QUX deployments prior to v9.8
Remote support allows authorized Vectra personnel to connect to your Vectra (Brain). This article details how you can enable, disable, and verify the status of remote support.
Applicability
Vectra is rolling out an update of how remote support controls are labeled in the UI and adding the ability for customers to grant Vectra access to their RUX UI without having to create and manage user accounts for the Vectra users. Initially these changes are rolling out to RUX customers. Remote Support settings are planned to be updated similarly in v9.8 for QUX customers.
Vectra has created a new Vectra Remote Support KB that details the updated controls. Please see that KB when you see the updated controls in your UI.
Introduction
Vectra Remote Support can be enabled or disabled for Brains deployed as part of the Vectra platform.
When using the Respond UX (served from the Vectra cloud platform), user accounts must be provisioned by the customer to allow access to the UI of your Vectra platform.
Enabling remote support in the Respond UX only grants authorized Vectra personnel reachability and access to the shell (CLI).
When using the Classic UX (served from a Brain when using the Vectra appliance platform), remote support can be enabled or disabled by the customer.
For Brains deployed in IaaS (AWS, Azure, etc) clouds, reachability from Vectra to the Brain and login to the shell (CLI) and UI are controlled by two separate settings.
For Brains not deployed in IaaS clouds, a single setting controls both reachability to the Brain and login to the shell (CLI) and UI by authorized Vectra personnel.
Remote Support Scope:
Remote support (reachability and login) is required for existing Vectra Sidekick customers and for new deployments using Vectra MDR. Vectra analysts must be able to access your system to perform the activities associated with these services. While remote support is enabled and operational, authorized Vectra personnel will have access to only the following components:
User Interface (classic UX only)
This is the same web UI that is accessible from your network by your authorized users.
The dedicated Vectra Admin (vadmin) account has administrative privileges in your UI but all actions are audited and logged.
This access grants no further access to any part of the customer environment.
As per the introduction above, when using the Respond UX, enabling remote support does not allow Vectra access to the UI. Accounts must be provisioned by the customer to allow Vectra login to the UI.
Shell
The shell is a Bash (Bourne Again Shell) command line system. It is only used for low level work or troubleshooting. Vectra support or analyst personnel may use this to assist in support matters, debug any errors with the customer appliance, and investigate detections or connectivity issues upon customer request. It may only be used from a secure central system inside the Vectra corporate network. This central system requires 2FA in order to log in and all activity is logged and audited. The credentials used to access this system are centrally controlled and access can be removed at any time. All credentials are also subject to minimum strength, complexity, and uniqueness requirements.
Users only have access to the local system and have no further access to any part of the customer environment. Updates and additional software may only be applied from secure authorized Vectra repositories.
Prerequisites
In order to enable remote support, your internet access should permit the Brain access to:
TCP/443 to rs.vectranetworks.com (74.201.86.229)
UDP/9970 to rs.vectranetworks.com (74.201.86.229)
Note:
For security reasons, Vectra appliances validate SSL certificates for all Remote Support connections. Any SSL-inspecting firewalls must disable SSL inspection for these connections because SSL interception will cause the connections to fail.
The connectivity with 443 can be tested by executing the following commands from the brain's VCLI (Vectra CLI):
Enabling and Disabling Remote Support
- For Brains not deployed in IaaS (AWS, Azure, etc) clouds:
To enable, go to "Brain-Web-UI > Settings > Remote Support"; click on Edit and toggle to on.
"Remote Support" enables reachability to the Brain and allows authorized Vectra personnel to login to the CLI and UI.
Once enabled it should say "Remote Support is enabled"

Remote Support can also be enabled by the "vectra" user from the CLI:
- For Brains deployed in IaaS (AWS, Azure, etc) clouds:
To enable, go to "Brain-Web-UI > Settings > Remote Support"; click on Edit and toggle both "Remote Support" and "Vectra Support Login" on.
"Remote Support" enables reachability to the Brain.
"Vectra Support Login" allows authorized Vectra personnel to log in to the CLI and UI.
Without this enabled, Vectra can only login with the credentials that you provide to Vectra.

Remote Support and Vectra Support Login can also be enabled with the "vectra" user from the CLI:
- For Brains with Proxy enabled:
QUX customers
RUX customers
If a proxy is configured on the Brain ("Brain-Web-UI > Data Source > Network > Brain Setup > Proxy & Status"), you will need to enable Remote Support via the proxy with the following steps:
• Enable Remote Support at "Brain-Web-UI > Settings > Remote Support"
• Make sure you are logged in to the Brain as a user with the Admin/Super Admin role
• Open the URL https://MGMT_IP_OR_NAME/a/sf/vpn_proxy/1/ (replace MGMT_IP_OR_NAME with the IP or hostname of the Brain)
• To disable it, use the URL https://MGMT_IP_OR_NAME/a/sf/vpn_proxy/0/
Note: the proxy will only be enabled for TCP/443; UDP/9970 is not supported.
Please reach our support (support.vectra.ai or email [email protected]) to configure it.
Verify
- If you have enabled the remote support connection for the first time, reach out to support to confirm that support can access the appliance. Support will require the serial number of the appliance, which is listed at "Brain-Web-UI > Data Source > Network > Brain Setup > Brain > Serial Number".
- Vectra generates a heartbeat message once a day when remote support is enabled. These messages are part of the "Audit" log. For additional information regarding the configuration of syslog from your Vectra Brain, please see the Vectra Syslog Guide.
Sample Syslog Messages
Heartbeat (generated once a day): <109>Apr 27 03:00:39 192 vectra_json_audit -: {"user": null, "role": null, "source_ip": null, "headend_addr": "192.168.224.57", "dvchost": "192.168.1.1", "version": "6.18", "result": "success", "message": "Remote Support is Enabled (Heartbeat)", "vectra_timestamp": "1651028439"}
Enabling Remote Support: <109>Apr 26 23:36:19 192 vectra_json_audit -: {"user": "admin", "role": "Super Admin", "source_ip": "192.168.1.2", "headend_addr": "192.168.1.1", "dvchost": "192.168.1.1", "version": "6.18", "result": "success", "message": "change Access for Remote Support VPN state from off to on", "vectra_timestamp": "1651016179"}
Disabling Remote Support: <109>Apr 26 23:35:32 192 vectra_json_audit -: {"user": "admin", "role": "Super Admin", "source_ip": "192.168.1.2", "headend_addr": "192.168.1.1", "dvchost": "192.168.1.1", "version": "6.18", "result": "success", "message": "change Access for Remote Support VPN state from on to off", "vectra_timestamp": "1651016132"}
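These audit messages can be monitored on the syslog receiver. The following is an added example, not Vectra code: it replays vectra_json_audit records in timestamp order, tracks the Remote Support state, and reports enablement by a user outside an approved list or a missing daily heartbeat while the state is on. The approved-user list, the 26-hour gap threshold and the function names are assumptions of this example.

```python
import json
import re

# Constructed sample input: the page's three sample audit messages in time order,
# plus one unrelated syslog line that must be ignored.
SAMPLE_LINES = [
    '<109>Apr 26 23:35:32 192 vectra_json_audit -: {"user": "admin", "role": "Super Admin", "source_ip": "192.168.1.2", "headend_addr": "192.168.1.1", "dvchost": "192.168.1.1", "version": "6.18", "result": "success", "message": "change Access for Remote Support VPN state from on to off", "vectra_timestamp": "1651016132"}',
    '<109>Apr 26 23:36:19 192 vectra_json_audit -: {"user": "admin", "role": "Super Admin", "source_ip": "192.168.1.2", "headend_addr": "192.168.1.1", "dvchost": "192.168.1.1", "version": "6.18", "result": "success", "message": "change Access for Remote Support VPN state from off to on", "vectra_timestamp": "1651016179"}',
    '<13>Apr 26 23:40:00 192 some_other_program -: not an audit record',
    '<109>Apr 27 03:00:39 192 vectra_json_audit -: {"user": null, "role": null, "source_ip": null, "headend_addr": "192.168.224.57", "dvchost": "192.168.1.1", "version": "6.18", "result": "success", "message": "Remote Support is Enabled (Heartbeat)", "vectra_timestamp": "1651028439"}',
]

AUDIT_RE = re.compile(r"vectra_json_audit -: (\{.*\})\s*$")
CHANGE_RE = re.compile(r"change Access for Remote Support VPN state from (on|off) to (on|off)")
HEARTBEAT = "Remote Support is Enabled (Heartbeat)"
MAX_GAP = 26 * 3600  # assumption: one heartbeat a day plus two hours of slack


def parse_audit(line):
    """Return the JSON body of a vectra_json_audit line (with int 'ts'), else None."""
    match = AUDIT_RE.search(line)
    if not match:
        return None
    try:
        event = json.loads(match.group(1))
        event["ts"] = int(event["vectra_timestamp"])
    except (ValueError, KeyError, TypeError):
        return None  # malformed JSON or missing/non-numeric timestamp
    return event


def review(lines, approved_users, now):
    """Replay audit events in timestamp order; return (state, findings)."""
    events = sorted(filter(None, map(parse_audit, lines)), key=lambda e: e["ts"])
    state, last_on, findings = None, None, []
    for ev in events:
        ts, msg = ev["ts"], ev.get("message", "")
        change = CHANGE_RE.fullmatch(msg)
        if change and ev.get("result") == "success":
            state, last_on = change.group(2), ts
            if state == "on" and ev.get("user") not in approved_users:
                findings.append(f"enabled by unapproved user {ev.get('user')!r} from {ev.get('source_ip')} at {ts}")
        elif msg == HEARTBEAT:
            if state == "off":
                findings.append(f"heartbeat at {ts} although last recorded state is off")
            state, last_on = "on", ts
    if state == "on" and now - last_on > MAX_GAP:
        findings.append(f"no heartbeat for {(now - last_on) // 3600}h while state is on")
    return state, findings
```

A missing heartbeat while the last recorded state is on means either Remote Support was turned off without the audit record reaching the receiver or syslog forwarding has stopped; both are worth checking.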
Troubleshooting
For any query or assistance please feel free to contact Vectra support. If possible, please add the following information to the ticket:
Try resetting the VPN connection by disabling and enabling it from the VCLI or the web page:
Here are the commands to run on VCLI:
Go to the Vectra Brain web page:
Go to Settings > General > Remote Support.
Click Edit, set it to off, and save. Wait for the setting to be saved.
Once remote support is off, click Edit, set it to on, and save.
The output of VCLI commands on Sensor:
Go to "Brain-Web-UI > Data Source > Network > Brain Setup > Proxy & Status". Click on Edit and take the screenshot.
status-report: To collect this report, log in to the Brain VCLI (Vectra CLI) and follow the steps below
Compliance
For questions about compliance, please refer to Vectra's Trust Center, available at https://trust.vectra.ai/.
Vectra's Trust Center is available for customers, partners, or prospects seeking additional clarity and assurance around Vectra's security, compliance, and privacy controls.
Accessing certain sections of Vectra's Trust Center might require signing an NDA (one-way) unique to our Trust Center. If you have already signed an MNDA with Vectra, we ask that you also sign this agreement.
Access to Vectra's Trust Center is valid for one year. You can access new or existing documents during that time without submitting another request.
Latest Vulnerability Update - July 31st, 2023:
Vectra is not affected by the recently published OpenSSH vulnerabilities.
CVE-2023-38408 - Vectra Detect for Network does not use ssh-agent forwarding and has it explicitly disabled via the "AllowAgentForwarding no" setting in the ssh configuration file.
CVE-2023-2640 and CVE-2023-32629 - Vectra Detect for Network is not affected by these vulnerabilities as it already contains the mitigation for them recommended by the Ubuntu Canonical team:
$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 0
For any questions or concerns regarding any of the documentation found here, please reach out to [email protected] .