Cloud Exchange FAQs
Cloud Exchange FAQs
Review these sections for Cloud Exchange FAQ information.
Review these sections for Cloud Exchange FAQ information.
General
The following versions of Cloud Exchange are supported:
Yes, you can. However, after adding the proxy in the UI, you need to run the ./setup script.
No, Cloud Exchange does not support reverting to a previous version.
Starting from v5.0.1, Cloud Exchange is built on top of an NS PSIRT-hardened/reviewed Ubuntu OS and therefore does not receive notifications for OS updates. The underlying OS for Cloud Exchange as a VM will be updated to the latest version, hardened, and reviewed by NS PSIRT, with every new release.
Installation
The JWT Token secures communication between the UI and Core containers, while the Analytics Token is used to exchange analytics results with Netskope. The JWT Token is added during Cloud Exchange configuration, and the Analytics Token is hardcoded into the docker-compose.yml file.
AVX stands for Advanced Vector Extensions. Yes, AVX support is required for your machine when deploying Cloud Exchange.
Follow these steps to configure the proxy:
Cloud Exchange v4.0.x and older versions support the x86 architecture. Machines with x86 architecture and AVX support are recommended. Further details and system requirements can be found in the Cloud Exchange System Requirements article.
You can update proxy details by executing the setup script on the machine where CE is deployed. You can also update proxy details from the Cloud Exchange UI, but make sure to run the setup script afterward to apply the changes on the machine.
Follow these steps to regenerate self-signed certificates:
Cloud Exchange uses user ID 1001 for its internal worker processes to enhance security. This ensures the least privilege, improved resource management, and a more secure containerized environment. This process is automatic, so manual intervention is not required.
You will see this warning in Cloud Exchange when the v2 token expires.
Follow these steps to change the expiration and reissue the v2 token:
HA Deployment/General
Yes, High Availability (HA) works with standalone deployments on Linux machines running Ubuntu or RHEL, as well as with Cloud Exchange deployed as a virtual machine.
Cloud Exchange HA supports instances running across multiple data centers.
High Availability (HA) Setup Guide for Cloud Exchange on Linux Nodes with Azure Blob Storage
This section explains how to configure a High Availability (HA) environment for Cloud Exchange on Linux nodes using Azure Blob Storage as the NFS (Network File System) for shared storage.
Cloud Exchange System Requirements are present at:
/home/root/
/var/lib
for container storages.4369 | RabbitMQ Communication Port |
5672 | AMQP Communication PORT |
15672 | RABBITMQ Administration Console |
25672 | RabbitMQ Internal Port |
35672 | Used FOR CLI Communications |
27017 | MongoDB Port |
443 | Service Health Check |
sudo df -h
sudo free -h
sudo nproc
sudo yum install -y git curl zip
sudo yum install -y nfs-utils
sudo yum install -y python3 python3-pip python3-devel
sudo yum module enable -y container-tools:rhel8
sudo yum module install -y container-tools:rhel8
sudo yum install -y podman-plugins
sudo pip3 install podman-compose
sudo chmod +x /usr/local/bin/podman-compose
sudo ln -s /usr/local/bin/podman-compose /usr/bin/podman-compose
podman-compose —-version
podman –-version
pip3 install "pyyaml>=6.0.0"
pip3 install "python-dotenv>=0.20.0,<=1.0.0"
pip3 install "pymongo>=4.1.1,<=4.3.3
sudo mkdir -p <mount_path>
/etc/fstab
file and mentioned mounted configuration as mentioned below:cestorageha.file.core.windows.net:/cestorageha/shared-storage-nfs /mount/cestorageha/shared-storage-nfs nfs default 0 0
cestorageha.file.core.windows.net:/cestorageha/shared-storage-nfs
will be the source NFS directory present at the Azure Blob Storage NFS File share which will be obtained from sample command presents at Home > Respective Storage account > File shares > Newly created NFS File share > Overview./mount/cestorageha/shared-storage-nfs
will be the mount path and created directory.sudo mount -a
On each node, download the Cloud Exchange installation package using this command:
git clone https://github.com/netskopeoss/ta_cloud_exchange
Go to the Cloud Exchange directory. On the primary node, run the setup script with this command:
sudo ./setup
On each secondary node, go to the Cloud Exchange directory. Run the setup script using the following command, replacing <mounting_dir>
with the path to your NFS mounting directory:
sudo ./setup --location <mounting_dir>
$ vi podman-compose-ha.yml
ITERATOR_EVENT_NETWORK=stream_network_events_rollsroyce
podman-compose-ha.yml
file.$ vi podman-compose-ha.yml
index.docker.io/crestsystems/cloudexchange:rabbitmq-5.0.1-csv-hotfixx
index.docker.io/crestsystems/cloudexchange:mongo-5.0.1-csv-hotfix
.env
file:$ vi config/.env
CORE_TAG=crestsystems/cloudexchange:core-5.0.1-csv-hotfix
UI_TAG=crestsystems/cloudexchange:ui-5.0.1-csv-hotfix
podman-compose-ha.yml
On each node, create a backup of the podman-compose-ha.yml
file:
$ cp podman-compose-ha.yml podman-compose-ha.yml.backup
$ sudo ./start
After you receive the Migration completed message in the primary node, then execute the start script in the remaining nodes.
$ sudo ./start
Cloud Exchange as a VM (Virtual Machine)
VMWare (OVA), Google Cloud Platform (OVA), AWS (AMI), Azure (VHDX)
Users do not get the root access in the OVA. This is the only limitation.
To enhance security and prevent accidental alterations, starting from version 5.0.1, we have adopted a more restrictive approach. The cteadmin user now has limited privileges tailored specifically for managing Cloud Exchange. These privileges are designed to ensure a smooth operation while minimizing the risk of inadvertent modifications.
The sudo privileges are now restricted to essential commands required for Cloud Exchange management within the VM (OVA):
If the DHCP server is disabled, the following commands are permitted:
sudo systemctl restart systemd-networkd
sudo netplan apply
For setting up Cloud Exchange, as well as starting, stopping, and diagnosing Cloud Exchange containers or collecting logs, the following commands are allowed:
sudo ./setup
sudo ./start
sudo ./stop
sudo ./diagnose
By limiting privileges to these specific commands, we ensure that cteadmin users can perform necessary tasks related to Cloud Exchange management without risking unintended changes that could disrupt operations. This focused approach enhances security and stability within the Cloud Exchange environment.
In order to reboot or shutdown the Cloud Exchange (OVA) machine, you can utilize the Actions provided in the VMware vSphere Client.
In order to upgrade to the latest version of Cloud Exchange, you would have to set up a new Cloud Exchange instance (OVA VM) using the latest OVA file, mentioned in the documentation here.
Cloud Exchange Platform Logs Error Notification Setup for Slack
This section is designed to guide you through the process of setting up notifications in Slack for Cloud Exchange errors. This will allow customers to be promptly informed about any critical issues or errors encountered during the Cloud Exchange operations. Follow the steps below to configure notifications for various Cloud Exchange modules, ensuring you get notified whenever an error occurs.
To keep customers informed of critical errors in Cloud Exchange, we have implemented a Slack notifier plugin. This allows you to receive real-time alerts directly to your Slack channel whenever an error occurs in any of the Cloud Exchange modules. By setting up business rules tailored to specific modules, you can ensure that only relevant errors trigger notifications, making it easier to monitor and address issues quickly.
If you are freshly installing the plugin, configure the Slack Notifier Plugin by following the steps outlined in the Notifier Plugin for Ticket Orchestrator document. Once done, refer to this document to configure the business rules. If you have already configured Notifier, you can directly follow this document to edit the existing business rules. Below is how to configure the business rule for each Cloud Exchange module:
This section covers general Cloud Exchange Platform errors that are not tied to any specific module. These errors may include system-wide issues.
Steps to Configure the Business Rule
This section covers errors specific to the Log Shipper module in the Cloud Exchange environment. Any errors generated related to this module will trigger a notification to Slack.
Steps to Configure the Business Rule
This section covers errors specific to the Ticket Orchestrator Module in the Cloud Exchange environment. Any errors generated related to this module will trigger a notification to Slack.
Steps to Configure the Business Rule
This section focuses on the Threat Exchange module, which manages threat intelligence sharing across the Cloud Exchange platform. Errors in this module will trigger notifications to keep you informed about security-related issues.
Steps to Configure the Business Rule
This section covers errors specific to the Risk Exchange module in the Cloud Exchange environment. Any errors generated related to this module will trigger a notification to Slack.
Steps to Configure the Business Rule
Queue configuration is a crucial step where you can map the appropriate fields.
Map Fields: In this section, you can map values between alerts and notifications. Alert attributes can be accessed using the “$” symbol in the custom message field.
For example, in the screenshots below, we have mapped the values $errorCode, $alertType, and $message. As a result, when you receive the notification in Slack, it will display the information as specified here.
Map fields in queue configuration.
For example, we attempt to save the plugin while leaving the Event Types and Alert Types fields empty, it will result in an error. This error will trigger a notification on Slack.
Verified that error generated for CLS module.
Notification generated on slack.
Here are links to sections that provide detailed descriptions of various Cloud Exchange Error Codes. These sections cover specific error codes related to different modules within the Cloud Exchange platform, offering in-depth explanations of each error type, and its causes.
Log Shipper
Netskope tenants only store the three months of alerts in the database.
You can use historical pulling to retrieve the old logs from the Netskope tenant.
Go to Log Shipper > SIEM Mappings.
You just need to restart Cloud Exchange to stop the historical pulling.
No, the historical pulling of WebTx logs is not possible. Note that Web Transaction events are stored in Google PubSubLite by Netskope ingestion services, and Google PubSub retains the data of the last 7 days (1 week) only. Here is some documentation with the details: https://docs.netskope.com/en/netskope-transaction-events/#query-transaction-events-metrics.
You then receive this data at your preferred destination using a subscriber such as Cloud Exchange. Therefore, no, the historical pulling of WebTx logs for a specified time range is not possible.
Here is the list of Alerts and Events that could be fetched from the Netskope tenant using Cloud Exchange:
Threat Exchange
You can find the indicators on the Threat IoCs page.
You can use the below query to find the source.
[sources.source Like "plugin name"]
You can create tags on the Manage Tags page.
Both, the REST API V1 and REST API V2 are required for the Threat Exchange module.
In Threat Exchange, go to Business Rules, expand the Business Rule, and click the + icon.
No, Cloud Exchange only fetches IoCs from the Netskope tenant from Skope IT Malware and Malsite Alerts. On the Alerts page, click Add Filter, and for Alert Type, select Malsite and Malware, and then click Apply.
Aging Criteria showcases the time range of how long Cloud Exchange keep any indicator as active after it was deleted from the source platform. Default is 90 days.
Ticket Orchestrator
No, the Ticket Orchestrator module fetches only alerts from Netskope tenants, and then creates a ticket accordingly for them per the configuration.
You can create a deduplication rule to avoid duplicate tickets. For details go here.
The default retention period is 7 days, but you can modify it at Settings > Ticket Orchestrator.
Risk Exchange (v2)
Cloud Exchange pulls the user and host score from Skope IT UBA Alerts. On the Alerts page, click Add Filter, and for Alert Type, select UBA, and then click Apply.
Yes, an Advanced UEBA license is required for fetching user scores for Risk Exchange.