Engine air gap installation - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product
Cortex XSOAR
Version
8.5
Creation date
2024-03-10
Last date published
2024-11-28
Category
Administrator Guide
Solution
On-prem
Abstract

Install a Cortex XSOAR engine offline when you don’t have access to the Internet (tested on RHEL v8).

An air gap is a security measure that involves isolating a computer or network and preventing it from establishing an external connection. An air-gapped computer is physically segregated and incapable of connecting wirelessly or physically with other computers or network devices.

Use these instructions to install an engine on a machine without internet connectivity.

On a machine that has internet access, download the OS dependencies, the Docker images, and, from the Cortex XSOAR tenant, the engine installation file. Then transfer those files to the machine without internet access and install them there.

Download dependencies for offline installation

Install the following top-level dependencies according to your operating system. These dependencies may themselves depend on other OS libraries, so make sure the full dependency chain is downloaded on the connected machine.

Note

Always verify that your dependencies are updated and take into account that they might change across releases.

Download Docker images offline

To download Docker images, use the download_packs_and_docker_images script, which downloads the Docker image for each content pack integration you want to use, such as AWS-ILM, Cybereason, and EWS.

The download_packs_and_docker_images script downloads the latest content packs and their Docker images as a zip file on your machine. The script is located in the Utils folder of the GIT Content repository. If you do not have access to the GIT Content repository, you can download the script from here. For detailed information on how to download the Docker images, see download packs offline.

Install an engine offline
  1. On a machine with internet access, download the following:

    1. Dependencies for your deployment type.

    2. Relevant Docker images.

  2. In the Cortex XSOAR tenant, download the engine installation file.

    1. Select Settings & Info > Settings > Integrations > Engines > Create New Engine.

    2. In the Engine Name field, add a meaningful name for the engine.

    3. Select one of the installer types from the list.

      For Linux systems we recommend using the Shell installer.

    4. (Optional) If you want to add the engine to a load balancing group, from the list, select the group.

      The list only appears after you have created and connected an engine and created a load balancing group. To add the engine to a new group, select Add new group from the list.

      An engine that belongs to a load balancing group cannot be used as an individual engine and does not appear in the engine list when you configure an integration instance.

    5. (Optional) (Shell only) Select the checkbox to enable multiple engines to run on the same machine.

      If you have an existing engine, you did not select the checkbox, and you want to install another engine on the same machine, you need to delete the existing engine.

    6. (Optional) Add any required configuration in JSON format.

    7. Click Create New Engine.

  3. On the machine you want to install the engine, do the following:

    1. Transfer the files downloaded in steps 1 and 2.

    2. Verify that the required dependencies from step 1a are installed by running one of the following commands and checking the output for each package:

      • (Red Hat) repoquery -a --installed

      • (Ubuntu or Debian) apt list --installed

    3. Install the engine.

      1. Grant execution permission by running the following command:

        chmod +x /<engine-file-path>

      2. Install the engine by running the following command:

        sudo ./d1-<engine-name>-<XSOAR-version>-xxxxxxx.sh -- -tools=false -do-not-start-engine=true

        The -do-not-start-engine=true flag installs the engine without starting it, so that the Docker images can be loaded before the engine first runs.

        For example, sudo ./d1-engine1-8.35-318874.sh -- -tools=false -do-not-start-engine=true

        If you receive a "Permission denied" error, it is likely that the installer cannot use the /tmp directory, for example because /tmp is mounted with the noexec option.

    4. (Red Hat v8 & above) If you have not already done so, install and configure Podman, by following the steps in Migrate From Docker to Podman (from step 2 onwards).

    5. Load the Docker images that you downloaded in step 1b, by doing one of the following:

      • (Ubuntu, Debian, Red Hat v7 & below) Run the following command:

        sudo docker load -i <YOUR_DOCKER_FILE>.zip

        docker load reads a tar archive (plain or gzip, bzip2, or xz compressed). If the script packaged the image archive inside a zip file, unzip it first and load the extracted tar archive.

      • (Red Hat v8 & above) Do the following:

        1. Ensure that the Docker file has demisto:demisto ownership.

        2. Ensure that you are in the root directory (cd /).

        3. Run the following commands:

          sudo -su demisto

          podman load -i <YOUR_DOCKER_FILE>.zip

        4. (Optional) To verify that images are able to run, use the podman images command. You can also run the podman images -q "demisto/python:1.3-alpine" command to validate specific images and identify any issues.

  4. Start the engine, by running the following command:

    sudo systemctl start d1

    Note

    For multiple engines the d1 service name may differ.

  5. (Optional) After installation has completed, do the following:

    1. Confirm that the engine status is active, by running the systemctl status d1 command.

    2. Validate that the engine is connected and running by going to Settings & Info > Settings > Integrations > Engines.

    3. Run the engine on a sample integration. For example, go to Settings & Info > Settings > Integrations > Instances and search for the Hello World (Community Contribution) integration. Add or edit the instance and in the Run on field, select the engine.

    4. Run a simple command to test that the engine is working properly using the integration.

      For example, !helloworld-say-hello name="Mamba"
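The procedure above moves several files across the air gap by hand: the OS packages, the image archive, and the installer. The vendor steps verify the packages but do not check that the transferred files arrived intact, so the following helper functions are an added example (not Palo Alto Networks' code) for staging the bundle. make_manifest runs on the connected machine and writes a SHA256SUMS manifest (hypothetical file name) next to the files; verify_manifest runs on the air-gapped host after the transfer; pick_runtime reads an os-release file and returns podman for RHEL 8 and later, docker otherwise, matching the split in step 3.5; missing_packages compares a required package list against a file listing installed package names; is_engine_installer checks the d1-<engine-name>-<version>-<build>.sh naming from step 3.3. The functions assume bash or a POSIX sh, GNU coreutils (sha256sum, sort -z), and take paths as arguments so they can be tried on constructed files before being used on the real bundle.

```shell
#!/usr/bin/env bash
# Added example, not part of the Cortex XSOAR documentation or product.
set -eu

# Run on the internet-connected machine before the transfer: hash every file
# in the bundle directory into SHA256SUMS (hypothetical manifest name).
# Usage: make_manifest <bundle-dir>
make_manifest() {
  local dir="$1"
  ( cd "$dir" && find . -type f ! -name SHA256SUMS -print0 \
      | sort -z | xargs -0 sha256sum > SHA256SUMS )
}

# Run on the air-gapped host after the transfer: returns 0 only if every
# file listed in SHA256SUMS still has the recorded hash.
# Usage: verify_manifest <bundle-dir>
verify_manifest() {
  local dir="$1"
  ( cd "$dir" && sha256sum --quiet --check SHA256SUMS )
}

# Choose the container runtime the procedure uses on this host:
# podman on RHEL 8 and later, docker otherwise (Ubuntu, Debian, RHEL 7).
# Takes the path of an /etc/os-release style file so it can be tested
# against constructed input.
# Usage: pick_runtime <os-release-file>
pick_runtime() {
  local f="$1" id="" ver=""
  id=$(sed -n 's/^ID=//p' "$f" | tr -d '"')
  ver=$(sed -n 's/^VERSION_ID=//p' "$f" | tr -d '"')
  if [ "$id" = "rhel" ] && [ -n "$ver" ] && [ "${ver%%.*}" -ge 8 ]; then
    echo podman
  else
    echo docker
  fi
}

# Print each required package that is absent from the installed list.
# <installed-list-file> holds one package name per line, e.g. the output of
# `rpm -qa --qf '%{NAME}\n'` on Red Hat or `dpkg-query -W -f '${Package}\n'`
# on Debian/Ubuntu. Prints nothing when everything is present.
# Usage: missing_packages <installed-list-file> pkg...
missing_packages() {
  local installed="$1"; shift
  local p
  for p in "$@"; do
    grep -qx -- "$p" "$installed" || echo "$p"
  done
}

# Return 0 if the file name follows the engine installer pattern
# d1-<engine-name>-<XSOAR-version>-<build>.sh from the install step.
is_engine_installer() {
  case "$1" in
    d1-*-*-*.sh) return 0 ;;
    *) return 1 ;;
  esac
}
```

On the air-gapped host the intended order is: verify_manifest on the transferred directory, missing_packages against the installed-package list, then the vendor install commands with the runtime that pick_runtime reports. A manifest mismatch means the bundle should be re-transferred rather than installed, since a truncated image archive or installer is the most common reason the later load and start steps fail.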