet Mask          255.255.252.0                     255.255.255.0     255.255.255.0     255.255.252.0
Gateway              10.1.2.1                          (none)            (none)            10.2.0.1
DNS Servers          8.8.4.4, 8.8.8.8
NTP Servers          pool.ntp.org
Proxy Server         (none in this example)
Time Zone            UTC (+0)

The DB and SYNC interfaces have no gateway because those networks must not be reachable from other networks (Section 4). Where a gateway is given (ADMIN, iLO), it must be an address inside that interface's own subnet.
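The worksheet is the input typed into /FSS/bin/setup on every appliance, and the Section 4 rules (distinct ADMIN, DB and SYNC broadcast domains, IPv4 only on DB and SYNC) are easy to break with a typo. The script below is an added example, not part of this guide or of the Fidelis software: it checks a filled-in worksheet against those rules, against the requirement that a gateway lies inside its interface's subnet, and against the expectation that every node lands in one common DB subnet (and every XA2 node in one common SYNC subnet), since the nodes reach each other on those networks directly. The Node structure, the XA2 hostnames and their addresses are assumptions made for the illustration; only the controller row reuses the Section 5 example values.

```python
"""Check a Collector Cluster network worksheet (Section 5 / Appendix A) against the
network rules in Section 4 before the values are typed into /FSS/bin/setup.

Rules applied:
  - ADMIN, DB and SYNC must be distinct broadcast domains, so their subnets must not
    overlap on any node; iLO may share a subnet with ADMIN but not with DB or SYNC.
  - DB and SYNC carry IPv4 only.
  - A gateway, when given, must be an address inside the interface's own subnet.
  - All nodes share one DB subnet and all XA2 nodes one SYNC subnet (no router between).
  - A Collector Controller2 has no SYNC interface.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
from typing import Dict, List, Optional, Tuple

Iface = Tuple[str, str, Optional[str]]  # (address, netmask or prefix length, gateway or None)


@dataclass
class Node:
    role: str  # "controller" or "xa2"
    ifaces: Dict[str, Iface]


# Constructed worksheet for illustration. The controller row reuses the Section 5 example
# values; the XA2 hostnames and addresses are invented, and node (B) carries two deliberate
# mistakes so the checks have something to report.
WORKSHEET: Dict[str, Node] = {
    "collector-cc1.organization.net": Node("controller", {
        "ADMIN/eth0": ("10.1.2.3", "255.255.252.0", "10.1.2.1"),
        "DB/eth1": ("192.168.1.3", "255.255.255.0", None),
        "iLO": ("10.2.3.4", "255.255.252.0", "10.2.0.1"),
    }),
    "collector-xa-a.organization.net": Node("xa2", {
        "ADMIN/eth0": ("10.1.2.4", "255.255.252.0", "10.1.2.1"),
        "DB/eth1": ("192.168.1.4", "255.255.255.0", None),
        "SYNC/eth2": ("172.16.1.4", "255.255.255.0", None),
        "iLO": ("10.2.3.5", "255.255.252.0", "10.2.0.1"),
    }),
    "collector-xa-b.organization.net": Node("xa2", {
        "ADMIN/eth0": ("10.1.2.5", "255.255.252.0", "10.1.2.1"),
        "DB/eth1": ("192.168.1.5", "255.255.255.0", None),
        "SYNC/eth2": ("192.168.1.6", "255.255.255.0", None),  # mistake: SYNC on the DB subnet
        "iLO": ("10.2.3.6", "255.255.252.0", "10.5.6.7"),      # mistake: gateway off-subnet
    }),
}

ISOLATED = ("DB/eth1", "SYNC/eth2")                 # IPv4 only, shared by all nodes, no overlap
DISTINCT = ("ADMIN/eth0", "DB/eth1", "SYNC/eth2")   # must be different broadcast domains


def validate(worksheet: Dict[str, Node]) -> List[str]:
    """Return human-readable findings; an empty list means the worksheet passes."""
    findings: List[str] = []
    shared = {name: set() for name in ISOLATED}  # subnets seen per cluster-wide network

    for host, node in worksheet.items():
        nets = {}
        for name, (addr, mask, gw) in node.ifaces.items():
            iface = ip_interface(f"{addr}/{mask}")
            nets[name] = iface.network
            if name in ISOLATED and iface.version != 4:
                findings.append(f"{host} {name}: {addr} is not IPv4 (DB and SYNC are IPv4 only)")
            if gw is not None and ip_address(gw) not in iface.network:
                findings.append(f"{host} {name}: gateway {gw} is not inside {iface.network}")
            if name in shared:
                shared[name].add(iface.network)

        if node.role == "controller" and "SYNC/eth2" in nets:
            findings.append(f"{host}: a Collector Controller2 has no SYNC interface")

        # Pairwise overlap among ADMIN/DB/SYNC, plus iLO against the isolated networks.
        present = [n for n in DISTINCT if n in nets]
        pairs = [(a, b) for i, a in enumerate(present) for b in present[i + 1:]]
        pairs += [("iLO", n) for n in ISOLATED if "iLO" in nets and n in nets]
        for a, b in pairs:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{host}: {a} ({nets[a]}) overlaps {b} ({nets[b]})")

    for name, subnets in shared.items():
        if len(subnets) > 1:
            findings.append(f"{name}: nodes are on different subnets {sorted(map(str, subnets))}")
    return findings


if __name__ == "__main__":
    for finding in validate(WORKSHEET) or ["worksheet OK"]:
        print(finding)
```

Against the constructed worksheet the script reports the off-subnet iLO gateway on node (B), the DB/SYNC overlap on the same node, and, as a consequence, that the XA2 nodes do not share one SYNC subnet. Fix the worksheet until it prints "worksheet OK" before starting Section 7.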
6. Appliance Installation
Rack Installation
Install each component in an enclosure/location that has the necessary power and cooling.
Power
Connect power cables to the power supplies in the back of the component.
Appliance Network Cabling
Using the connectors and cables described in Sections 3 and 4, connect the appliances to the networks. Reference the Collector Cluster network diagram (Figure 5) for this section.
Cable the Collector Controller2 appliance(s) to the switches:
1. Connect the Admin (eth0) port to the “ADMIN” switch port
2. Connect the DB (eth1) port to the “DB” switch port
3. (optional) Connect the iLO port to the ADMIN (or ILO) switch port
4. Repeat for each Collector Controller
Cable the Collector XA2 node appliances to the switches:
1. Connect the Admin (eth0) port to the “ADMIN” switch port
2. Connect the DB (eth1) port to the “DB” switch port
3. Connect the SYNC (eth2) port to the “SYNC” switch port
4. (optional) Connect the iLO port to the ADMIN (or ILO) switch port
5. Repeat for each Collector XA2 component.
Figure 5: Collector Network Diagram
(Components shown: Collector Controller 2, Collector Controller 2 (Failover), CommandPost, a Direct, Internal, Mail, or Web Sensor, and Collector XA2 (A), (B) and (C). The ADMIN, DB and SYNC networks are drawn as separate switches: the controllers, CommandPost and sensors attach to ADMIN; the controllers and XA2 nodes to DB; only the XA2 nodes to SYNC. Network cable minimum: Cat5 UTP patch cable (1GbE, RJ45). iLO connections not displayed.)
7. Component Network Configuration
1. Power on the appliance(s).
2. Connect to the component CLI using one of the following methods:
—— Via SSH: Directly attach an Ethernet cable from a client system such as a laptop to the Admin/eth0 port on the appliance. The default IP address is 192.168.42.11/24. Assign a static IP address from the same subnet to the client's network interface and connect to the appliance using SSH. Use the direct cable rather than a shared network for this step: the appliance still has its factory default password at this point.
—— Via KVM Console: Connect a keyboard and monitor to the appliance.
3. Use these credentials at the login prompt:
—— user: fidelis
—— default password: fidelispass
4. From the command line, run: sudo /FSS/bin/setup
a. You will be prompted for the fidelis account password.
5. Within Setup, select Network Settings.
6. Configure the network parameters for the system and each active network interface.
a. Use the Network Configuration table you prepared earlier (Section 5, Appendix A).
b. When complete, return to the top menu.
7. When complete, select [OK] to leave Setup.
8. From the command line, reboot the system: sudo /sbin/shutdown -r now
Repeat these steps for every appliance being added to the Collector cluster.
9. Use ping to verify connectivity between the XA2 nodes on their SYNC/eth2 interfaces, and between the Collector Controller2 and each XA2 node on the DB/eth1 interfaces.
8. Cluster Setup
On the final Collector XA2 component
If you have not completed setup for the XA2 components in Section 7 above, or you are adding an XA2 component to the cluster, follow these steps:
1. On the last XA2 node of the cluster, log in to the appliance console as user fidelis.
2. Change to the root account: su root
3. Start the Fidelis Setup program: /FSS/bin/setup
4. At the XA2 count prompt, enter the number of XA2 appliances in the cluster and select [Ok].
5. Review the list of IP addresses.
—— Select [Confirm] if they are correct, or [Edit] to correct them.
9. CommandPost Integration
Register Collector Controller2 (primary) with CommandPost
Note: If you are installing a failover set of Collector Controllers, register only the “primary” Collector Controller. Configure the failover unit's IP address on the primary Controller's configuration page within the CommandPost GUI.
1. Log into the CommandPost GUI from a web browser.
2. Add the Collector to the CommandPost at the System > Components page. Click [Add Component].
3. Select “Collector” from the pick list and complete the form:
—— name – a “friendly” name for the Collector Cluster, not the FQDN of the Controller.
—— IP address – the ADMIN interface address of the primary Collector Controller2 appliance.
—— (optional) description – e.g. location, business unit, etc.
—— click [Save].
4. Register the Collector to CommandPost. Click [Register] and accept the End User License Agreement (EULA). CommandPost will then communicate with the Collector at the specified IP address.
Link Collector Controller(s) to Fidelis Sensors
1. Log into the CommandPost GUI from a web browser.
2. Select the appropriate Direct, Internal, or Mail sensor and click Config.
3. Open the Advanced page for the sensor and select a Collector from the drop-down box.
4. Repeat for each Fidelis Network sensor.
10. Fidelis Licensing
To use Fidelis Network Collector Controller2 components, you must license them. The CommandPost GUI shows the Host ID for the Fidelis Network hardware, the current license key, and the expiration date. To access the License page:
1. Log into the CommandPost.
2. Click System > Components > [component name] > Config.
3. Click the License tab.
If your license key shows <no license> or <invalid>, refer to Request a License below.
Request a License
1. Click Request License or click the Host ID.
2. This sends an email to [email protected] that includes the product type, serial number, and Host ID.
3. Include in the body of the email:
—— contact name and phone number
—— organization name and site location
Fidelis Cybersecurity will respond within one business day with a license key.
Enter a License Key
After receiving a response to a license request:
1. Copy the license key exactly into the textbox.
2. Click Save.
When complete, the Collector Controller2 and Collector XA2 appliances are operational and ready to store and analyze network metadata.
Appendix A: Network Configuration Worksheet

Collector Controller (Primary)
Network Setting      ADMIN/eth0              DB/eth1                 iLO
Hostname (FQDN)      ______________________
Static IP Address    ______________________  ______________________  ______________________
Subnet Mask          ______________________  ______________________  ______________________
Gateway              ______________________  ______________________  ______________________
DNS Servers          ______________________
NTP Servers          ______________________
Time Zone            ______________________

Collector Controller (Failover)
Network Setting      ADMIN/eth0              DB/eth1                 iLO
Hostname (FQDN)      ______________________
Static IP Address    ______________________  ______________________  ______________________
Subnet Mask          ______________________  ______________________  ______________________
Gateway              ______________________  ______________________  ______________________
DNS Servers          ______________________
NTP Servers          ______________________
Time Zone            ______________________

Collector XA2 (A)
Network Setting      ADMIN/eth0              DB/eth1                 SYNC/eth2               iLO
Hostname (FQDN)      ______________________
Static IP Address    ______________________  ______________________  ______________________  ______________________
Subnet Mask          ______________________  ______________________  ______________________  ______________________
Gateway              ______________________  ______________________  ______________________  ______________________
DNS Servers          ______________________
NTP Servers          ______________________
Time Zone            ______________________
Collector XA2 (B)
Network Setting      ADMIN/eth0              DB/eth1                 SYNC/eth2               iLO
Hostname (FQDN)      ______________________
Static IP Address    ______________________  ______________________  ______________________  ______________________
Subnet Mask          ______________________  ______________________  ______________________  ______________________
Gateway              ______________________  ______________________  ______________________  ______________________
DNS Servers          ______________________
NTP Servers          ______________________
Time Zone            ______________________

Collector XA2 (C)
Network Setting      ADMIN/eth0              DB/eth1                 SYNC/eth2               iLO
Hostname (FQDN)      ______________________
Static IP Address    ______________________  ______________________  ______________________  ______________________
Subnet Mask          ______________________  ______________________  ______________________  ______________________
Gateway              ______________________  ______________________  ______________________  ______________________
DNS Servers          ______________________
NTP Servers          ______________________
Time Zone            ______________________
Appendix B: System Specifications
Component Configuration and Resources (Rev-H, 2016)

Enterprise Collector Cluster Hardware Specifications (Rev-H)

                             Collector Controller2                       Collector XA2
CPU                          Dual 2.6GHz 10c v3 (20 cores total)        Dual 3.2GHz 8c v3 (16 cores total)
Memory                       128GB (ECC DDR3 1866MHz)                   128GB (ECC DDR3 1866MHz)
Storage Capacity* &          Integrated 6Gbps hardware RAID             Integrated 6Gbps hardware RAID
Configuration                • 300GB* on 2x HDD in RAID-1               • 4.8TB* on 6x HDD in RAID-10 (DB)
                                                                        • 300GB* on 2x HDD in RAID-1 (OS)
Network Adapters             4x 1GbE (copper)
Optional Network Adaptors    Up to two additional network interface cards supported:
                             • 2x 1GbE (copper)
                             • 1x 1GbE (fiber SR)
                             • 2x 10GbE (fiber SR)
Out of Band Management       Integrated Lights Out (iLO) Management
Power Supply                 Dual hot-swap 550W High Efficiency AC      Dual hot-swap 750W High Efficiency AC
                             power supplies (80+ Platinum Certified)    power supplies (80+ Platinum Certified)
Form Factor                  1U Rack-mount chassis
Dimensions                   Width: 440 mm (17.3 in); Depth: 734 mm (28.9 in); Height: 43 mm (1.7 in)
Weight                       15.6 kg (35.5 lb)
Operating Temperature        5°C to 40°C (41°F to 104°F); Altitude: 0 to 915 m (3,000 ft)

*Raw capacity listed. A portion of the storage capacity is dedicated to the operating system.
Power Consumption and Heat Output

Collector Controller 2 (Blacktip)    Idle      Load Factor @ 85%    Maximum
Input Power (W)                      80.82     286.41               321.90
Input Current (A)                    0.41      1.4                  1.56
Apparent Power (VA)                  85.95     290.43               325.51
Heat Generation (BTU/Hr)             275.25    976.66               1097.70

Collector XA2 (Thresher)             Idle      Load Factor @ 85%    Maximum
Input Power (W)                      100.1     364.41               410.65
Input Current (A)                    0.51      1.77                 1.99
Apparent Power (VA)                  105.72    367.63               413.57
Heat Generation (BTU/Hr)             341.32    1242.65              1400.32
Appendix C: Fidelis Network Collector — Internet Socket Communication Ports (TCP, UDP)

Network    Ports
Admin      TCP: 22 (SSH), 443 (HTTPS), 5556 (TLS)
           UDP: 123 (NTP), 5560 (IP2ID)
DB         TCP: 22 (SSH), 5433, 5556 (TLS)
SYNC       TCP: 22 (SSH), 4803, 5433, 5434, 5444, 5450
           UDP: 4803, 4804, 4805, 5433

Use this table when writing firewall or switch ACL rules between the Collector networks, and as the allowlist when checking what the appliances actually listen on.
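Appendix C doubles as the allowlist for auditing a node. The script below is an added example, not part of this guide or of the Fidelis software: it parses the output of `ss -Htuan` (all TCP/UDP sockets, numeric, no header) taken on a Collector appliance, maps each listening socket to the network(s) its bind address is reachable from using the worksheet addresses, and reports ports that Appendix C does not list for that network. A wildcard bind (0.0.0.0 or [::]) counts as reachable from every network, so a port documented only for DB or SYNC but bound to all addresses is reported as reachable from ADMIN. The interface addresses of the node and the ss output are constructed for the example.

```python
"""Compare what a Collector appliance listens on with the Appendix C port table.

Input: `ss -Htuan` output from the appliance plus the node's interface subnets from the
Section 5 worksheet. Each listening socket is attributed to the network(s) its bind
address is reachable from; a wildcard bind is reachable from all of them. Any port not
listed in Appendix C for that network is reported.
"""
from ipaddress import ip_address, ip_interface
from typing import Dict, List, Set

# Appendix C as sets of port numbers per network and protocol.
APPENDIX_C: Dict[str, Dict[str, Set[int]]] = {
    "ADMIN": {"tcp": {22, 443, 5556}, "udp": {123, 5560}},
    "DB":    {"tcp": {22, 5433, 5556}, "udp": set()},
    "SYNC":  {"tcp": {22, 4803, 5433, 5434, 5444, 5450}, "udp": {4803, 4804, 4805, 5433}},
}

# Interface subnets of one hypothetical XA2 node, laid out like the Section 5 example.
IFACES = {
    "ADMIN": ip_interface("10.1.2.4/255.255.252.0").network,
    "DB":    ip_interface("192.168.1.4/255.255.255.0").network,
    "SYNC":  ip_interface("172.16.1.4/255.255.255.0").network,
}

# Constructed `ss -Htuan` output for that node; two listeners are deliberately suspicious
# (tcp/5556 bound to all addresses and an undocumented tcp/8080).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128         10.1.2.4:443        0.0.0.0:*
tcp   LISTEN 0      128      192.168.1.4:5433       0.0.0.0:*
tcp   LISTEN 0      128       172.16.1.4:5433       0.0.0.0:*
tcp   LISTEN 0      128       172.16.1.4:5434       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5556       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
tcp   ESTAB  0      0           10.1.2.4:22      10.1.2.200:51514
tcp   LISTEN 0      128             [::]:22            [::]:*
udp   UNCONN 0      0           10.1.2.4:123        0.0.0.0:*
udp   UNCONN 0      0           10.1.2.4:5560       0.0.0.0:*
udp   UNCONN 0      0         172.16.1.4:4803       0.0.0.0:*
"""

WILDCARDS = {"0.0.0.0", "*", "::"}


def audit(ss_output: str, ifaces, allowlist) -> List[str]:
    """Return findings for sockets reachable on a network without an Appendix C entry."""
    findings: List[str] = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, state, local = parts[0], parts[1], parts[4]
        if proto not in ("tcp", "udp") or (proto == "tcp" and state != "LISTEN"):
            continue  # skip established/closing TCP sockets and anything not tcp/udp
        host, port_str = local.rsplit(":", 1)
        port, host = int(port_str), host.strip("[]")
        if host in WILDCARDS:
            reachable = list(ifaces)  # bound everywhere: exposed on every network
        else:
            ip = ip_address(host)
            if ip.is_loopback:
                continue  # local-only services are out of scope for the port table
            reachable = [name for name, net in ifaces.items() if ip in net]
            if not reachable:
                findings.append(f"{proto}/{port} bound to {host}, which is on no configured network")
                continue
        for name in reachable:
            if port not in allowlist[name][proto]:
                findings.append(f"{proto}/{port} reachable on {name} via {local}, not in Appendix C for {name}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS, IFACES, APPENDIX_C) or ["no undocumented listeners"]:
        print(finding)
```

On the constructed sample the audit reports tcp/5556 as reachable on SYNC (Appendix C lists it only for Admin and DB) and tcp/8080 on all three networks. Findings from a freshly installed node are candidates for switch ACLs on the affected network or for a question to Fidelis support; they are not, by themselves, evidence of a vulnerability.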
Fidelis Cybersecurity is creating a world where attackers have no place left to hide. We reduce the time it
takes to detect attacks and resolve security incidents. Our Fidelis Network™ and Fidelis Endpoint™ products
look deep inside your traffic and content where attackers hide their exploits. Then, we pursue them out to your
endpoints where your critical data lives. With Fidelis you’ll know when you’re being attacked, you can retrace
attackers’ footprints and prevent data theft. To learn more about Fidelis Cybersecurity products and incident
response services, please visit www.fidelissecurity.com and follow us on Twitter @FidelisCyber.
©Fidelis Cybersecurity
QSC_Fidelis_CE_1607