Configure a High Availability Cluster - Administrator Guide - Cortex XSIAM - Cortex

Configure a High Availability Cluster - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product

Cortex XSIAM

Creation date

2024-02-26

Last date published

2024-04-25

Category

Administrator Guide

Abstract

Learn how to configure a High Availablity Cluster.

You can create a High Availability (HA) cluster by either creating a new cluster from scratch and then adding applets and Broker VM nodes to the cluster, or by creating a new cluster from an existing standalone Broker VM. There is no limit to the number of clusters and nodes that you can add.

There are a number of different ways that you can configure the HA cluster to acheive fault tolerance depending on your system requirements. For example, once a cluster is created from scratch, you can start by configuring the applets that you want the cluster to maintain and then adding the Broker VM nodes that will be managed by the cluster to maintain this configuration, or vise versa. When you create a new cluster from an existing Broker VM, the cluster inherits the applets already configured, which can help save time with your cluster configuration.

For the cluster to start working and provide services, you need at least one operational node. Until this node is added, the cluster is unavailable. Once a node is added, the cluster begins operating, but it's not considered healthy. For the cluster to be healthy and maintain HA and redundancy, you need at least two working nodes in the cluster.

For "active/active" applets that require load balancing, you must install a Load Balancer in your network to distribute the incoming data between the nodes.

Danger

Be sure you do the following tasks before creating a cluster from an existing Broker VM:

Since the Pathfinder applet isn't supported when configuring HA clusters, you must ensure Pathfinder is deactivated on the Broker VM.
If the Broker VM is explicitly specified in some Agent Settings profile, which mean Cortex XSIAM agents retrieve release upgrades and content updates from this Broker VM, you must change the Broker VM's current designated role. To do this, you need to modify the Agent Settings profile by removing the specific selection of this broker as a Download Source for XDR agents (Endpoints → Policy Management → Prevention → Profiles → Edit Profile → Download Source → Broker Selection). After you create the cluster for this broker, you can go back the Agent Settings profile and select the cluster that you created from this broker to be used as a Download Source for XDR agents.

Perform the following procedures in the order listed below.

Task 1. Open the Broker VMs page in Cortex XSIAM

Select Settings → Configurations → Data Broker → Broker VMs.

Task 2. Determine how you want to create an HA cluster

To create a cluster and then add Broker VMs to the cluster, click Add Cluster.
To create a new cluster from an existing Broker VM in the Brokers tab, right-click a standalone Broker VM, and click Create a Cluster from this Broker.
Important
- You can only create a new custer from an existing Broker VM, when the Broker VM version is 19.0 and later, and the STATUS is Connected.
- The Create a Cluster from this Broker option is only listed if the Broker VM is not already added to a cluster.

Task 3. Set the applicable parameters

Define the following parameters:

Implementing a Load Balancer requires exposing a health check API that is called by the Load Balancer at regular intervals. You can access the health check page by sending an HTTP request to http[s]://<Broker VM IP>:<port>/health/. A successful HTTP response of 200 OK as the status code indicates the Broker VM’s readiness to receive logs.

When Disabled the Load Balancer Health Check listening port is blocked. When Enabled (default), the listening port is opened, and you must define the Port number (default 8088) and Protocol (default HTTP).

Important

When the Protocol is set to HTTPS, you may need to perform a few follow-up steps to establish a validated secure SSL connection with the Broker VM.

If you're using your own Certificate Authority (CA) to sign the certificates, you'll need to place the CA in the client, such as the Load Balancer, and upload the certificates to the Broker VM.
If you're using a Trusted CA Signed SSL Certificate, you'll only need to upload it to the Broker VM.
If the SSL Server Certificates of the Broker VM are self-signed certificates, no further steps are necessary.

You can configure automatic upgrades within Broker VM HA cluster nodes to update cluster nodes without noticeable down-time or other disruption of the HA cluster service by implementing the rolling upgrade mechanism. Setting automatic upgrades includes these parameters:

Once configured, the rolling upgrades are only performed when the cluster STATUS is Healthy. An automatic upgrade is performed in the following order:

Task 4. Save your changes

Click Save.

The cluster is now listed in the Clusters tab of the Broker VMs page, whose output differs depending on how the cluster was created:

Task 5. Add Broker VMs to your cluster as you require to achieve fault tolerance and high availability

For the cluster to be healthy and maintain HA and redundancy, you need at least two working nodes in the cluster.

To add Broker VM, see Add Broker VM to Cluster.
To add applets, see Add an Applet to a Cluster.