Security Analytics Central Management Console (CMC) Quick Setup and Troubleshooting Guide

Article ID: 168155

Products

Security Analytics

Issue/Introduction

NOTICE: Upgrading to version 7.2.1 requires special attention, especially in a CMC environment. See the Security Analytics 7.2.1 Release Notes for essential guidance.

How to set up the Central Manager Console (CMC) and its sensors.

  • This KB article is a short version to be used as a tip sheet, which contains only the most basic information.
  • Use the Help Files to get the definitive instructions on setting up the CMC with the sensors. Find the Help Files in these two locations:
    • In the GUI open the Help Files in Settings > Help > English, and then select Central Manager in the left panel
    • Go to Symantec Support (support.symantec.com).
      • Select the Documentation tab.
      • Select Security Analytics from the drop-down list.
      • Under Administration Documents, click View for the latest Security Analytics WebGuide.
      • Select Central Manager in the left panel.

Resolution

Before doing anything else, set up NTP for the CMC and all sensors. This is critical to ensure that your sensors . Then make sure the date and time are the same for all boxes involved.

  1. Select Settings > Date/Time
  2. Under Appliance Time, manually set the date and time to within 100 seconds of NTP time.
  3. Under Network Time Protocol, select Use Network Time Protocol (NTP).
  4. Set the Primary and at least the Secondary NTP servers for your site.
  5. To verify that NTP is working properly, log in as root and run ntpq -p. The offset should be less than 5.0, preferably less than 1.0.
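The offset check in step 5 is easy to get wrong by eye when several peers are listed. The script below is an added example, not part of the KB article or of the Security Analytics product: it reads the output of ntpq -p (which reports offset in milliseconds), applies the article's thresholds to the selected system peer (the line marked with a * tally), and separately lists any reachable peer drifting beyond a limit you choose. The hostnames, addresses and offsets in SAMPLE_NTPQ are constructed so the functions can be exercised offline; on an appliance you would pass "$(ntpq -p)" instead.

```shell
#!/bin/sh
# Added example, not from the KB article: evaluate "ntpq -p" output against the
# article's thresholds (system-peer offset below 5.0 ms acceptable, below 1.0 ms
# preferred). Intended to be run as root on the CMC and on each sensor.

# Constructed sample in "ntpq -p" layout so the functions run offline.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time1.example.c 10.0.0.1         2 u   45   64  377    1.234   -0.512   0.089
+time2.example.c 10.0.0.2         2 u   12   64  377    2.001    3.210   0.120
 time3.example.c .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntp_offset_status OUTPUT
# Prints OK (|offset| < 1.0), WARN (< 5.0) or FAIL (>= 5.0) for the selected
# system peer (tally "*"), or NOSYNC when ntpd has not selected a peer yet.
ntp_offset_status() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }                    # skip header and separator lines
        {
            tally = substr($0, 1, 1)        # first column is the tally code
            $0 = substr($0, 2)              # re-split without it: $9 is offset
            if (tally != "*") next
            off = $9 + 0
            if (off < 0) off = -off
            if (off < 1.0) { print "OK" } else if (off < 5.0) { print "WARN" } else { print "FAIL" }
            found = 1
            exit
        }
        END { if (!found) print "NOSYNC" }'
}

# ntp_peers_over OUTPUT LIMIT
# Lists reachable peers (reach column != 0) whose |offset| is at or above
# LIMIT ms, one per line, so a drifting server is visible before it is selected.
ntp_peers_over() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        NR <= 2 { next }
        {
            $0 = substr($0, 2)              # drop the tally column
            if ($7 == 0) next               # never reached or not yet polled
            off = $9 + 0
            if (off < 0) off = -off
            if (off >= limit) print $1
        }'
}

# Stand-alone demonstration on the constructed sample.
echo "System peer status: $(ntp_offset_status "$SAMPLE_NTPQ")"
echo "Peers at or above 1.0 ms:"
ntp_peers_over "$SAMPLE_NTPQ" 1.0
```

Run the same two functions on every box in the deployment (for example `ntp_offset_status "$(ntpq -p)"`), since the article's requirement is that the CMC and all sensors agree on the time, not just that each one individually has NTP enabled. A NOSYNC result immediately after enabling NTP is normal; ntpd needs a few polling intervals before it selects a peer.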

When Adding a Second CMC
NOTE: If this is the second CMC to be configured for your sensors, you MUST configure a different subnet for its VPN. Follow these steps to configure the new VPN subnet.
WARNING - If you do not perform these steps, the sensors may see Error Code 26 when attempting to connect to the second CMC.

  1. On the second CMC, click CMC, clear all sensors, and click Dashboard.
  2. Select Central Management > Settings.
  3. Select Reset Settings. WARNING - This will remove all sensors that are now connected and any favorites (indicators) or actions (rules) that were configured through the CMC.
  4. Enter a subnet that is not currently in use. NOTE: The address space should be large enough to provide two IP addresses for each sensor that the CMC controls.
  5. Click Save.

Add the Sensor to the CMC

  1. Obtain the eth0 IP addresses of all sensors and the CMC.
  2. On the CMC, select Settings > Users and Groups > Remote Groups.
  3. Edit the admin remote group. Add admin as a user.
  4. Select Settings > Central Management > Sensors.
  5. Select Tools > New.
  6. Provide a descriptive name for the sensor. The hostname is a good choice. (Only the first 15-20 characters of the sensor name are visible, so put the more distinguishing part of the name first.)
  7. In the Authorizations field, type "ad" and, when admin appears in the list, select it. Typing admin in full does not work unless you select it from the list when it is presented.
  8. Optional - Add admin to the Remote Groups field in the same way.
  9. Click Save.
  10. At the top left click Download Key. This saves the authorization key file _auth_key.tar.gz to your workstation.

Connect the Sensor to the CMC

  1. On the sensor, select Settings > Central Management. If other CMCs are listed that are no longer in operation, or whose VPNs you have reset, you must manually delete those CMC entries.
  2. Click the green New button on the far right.
  3. For Authorization Key File, click Browse and then select the _auth_key.tar.gz file saved earlier.
  4. Enter the IP of the CMC.
  5. Click Save. The CMC entry should show up in five minutes or less.
  6. On the CMC, click the product logo to go to the Dashboard.
  7. You should see a graphical box under Your Sensors with the display name you entered earlier, the connection status, the capture status, and the software version number of the sensor.
  8. Click Manage Sensors for more details. You should see a name, VPN IP address, Authorized Users (showing admin) and Authorized Remote Groups (showing admin), along with the hardware model number and software version number.
  9. Add all the other sensors by following the same procedure.

Test the Connection

  1. Click CMC on the menu bar and select two or more sensors.
  2. Click Update with Selected.
  3. In 7.2.1, the new Alerts Management Dashboard is displayed, with aggregated data from the selected sensors.