Virtual Appliance Overview

Virtual Appliance Overview

A Virtual Appliance (VA) can be configured to run on VMware ESX, Microsoft Hyper-V, Linux KVM, and AWS AMI. The VA can be deployed as a Log Parser, Secure Forwarder, or a proxy server.

Log uploads provide a quick and easy way to discover cloud apps in your environment and provide a baseline assessment of the risk to using these cloud apps.

You can upload the log files from your enterprise web proxy, next generation firewalls, and other devices to the tenant instance in the Netskope cloud. Netskope Risk Insights can parse these logs to provide insight into the cloud apps being used.

The On-Premises Log Parser (OPLP) Virtual Appliance (VA) can be deployed onsite so you can upload log files. All log processing happens locally, and only the extracted events are sent to your tenant instance in the Netskope cloud.

Note

This document is dedicated to the hybrid data plane on-premises management in the cloud deployment mode; there’s a separate guide if you are managing appliances on-premises.

The target audience for this document includes IT administrators and security specialists.

Benefits of the OPLP include:

  • Local log parsing before sending extracted events to the tenant instance
  • Obfuscation of sensitive information before sending it to the tenant instance

You can upload logs to the OPLP in two ways.

  • Upload logs through SFTP or SCP to the VA.
  • Configure the OPLP VA as a syslog server to stream syslog messages directly from the firewall or proxy server.

Prerequisites

We do not recommend deploying both the Log Parser and Secure Forwarder on the same VA for performance reasons. For installation instructions on deploying the Secure Forwarder, go to Settings > Security Cloud Platform > On-Premises Infrastructure and click Installation Instructions.

  • If you haven’t already, download a virtual appliance (VA) package. Go to Settings > Security Cloud Platform > On-Premises Infrastructure and click one of the VA buttons to download it. Downloading the VA zip file requires 7 GB of free space, plus you must unzip the file using 7zip. Using another tool creates a false error saying 789 PB of space is required.
  • The downloaded VA has a starting point requirement of 8 CORES, 32 GB RAM and 400 GB disk space. Requirements vary depending on the amount of logs that needs to be processed per day. Refer to the OPLP Sizing Guide for more information.
  • The OPLP VA requires certain ports to be open; refer to the Outbound Ports and Inbound Ports sections below for more details.

Supported Log Formats

Netskope currently supports the following log formats:

DeviceLog Format
CiscoASAasa,asasyslog
BroIDSbroids
Check Pointchkp
Cisco Catalystciscofwsmsyslog
Cisco IronPortciscowsa, ciscowsasyslog
Fortinetfortigate
Bluecoat logs sent to Greenplum logservergreenplumbluecoat
MicrosoftISAisasplunk
Juniper SRXjunipersrxstructuredsyslog, junipersrxunstructuredsyslog
Mcafee Web GWmcafee
Juniper Netscreennetscreentraffic
Palo Alto Networkspanw,panwsyslog
Blue Coatproxysg, proxysghttpmain
Blue Coat logs exported in Websense formatproxysgwebsense
Cisco ScanSafescansafe
Sensage SIEMsensage
Sonicwallsonicwallsyslog
Squid Proxy           squid
Sophos Web Gatewaysophos
Symantec Web SecuritySymantecwebsecurity
Trustwavetrustwave
Websensewebsense
Zscalerzscaler

Netskope log based discovery requires the destination URL in addition to the destination IP address to accurately identify and map cloud apps. Since most service providers use netblocks to host their services, a destination IP address can be shared by multiple services and therefore, the destination IP address alone does not provide sufficient information required to identify the cloud app.

Netskope recommends either turning on SSL decryption on your firewall or proxy server to capture the destination URLs in the logs so that Netskope can more accurately determine the cloud app service in use, or steering user traffic through Netskope cloud for the most accurate understanding of apps, tenants, and activities.

Log Requirements

  • The log file must have the extension .csv, .cef(*), .leef(*), or .log, like 20160301.log.
  • You can compress the logs before uploading. Bzip, zip and gzip are currently supported.
  • Each compressed file can contain only one single log file. 
  • Make sure to upload the log to the correct log folder. For example, for checkpoint logs, use the upload/chkp folder, and for Blue Coat Proxy logs use upload/proxysghttpmain folder, and so on.

Please reach out to your SE to learn if there are any new log formats that are not listed.

Supported Character Encoding

Netskope supports ASCII and UTF-8 character encoding formats.

Outbound Ports

Use these ports for management connectivity and log uploads.

For management connectivity:

DomainDescriptionPort
config-<tenant-URL>Use for configuration updates. The domain needs to be SSL allowlisted if you have SSL decryption enabled.443
download-<tenant-URL>Use for software upgrades. 443
messenger-<tenant-URL>Use for reporting and status updates in the UI. The domain needs to be SSL allowlisted if you have SSL decryption enabled.443
callhome-<tenant-URL> Use for receiving metrics from on-premises appliances and forwarding them to cloud tenants, as well as receiving event data from an on-premises dataplane appliances. Also for receiving custom user attributes from user endpoints. The domain needs to be SSL allowlisted if you have SSL decryption enabled.443

For log uploads:

DomainDescriptionPort
upload-<tenant-URL>Use for sending logs to the Netskope cloud with SFTP. This is the default port for log uploads.22
logupload-<tenant-URL>Use for sending logs to the Netskope cloud with HTTPS. This port is enabled by default. 443
<tenant-URL> Use for fetching the REST API token with HTTPS. 443

Inbound Ports

ServiceDescriptionPort
SyslogUse for receiving syslog traffic.514
AD ConnectorUse for getting IP-to-user mapping with the Netskope AD connector.4400
SFTP and SCPUse for management connectivity and log uploads to the log parser appliance.22
FTPSUse for management connectivity and log uploads to the log parser appliance.21 (using explicit SSL)

Note

Netskope does not support implicit ssl over port 990.

OPLP Sizing Guide

To ensure you have enough processing power for the amount of logs being processed, review these guidelines. Keep in mind these guidelines are for predefined parsers; core and RAM requirements for custom parsers vary depending on the complexity of the logs.

Expected Log TrafficCores RequiredRAM RequiredDisk Space Required
Approximately 72 GB per day or 3 GB per hour832 GB400 GB
Approximately 144 GB per day or 6 GB per hour1664 GB600 GB
Approximately 216 GB per day or 8 GB per hour2496 GB900 GB

Netskope recommends the following when deploying an OPLP appliance for the first time.

  1. Deploy the VA to the default disk storage without adding additional storage.
  2. Create a new disk such as vmdk, vhdx, as appropriate for your hypervisor.
  3. Add a new disk to the appliance.
  4. Run the following commands to increase the root or log partition.
    troubleshooting expand-partition root
    OR
    troubleshooting expand-partition log

    For information about increasing partition size, refer to Increase the size of the partition.

Understanding the Software Installation, Migration, and Upgrade

The flow chart describes the process you can follow to install, migrate, or upgrade the virtual appliance. For the detailed installation, migration, and upgrade procedures, refer to the following topics:

Appliance-Migration-Upgrade.png
Share this Doc

Virtual Appliance Overview

Or copy link

In this topic ...