CLOUD SOLUTIONS

Security Server

Configure the SNMP agent on Security Server

Configuring SNMP Agent on Bitdefender Security Server will make possible the communication and information delivery to your SNMP Manager.

Simple Network Management Protocol (SNMP) is used for collecting information from network devices such as servers, hubs, switches and routers on an Internet Protocol network. It is designed to have minimal transport requirements and to continue working when most other network applications fail. SNMP is collecting information such as CPU and RAM usage, server load, and traffic status on a network interface.

The SNMP agent is a program that is packaged within the network element. Enabling the agent allows it to collect the management information database from the device locally and makes it available to the SNMP manager, when it is queried for.

In typical uses of SNMP, one or more administrative computers called Managers have the task of monitoring or managing a group of hosts or devices on a computer network. Each managed system executes a software component called Agent, which reports information via SNMP to the Manager.

This section explains how to configure the SNMP Agent on Bitdefender Security Server to make possible the communication and information delivery to your SNMP Manager.

Note

The SNMP package is present on the Security Server Multi-Platform starting with version 6.1.68.7705.

To configure the SNMP Agent on the Security Server:

  1. Log in to Security Server via SSH, using the root credentials or another user with administrative privileges, if set.

    Important

    The default password for root is sve. We recommend changing it as soon as possible!

  2. Open the configuration file of the snmp daemon with the following command:

    $ sudo nano /etc/snmp/snmp.conf
  3. Change the agentAddress directive to allow all connections instead of only those originating from the local computer.

    For this purpose, you need to comment out the first agentAddress line and uncomment the second one.

    18178_1.png
  4. Create a user named bootstrap to allow access from the SNMP Manager. For this purpose, insert the following line in the config file and replace the parameters with their actual values, as described in the table:

    createUser bootstrap auth_type auth_password privacy_protocol encrypt_password

    Parameter

    Description

    Value

    auth_type

    The authentication method to be used.

    MD5 or SHA

    auth_password

    The pass phrase used to authenticate the connection.

    It must be at least eight characters long.

    privacy_protocol

    The encryption method to be used. This parameter is optional.

    DES or AES

    encrypt_password

    The pass phrase used to encrypt communication. If missing, the authentication pass phrase will be used for the privacy protocol as well.

    It must be at least eight characters long.

    For example:

    createUser bootstrap MD5 MyAuthPassword DES
  5. Insert the following line to set up the user rights to read/write and enforce encryption:

    rwuser bootstrap priv
  6. Save and close the file.

  7. Restart the snmpd service to apply the changes with the following command:

    sudo service snmpd restart

    If the SNMP Manager cannot connect, please try:

    sudo service snmpd stop
    sudo service snmpd start

    You can now connect to the Security Server from the SNMP Manager.

By default, the SNMPD service starts manually. To start the service automatically when the Security Server restarts, run these commands:

# systemctl enable snmpd
# systemctl start snmpd

Update the operating system of the Security Server to Ubuntu 20.04 LTS

This topic provides all the information you need to upgrade Security Servers in your environment to use Ubuntu 20.04.

Introduction

Why updating the OS of the Security Server?

Security. Currently, Security Server relies on Ubuntu 16.04 LTS, which becomes officially EOL on April 30th, 2021. This means it will stop receiving critical fixes and security patches, exposing the appliance to potential threats.

Because you can. You do not need to redeploy any of the appliances like in the past. Since the April 2021 update, GravityZone offers the option to update Security Servers through the Update Security Server task. The task is available for both GravityZone platforms, cloud and on-premises, and all integrations with virtualized environments including cloud integrations.

It is easy. The OS update task is automatic, and you can schedule it to run in a maintenance window. The task applies to both multiplatform and agentless environments.

No icons with issues. After updating GravityZone, you may notice that the Security Server will appear as outdated. This means the Security Server version with OS update is available to download and install.

Warning

If you have a cloud integration (Azure or AWS) and choose to update the OS for your Security Servers, Bitdefender is not accountable for the billing changes that this update might generate according to your service-based model.

Prerequisites
  • The OS update task is available in GravityZone Control Center starting with the April 2021 update for cloud platform, and version 6.23.1-1 for on-premises platform.

  • Compatible Security Server versions:

    • Multiplatform: 6.2.1

    • For VMware NSX-V: 6.2.0

    • For VMware NSX-T: 1.1.0

  • The OS update on Citrix XenServer 7.1 LTSR requires you to apply the Citrix XS71ECU2060 hotfix first.

    Note

    You can install the hotfix automatically from Citrix XenCenter. The installation requires hypervisor reboot.

  • The update requires at least 2 GB of disk space available on the appliance to run.

  • Adjust resource allocation for the Security Server according to the new hardware requirements:

    Consolidation

    Number of protected VMs

    RAM

    CPU

    Low

    1-30

    2 GB

    2

    31 - 50

    4 GB

    2

    Medium

    51 - 100

    4 GB

    4

    High

    101 - 200

    4 GB

    6

  • Update location for the Security Servers must be one of the following:

    • update-onprem.2d585.cdn.bitdefender.net:80

    • upgrade.bitdefender.com

    • Bitdefender Endpoint Security Tools Relay for Linux version 6.2.21.141

    Check the assigned policy, under the Relay > Update section, to have the option Define custom update locations enabled.

    Warning

    Bitdefender Endpoint Security Tools Relay for Windows does not support the OS update.

Best practices
  • Take snapshots of the Security Server appliances, because the changes are major.

  • Since Bitdefender does not have any control on the infrastructure where Security Server runs, the update task does not limit the number or combination of Security Servers to be selected.

    The recommendation is to run several update tasks on groups of Security Servers, considering redundancy and availability. Do not run the task on all Security Servers at once, or you will lose protection.

  • Schedule the Security Server update in a maintenance window, especially for NSX and HVI environments, or migrate the VMs from one host to another one before starting the update.

  • Enable the Task status notification to know when the update is complete.

Updating steps
  1. Select the target Security Servers in the Network page.

  2. Run an Update Security Server task with the feature update option.

    This update will prepare the Security Servers for the OS update.

  3. Run again an Update Security Server task, this time with the OS update option.

  4. Select to run now or choose a date from the calendar to schedule the maintenance window.

To check the status of the update task, go to the Tasks page. Follow the links in the Status column to view the status of the task for each target Security Server.

How it will happen

The update process is incremental, the operating system being upgraded to Ubuntu 18.04 LTS, and then to Ubuntu 20.04 LTS, under Canonical official recommendation. The process happens transparently, with no user intervention.

During the update, the following operations will be performed in the backend:

  • Update requirements are checked.

  • Non-Bitdefender repositories are disabled.

  • Third-party packages are uninstalled.

    You can reinstall the third-party packages once the update is complete.

  • Existing Bitdefender services are stopped.

  • The OS is updated to Ubuntu 18.04 LTS.

  • The OS is updated to Ubuntu 20.04 LTS.

  • Repositories are changed to receive Ubuntu 20.04 updates and patches.

  • Non-Bitdefender repositories are enabled.

  • Bitdefender services are started.

    Note

    The appliances will automatically reboot several times.

Frequently asked questions
Q1: What happens with the protection during the update on agentless environments?

A: Protection on that host is lost. This is why we recommend moving the VMs on another protected host while the Security Server is updating. Plan this operation in a maintenance window.

Q2: How long does the OS update last and what is the expected downtime?

A: Depending on the networking and storage characteristics, the update duration can vary. In most cases, it will take between 20-30 minutes.

Q3: Will the update work if the Security Server has various minor Ubuntu 16.04 kernel versions?

A: Yes. Before starting the OS upgrade, all packages are updated to the latest versions available.

Q4: What happens with custom repositories or third-party packages during the update?

A: Any third-party packages will be uninstalled during the OS upgrade. They will not be automatically restored because Bitdefender repositories do not include them. The additional repositories will still be there, so you can reinstall the custom packages after the upgrade is complete.

Q5: How do I know if the update fails on a Security Server?

A: In Control Center, follow the Status link of the update task to open the Task Status window. You will view all target Security Servers and the status of the task on each of them. You can filter to view only where the task status is Failed. Select the Security Server with a failed update and check the error message in the lower part of the window.

Q6: Can I install the Security Server manually?

A: Yes. Follow the steps described in Bitdefender Security Server manual installation.

Q7: What happens if GravityZone is in an offline environment?

A: Follow the usual procedure to download the update archive. For details, refer to GravityZone products offline update.

Q8: Will the task run if Security Server runs on Ubuntu 12.04?

A: No. The task can only run if Security Server runs on Ubuntu 16.04. In this case, you need to redeploy the Security Server.

Q9: Will the task be available for the vShield integration?

A: No, it is not supported. You need to upgrade to VMware NSX.

Adjust the OVA resources for Security Server for VMware NSX

Following the compatibility with VMware NSX-V 6.4.8, a new OVA file was published for the Security Server for NSX-V (6.1.72.10094).

The new OVA image will be increased to 6GB RAM and 4 vCPU.

Depending on the situation, you can choose one of the following options:

Adjust resources without uninstall

Change the default hardware configuration of Security Server:

  1. Log in to VMware vSphere Web Client.

  2. Go to the Datacenter section of your virtual machine.

  3. Select the cluster that contains the virtual machine you want to initiate the increase of OVA resources.

  4. Expand the section and select the virtual machine.

  5. Select the Actions button and hover over the Power button.

  6. Click the Shut Down Guest OS option. A message asking you to confirm the Guest Shut Down will appear on the screen. Select Yes.

  7. Select the Actions button again and click the Edit Settings action. A message asking if you want to proceed will appear on screen. Select Yes.

  8. From the CPU section drop-down menu, select 4.

  9. In the memory capacity section, write 6.

  10. From the Actions tab, select Power On.

Note

This method will not keep the changes if the Security Server has to be redeployed or if any new deployment occurs. Each new virtual machine will have to be manually configured.

Redeploy Security Servers
  1. Uninstall all Security Servers on the environment (vCenter).

  2. Publish the new OVA from GravityZone.

  3. Redeploy all Security Servers with the new configuration.