Planning Requirements

Before you install the sensors, you must plan for the following:

  • The NetWitness Platform (Admin Server and Packet Decoder Host) is on version 12.3 or later.

  • Customers must have a NetWitness Cloud tenant account with entitlements that allow the NetWitness Insight capability.

  • Ensure you have administrator access to the NetWitness Cloud Portal.

  • The host on which the Insight Sensor and Cloud Connector Sensor will be installed needs to be connected to Amazon Web Services (AWS). This might require changes to your existing firewall rules. Hosts will need to connect to the IP ranges for the chosen deployment region. For more information on the current list of AWS IPs by region, see AWS IP address ranges.

  • If a proxy is identified as either the source or destination of network connections, it can limit the effectiveness of NetWitness Insight, whether it’s North-South (outbound) or East-West (lateral) traffic.

    • When a proxy is used as the source of a connection, all internal assets will appear to have the same IP addresses, as all connections are considered to originate from the same source. This can make it difficult to track the true source of connections and obtain accurate ranks, types, and categorizations.

    • When a proxy is used as the destination of a connection, all the connections will appear to be going toward the same destination. This can also cause difficulties in obtaining accurate ranks, types, and categorizations.

  • To classify assets effectively, you must decrypt the network traffic. Encrypted traffic is captured under the SSL category, so Insight does not have complete visibility into the data.

  • For organizations that do not follow RFC 1918 for private IP addresses, you must configure the Traffic Flow LUA parser to tag the Decoder traffic correctly. For more information on configuration, see the topic Traffic Flow LUA Parser.

  • If users are running Port Scanners in their environment, it is important to remember that these Port Scanners can generate significant traffic. Such traffic could impact the NetWitness Analytics and result in misclassification of servers as clients, affecting enterprise network exposure, peer network exposure rankings, asset category, and detection accuracy for each asset. To prevent network asset misclassification, contact NetWitness Customer Support and provide them with the list of Port Scanner IPs. Your information will be used by NetWitness Analytics to improve asset identification and classification.

  • If users do not follow the RFC 1918 standard and use a different standard to define their internal IP addresses, NetWitness Analytics may not recognize them correctly. As a result, some internal assets may be classified as external assets or vice versa. To avoid this issue, contact NetWitness Customer Support and provide them with your internal IP ranges. Your information will be used by NetWitness Analytics to improve asset identification and classification.

  • Ensure that the analysts have write (manage) access to create the Springboard panel. For more information, see the Springboard section in the Role Permissions topic in the System Security and User Management Guide.

  • Ensure that the system clock is accurate. To fix the system clock, configure the NTP server on the Admin server. For more information on how to configure the NTP server, see Configure NTP Servers.
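
For the two RFC 1918 items above, it helps to know exactly which of your internal ranges fall outside the private blocks before configuring the Traffic Flow LUA parser or sending the list to Customer Support. The following is an added example, not NetWitness code; the function names and the sample inventory are constructed for illustration.

```python
import ipaddress

# The three private IPv4 blocks defined by RFC 1918.
RFC1918 = [ipaddress.IPv4Network(b) for b in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def outside_rfc1918(net):
    """Return the parts of `net` that are not covered by RFC 1918, as CIDRs."""
    pieces = [net]
    for block in RFC1918:
        remaining = []
        for piece in pieces:
            if piece.subnet_of(block):
                continue                      # fully private, nothing to report
            if block.subnet_of(piece):
                # piece straddles the block: keep everything except the block
                remaining.extend(piece.address_exclude(block))
            else:
                remaining.append(piece)       # disjoint from this block
        pieces = remaining
    return sorted(pieces)


def ranges_to_report(internal_cidrs):
    """Map each internal range to its non-RFC 1918 portion; skip private ones."""
    report, invalid = {}, []
    for raw in internal_cidrs:
        try:
            net = ipaddress.IPv4Network(raw.strip(), strict=False)
        except ValueError:
            invalid.append(raw)               # typo, IPv6, or not an address
            continue
        outside = outside_rfc1918(net)
        if outside:
            report[str(net)] = [str(p) for p in outside]
    return report, invalid


# Constructed sample inventory (not from any real environment).
SAMPLE_INTERNAL = ["10.20.0.0/16", "192.168.1.77", "100.64.0.0/10",
                   "172.0.0.0/8", "10.300.0.0/16"]

if __name__ == "__main__":
    report, invalid = ranges_to_report(SAMPLE_INTERNAL)
    for cidr, outside in report.items():
        print(f"{cidr}: outside RFC 1918 -> {', '.join(outside)}")
    print("could not parse:", invalid)
```

Ranges that straddle a private block, such as the sample 172.0.0.0/8, are reported only for the portion outside RFC 1918.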
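
For the AWS connectivity item above, the firewall change needs a de-duplicated list of prefixes for the chosen deployment region. The following is an added example, not NetWitness code, that extracts that list from a document in the layout of AWS's published ip-ranges.json; the sample data, the region used and the optional service filter are assumptions, since this page does not state which AWS services the sensors contact.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json.
# The prefixes are documentation-only ranges, not real AWS ranges.
SAMPLE_IP_RANGES = json.loads("""
{"syncToken": "0", "createDate": "2024-01-01-00-00-00",
 "prefixes": [
  {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
  {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
  {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
  {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
  {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"}
 ],
 "ipv6_prefixes": [
  {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
  {"ipv6_prefix": "2001:db8:2::/48", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"}
 ]}
""")


def egress_prefixes(doc, region, services=None):
    """Collapsed (IPv4, IPv6) CIDR lists for one region, optionally per service."""
    def wanted(entry):
        return entry["region"] == region and (
            services is None or entry["service"] in services)

    # Sets drop the duplicates that arise when one prefix is listed under
    # both AMAZON and a specific service; collapse_addresses merges neighbours.
    v4 = {ipaddress.ip_network(e["ip_prefix"])
          for e in doc.get("prefixes", []) if wanted(e)}
    v6 = {ipaddress.ip_network(e["ipv6_prefix"])
          for e in doc.get("ipv6_prefixes", []) if wanted(e)}
    return ([str(n) for n in ipaddress.collapse_addresses(v4)],
            [str(n) for n in ipaddress.collapse_addresses(v6)])


if __name__ == "__main__":
    v4, v6 = egress_prefixes(SAMPLE_IP_RANGES, "us-east-1")
    for cidr in v4 + v6:
        print("allow outbound to", cidr)
```

AWS updates the published file over time, so regenerate the allow list whenever the file's syncToken changes.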

Important

NetWitness recommends that users upgrade to version 12.4.1 or later to benefit from the significant improvements made to Insight.

Important

  • From version 12.4 onward, NetWitness no longer supports CentOS 7 and only supports Alma OS. For the Insight and Cloud Connector Sensors to upgrade to version 12.4 from lower versions, all NetWitness Platform services must be upgraded to version 12.4. This step ensures a successful upgrade for the sensors. For more information on upgrade, see NetWitness Upgrade Guide 12.4.
  • For users onboarded on version 12.4, you must follow the installation procedures to deploy the sensors. For more information, see the topics Install Insight Sensor and Install the Cloud Connector Sensor.

Important

If the Cloud Connector Server is found inactive while performing the failover on the Admin Server, you must uninstall the Cloud Connector Service by running the script /var/lib/netwitness/cloud-connector-server/nwtools/uninstall-cloud-connector.sh from the Admin Server backend (NOTE: If you still see the Cloud Connector Service in the UI after running the uninstall script, restart the jetty service). Once the service is successfully uninstalled, reinstall the Cloud Connector Sensor from the UI so that it works correctly. For more information on installation, see Install the Cloud Connector Sensor.

You can install Insight Sensor on the following hosts:

Model Category
S5/S6/S6E/Virtual Packet Decoder
Packet Hybrid

NetWitness has tested and qualified the Packet Hybrid and Packet Decoders for NetWitness Insight.

The following table represents the qualified capture rate for Packet Hybrid and Packet Decoder.

Host Type         Qualified Capture Rate in Gbps
Packet Hybrid     up to 1.5
Packet Decoder    up to 6*

Note

*For more information on Packet Decoders with 10G configuration, see topic Configure High Speed Packet Capture Capability (Version 11.6 and Later) in the Decoder Configuration Guide.
