Testing cloud connectivity for Threat Blades from Security Analytics

Article ID: 168422

Products

Security Analytics

Issue/Introduction

This is to assist in configuration and debugging of Threat Blades on Security Analytics for connectivity to the Cloud.

Cause

A firewall or proxy commonly sits between the Security Analytics Managed Appliance and the Blue Coat cloud. Knowing whether the connection can be made is useful, but testing it can be problematic.

Resolution

Note: First check Settings / Data Enrichment in the UI and make sure not only that Threat Blades are enabled, but also that the Data Enrichment mode is set to "Query Global Intelligence Network". The option "Query Local Database" disables cloud connectivity regardless of your Threat Blade settings.

To test, log in as root and run the following command:

curl -ik -XHEAD 'https://ti.soleranetworks.com/CloudActions/ThreatBlades'

The expected results are:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Uptime: 2233354214
Request-Count: 3777163
Successful-Request-Count: 3777152
Item-Count: 3904496
Cache-Miss-Count: 12332036
Request-Count-1m: 90
Successful-Request-Count-1m: 90
Item-Count-1m: 1648
Cache-Miss-Count-1m: 436
Request-Count-1h: 5834
Successful-Request-Count-1h: 5833
Item-Count-1h: 67859
Cache-Miss-Count-1h: 17306
Request-Count-1d: 153160
Successful-Request-Count-1d: 153159
Item-Count-1d: 2219612
Cache-Miss-Count-1d: 597715
Content-Length: 0
Date: Mon, 13 Feb 2015 12:45:05 GMT
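
A scripted form of the same check, added here as an example and not part of the article: it runs the request as a proper HEAD with a timeout, maps the curl exit codes most often seen behind a firewall or proxy to a likely cause, and reads the last status line of the reply (behind an HTTPS proxy, curl prints the proxy's "200 Connection established" before the endpoint's own answer). The two sample replies are constructed; the endpoint URL is the one the article gives, and the https_proxy variable and the RUN_CHECK switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the article: a scripted version of the curl test
# that also interprets the result. Assumptions: the endpoint URL is the one the
# article gives; an explicit proxy, if one is in the path, is handed to curl
# through the standard https_proxy environment variable; curl is on PATH.
TB_URL='https://ti.soleranetworks.com/CloudActions/ThreatBlades'

# Constructed sample replies used to exercise the classifier offline.
# The first mirrors the article's expected result; the second is what an
# authenticating proxy returns (curl prints the CONNECT reply first).
SAMPLE_OK=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Length: 0\r\n')
SAMPLE_PROXY_AUTH=$(printf 'HTTP/1.1 200 Connection established\r\n\r\nHTTP/1.1 407 Proxy Authentication Required\r\n')

# classify_headers HEADERS
# Looks at the LAST status line curl printed: through an HTTPS proxy the first
# one is the proxy's "200 Connection established", not the endpoint's answer.
# Returns 0 only for the 200 the article expects.
classify_headers() {
    status=$(printf '%s\n' "$1" | tr -d '\r' | grep '^HTTP/' | tail -n 1)
    code=$(printf '%s\n' "$status" | awk '{print $2}')
    case "$code" in
        200)
            printf 'OK: cloud endpoint reachable (%s)\n' "$status"; return 0 ;;
        407)
            printf 'FAIL: proxy requires authentication (%s)\n' "$status"; return 2 ;;
        [45]??)
            printf 'FAIL: unexpected status from endpoint or proxy (%s)\n' "$status"; return 3 ;;
        *)
            printf 'FAIL: no HTTP status line in the reply\n'; return 4 ;;
    esac
}

# explain_curl_exit CODE
# Maps the curl exit codes most often seen behind a firewall or proxy to a
# likely cause (codes are curl's documented exit codes).
explain_curl_exit() {
    case "$1" in
        0)  echo 'curl completed' ;;
        5)  echo 'could not resolve the proxy host named in https_proxy' ;;
        6)  echo 'could not resolve ti.soleranetworks.com: check DNS on the appliance' ;;
        7)  echo 'connection refused or blocked: check outbound 443 on the firewall' ;;
        28) echo 'timed out: packets silently dropped, or a proxy is required' ;;
        35) echo 'TLS handshake failed: intercepting proxy or protocol mismatch' ;;
        56) echo 'connection dropped mid-transfer: often a proxy refusing CONNECT' ;;
        60) echo 'server certificate not trusted: the article uses -k to bypass this' ;;
        *)  echo "curl exit code $1: see the EXIT CODES section of man curl" ;;
    esac
}

# check_cloud
# Runs the article's test using -I (a proper HEAD request) with a timeout so a
# silently dropping firewall fails fast, then interprets exit code and headers.
check_cloud() {
    headers=$(curl -sS -k -I --max-time 15 "$TB_URL" 2>&1)
    rc=$?
    if [ "$rc" -ne 0 ]; then
        printf 'FAIL: %s\n%s\n' "$(explain_curl_exit "$rc")" "$headers"
        return 1
    fi
    classify_headers "$headers"
}

# The live check runs only on request, so the functions can be sourced and
# tried against the samples without network access.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    check_cloud
fi
```

Run it on the appliance with `RUN_CHECK=1 sh check_tb.sh`; a non-zero exit with one of the FAIL lines tells you which layer (DNS, firewall, proxy authentication, TLS) to look at first. Keep `-k` only while the appliance does not trust the endpoint's CA chain, as the article's own command does.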


You can also try to trace the path to the cloud server and look for problems by running:

tracepath ti.soleranetworks.com

If you have access to the cloud but results seem slow, the tracepath output shows at which hop the latency is added.
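
To turn that tracepath output into an answer, this added example (not part of the article) reports the hop at which round-trip time jumps by more than a threshold, plus hops that give no reply. It assumes the iputils tracepath output format; the sample run and its addresses are constructed, and the 50 ms threshold is a choice of this example.

```shell
#!/bin/sh
# Added example, not part of the article: pick out of tracepath output the hop
# where round-trip time jumps, and the hops that do not answer at all.
# Assumption: iputils tracepath output format (hop lines look like
# " 2:  198.51.100.9   120.873ms asymm  3"); the addresses below are constructed.
SAMPLE_TRACE=' 1?: [LOCALHOST]                                         pmtu 1500
 1:  192.0.2.1                                             0.412ms
 1:  192.0.2.1                                             0.339ms
 2:  198.51.100.9                                        120.873ms asymm  3
 3:  no reply
 4:  203.0.113.77                                        121.004ms reached
     Resume: pmtu 1500 hops 4 back 4'

# slow_hops OUTPUT THRESHOLD_MS
# Uses the first measurement of each hop (tracepath probes hop 1 twice) and
# reports a hop when its RTT exceeds the previous answering hop's by more than
# THRESHOLD_MS; the jump, not the absolute RTT, shows where delay is added.
# Hops with "no reply" are listed too: they may only be filtering ICMP, but if
# latency jumps right after them the silent device is the first suspect.
slow_hops() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        $1 ~ /^[0-9]+:$/ && !($1 in seen) {
            seen[$1] = 1
            if ($2 == "no") { printf "hop %s no reply (ICMP filtered or dropped)\n", $1; next }
            for (i = 2; i <= NF; i++) {
                if ($i ~ /ms$/) {
                    lat = substr($i, 1, length($i) - 2) + 0
                    if (lat - prev > thr)
                        printf "hop %s %s +%.1fms (%.3fms total)\n", $1, $2, lat - prev, lat
                    prev = lat
                }
            }
        }'
}

# Live use:  slow_hops "$(tracepath -n ti.soleranetworks.com)" 50
# Offline:   slow_hops "$SAMPLE_TRACE" 50
```

On the constructed sample the jump is reported at hop 2, which is where a practitioner would start looking (typically the WAN edge or the proxy); a hop that is merely slow to answer ICMP but adds nothing to the hops after it is not flagged.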