Secfense Broker can run either as a physical device or as a virtual appliance. The latter deployment is more common and is used as the basis for the rest of this guide.
Secfense Broker is delivered as an image in Open Virtualization Format (an OVA file) and can be installed on any hypervisor; VMware is recommended. The guest operating system running the appliance is AlmaLinux (64-bit).
The minimum requirements to run the Broker are:
- 5.5 GB RAM
- 4 vCPU
- 40 GB disk
We recommend enabling the memory reservation option in VMware so that the hypervisor cannot reclaim RAM from the containers running inside the appliance.
Once the OVA file is imported you will be shown these requirements. The values can be increased.
If your environment has a DHCP server and the VM has network access, Secfense Broker is assigned an IP address automatically. In that case you can connect to the system over SSH with a terminal emulator of your choice. Otherwise, finish the configuration on the VM console.
- Log in to the device using the default credentials (username secfense, password secfense). The first login starts the configuration wizard.
- Enter the hostname (default: secfense)
- Select the interface used for traffic.
- Secfense Broker uses a “one-legged” network design: a single interface and a single IP address carry all traffic.
- Confirm or enter a new IP address (including the network mask)
- Confirm or change the gateway IP
- Confirm or change the DNS server address
At this stage the wizard asks you to confirm the network settings. If the IP address differs from the default and you are connected over SSH, the session will be dropped and you will need to reconnect to the new address and log in again.
- Configure the remote syslog server IP (or skip; this can be added later)
- Configure the NTP server
This step is important. TOTP (Time-Based One-Time Password) codes are only valid within a narrow window around the current time, so if the Broker's clock drifts from the clocks of the users' authenticators, valid codes will be rejected.
At this stage Secfense Broker starts configuring its containers. This may take a couple of minutes. Once the process is finished you will be asked to change your password.
- Enter the current password of the “secfense” user
- Type and retype the new password
This concludes the installation and you can log in to Secfense Broker. You can stay in the CLI, but most users should switch to the web interface, which is reachable at the appliance's IP address on TCP port 8002. For example:
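The NTP step above matters because TOTP verification is a function of the clock. The following added example (written for this guide, not Secfense's code) implements RFC 6238 TOTP with the usual defaults (HMAC-SHA1, 30-second step, 6 digits, a verifier tolerance of one step on either side; these are assumptions, the Broker's own settings are not stated on this page) and simulates a login when the Broker's clock is off by a given number of seconds. The shared secret is the RFC 6238 test seed, so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct

# Assumed authenticator parameters (RFC 6238 defaults); the Broker's own
# settings are not documented on this page.
STEP_SECONDS = 30
DIGITS = 6
DRIFT_WINDOW = 1  # verifier accepts codes from +/- 1 time step around its clock

# Constructed shared secret: the RFC 6238 Appendix B SHA-1 test seed, chosen so the
# generated codes can be compared with the RFC's published test vectors.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole time steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, server_time: int,
                window: int = DRIFT_WINDOW, digits: int = DIGITS, step: int = STEP_SECONDS) -> bool:
    """Server-side check: accept the code if it matches any step within +/- window of the
    server's own clock. compare_digest keeps the comparison constant-time."""
    counter = int(server_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def login_outcome(secret: bytes, user_clock: int, server_drift_seconds: int) -> bool:
    """Simulate a login: the user's authenticator has a correct clock, the Broker's clock is
    off by server_drift_seconds. Returns True if the Broker accepts the code."""
    code_from_authenticator = totp(secret, user_clock)
    return verify_totp(secret, code_from_authenticator, user_clock + server_drift_seconds)


if __name__ == "__main__":
    now = 1111111109  # fixed timestamp taken from the RFC 6238 test vectors
    for drift in (0, 30, 90, 600):
        accepted = login_outcome(SHARED_SECRET, now, drift)
        print(f"Broker clock off by {drift:4d} s -> login {'accepted' if accepted else 'REJECTED'}")
```

With a one-step tolerance, a drift of 30 s still passes (the verifier checks the neighbouring step), but 90 s or more rejects every code the user enters, even though the authenticator is working correctly; this is the failure mode a missing or unreachable NTP server produces.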
The default web credentials are admin / 123456. You will be forced to change this password on first login.
At this point the browser will show a certificate warning. This is expected: the admin panel uses a certificate issued by the Secfense CA, which your browser does not yet trust. You can either add the Secfense CA to your trust stores or upload your own certificate, issued by a CA your clients already trust, for the admin panel. Before adding the Secfense CA to a trust store, confirm its fingerprint through a channel other than the download itself, since the download is made over a connection you cannot verify yet.
You can download the Secfense CA certificate from the /ca.crt path of the application, for example:
You can upload your own certificate for the admin panel under “Custom SSL/TLS Certificate for admin panel” in the section:
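The following added example (written for this guide, not Secfense's code) shows the check a practitioner should do before trusting the downloaded CA: fetch /ca.crt, print its SHA-256 fingerprint, compare it with a fingerprint obtained out of band, and only then open a TLS connection to port 8002 that trusts nothing but that CA. The Broker address and the expected fingerprint are placeholders; the sample PEM at the bottom is constructed for the offline check and is not a real certificate.

```python
import hashlib
import socket
import ssl
import urllib.request

# Placeholders (assumptions): the Broker's address and the CA fingerprint obtained
# through some channel other than this download.
BROKER_HOST = "192.0.2.10"  # RFC 5737 documentation address, replace with your Broker IP
BROKER_PORT = 8002
EXPECTED_CA_FINGERPRINT = "REPLACE-WITH-OUT-OF-BAND-FINGERPRINT"


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, in the colon-separated form
    printed by 'openssl x509 -noout -fingerprint -sha256'."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of a PEM-encoded certificate (PEM is base64 of the DER bytes)."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))


def fingerprint_matches(pem_text: str, expected: str) -> bool:
    """Compare fingerprints ignoring case and ':' / space separators."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(pem_fingerprint(pem_text)) == norm(expected)


def fetch_ca_pem(host: str, port: int) -> str:
    """Download /ca.crt. Verification is disabled deliberately: the CA is not trusted yet,
    so this is a trust-on-first-use fetch whose result MUST be checked by fingerprint."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}:{port}/ca.crt"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode("ascii")


def verify_admin_panel(host: str, port: int, ca_pem_path: str) -> dict:
    """Open a TLS connection to the admin panel trusting only the downloaded CA.
    Raises ssl.SSLCertVerificationError if the panel certificate does not chain to it
    or does not match the name/IP we connected to."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample for an offline check of the helpers: the base64 payload is the
# bytes b"abc", so this is NOT a certificate and must not be installed anywhere.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    pem = fetch_ca_pem(BROKER_HOST, BROKER_PORT)
    print("Downloaded CA fingerprint (SHA-256):", pem_fingerprint(pem))
    if not fingerprint_matches(pem, EXPECTED_CA_FINGERPRINT):
        raise SystemExit("Fingerprint mismatch: do not add this CA to any trust store")
    with open("secfense-ca.crt", "w") as f:
        f.write(pem)
    peer = verify_admin_panel(BROKER_HOST, BROKER_PORT, "secfense-ca.crt")
    print("Admin panel certificate verified; subject:", peer.get("subject"))
```

If the admin panel certificate is issued for a hostname rather than the IP address, connect using that hostname (and resolve it to the Broker IP) so that name verification in verify_admin_panel succeeds; disabling name checks would defeat the purpose of installing the CA.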
Clustering the device
Note: it is strongly advised to run each Secfense Broker instance that belongs to the cluster on a separate hypervisor, so that a single host failure does not take down the whole cluster.
To bind two Secfense Broker instances into a cluster, make sure that:
- both devices were installed separately from the OVA (a clone of an existing instance is not acceptable)
- the two instances can reach each other over the network
- both devices are running the same software version
To cluster the devices, run the following command on the appliance:
bin/cluster_wizard
Answer carefully when asked whether the current device is the main one. If you are adding a clean device to an existing cluster and mark the wrong device as main, you risk deleting all configuration made up to this point.