Vectra remote support

Configure and verify Vectra Remote Support (VPN, UI access, and CLI access) for RUX and QUX deployments, including connectivity requirements, proxy considerations, and troubleshooting.

Applicability

This article will eventually replace the older article covering QUX deployments prior to v9.8. Vectra is rolling out an update to how remote support controls are labeled in the UI and adding the ability for customers to grant Vectra access to their RUX UI without having to create and manage accounts for the Vectra users. Initially these changes are rolling out to RUX customers. Remote Support settings are planned to be updated in v9.9 for QUX customers. If you found this article prior to the changes being rolled out for QUX deployments, please see the earlier linked KB article.

Introduction

Vectra Remote Support allows authorized Vectra personnel to connect to your deployment for troubleshooting and assistance. This can include:

  • For RUX deployments:

    • Accessing your RUX UI.

    • Connecting to and accessing the CLI of a Brain appliance that is connected to your RUX UI.

      • Once connected to the Brain CLI, accessing the CLI of any Sensors paired with your Brain appliance.

  • For QUX deployments:

    • Connecting to your Brain appliance.

      • Once connected to your Brain appliance, accessing the QUX UI.

      • Once connected to your Brain appliance, accessing the CLI of the Brain appliance.

      • Once connected to your Brain appliance, accessing the CLI of any Sensors paired with your Brain appliance.

If you are unsure of your deployment type, please see Vectra Analyst User Experiences (Respond vs Quadrant) for details.

For Vectra MDR / MXDR customers:

  • Remote support is required to be enabled for all Vectra MDR and MXDR customers. Vectra analysts must be able to access your system to perform the activities associated with these services.

  • If you are an MDR or MXDR customer and have questions about remote support that are not covered by this article, please contact [email protected].

For all other Vectra customers:

  • Enabling and disabling remote support is controlled by the customer.

Appliance Access Without Remote Support Enabled

In order to assist customers who are unable to log in to their appliances, when the console or QUX UI can be reached, Vectra has the ability to log in to any appliance type that is not deployed in an IaaS cloud (AWS, Azure, GCP). The console or UI could be available via network, screen share, physical appliance access, etc. This is not possible in IaaS deployments because the base images cannot be distributed in the cloud marketplaces with accounts enabled on them that can be logged in to by the vendor. In some situations, it may be required to redeploy an appliance if remote support is not enabled prior to a customer account lockout.

Capabilities

Vectra Remote Support consists of several different base capabilities:

  • Remote Support VPN

    • This enables Vectra to reach your Brain appliance at an IP level and then attempt connections as follows:

      • RUX - attempt login to the Brain CLI.

        • The RUX UI is accessible from the internet and Vectra does not require the Remote Support VPN to be enabled to attempt connection to it.

      • QUX - attempt login to the QUX UI (served by your Brain) and the Brain CLI.

  • Access UI

    • This enables Vectra to log in to your UI.

    • In RUX deployments the permissions given to the Vectra user are controlled by the role that is assigned when access to the UI was enabled by the customer.

    • In RUX deployments, the customer can choose if the role reverts to read-only and when, and also if the UI access expires and when.

    • In QUX deployments, a vadmin account, that is not visible in user management, is granted administrative permissions.

  • Access CLI

    • This enables Vectra to log in to your Brain CLI.

    • In both RUX and QUX deployments, this gives vadmin level rights, which provide added functionality beyond what the vectra customer user account login provides.

      • The shell is a Bash (Bourne Again Shell) command line system. It is only used for low level work or troubleshooting.

Scope

  • Vectra support or analyst personnel may use UI or CLI access to assist in support matters, debug any errors with the customer appliance, and investigate detections or connectivity issues upon customer request.

  • Remote Support may only be used from a secure central system inside the Vectra corporate network.

    • This central system requires 2FA in order to log in and all activity is logged and audited.

    • The credentials used to access this system are centrally controlled and access can be removed at any time.

    • All credentials are also subject to minimum strength, complexity, and uniqueness requirements.

  • Vectra users only have access to the local system and have no further access to any part of the customer environment.

  • Updates and additional software may only be applied from secure authorized Vectra repositories.

Remote Support VPN Requirements

In order to enable the Remote Support VPN, the Brain appliance must be able to access either:

  • TCP/443 to rs.vectranetworks.com (74.201.86.229)

    • Functions with or without a customer proxy configured.

  • UDP/9970 to rs.vectranetworks.com (74.201.86.229)

    • Does not function with a customer proxy.

  • It is a best practice to allow both TCP and UDP connectivity through any firewall when possible.

Note: For security reasons, Vectra appliances validate SSL certificates for all Remote Support connections. Any SSL-inspecting firewalls must disable SSL inspection for these connections because SSL interception will cause the connections to fail.

The connectivity with 443 can be tested by executing the following commands from the Brain's VCLI (Vectra CLI):

Enabling and Disabling Remote Support

Scenarios

RUX and QUX UIs are served from different locations. The RUX UI is served from Vectra's cloud and the QUX UI is served from the Brain appliances. Remote Support VPN is not required for Vectra personnel to attempt login to RUX deployments. All QUX deployments will have a Brain appliance, while RUX deployments without network sensors (data sources) do not have a Brain. IaaS cloud Brains require that customers explicitly grant access to the UI (QUX) and CLI (RUX and QUX). Remote Support VPN connectivity enables a tunnel to attempt connection to Vectra so that Vectra personnel can attempt to log in to the Brain appliance. Together, these facts create five unique situations:

  • RUX with no Brain appliance

    • No Remote Support VPN is required, customers can grant Vectra the ability to log into the RUX UI.

    • 1 setting is presented:

      • Access UI

  • RUX with IaaS Brain appliance

    • Remote Support VPN is required for Brain CLI access, customers can grant Vectra the ability to log into the RUX UI and Brain CLI.

    • 3 settings are presented:

      • Remote Support VPN

      • Access UI

      • Access CLI

  • RUX with non-IaaS Brain appliance

    • Remote Support VPN is required for Brain CLI access, customers can grant Vectra the ability to log into the RUX UI and Brain CLI.

    • 2 settings are presented:

      • Access UI

      • Access CLI - Enabling this will also enable the Remote Support VPN

  • QUX with IaaS Brain appliance

    • Remote Support VPN is required for UI and Brain CLI access, customers can grant Vectra the ability to log into the QUX UI and Brain CLI.

    • 2 settings are presented:

      • Remote Support VPN

      • Access UI and CLI

  • QUX with non-IaaS Brain appliance

    • Remote Support VPN is required for UI and Brain CLI access, customers can grant Vectra the ability to log into the QUX UI and Brain CLI.

    • 1 setting is presented:

      • Access UI and CLI - Enabling this will also enable the Remote Support VPN

Enabling in the UI

To enable, go to Configuration → ACCESS → Remote Support in your Vectra UI and click the Edit or pencil icon to edit your Remote Support settings.

Depending on your scenario (see above Scenarios section), you will have different settings available. Configure them as desired.

If you are enabling UI Access for a RUX deployment, you will be presented with options for the role, read-only reversion, and overall access expiry:

For the other settings, please refer to the Capabilities section above for descriptions of what each setting does. Tooltips will also provide some guidance.

Enabling in the CLI

For RUX UI Access, this can only be enabled in the RUX UI. Please see above for instructions. See Console access on Vectra appliances for details on how to login to the CLI.

Set VPN Enable Command

This command will:

  • Enable the Remote Support VPN

  • For Brains deployed in IaaS clouds, the set vadmin enable command is also required to enable authorized Vectra personnel to access the CLI and QUX UI.

  • For non-IaaS Brains, vadmin access is always allowed if Vectra can reach the console or UI of the appliance via the network, via screen share, or physical console access.

To enable:

Set vadmin Enable Command

This command is only available on Brains deployed in IaaS environments.

This command will:

  • Enable authorized Vectra personnel to access the CLI and QUX UI.

To enable:

For Brains With Proxy Enabled

If your Brain has a proxy configured in Configuration → COVERAGE → Data Sources > Network > Brain Setup > Proxy & Status, use the following steps:

RUX Customers

QUX Customers

  • Please ensure that your Remote Support settings are configured as per the earlier guidance.

  • Make sure you are logged in to the UI of the Brain with a user who has Admin or Super Admin rights.

  • To enable Remote Support VPN to go through the proxy:

    • Load the URL: https://MGMT_IP_OR_NAME/a/sf/vpn_proxy/1/

    • Please replace MGMT_IP_OR_NAME with the IP or hostname of the Brain.

  • To disable:

    • Load the URL: https://MGMT_IP_OR_NAME/a/sf/vpn_proxy/0/

Please Note: Remote Support is only available over TCP/443 when using a proxy, UDP/9970 is not supported through a proxy.

Verification

After logging in to your Brain CLI, you can check the status of your Remote Support access as follows:

As per the earlier guidance, vadmin access is only configured for Brains deployed in IaaS clouds.

After your initial configuration of Remote Support, you may wish to verify that Vectra can access your environment per your configured remote support settings. To do so, please contact Vectra Support and ask that they confirm the access is functional. They may need your specific serial number for the Brain in question for QUX Access or your tenant URL for RUX UI access.

The serial number for your Brain appliance can be found at: Configuration → COVERAGE → Data Sources → Network → Brain Setup → Brain → Serial Number.

Your Brain appliance generates an audit log message when remote support is enabled or disabled. These messages are part of the Audit log. For additional information regarding the configuration of syslog from your Vectra Brain, please see the Vectra Syslog Guide (QUX). For RUX deployments, please see https://apidocs.vectra.ai/ for details on how to read the Audit log.

Sample Syslog Messages

Enabling Remote Support

Disabling Remote Support

Sample Audit Log Message in a RUX Deployment:

Troubleshooting

For any query or assistance please feel free to contact Vectra support. Please try the following actions first.

  • Try resetting the Remote Support VPN connection by disabling and enabling it from the Brain CLI or via the UI:

    • Here are the commands to run from the CLI:

  • For the UI:

    • Go to Configuration → ACCESS → Remote Support.

    • Turn off any setting that enables the VPN connection and save.

    • Once remote support is off, edit and turn it back on.

  • When contacting Vectra Support, please include the following:

    • Output of VCLI commands on Sensor

  • Please attach a screenshot of your Remote Support settings:

    • Navigate to Configuration → ACCESS → Remote Support, click Edit and take a screenshot.

    • Please include a status-report

      • To collect this report login to the Brain VCLI (Vectra CLI) and generate the report:

  • It will take a few minutes to run all the checks and collect the logs.

  • Once complete, list the reports:

  • Copy the URL associated with the latest report (i.e. the highest ID number), open the URL in your browser, download the report, and attach it to your support case.

For questions about compliance, please refer to Vectra's Trust Center, available at https://trust.vectra.ai/. Vectra's Trust Center is available for customers, partners, or prospects seeking additional clarity and assurance around Vectra's security, compliance, and privacy controls. Accessing certain sections of Vectra's Trust Center might require signing an NDA (one-way) unique to our Trust Center. If you have already signed an MNDA with Vectra, we ask that you also sign this agreement. Access to Vectra's Trust Center is valid for one year. You can access new or existing documents during that time without submitting another request.

Latest Vulnerability Update - July 31st, 2023:

Vectra is not affected by the recently published OpenSSH vulnerabilities:

  • CVE-2023-38408 - Vectra Detect for Network does not use ssh-agent forwarding and has it explicitly disabled via the AllowAgentForwarding no setting in the ssh configuration file.

  • CVE-2023-2640 and CVE-2023-32629 - Vectra Detect for Network is not affected by these vulnerabilities as it already contains the mitigations for it, recommended by the Ubuntu Canonical team:

    • $ sysctl kernel.unprivileged_userns_clone
      kernel.unprivileged_userns_clone = 0
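
The two mitigations cited above can be checked the same way on any Linux host you administer. The script below is an added example, not Vectra code and not a VCLI procedure; the function names, file arguments and sample configuration are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Vectra code. Function names and sample data are constructed.

# sshd_effective FILE KEYWORD DEFAULT
# Prints the global value sshd would use. sshd keeps the FIRST occurrence of a
# keyword, matches keywords case-insensitively, and treats everything after a
# "Match" line as conditional, so scanning stops there. Include files are not
# followed; point FILE at saved `sshd -T` output when the config uses Include.
sshd_effective() {
  awk -v key="$2" -v def="$3" '
    BEGIN { FS = "[ \t=]+"; key = tolower(key) }
    { sub(/^[ \t]+/, "") }              # drop indentation; awk re-splits fields
    /^#/ || NF == 0 { next }            # comment or blank line
    tolower($1) == "match" { exit }     # conditional blocks start here
    tolower($1) == key { val = tolower($2); exit }
    END { print (val == "" ? def : val) }
  ' "$1"
}

# userns_clone_state [PROC_FILE]
# Prints "disabled" (value 0, the mitigation), "enabled", or "absent" when the
# running kernel does not expose this sysctl.
userns_clone_state() {
  local f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
  [ -r "$f" ] || { echo absent; return 0; }
  case "$(tr -d '[:space:]' < "$f")" in
    0) echo disabled ;;
    *) echo enabled ;;
  esac
}

# audit_host SSHD_CONFIG [PROC_FILE]: returns 0 only if both mitigations hold.
audit_host() {
  local fwd userns rc=0
  fwd=$(sshd_effective "$1" AllowAgentForwarding yes)   # OpenSSH default is yes
  userns=$(userns_clone_state "${2:-}")
  [ "$fwd" = no ] || { echo "NOT MET: AllowAgentForwarding=$fwd"; rc=1; }
  [ "$userns" = disabled ] || { echo "NOT MET: unprivileged_userns_clone=$userns"; rc=1; }
  [ "$rc" -ne 0 ] || echo "OK: both mitigations present"
  return "$rc"
}

# Constructed sample: the first global line wins and the Match block is ignored.
demo_cfg=$(mktemp)
printf '%s\n' '# constructed sample' 'allowagentforwarding no' \
  'AllowAgentForwarding yes' 'Match User backup' '  AllowAgentForwarding yes' > "$demo_cfg"
sshd_effective "$demo_cfg" AllowAgentForwarding yes
rm -f "$demo_cfg"
```

On a real host, call audit_host /etc/ssh/sshd_config with no second argument so the live /proc value is read.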

For any questions or concerns regarding any of the documentation found here, please reach out to [email protected].
