Deployment guide
Deployment preparation,
installation and configuration of
the Vectra X-series appliance
Traffic requirements
The Vectra® X-series appliance automatically detects threats in real time by passively monitoring network traffic. It is deployed by connecting to a port on the core network switch configured as a Switch Port Analyzer (SPAN) port or to a network Test Access Port (TAP).
Since most threats originate from a compromised host within an enterprise network, the X-series must see bidirectional traffic flows for accurate threat detection. The table below outlines the types of network traffic that enable the X-series to detect phases of an attack in progress.

Traffic type                    Purpose
User to Internet                Detect C&C connections, botnet monetization, click fraud, data exfiltration
User to data center             Detect reconnaissance, data acquisition, data exfiltration
User to user                    Detect reconnaissance, lateral movement, data acquisition, data exfiltration
User to authentication servers  Detect brute force login attempts, lateral movement; also used for host identification
DHCP                            Identify hosts

Network deployment
Network placement of the Vectra X-series is critical to ensure it detects all phases of an attack. Different segments of the network provide access to different types of data traffic. The X-series should be deployed on the internal side of the network, behind the firewall and proxy at the core or aggregation layer switch. This placement enables the X-series to monitor traffic to the internet, internal traffic that crosses the switch and traffic to the data center. The network topology below shows a sample deployment of the X-series.

[Figure: sample deployment topology. Internet, WAN router, core switch, access layer switches and data center, with the direction of traffic flow seen by the Vectra X-series marked at the core switch.]

Network deployment  Traffic visibility
Core switch         • User-to-Internet traffic
                    • User-to-user traffic crossing the switch
                    • User-to-server traffic
Access switch       • User-to-Internet traffic
                    • User-to-user traffic within the switch
                    • User-to-server traffic

Initial configuration
Before you begin, obtain the following configuration parameters:
• IP address, network mask and default gateway for the Vectra X-series management interface
• DNS server address
• NTP server hostname or IP address
• SMTP server hostname or IP address (optional)
• Syslog server hostname or IP address (optional)
• Any public IP address within your organization to be monitored (optional)
Connectivity requirements
The table below outlines the connectivity needed by the Vectra X-series. You may require modification of firewall rules to allow access to these services from the Vectra X-series appliance.

Source IP address  Destination host                             Comment
MGT1 IP address    update2.vectranetworks.com: 443              SSL access to Vectra cloud update (required)
MGT1 IP address    api.vectranetworks.com: 443                  SSL access to Vectra cloud service (required)
MGT1 IP address    vpn.vectranetworks.com UDP: 9970, TCP: 443   OpenVPN tunnel to the Vectra support operations (required)
MGT1 IP address    DNS server                                   Domain name resolution (required)
MGT1 IP address    NTP server                                   Setting time (required)
MGT1 IP address    Syslog server                                Syslog messages (required)
MGT1 IP address    Email server                                 Email notifications (optional)

The Vectra X-series initial configuration requires both CLI and HTTPS UI access to the X-series.
1) CLI access is required for setting the IP address, network mask and default gateway.
2) UI access is required for setting DNS, NTP server settings and other optional settings such as notifications.

The table below lists the default admin credentials required to access the X-series.

For releases <= 4.13:
Username/password           Purpose
vectra/youshouldchangethis  Default user credentials used for CLI access
admin/youshouldchangethis   Default user credentials used for UI access

For releases >= 4.14:
Username/password           Purpose
vectra/changethispassword   Default user credentials used for CLI access
admin/changethispassword    Default user credentials used for UI access

Connecting to the CLI
The two onboard Ethernet ports on the Vectra X-series are labeled LAN1 and LAN2. LAN1 corresponds to MGT1 and LAN2 corresponds to MGT2.

[Figure: rear panel of the Vectra X-series appliance showing the IPMI, GIGABIT ETHERNET 1-4, USB1, USB2, LAN1, LAN2 and VGA ports.]

Connection Method 1: Using monitor and keyboard
• Connect a monitor and keyboard to the VGA and USB ports on the rear of the Vectra X-series appliance.
• Use the default user credentials used for CLI access.

Connection Method 2: SSH access to the LAN2 port
• Connect a computer to port LAN2 via an Ethernet cable. The LAN2 interface has a default IP address of 169.254.0.10 and subnet mask 255.255.0.0.
• Set the management host IP address to 169.254.0.11 with subnet mask of 255.255.0.0, and initiate the SSH connection to the X-series.
  » ssh [email protected]
• Use the default user credentials for CLI access.

You can complete the initial configuration by accessing the UI via the LAN2 interface at https://169.254.0.10. Refer to the section Connecting to the User Interface on Page 4 for configuration steps.

The table below lists the commands required for initial configuration:

Command                                                                    Purpose
set password                                                               Change the default CLI access password
set interface mgt1 <dhcp | static> [ ip <ip> netmask <netmask> gw <gateway> ]   Set the MGT1 interface network settings
show interface mgt1                                                        Display interface network settings
exit                                                                       Exit CLI
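The firewall rules implied by the connectivity requirements table are easiest to verify before the appliance is racked. The following Python script is an added example for that purpose; it is not part of this guide and not Vectra software. It resolves each destination from the table and completes a TCP handshake where the service is TCP. The site-specific servers (DNS, NTP, syslog, SMTP) are placeholders to be replaced per site, and their ports are the standard defaults; both are assumptions. UDP services (the OpenVPN 9970 path, DNS, NTP, syslog) cannot be proven reachable with a connect(), so for those the script only confirms name resolution and says so. Run it from a host on the same management network the MGT1 interface will use.

```python
"""Pre-deployment connectivity check for the Vectra X-series management network.
Added example, not Vectra's own tooling. Destinations come from the guide's
connectivity requirements table; site-specific entries are placeholders."""
import socket
from typing import Callable, Optional

# Rows from the connectivity requirements table. Placeholder hosts and the
# standard default ports for DNS/NTP/syslog/SMTP are assumptions to adjust per site.
REQUIREMENTS = [
    {"host": "update2.vectranetworks.com", "port": 443, "proto": "tcp", "required": True},
    {"host": "api.vectranetworks.com", "port": 443, "proto": "tcp", "required": True},
    {"host": "vpn.vectranetworks.com", "port": 443, "proto": "tcp", "required": True},
    {"host": "vpn.vectranetworks.com", "port": 9970, "proto": "udp", "required": True},
    {"host": "DNS_SERVER_PLACEHOLDER", "port": 53, "proto": "udp", "required": True},
    {"host": "NTP_SERVER_PLACEHOLDER", "port": 123, "proto": "udp", "required": True},
    {"host": "SYSLOG_SERVER_PLACEHOLDER", "port": 514, "proto": "udp", "required": True},
    {"host": "SMTP_SERVER_PLACEHOLDER", "port": 25, "proto": "tcp", "required": False},
]

Resolver = Callable[[str], Optional[str]]
Connector = Callable[[str, int], bool]


def resolve(host: str) -> Optional[str]:
    """Return the first address the resolver gives for host, or None if it does not resolve."""
    try:
        return socket.getaddrinfo(host, None)[0][4][0]
    except socket.gaierror:
        return None


def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_requirement(req: dict, resolver: Resolver = resolve,
                      connector: Connector = tcp_connect) -> dict:
    """Classify one table row as ok / tcp-fail / dns-fail / resolved-udp-unverified."""
    ip = resolver(req["host"])
    if ip is None:
        return {**req, "ip": None, "status": "dns-fail"}
    if req["proto"] != "tcp":
        # A connect() cannot prove a UDP path; name resolution is all that can be asserted here.
        return {**req, "ip": ip, "status": "resolved-udp-unverified"}
    return {**req, "ip": ip, "status": "ok" if connector(ip, req["port"]) else "tcp-fail"}


def run_checks(reqs=REQUIREMENTS, resolver: Resolver = resolve,
               connector: Connector = tcp_connect) -> list:
    return [check_requirement(r, resolver, connector) for r in reqs]


def blocking_failures(results: list) -> list:
    """Required rows whose check failed outright; these need firewall work before deployment."""
    return [r for r in results if r["required"] and r["status"] in ("dns-fail", "tcp-fail")]


if __name__ == "__main__":
    results = run_checks()
    for r in results:
        print(f"{r['host']}:{r['port']}/{r['proto']} -> {r['status']} ({r['ip']})")
    print(f"{len(blocking_failures(results))} required destination(s) blocked")
```

The resolver and connector are injectable so the logic can be exercised without network access; in production the defaults use the host's own DNS and a short connect timeout. A row reported as resolved-udp-unverified still needs to be confirmed against the firewall policy by hand.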
Vectra Networks Deployment Guide 2
Changing the default CLI access password
> set password
(current) password: *******************
Enter new password: **********
Retype new password: **********

Passwords must be at least eight characters long and contain at least:
1) one digit (0-9)
2) one upper case letter (A-Z)
3) one lower case letter (a-z)
4) one symbol (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)

Setting the MGT1 IP address
> set interface mgt1 static ip 192.168.254.209 netmask 255.255.255.0 gw 192.168.254.254

Verifying the interface configuration
> show interface mgt1
mgt1 :
dhcp :
ip : 192.168.254.209
netmask : 255.255.255.0
gw : 192.168.254.254

Connecting to the user interface
From a computer attached to the network, connect to the MGT1 interface of the Vectra X-series appliance with a standard web browser (e.g., Firefox, Chrome, Safari, IE version 9 or newer).
1) Enter https://[IP address for MGT1] into the address line of the browser (e.g., https://192.168.254.209).
2) Log in with the default username and password specified on page 2.
3) Navigate to the settings icon (a gear icon in the upper right corner) and click on Settings.
4) Change the password for the admin user. You can also create additional admin user accounts from the users page.
5) Configure the system settings:
• DNS server IP address. The system default is the Google domain name service.
• NTP server IP address or hostname. The system default is set to the Ubuntu network time protocol servers.
• Custom e-mail alerts to selected recipients for high-severity threats (optional).
• Syslog integration for detected threats and their contextual information (optional).
• Click on Apply Changes at the bottom of the page to apply the changes.

Best practices for configuring SPAN
SPAN enables a switch to copy traffic from a port or a VLAN to another port for network monitoring. While the syntax for configuring switches will differ from vendor to vendor, best practices and deployment considerations for SPAN and TAP ports are consistent.
• When planning a port mirroring strategy, consider that many switch vendors have a limit of two SPAN ports per switch.
• It is easy to oversubscribe SPAN ports, resulting in dropped packets. Use of a TAP may be preferred.
• If only one port is to be mirrored, capture both RX and TX to ensure monitoring of bidirectional traffic.
• If all ports are to be mirrored, capture either RX or TX to prevent duplicating traffic and to reduce the load on the switch.
• If one or more VLANs are to be mirrored, capture either RX or TX to prevent duplicating traffic and to reduce the load on the switch.
• If multiple ports are to be mirrored, capture both RX and TX with filters to prevent duplication of traffic. Consider using VLANs if the traffic from the monitored ports can be isolated.
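The password rules above are simple enough to check before typing a new password into the set password prompt, which avoids a rejected attempt leaving the factory default in place. The following Python function is an added example, not part of this guide or of the appliance; it implements the four character-class rules and the eight-character minimum exactly as stated, using the symbol set the guide lists, and additionally refuses the two factory default passwords printed in the credentials tables on page 2.

```python
"""Local pre-check of a candidate CLI password against the X-series rules.
Added example, not Vectra code; the rules are those printed in the guide."""
import getpass
import string

DIGITS = set(string.digits)
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
# Symbol set exactly as listed in the guide's rule 4.
SYMBOLS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")
# Factory defaults from the credentials tables; a "new" password must not be one of them.
DEFAULT_PASSWORDS = {"youshouldchangethis", "changethispassword"}


def password_problems(pw: str) -> list:
    """Return the list of rule violations for pw; an empty list means it passes."""
    chars = set(pw)
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not chars & DIGITS:
        problems.append("no digit (0-9)")
    if not chars & UPPER:
        problems.append("no upper case letter (A-Z)")
    if not chars & LOWER:
        problems.append("no lower case letter (a-z)")
    if not chars & SYMBOLS:
        problems.append("no symbol")
    if pw in DEFAULT_PASSWORDS:
        problems.append("is a factory default password")
    return problems


def is_acceptable(pw: str) -> bool:
    return not password_problems(pw)


if __name__ == "__main__":
    # Read without echo so the candidate never lands in shell history or a terminal log.
    candidate = getpass.getpass("Candidate password: ")
    for p in password_problems(candidate):
        print("rejected:", p)
    print("ok" if is_acceptable(candidate) else "does not meet the rules")
```

Only the classes the guide names are checked; the appliance may apply further rules, so a pass here is a necessary rather than sufficient condition.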
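The SPAN rules above can be turned into a small planning check that flags oversubscription and duplicate capture before the switch is configured. The following Python module is an added example, not part of this guide and not a vendor tool; it models each mirror source as a port or VLAN with a line rate and a capture direction, assumes that both directions of a port can each run at line rate (so "both" doubles the worst-case mirrored volume), and treats the two-SPAN-session limit as a parameter because it varies by vendor. The example generalizes the guide's bullets to any mix of ports and VLANs.

```python
"""Sanity check for a SPAN/port-mirroring plan against the guide's best practices.
Added example, not Vectra or switch-vendor code. Speeds are in Gbps."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class MirrorSource:
    name: str
    kind: str           # "port" or "vlan"
    speed_gbps: float   # line rate of the port, or expected aggregate rate for a VLAN
    direction: str      # "rx", "tx" or "both"
    filtered: bool = False  # switch-side filter that drops flows already mirrored elsewhere


def plan_warnings(sources: List[MirrorSource], dest_speed_gbps: float,
                  span_sessions: int = 1, vendor_session_limit: int = 2) -> Tuple[list, float]:
    """Return (warnings, worst-case oversubscription ratio) for a mirroring plan."""
    warnings = []
    # Worst case: each captured direction can carry line rate, so "both" counts twice.
    load = sum(s.speed_gbps * (2 if s.direction == "both" else 1) for s in sources)
    ratio = load / dest_speed_gbps
    if ratio > 1:
        warnings.append(f"oversubscribed: up to {load:g} Gbps mirrored into a "
                        f"{dest_speed_gbps:g} Gbps port ({ratio:.1f}x); expect drops, consider a TAP")
    if span_sessions > vendor_session_limit:
        warnings.append(f"{span_sessions} SPAN sessions exceed the vendor limit of {vendor_session_limit}")
    ports = [s for s in sources if s.kind == "port"]
    if len(ports) == 1 and ports[0].direction != "both":
        warnings.append(f"{ports[0].name}: a single mirrored port should capture both RX and TX")
    if len(ports) > 1 and any(p.direction == "both" and not p.filtered for p in ports):
        warnings.append("multiple ports mirrored with both RX and TX and no filters: "
                        "traffic between them is copied twice")
    for s in sources:
        if s.kind == "vlan" and s.direction == "both":
            warnings.append(f"{s.name}: mirror RX or TX only; both copies every intra-VLAN frame twice")
    return warnings, ratio


if __name__ == "__main__":
    # Constructed plan: eight 1 Gbps access ports mirrored in both directions into a 10 Gbps SPAN port.
    plan = [MirrorSource(f"Gi1/0/{i}", "port", 1.0, "both") for i in range(1, 9)]
    for w in plan_warnings(plan, dest_speed_gbps=10.0)[0]:
        print("warning:", w)
```

A ratio at or below 1 means the destination port cannot be saturated even if every mirrored link runs flat out; real traffic is usually far lower, so a plan slightly above 1 may be acceptable where drops are tolerable, but the guide's preference for a TAP applies once the ratio climbs.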
Vectra Networks Deployment Guide 3
Automated backup
The Vectra X-series appliance supports automated backup, wherein a backup archive is created and transferred to an external server. This can be configured using the CLI.
The archives capture all known host objects, detection objects (including their PCAP files), and campaign objects, as well as Cognito configuration information, including users, roles, triage rules, sensor pairings, and UI settings.
The archive size will vary with the quantity of hosts, detections and campaigns on the system. It is typically expected that the archives will reach a size of 2–5 GB. The backup process will generate audit log entries tracking backup start, backup complete, backup transfer start and backup transfer complete. To utilize this, enable audit logs via syslog under the Notifications tab in Settings. An MD5 hash of the backup archive is provided via audit logs. The integrity of the backup can be independently verified using this hash.

Configuring backup
> backup clear
> backup configure-target --target-user <username on external server> --target-server <IP address or domain of target server> --target-path <path where the backup should be stored> --copy-mode <sftp/scp> --enable-external --target-rotate <number of backups to keep on the remote server; 0 means old backups are never deleted>
> backup show
The RSA public key from the backup show command should now be copied to the ~/.ssh/authorized_keys file in the home directory of the target user on the target server. This step should be complete and tested before enabling the scheduled backup.

Testing backup
> backup test
The command above will copy a temporary file to the backup server to verify that the target is reachable.

Enabling backup
> backup enable --weekday Sunday --hour 2
The X-series will now perform automated backup on the chosen day and time. The time specified will be in the local time zone configured on the X-series appliance.
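The MD5 hash that the audit log carries is only useful if something on the backup server actually compares it with the archive that arrived. The following Python script is an added example of that check, run on the external backup target; it is not part of this guide or of the appliance. The guide does not document the layout of the audit syslog message, so the parser only assumes that the line contains the archive file name and a 32-hex-digit MD5 somewhere after it (an assumption to adjust once you have seen a real line). The file is hashed in chunks because archives reach several gigabytes, and the comparison uses a constant-time equality. A helper writes a small constructed archive and a matching constructed audit line so the script can be exercised offline.

```python
"""Verify a transferred X-series backup archive against the MD5 reported in the audit log.
Added example, not Vectra code. The audit line format is an assumption."""
import hashlib
import hmac
import os
import re
import tempfile

# Assumed shape of the audit line: an archive name followed later by a 32-hex-digit MD5.
AUDIT_RE = re.compile(
    r"(?P<archive>[\w.\-]+\.(?:tar\.gz|tgz|tar|zip))\b.*?\b(?P<md5>[0-9a-f]{32})\b", re.I)


def parse_audit_line(line: str):
    """Return (archive_name, md5) from an audit line, or None if neither can be found."""
    m = AUDIT_RE.search(line)
    return (m.group("archive"), m.group("md5").lower()) if m else None


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through MD5 in 1 MiB chunks so multi-GB archives do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_backup(path: str, audit_line: str) -> dict:
    """Compare the archive at path with the MD5 carried in audit_line."""
    parsed = parse_audit_line(audit_line)
    if parsed is None:
        raise ValueError("no archive name and MD5 found in audit line")
    archive, expected = parsed
    actual = md5_of_file(path)
    # MD5 here detects truncated or corrupted transfers; it is not a substitute for
    # protecting the audit log itself, since whoever can alter both can keep them consistent.
    return {"archive": archive, "expected": expected, "actual": actual,
            "match": hmac.compare_digest(actual, expected)}


def make_demo_archive():
    """Constructed sample for offline use: a small fake archive plus a constructed audit line
    carrying that file's real MD5, in the assumed message layout."""
    fd, path = tempfile.mkstemp(prefix="vectra-backup-", suffix=".tar.gz")
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed archive contents\n" * 1000)
    line = ("<14>Mar  1 02:00:00 x-series vectra-audit: backup transfer complete "
            f"archive={os.path.basename(path)} md5={md5_of_file(path)}")
    return path, line


if __name__ == "__main__":
    demo_path, demo_line = make_demo_archive()
    print(verify_backup(demo_path, demo_line))
    os.remove(demo_path)
```

In practice the audit line would be pulled from the syslog collector that receives the appliance's audit logs, and the path would be the file under --target-path; a mismatch should be treated as a failed backup and the transfer re-run before the next scheduled window.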
vectra.ai DPG_CognitoDeploymentGuide_031720
© 2020 Vectra AI, Inc. All rights reserved. Vectra, the Vectra AI logo, Cognito and Security that thinks are registered trademarks and Cognito Detect, Cognito Recall, Cognito Stream, the Vectra
Threat Labs and the Threat Certainty Index are trademarks of Vectra AI. Other brand, product and service names are trademarks, registered trademarks or service marks of their respective holders.