
Partner Deployment Checklist

Setting up your MSP Portal

Configure report branding with your MSP logo (here)

  • Click on your name in the top right of MSP Portal
  • Choose “Partner Settings”
  • Choose “Branding”
  • Set up the logo, small logo, and URL

Configure notifications for sensors being down

  • Click on your name in the top right of MSP Portal
  • Choose “Partner Settings”
  • Choose “Settings”
  • Enter names of users to receive notifications via email

Configure ConnectWise integration (here)

  • Click on your name in the top right of MSP Portal
  • Choose “Partners”
  • Click on your partner name
  • Choose edit
  • Change the ticketing system to ConnectWise
  • Fill in the settings
  • Click “Check Tickets API” to confirm the settings are working

 Setting up users in the MSP Portal (these are not customer users "contacts")

  • How a Partner Administrator adds other MSP users to the MSP Portal (here)
  • How the MSP user sets up their new MSP Portal account (here)

 

Setting up your customers

Installing customer sensors

  • Hardware

    • Customer Portal process: (here) - MSPs should not use this process, as it requires the MSP to have a unique 'contact' email set up to access the customer portal.
    • MSP Portal hardware setup process:
      • In the MSP Portal, open the sensor details page by going to sensors, clicking “Show inactive sensors”, then clicking the sensor name
      • By this point, if the sensor is communicating out, there should be entries under “Setup History” marked as failed with the reason that there is no pending setup
      • Confirm the IP address it is coming from is the proper external IP
      • Enter the IP address in the “Sensor Setup” box and hit “configure”
      • Once configured, the “Sensor Setup” box will disappear and there will be a green “Configured” label next to “Sensor Setup”
  • Virtual Machine  (here)

    • Converting VM to Hyper-V (here)
    • VMware Workstation/Player - Basic Process:
      • Download VM from the sensor details page in the portal
      • Bridge one interface into the network card that will be the mirror
        • Choose “bridged”
        • Select “configure adapters”
        • Un-check all except the interface that will contain the mirror traffic
      • Uncheck the “Connected” box for the mirror interface
      • Bridge the other (internet) interface into the network card for internet access
        • Choose “bridged”
        • Select “configure adapters”
        • Un-check all except the interface that will contain the internet traffic
        • This ensures that agents can see the sensor when deployed
        • *NOTE* it is possible to use the same interface for both, but this is advised against, especially in high bandwidth networks, as it can rapidly lead to link saturation
    • vSphere/ESXI - Basic Process:
      • Download VM from sensor details page in the portal
      • Import VMware workstation VM into VMware using vSphere client
        • Configure VM with proper CPU/RAM based on network bandwidth
        • 4 cores and 8 Gb RAM up to 100 MB/s
        • 8 Cores and 16 Gb RAM up to 200 MB/s
        • For more than this, contact NetWatcher for deployment advice
      • Change the main disk size to accommodate network bandwidth
        • Slack space (> ~50GB) is used for rolling packet captures
        • These aid in forensics when we need the full session packet capture
        • Rough formula is 30GB per 1 Mb/s in bandwidth * # of days desired (we recommend at least 7)
      • Create a virtual switch to be used for receiving the mirrored traffic
        • In the vSphere client
          • Go to Configuration, [Hardware] Networking, vSphere Standard Switch
          • Choose “Add Networking”
          • Choose “Virtual Machine” as connection type
          • Select only the physical interface that will be used to mirror traffic
      • Enable promiscuous mode for the mirror vSwitch
        • Under properties, choose edit for the vSwitch
        • Go to the security tab
        • Choose “Accept” under Promiscuous mode
      • Connect one interface of the imported VM to the mirror vSwitch
      • Connect the other interface to another, normal, vSwitch for internet
        • Make sure this network is visible outside the virtual network if you intend on deploying NetAgents
      • Uncheck the “Connected” box for the mirror interface
    • Setting up a static IP for the sensor if necessary (here)
      • Log in through console with creds (ask NetWatcher support to provide credentials)
      • Choose option [4] and use the code from “Get one-time pass” on the sensor details page
        • If the sensor has not been set up yet, it can be reached by going to sensors in the MSP Portal and clicking on “Show inactive sensors”
      • Edit the interface for the internet port
        • If unsure, the MAC is printed on the bottom of the device for each port and is shown on the console prompt
        • Enter IP address in <IP>/<MASK> (CIDR) format
        • Enter gateway
        • Enter DNS
      • Hit yes to save; the system will hang for up to 30 seconds and may require a reboot if the change doesn’t show immediately after this
    • Set a static blank IP address on mirror interface if unsure of DHCP settings from this port
      • Log in through console (ask NetWatcher support to provide credentials)
      • Choose option [4] and use the code from “Get one-time pass” on the sensor details page
        • If the sensor has not been set up yet, it can be reached by going to sensors in the MSP Portal and clicking on “Show inactive sensors”
      • Edit the interface for the internet port
        • If unsure, the MAC is printed on the bottom of the device for each port and is shown on the console prompt
        • Leave the IP address blank and hit enter
        • Leave the gateway blank and hit enter
        • Leave the DNS blank and hit enter
      • Hit yes to save and the system will hang for up to 30 seconds
    • Confirm Mirror/SPAN port is working for IDS traffic
      • Configure mirror (refer to device manual)
        • Should be mirroring internet egress traffic at a chokepoint on the inside of a NAT
      • Connect mirror port cable to sensor
      • Confirm the sensor is seeing mirror traffic
        • Go to sensors, click on the sensor name, open “State”
        • Packet Count of the mirror interface should be > 1000 depending on the network bandwidth
        • Maximum value is 10000
        • State updates every 10 minutes; the time of the last update is shown in the heading
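
The vSphere steps above enable promiscuous mode on the mirror vSwitch only and bind it to a single physical interface. The following PowerCLI audit is an added example, not NetWatcher code, that checks a host's standard vSwitches against that layout; it assumes VMware PowerCLI with an existing Connect-VIServer session, and the host and vSwitch names are hypothetical placeholders.

```powershell
# Added example, not NetWatcher code. Assumes VMware PowerCLI and an existing
# Connect-VIServer session. Both names below are hypothetical placeholders.
$EsxiHost     = 'esxi01.example.internal'
$MirrorSwitch = 'vSwitch-Mirror'

$vmhost   = Get-VMHost -Name $EsxiHost -ErrorAction Stop
$switches = @(Get-VirtualSwitch -VMHost $vmhost -Standard)

if ($switches.Name -notcontains $MirrorSwitch) {
    Write-Warning "Mirror vSwitch '$MirrorSwitch' not found on $EsxiHost"
}

$report = foreach ($vs in $switches) {
    $policy   = Get-SecurityPolicy -VirtualSwitch $vs
    $isMirror = $vs.Name -eq $MirrorSwitch
    $uplinks  = @($vs.Nic)

    # Port groups can override the vSwitch policy, so collect explicit overrides.
    $overrides = @(Get-VirtualPortGroup -VirtualSwitch $vs |
        Get-SecurityPolicy |
        Where-Object { -not $_.AllowPromiscuousInherited })

    $issues = @()
    if ($isMirror) {
        # Checklist: promiscuous mode "Accept", one physical mirror interface.
        if (-not $policy.AllowPromiscuous) { $issues += 'promiscuous mode is not set to Accept' }
        if ($uplinks.Count -ne 1)          { $issues += "expected 1 uplink, found $($uplinks.Count)" }
        if ($overrides | Where-Object { -not $_.AllowPromiscuous }) {
            $issues += 'a port group overrides promiscuous mode to Reject'
        }
    } else {
        # Auditor's choice (not a checklist step): flag promiscuous mode anywhere else.
        if ($policy.AllowPromiscuous) { $issues += 'promiscuous mode enabled on a non-mirror vSwitch' }
        if ($overrides | Where-Object { $_.AllowPromiscuous }) {
            $issues += 'a port group enables promiscuous mode'
        }
    }

    [pscustomobject]@{
        Switch      = $vs.Name
        Role        = if ($isMirror) { 'mirror' } else { 'normal' }
        Uplinks     = $uplinks -join ','
        Promiscuous = $policy.AllowPromiscuous
        Issues      = if ($issues) { $issues -join '; ' } else { 'OK' }
    }
}

$report | Format-Table -AutoSize -Wrap
```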

Installing customer NetAgent endpoints

  • Overview (here)
  • Process:
    • Download Customer Specific Installer
      • Go to customer page in portal
      • Click “Download NetAgent” in the top right
      • This installer is specific to each customer
      • It auto updates
      • The executable installs itself on first execution, if not already installed
      • Registers as a service and provides a valid entry in “Add/Remove Programs”
      • Reports asset information and manages other modules
      • Currently supports Windows Vista+; support for Linux and OSX is coming soon
      • Note - The exe is self-contained and checks on start whether it has been run as a service. If it has not, it simply copies itself to its installation directory, installs itself as a service (set to auto), and exits. There is no silent switch, as there is only notification if UAC needs to be bypassed. You can install the agent via GPO; we recommend using the Computer Configuration > Policies > Software Settings > Assigned Applications section. If you run the NetAgent manually you must bypass UAC, as you are using your account credentials. If you run it through GPO it will run under the system account and there will be no popup.
    • Deploy by either manually executing as an admin user or running via GPO/RMM as an admin user unaffected by UAC
    • Confirm that it shows in the portal under “NetAgents”
    • Choose Modules
      • Go to NetAgents
      • Bulk modules can be installed by selecting NetAgents and choosing “Add modules” from the top
      • Individual modules can be added by using the “Modules” area in the right column or by going to the details page
        • HIDS – The Host Intrusion Detection System monitors and analyzes the internals of the computer for security issues. If there is an issue, it is sent to the NetWatcher sensor for additional correlation. OSSEC is installed through this module. This module requires that the agent can connect to a deployed sensor.
        • Logs – The logging module monitors the Windows Event log for issues and, if there are issues, sends them to the NetWatcher sensor for additional correlation. NXLOG is installed through this module. By default, if the agent can connect to a deployed sensor, logs are sent to the sensor for analysis. If the agent is unable to reach a sensor, logs are sent to a cloud deployment.
        • Sensor in the Cloud – Most computers are mobile (laptops), and when they are on premise their traffic to the internet can be analyzed via a local Intrusion Detection System (IDS) located on the NetWatcher on-premise sensor. However, when a user is at home or in a coffee shop using a public WIFI, they are more at risk. The Sensor in the Cloud provides the same deep packet inspection and security analysis that a local sensor would provide, even when the user is offsite.
        • Systray – Some organizations give users the ability to administrate their own computers. If this is the case, a systray icon may need to be deployed to those computers. This module provides that systray to allow the user to start and stop the different modules deployed to the computer.

Configuring logs to be correlated by the sensor (SIEM)

  • Overview (here and here)
  • Process:
    • Allow the asset to send logs to the sensor
      • Go to “Syslog” in the middle pane
      • Choose the “Manual Syslog Assets” tab
      • Choose “Add manual IP for Syslog” in the top right
      • Enter the asset’s IP address
      • Choose the sensor
    • Enable the log rules for the device type
      • Under the sensor details page choose “Syslog Questionnaire”
      • Select all that apply
      • If the device type is not listed fill out “Request additional option”
    • Ensure syslog collection is enabled for the sensor
      • On the sensor details page make sure the Syslog enabled checkbox is checked
      • Make sure it says “Syslog is Active” in the blue area

Setting up vulnerability scanning

  • Overview (here)
  • Process:
    • Ensure OpenVas is enabled for the sensor
      • On the sensor details page make sure the OpenVas enabled checkbox is checked
      • Make sure it says “OpenVas is Active” in the blue area
    • Create any credentials (recommended)
      • Go to vulnerabilities and click on the “Credentials” tab
      • Choose “Create new”
      • Choose the type and fill in the details
      • Repeat for all credentials
      • We recommend creating separate, non-privileged, accounts for scanning that just allow access to the assets so that they can be checked locally
    • Create a weekly Full and Fast scan job (recommended)
      • Go to vulnerabilities and click on the “Scan Jobs” tab
      • Click the “Create new” button
      • Enter a name
      • Choose the customer
      • Choose the sensor
      • Choose the credentials
      • Choose Full and fast for the scan config
        • Ultimate scans enable checks that may cause issues with some devices and are only recommended for scanning specific assets if you have a reason to do so
        • Deep scans will take a very long time and are not recommended as a routine scan unless you can set aside days for the scan to complete
      • Un-check “Scan now”
      • Enter a periodic schedule
      • Check “Auto Generate Report” and enter an email to receive a link to the report when done
      • Choose the networks tab
      • Select the top level “Networks Item”
        • This will ensure the scan is against any assets we have detected up to this point
      • Hit Create

Set up reports for your customer

  • Overview (here)
  • Process:
    • Go to “Create Customer Report” in the middle pane
    • Choose the customer
    • Choose “Situational Awareness”
    • Choose the date range you would like this to encompass
      • Period will be repeated when you add to recurring
      • Choose what would be the complete range for the end of the last period
    • Choose “Add to Recurring”
    • Enter tech contact or catch all address for “Send To”
      • This address will get notified when the report is ready
      • We do not email the report to keep the details private
      • Due to this you should not enter the customer email unless they have portal access
        • In this case you would just add them as a contact and choose their contact here
    • Enter a report name such as “Weekly Situational Awareness”
    • Choose a period and start date
    • *NOTE*: The report will be branded with your branding, but you will need to download it and send it to the customer. If you have some storage method set up, we can integrate with it to automatically push to your storage. Other reports can be configured the same way. If we do not have a kind of report you desire, let us know and we will work with you to get it in.

 

 
