
【Cyber Command】VMware Virtual Stealth Threat Analytics (vSTA) Deployment Guide_STA V3.0.79

Introduction

Abbreviations and Conventions

STA in this document refers to the Sangfor Stealth Threat Analytics device.

Deployment

Deployment Impacts

The installation may take 1.5 hours.

Impacts on Business

None.

Impacts on O&M

ISO installation may take 1.5 hours.

Impacts on the Network

Deployment in bypass mode will have no impact on the network.

Others

None.

Customer-Related Deployment Preparations

Resources Required for Deployment

You need to access the customer’s VMware cloud environment and be familiar with the customer’s network configuration.

Uploading the image to the cloud platform may take 30 minutes, and the entire deployment may take 1.5 hours.

The deployment environment should have enough resources and space (at least 8C8G+64G+128G, that is, 8 CPU cores, 8 GB memory, a 64 GB system disk, and a 128 GB data disk).

Precautions

The image can only be deployed in a VMware virtual environment, not on physical hardware.

Deployment of the English version is only compatible with VMware ESXi 5.0/VMware ESXi 6.0/VMware ESXi 7.0.

The host of the virtual STA must support AVX. The following host CPU models have been tested and are supported (including but not limited to):
48 CPUs x Intel(R) Xeon(R) Gold 5220R CPU @ 2.20GHz
28 CPUs x Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz
44 CPUs x Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz
20 CPUs x Intel(R) Xeon(R) Silver 4210 CPU @ 2.20GHz

The virtual machine should be configured with at least three virtual NICs, and only the VMXNET3 NIC type is supported.

Compatibility List:

Please follow the specifications below to prevent mirroring function failures.

| Scenario | Supported | Memory Configuration | CPU Configuration | Disk Configuration | NICs Configuration |
|---|---|---|---|---|---|
| Virtual Environment Deployment (VMware ESXi 5.0.0/6.0.0/7.0.0) | Yes | 8G | 8 cores | System: 64G; Data: 1T | 3-6 |
| Virtual Environment Deployment (VMware ESXi 5.0.0/6.0.0/7.0.0) | Yes | 16G | 16 cores | System: 64G; Data: 1T | 3-6 |
| Physical Hardware Deployment | No | | | | |

Table 1: Virtual Environment Spec Description

Note:
Requirements for deploying and using cloud STA:

  1. Only VMXNET3 virtual NICs are supported. VMXNET2 and e1000 are not supported.
  2. At least one 64G system disk is required.

Deployment Process

Prepare the ISO image of STA. Then, import the image, configure the environment, and start the auto installation. It may take 1.5 hours.

Business Verification After Deployment

Check whether you can log in normally without any error prompts. Once traffic is detected, traffic information is displayed.

Check as required whether customer business is operating normally.

Rollback

None.

Preparations Before Deployment

Deployment Tools

Prepare the ISO image of STA.

Deployment Environment

None.

Customer Resources

Refer to Chapter 2.2 Customer-Related Deployment Preparations.

Confirmation Before Deployment

Refer to Chapter 2.1 Deployment Impacts.

Deployment Procedures

Deployment Procedures

STA Deployment:

  1. Get the ISO image of STA and import it to the customer’s VMware cloud environment.
  2. Configure the virtual machine. Select the ISO image of STA for the virtual CD/DVD drive.
  3. Power on the virtual machine and select automatic installation.
  4. Wait for the system to install automatically.

VMware ESXi Deployment:

  1. On the ESXi Host Client, navigate to Storage > database 1 > Datastore browser. Click Upload to upload the obtained image to VMware, which may take about 30 minutes.

  2. Click Create / Register VM to create a new virtual machine.

  3. On the Select creation type page, select Create a new virtual machine. Click Next to proceed.

  4. On the Select a name and guest OS page, select VMware ESXi 7.0 virtual machine for Compatibility (you can also select ESXi 5.0 virtual machine or ESXi 6.0 virtual machine). Next, select Linux for the Guest OS family and CentOS 7 (64-bit) for the Guest OS version. You can use any name for the virtual machine.

  5. On the Select storage page, ensure that the environment has enough space. Then click Next.

  6. On the Customize settings page, configure the virtual machine as follows:
    8-core CPU, 8 GB memory, 64 GB system disk, and 1 TB data disk (minimum is 128G). This virtual STA supports 3 to 6 VMXNET3 NICs. There is one management port and five mirror ports. By default, the first and fifth mirror ports are turned on, while the remaining ports are turned off. Disable the network adapter's Connect setting before starting the installation.

  7. Select an image to be added to the virtual CD/DVD drive.

  8. Select the Connect at power on checkbox.

  9. On the Ready to complete page, review your settings and click Finish.

  10. Select the newly created virtual machine and click Power on.

  11. You will go to the installation page. Press Enter to select the automatic installation (version depends on the image version).

  12. Wait for the automatic installation to complete, which may take 1 hour.

Caution:
Do not perform any operations while waiting.

  13. After the automatic installation is complete, click Reboot. The VM boots until the console login is shown.

  14. Then, set the network adapter to Connect to ensure the connection with the virtual switch in VMware.

After installation, enter the console to configure the IP address. To continue the setup, use a PC on the same IP segment as the vSTA address 10.251.251.251. After configuring the IP address, you can log in to the web console.

The default login account username is admin with the password admin.
You may also use the console mode to add the IP address.
Press ALT + F5 to display the screen below.

On the Custom Setup screen, select Setup Network Interface IPV4 to set up the IPv4 address in the following format:
NetworkIP/segment<space>reservedIP/segment
For example, if 192.168.1.123 is assigned to STA, enter 192.168.1.123/24 10.251.251.251/24, where 10.251.251.251 is the reserved IP address for the management port and a space separates the two IP addresses.

On the Add static route localIp screen, press Menu 3 to continue with routing, and set the default static route so that it points to the correct gateway.

After that, you can access the web console from a PC on the same network segment, or from a PC that can reach that segment, to continue with licensing. For example, the default IP address of vSTA’s eth0 port is 10.251.251.251/24, so configure your PC with 10.251.251.123/24 to access https://10.251.251.251 and continue the configuration.
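The console entry format and default route described above can be checked before typing them into the appliance. The following is an added example, not part of the original guide or Sangfor tooling; the function name check_ipv4_setup and the rule that the gateway must be another host on the assigned subnet are assumptions.

```python
import ipaddress

# Reserved management address stated in this guide.
RESERVED = ipaddress.IPv4Interface("10.251.251.251/24")

def check_ipv4_setup(entry, gateway):
    """Return a list of problems with the console entry and default gateway."""
    parts = entry.split(" ")
    if len(parts) != 2 or "" in parts or any("/" not in p for p in parts):
        return ["expected 'IP/prefix IP/prefix' separated by one space"]
    try:
        assigned, reserved = (ipaddress.IPv4Interface(p) for p in parts)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid IPv4 value: {exc}"]
    problems = []
    if reserved != RESERVED:
        problems.append("second value must be the reserved 10.251.251.251/24")
    net = assigned.network
    if net.prefixlen < 31 and assigned.ip in (net.network_address, net.broadcast_address):
        problems.append("assigned address is the network or broadcast address")
    # Assumption: the default route's gateway is a different host on the assigned subnet.
    if gw not in net or gw == assigned.ip:
        problems.append("gateway is not another host on the assigned subnet")
    return problems

if __name__ == "__main__":
    # The guide's own example entry, with a constructed gateway address.
    print(check_ipv4_setup("192.168.1.123/24 10.251.251.251/24", "192.168.1.1"))
```
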

Licensing is required to use the product. For details, check on the Sangfor Community for the new features of the version.

Note:
Virtualization deployment requires a basic configuration. For example, if CPU cores, memory size, system disk, and data disk size are non-standard, the system may fail to start, or the gateway may be unreachable.
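A pre-installation check of the virtual machine's .vmx file against the requirements in this guide (8 cores, 8 GB memory, 3 to 6 VMXNET3 NICs, adapters disconnected before installation) catches the non-standard configurations the note above warns about. This is an added example, not part of the original guide or Sangfor tooling; the sample .vmx content is constructed, the function names are hypothetical, and disk sizes are not checked because they are not stored in the .vmx file.

```python
import re

# Limits from this guide's compatibility table (memSize in a .vmx is in MB).
MIN_VCPUS, MIN_MEM_MB, MIN_NICS, MAX_NICS = 8, 8192, 3, 6

# Constructed sample .vmx fragment: only two NICs, and one of them is e1000.
SAMPLE_VMX = '''
numvcpus = "8"
memSize = "8192"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet0.startConnected = "FALSE"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet1.startConnected = "FALSE"
'''

def parse_vmx(text):
    """Return {lower-cased key: value} for every key = "value" line."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*([^#=\s]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def check_vsta_vmx(text):
    """Return a list of findings; empty means the VM matches the guide."""
    cfg, findings = parse_vmx(text), []
    if int(cfg.get("numvcpus", "1")) < MIN_VCPUS:
        findings.append("fewer than 8 vCPUs")
    if int(cfg.get("memsize", "0")) < MIN_MEM_MB:
        findings.append("less than 8 GB memory")
    nics = sorted(k.split(".")[0] for k, v in cfg.items()
                  if re.fullmatch(r"ethernet\d+\.present", k) and v.upper() == "TRUE")
    if not MIN_NICS <= len(nics) <= MAX_NICS:
        findings.append(f"{len(nics)} NICs present, need 3 to 6")
    for nic in nics:
        # Assumption: a missing virtualDev key means a non-VMXNET3 default adapter.
        if cfg.get(nic + ".virtualdev", "").lower() != "vmxnet3":
            findings.append(f"{nic} is not VMXNET3")
        # Assumption: a missing startConnected key means connect at power on.
        if cfg.get(nic + ".startconnected", "TRUE").upper() != "FALSE":
            findings.append(f"{nic} is set to connect at power on")
    return findings

if __name__ == "__main__":
    print(check_vsta_vmx(SAMPLE_VMX))
```
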

VMware vSphere Client Deployment:

  1. Upload the ISO file to the VMware datastore. The upload may take 30 minutes.

  2. Click Create a new virtual machine.

  3. After entering the Create New Virtual Machine dialog box, select Typical to create a new virtual machine and then click Next.

  4. Select a host and click Next.

  5. Select a resource pool and click Next.

  6. Select the storage size, ensuring it is large enough.

  7. Select Linux OS and CentOS 4/5/6/7 (64-bit) version for the virtual machine. Then click Next.

  8. Virtual STA supports 3 to 6 NICs. The supported NIC type is VMXNET3.

  9. Add a 64 GB system disk. Then click Next.

  10. Click Continue to complete the specific configurations for the virtual machine.

  11. Change CPU to 8 cores and change memory size to 8 GB.

  12. Add a 1 TB data disk, ensuring that the environment has sufficient resources.

  13. Select Create a new virtual disk. Then click Next.

  14. Specify the virtual disk size and click Next.

  15. Click Next.

  16. Click Finish to complete the settings to add a disk.

  17. Select an image to be added to the virtual CD/DVD drive. Check the Connect at power on checkbox. Then, click Browse.

  18. Select the directory and start uploading the ISO file.

  19. After adding the file, click Finish and wait for VMware to create a new virtual machine.

  20. Select the newly created virtual machine and turn on the power to enter the automatic installation page. The operation steps are the same as VMware ESXi and will not be repeated here.

Checks After Deployment

STA Check

Log in to the STA web console to check the version. Below is the example of the version.

Business Verification

Verify the essential functions used by customers. Check whether the traffic statistics change once traffic is connected.

Handling of Deployment Failure

Scenario 1: The automatic installation fails to start.

Troubleshooting:

  1. Check whether the host resources in the deployment environment are sufficient.

  2. Check whether the Connect at power on checkbox is selected when choosing the image for the added virtual CD/DVD drive.

Scenario 2: Unable to access the console when deployment is completed and the network has been configured.

Troubleshooting:

  1. Check the resource configuration of the deployment environment. For example, check whether the data disk is configured and whether the data disk size is too small.

  2. Check whether the MAC address of the management interface matches the MAC address of the NIC that the virtual machine uses to access the network.

Scenario 3: NIC status cannot be changed after logging in to the console.

Troubleshooting:

  1. Check the licensing status.

  2. Please ensure that you have configured a minimum of three NICs for vSTA during the installation process.

Scenario 4: vSTA’s NICs cannot receive the mirrored traffic.

Troubleshooting:

  1. Verify whether the network mirror traffic configuration in VMware has been appropriately configured.

  2. If the CPU does not support the AVX instruction set, DPDK will have problems receiving the mirrored traffic. The server CPU models used by VMware can be checked on the Intel official website. Below is an example of the E7-4850 v1 and E7-4850 v2 versions.

  3. If the CPU specification does not list AVX, the server currently does not support the AVX instruction set.
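As a complement to looking up the CPU model, the AVX flag can be read from inside a Linux guest running on the same ESXi host, which shows what the hypervisor actually exposes to virtual machines. This is an added example, not part of the original guide or Sangfor tooling; the sample cpuinfo text is constructed, the function names are hypothetical, and it assumes a Linux guest with /proc/cpuinfo is available on that host.

```python
# Constructed /proc/cpuinfo excerpts (real files carry many more fields and flags).
SAMPLE_WITH_AVX = """processor\t: 0
flags\t\t: fpu sse4_2 xsave avx avx2
processor\t: 1
flags\t\t: fpu sse4_2 xsave avx avx2
"""
SAMPLE_WITHOUT_AVX = """processor\t: 0
flags\t\t: fpu sse4_2 popcnt
"""

def avx_report(cpuinfo_text):
    """Map each logical CPU in cpuinfo-style text to True if it lists 'avx'."""
    report, cpu = {}, None
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "processor":
            cpu = int(value)
            report[cpu] = False
        elif key == "flags" and cpu is not None:
            # Compare whole words so 'avx2' or 'avx512f' alone never counts as 'avx'.
            report[cpu] = "avx" in value.split()
    return report

def host_supports_avx(cpuinfo_text):
    """True only if at least one CPU is listed and every CPU has the avx flag."""
    report = avx_report(cpuinfo_text)
    return bool(report) and all(report.values())

if __name__ == "__main__":
    with open("/proc/cpuinfo") as fh:
        print("AVX exposed to this guest:", host_supports_avx(fh.read()))
```
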

Scenario 5: STA cannot detect the traffic, and only single-direction traffic is detected after the packet capture.

Troubleshooting:

  1. Check the licensing status.

  2. Please ensure that the physical switch has been mirrored correctly to the VMware side.

  3. Check the VLAN ID to see whether VLAN 4095 has been configured for the mirror port.


Please refer to the VMware website for more explanation on the VLAN configuration.
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.networking.doc/GUID-7225A28C-DAAB-4E90-AE8C-795A755FBE27.html

Rollback

None.