Install Cortex XSOAR from an OVA image - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product
Cortex XSOAR
Version
8.5
Creation date
2024-03-10
Last date published
2024-09-17
Category
Administrator Guide
Solution
On-prem
Abstract

Download an OVA image from Cortex Gateway, deploy the image, and use the textual user interface to configure network, IP, and environment settings, and to install a Cortex XSOAR tenant.

Danger

  • To be able to download the Cortex XSOAR 8 images from Cortex Gateway, you need a license (or evaluation license via sales) assigned to your CSP account.

  • Review the System requirements for deploying a Cortex XSOAR tenant.

  • Have a basic understanding of how to deploy OVA file formats.

  • Add DNS records that point the following host names to the cluster IP address.

    • Cluster FQDN - The Cortex XSOAR DNS name for accessing the UI. For example, xsoar.mycompany.com.

    • API-FQDN - The Cortex XSOAR DNS name that is mapped to the API IP address. For example, api-xsoar.mycompany.com.

    • ext-FQDN - The Cortex XSOAR DNS name that is mapped to external IP address. For example, ext-xsoar.mycompany.com.
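The three DNS records above are a prerequisite that is easy to get wrong and only shows up as a failed login after installation. The following is an added pre-deployment check, not Palo Alto Networks code: it resolves each host name and reports records that are missing, point to the wrong address, or carry extra round-robin addresses the appliance does not own. The host names and the cluster IP are constructed sample values; `fake_resolver` is an assumption that lets the check run offline against a constructed table.

```python
"""Pre-deployment DNS check for the three Cortex XSOAR host names.

Added example (not Palo Alto Networks code). Verifies that the cluster FQDN,
API-FQDN and ext-FQDN all resolve to the cluster IP before the installer runs.
"""
import socket
from typing import Callable, Dict, List

# Constructed sample values (assumptions, not from any real deployment).
CLUSTER_IP = "10.196.37.10"
REQUIRED_HOSTS = {
    "cluster": "xsoar.mycompany.com",
    "api": "api-xsoar.mycompany.com",
    "ext": "ext-xsoar.mycompany.com",
}

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve a host name to its IPv4 addresses with the OS resolver."""
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except socket.gaierror:
        return []
    return sorted(set(addrs))


def check_dns_records(expected_ip: str,
                      hosts: Dict[str, str],
                      resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Return a {role: problem} dict; an empty dict means every record is correct.

    Reported problems:
      - the name does not resolve (record missing);
      - the name resolves somewhere other than the cluster IP;
      - the name has extra addresses, so some clients would be sent elsewhere.
    """
    problems: Dict[str, str] = {}
    for role, name in hosts.items():
        addrs = resolve(name)
        if not addrs:
            problems[role] = f"{name} does not resolve"
        elif expected_ip not in addrs:
            problems[role] = f"{name} resolves to {', '.join(addrs)}, expected {expected_ip}"
        elif len(addrs) > 1:
            extra = [a for a in addrs if a != expected_ip]
            problems[role] = f"{name} has extra addresses {', '.join(extra)}"
    return problems


def fake_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Build an offline resolver from a constructed name -> addresses table."""
    return lambda name: table.get(name, [])


if __name__ == "__main__":
    # Offline demonstration with a constructed DNS table: the ext record is
    # missing and the api record points to the wrong address.
    table = {
        "xsoar.mycompany.com": ["10.196.37.10"],
        "api-xsoar.mycompany.com": ["10.196.37.99"],
    }
    for role, problem in check_dns_records(CLUSTER_IP, REQUIRED_HOSTS,
                                           fake_resolver(table)).items():
        print(f"{role}: {problem}")
```

Run it with the default `system_resolver` from a workstation that uses the same DNS servers you will enter in Host Configuration, so that the check exercises the resolvers the nodes themselves will use. If you deploy a cluster with the built-in virtual IP, `CLUSTER_IP` is the virtual IP, not a node IP.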

Tip

In Google Chrome, to download the image and license files together, you may need to set the browser setting Settings → Privacy and security → Site settings → Additional permissions → Automatic downloads to the default behavior Sites can ask to automatically download multiple files.

  1. Log in to Cortex Gateway. For your Cortex XSOAR license, select Download On Prem.

    By default, the Production-Standalone license is selected. You can also select Dev.

    Production and development are separate Kubernetes clusters with no dependency between them. For example, you can deploy a three-node cluster for production and a standalone node for development. Or you can support small scale for development and large scale for production.

  2. Click Next.

  3. Select the OVA image format to download.

    OVA is supported by VMware.

  4. Select the checkbox to agree to the terms and conditions of the license and click Download.

    Two files download: a zipped license file containing one or more JSON license files with instructions, and a zipped image file of the type you selected (.ova, .vhd).

  5. Extract (unzip) the license and image files.

The following is an example of deploying your VM on vSphere from an OVA image. For more details, see Deploying OVF Templates.

If you set your Cortex XSOAR environment as a standalone (single node), you cannot add nodes to it and switch to a cluster. If you deploy three nodes, you can later add nodes and expand the cluster. For more information, see Add or remove nodes in a cluster.

  1. Copy the downloaded image file into your hypervisor.

  2. Wherever the templates are located, right-click one of the templates and select Deploy OVF Template.

    Note

    Although you can create a virtual machine directly from the OVA image file, deploying an OVF template enables creating multiple configured virtual machines from one downloaded OVA instead of downloading the same OVA for each virtual machine, which can be time consuming.

  3. Right-click the template file and select New Virtual Machine.

  4. Follow the wizard instructions to define the virtual machine properties, including:

    1. Select the storage for the virtual machine configuration and disk files.

      • Batch configure or configure per disk.

      • Set the virtual disk format.

      • Set the VM storage policy.

      • Disable storage DRS.

    2. Select Customize this virtual machine's hardware from the clone options and go to the Customize hardware step. This includes CPU, memory, hard disk space, network adapter, and other settings.

      Important

      Every virtual machine is provided with a 256 GB hard disk to run the OS. However, you also need to add an extra hard disk for each virtual machine instance you want to deploy to run the application.

      All virtual machines in a cluster must have the same storage size.

      To ensure successful deployment, make sure the hard disks meet performance requirements detailed in the System requirements.

      1. Select ADD NEW DEVICE → Hard Disk.

      2. Set the disk space for the extra hard disk to 775 GB.

      3. Choose the Thin Provision hard disk type (for SSD).

      4. If the virtual machine is running, reset it.

    3. Click FINISH.

    4. Go to the folder the virtual machine was deployed to and select the virtual machine name you defined.

    5. In the Summary tab Guest OS section, click the console to launch the new virtual machine.

  5. Repeat from Step 3 for each additional virtual machine in the cluster.

  6. Log in to each virtual machine console. When logging in for the first time, enter the default user name admin and password admin and then create a new password.

    Note

    The password must be at least eight characters long and contain at least:

    • One lower case letter

    • One upper case letter

    • One number, or one of the following special characters: !@#%

    The textual UI menu appears with all the configuration and installation options.

You need to configure network and IP settings on each node in a cluster. For a standalone deployment, there is just a single node.

Note

When choosing the network settings, either use private IPs or a public IP covered by an access policy defined in a security group.

  1. In the textual UI menu, select Host Configuration.

  2. Configure the following network and IP settings for each node/virtual machine.

    • Network interface - A list of the available interfaces on the node that the textual UI runs on. For example, ens160.

    • IP address - IP address for this node. After deployment, this field is not editable. For example, 10.196.37.10.

    • Default gateway - IP address of the default gateway for this interface. For example, 10.196.37.1.

    • DNS server 1 - IP address of the DNS server. For example, 10.196.4.10.

    • DNS server 2 (optional) - IP address of a secondary DNS server. For example, 10.196.4.11.

    • NTP - The IP address of the NTP server the node syncs with. By default, the nodes use an out-of-the-box NTP server; you can override the value.

  3. Select Save.

If you want to use a proxy, define the proxy address and port settings. The proxy can be set at any point, during Cortex XSOAR deployment or at a later stage.

  1. From the textual UI menu, select Proxy Configuration.

  2. Configure the following settings.

    • Proxy Address

      Note

      Enter the address as IP:port without an http:// or https:// prefix.

    • Proxy Port

  3. Select Save.

This task is not relevant for a standalone deployment (single node).

The VMs (nodes) in a cluster must be able to connect to each other over SSH. Establish trust between all the nodes in a cluster by declaring one node as the host for a signing server; the other nodes then connect to it using a token that the host displays on screen.

Important

You need to set the host again and reestablish trust between all the nodes if you want to add more nodes to the cluster after completing installation.

  1. In the textual UI menu for the VM you want to be the host, select Connect Nodes.

  2. Select Host.

    A message displays that this action cancels prior trust established with other nodes. Select Yes to continue.

    This node becomes the host, and a token is generated on the screen. Copy the token.

    Note

    Keep this window open until trust is established between all nodes to enable the host to listen for the token from the other nodes.

  3. In the textual UI for each additional node (VM) in the cluster:

    1. Select Connect Nodes.

    2. Select Join.

    3. Paste the Token generated for the host.

    4. Enter the Host IP Address.

    5. Select Submit.

    A message displays that this action cancels prior trust established with other nodes. Select Yes to continue.

  4. Select OK.

  5. After trust is established between all the nodes in the cluster, go back to the host node and close the listening window.

  1. From the textual UI menu, select Cluster Installation.

    The virtual machine you use to run the installer will deploy Cortex XSOAR on all virtual machines in a cluster.

  2. Configure the following settings.

    • Cluster Nodes: A list of IPs of all virtual machines/nodes in the cluster, separated by a space. For example, 10.196.37.10 10.196.37.11 10.196.37.12

    • Cluster FQDN: The Cortex XSOAR environment DNS name. For example, <subdomain>.<domain name>.<top level domain>

      Note

      This name must be registered in your DNS server so that the FQDN resolves to the IP of the node for a single node, or to the IP of the entire cluster if you use the built-in virtual IP feature. If you use your own load balancer, register the FQDN to match the IP of the load balancer.

      Cortex XSOAR supports only static IP addresses for each virtual machine in the cluster; it does not support a DHCP (dynamic IP) network interface.

    • Virtual IP (optional): The Cortex XSOAR environment virtual IP for the multi-node cluster. It must be a different IP than the IPs of the nodes. It is a virtual interface assigned to one of the nodes to provide load balancing to the cluster. For more details, see Load balancing for Cortex XSOAR.

    • Cluster Region: The region the cluster is located in. For example, US.

    • Cortex XSOAR Admin Email, Password, and Confirm Password: These are the credentials for the first user to log in to Cortex XSOAR.

      Note

      The password must be at least eight characters long and contain at least:

      • One lower case letter

      • One upper case letter

      • One number, or one of the following special characters: !@#%

  3. Select Install.

    Verify all nodes meet the required hardware and network requirements, and select Install again.

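The Cluster Installation form has several rules that the text states but the installer only enforces once you select Install: every node IP must be a valid static IPv4 address, the optional virtual IP must differ from every node IP, the FQDN must be a real DNS name, and the admin password must meet the same policy as the console password created at first login (at least eight characters, one lowercase letter, one uppercase letter, and a number or one of !@#%). The following is an added validator that mirrors those rules so you can check the values before typing them into the textual UI; it is not Palo Alto Networks code, and `ClusterForm` and all sample values are constructed for the example. The e-mail check is a minimal sanity check, not the product's own rule.

```python
"""Validate Cluster Installation inputs before selecting Install.

Added example (not Palo Alto Networks code). Mirrors the rules the
documentation states for the Cluster Installation form and the password
policy shared with the console login password.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

SPECIALS = set("!@#%")
# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def password_problems(pw: str) -> List[str]:
    """Return the policy rules the password fails (empty list = compliant)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    # The third rule is a digit OR one of the listed special characters.
    if not any(c.isdigit() or c in SPECIALS for c in pw):
        problems.append("no digit and none of !@#%")
    return problems


def fqdn_problems(name: str) -> List[str]:
    """Check that the cluster FQDN is a well-formed multi-label DNS name."""
    labels = name.strip(".").split(".")
    if len(labels) < 2:
        return ["needs at least <host>.<domain>"]
    bad = [lbl for lbl in labels if not _LABEL.match(lbl)]
    return [f"invalid label(s): {', '.join(bad)}"] if bad else []


@dataclass
class ClusterForm:
    """Constructed mirror of the form fields, as typed into the textual UI."""
    cluster_nodes: str          # space-separated node IPs
    cluster_fqdn: str
    virtual_ip: str = ""        # optional
    admin_email: str = ""
    admin_password: str = ""
    confirm_password: str = ""


def validate_cluster_form(form: ClusterForm) -> List[str]:
    """Return all problems found; an empty list means the form is ready."""
    problems: List[str] = []

    # Cluster Nodes: space-separated static IPv4 addresses, no duplicates.
    nodes: List[ipaddress.IPv4Address] = []
    for tok in form.cluster_nodes.split():
        try:
            nodes.append(ipaddress.IPv4Address(tok))
        except ipaddress.AddressValueError:
            problems.append(f"Cluster Nodes: {tok!r} is not an IPv4 address")
    if not nodes:
        problems.append("Cluster Nodes: no node IPs given")
    elif len(set(nodes)) != len(nodes):
        problems.append("Cluster Nodes: duplicate node IP")

    # Cluster FQDN: well-formed name (DNS registration is checked separately).
    problems += [f"Cluster FQDN: {p}" for p in fqdn_problems(form.cluster_fqdn)]

    # Virtual IP (optional): a valid address that is not one of the node IPs.
    if form.virtual_ip:
        try:
            vip = ipaddress.IPv4Address(form.virtual_ip)
            if vip in nodes:
                problems.append("Virtual IP: must differ from every node IP")
        except ipaddress.AddressValueError:
            problems.append(f"Virtual IP: {form.virtual_ip!r} is not an IPv4 address")

    # Admin credentials: minimal e-mail sanity check, password policy, confirmation.
    email = form.admin_email
    if email.count("@") != 1 or email.startswith("@") or email.endswith("@"):
        problems.append("Admin Email: not an e-mail address")
    problems += [f"Admin Password: {p}" for p in password_problems(form.admin_password)]
    if form.admin_password != form.confirm_password:
        problems.append("Confirm Password: does not match Admin Password")
    return problems
```

Use `password_problems` on its own for the console password at first login, and `validate_cluster_form` for the whole form; when the list comes back empty, the remaining risk is the DNS registration of the FQDN, which this validator does not query.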

After installation completes, verify that you can log in to Cortex XSOAR and upload your license. If you do not upload your license, all pages are disabled.

  1. Log in to Cortex XSOAR.

    When you log in for the first time, use the Admin password and email you set during installation.

  2. Upload your license to Cortex XSOAR.

    For more information, see Add the Cortex XSOAR license.