Arbor Virtual Sightline 9.5.0.0-Virtual Machine Installation Guide 2021-09-07
Version 9.5.0.0
Legal Notice
The information contained within this document is subject to change without notice. NETSCOUT SYSTEMS, INC.
makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. NETSCOUT SYSTEMS, INC. shall not be liable for errors
contained herein or for any direct or indirect, incidental, special, or consequential damages in connection with the
furnishings, performance, or use of this material.
© 2015-2021 NETSCOUT SYSTEMS, INC. All rights reserved. Confidential and Proprietary.
Document Number: SP-VM-9500-2021/09
07 September, 2021
Contents
Preface
About the Sightline and Threat Mitigation System Documentation
Conventions Used in this Guide
Contacting the Arbor Technical Assistance Center
Introduction
This guide describes how to install Sightline software in a VM and configure it for your
network. It also describes how to convert a physical Sightline appliance to a VM.
Audience
This information is intended for network security system administrators (or network
operators) who are responsible for configuring and managing Sightline on their networks.
Administrators should have fundamental knowledge of their network security policies
and network configuration.
This guide is intended for system administrators who are responsible for installing,
configuring, and maintaining Sightline.
In this section
This section contains the following topics:
Sightline and Threat Mitigation System User Guide
    Instructions and information that explain how to configure and use Sightline and TMS
    devices and software via the Sightline user interface (UI) and the command line
    interface (CLI).
    You can access the User Guide by clicking the icon in the Sightline UI. It is also
    available as a PDF.
    The User Guide contains all information that was previously included in the following
    documents:
    - Sightline and Threat Mitigation System Advanced Configuration Guide
    - Sightline and Threat Mitigation System Licensing Guide

Sightline and Threat Mitigation System Advanced Configuration Guide
    This document has been discontinued. The content previously included in this document
    is now included in the Sightline and Threat Mitigation System User Guide.

Sightline and Threat Mitigation System Compatibility Guide
    Descriptions of the support for multi-version, multi-platform Sightline and TMS
    deployments.

Sightline and Threat Mitigation System Deployment and Device Limits
    Lists the enforced limits and guideline limits for Sightline and TMS deployments. It
    also covers the enforced limits and guideline limits for supported Sightline and TMS
    devices.

Sightline and Threat Mitigation System Licensing Guide
    This document has been discontinued. The content previously included in this document
    is now included in the Sightline and Threat Mitigation System User Guide.

Sightline and Threat Mitigation System Managed Services Customer Guide
    Instructions and information for the managed services customers who use the Sightline
    user interface.

Sightline and Threat Mitigation System API Guide
    General information about the following APIs:
    - REST API
    - Web Services API
    - Current SOAP API
    - Classic SOAP API (the API that was released prior to SP version 5.5)

Sightline REST API Documentation
    Instructions and information that explain how to use Sightline REST API. You can
    access this documentation from the Sightline UI by selecting Administration >
    Sightline REST API Documentation. It is also available for download.

ArbOS REST API Documentation
    Instructions and information that explain how to use ArbOS REST API. You can access
    this documentation from the Sightline UI by selecting Administration > ArbOS REST API
    Documentation. It is also available for download.

Software Threat Mitigation System Installation on Hardware
    Instructions on installing Software TMS on your own hardware. Follow the instructions
    in this guide if you are installing Software TMS on hardware instead of a VM.

Installation Guide for Sightline and Threat Mitigation System appliances
    Instructions and requirements for the initial installation and configuration of
    Sightline and TMS appliances.
Italics
    A label that identifies an area on the graphical user interface.
    For example: On the Summary page, view the Active Alerts section.

Monospaced bold
    Information that you must type exactly as shown.
    For example: Type https:// followed by the IP address.

Monospaced italics
    A file name, folder name, path name, or other information that you must supply.
    For example: Type the server's IP address or hostname.
The following table shows the syntax of commands and other types of user input. Do not
type the brackets, braces, or vertical bars that indicate options and variables.
[ ] (square brackets) A set of choices for options or variables, all of which are optional.
For example: [variable1 | variable2].
Contact methods
You can contact the Arbor Technical Assistance Center as follows:
- Phone US toll free — +1 877 272 6721
- Phone worldwide — +1 781 362 4301
- Support portal — https://support.arbornetworks.com
You can deploy Sightline in a virtual machine (VM). Doing so allows you to dynamically
add routers to your deployment so that you can monitor more of your infrastructure and
improve performance. It also frees you from managing a large deployment of physical
Sightline appliances. You must read this section for information you need to know prior
to installation.
In this section
This section contains the following topics:
Hypervisor Information
Hardware Environment Information
Additional Recommendations
Reference Benchmarks
Hypervisor Information
NETSCOUT supports the following hypervisors for running Sightline in a virtual machine:
- VMware vSphere Hypervisor software (formerly known as ESXi)
  We have confirmed Sightline functionality with versions 5.0, 5.1, 5.5, 6.0, and 6.5.
- KVM
  We have confirmed Sightline functionality with KVM running on QEMU version 5.1.
Note
We recommend running the Sightline leader and the Sightline traffic and routing
analysis role in separate VM instances. If a single VM is used as both the leader and a
device with the traffic and routing analysis role, the VM should be provisioned with the
recommended hardware specifications, listed below.
Disk allocation (traffic and routing analysis role)    500 GB    1 TB
Important
Do not configure more than two
Sightline VM instances to share a
network interface, especially if they
have the traffic and routing analysis
role.
Additional Recommendations
Note the following additional recommendations concerning Sightline VM instances:
- Time service
  If you are using VMware, the guest VM currently synchronizes time automatically from
  the host, and you cannot configure NTP servers on the guest VM. Make sure that the
  host is synchronized using NTP to a time source that is in sync with the other Sightline
  and TMS appliances in your deployment.
  If you are using KVM, configure NTP servers on the guest VM that are in sync with the
  other Sightline and TMS appliances in your deployment.
- Storage device
  Sightline is very disk intensive. For this reason:
  - When running Sightline in a VM, we strongly recommend using a solid-state drive
    (SSD) as the storage device.
  - Each Sightline VM instance should have its own storage device.
  - If a Sightline VM instance must share a disk with another VM instance, the disk must
    be an SSD.
- VM server load
  For best performance, do not run other applications or services on the VM server that
  runs the Sightline VM instance.
- VMware vMotion
  You can use vMotion to move a Sightline VM instance to another VM host server. We
  recommend that you stop Sightline services on the VM instance before you move the
  VM instance.
  Important
  Both VM instances must use the same network name.
- VMware provisioning options
  When configuring the VMware settings, use the default settings except for the
  following settings:
  Setting            Selection
  Network adapter    E1000
  Important
  Your VMware must be booted using BIOS mode, not UEFI mode. Refer to the VMware
  documentation if you need to switch the boot mode from UEFI to BIOS.
- Backup and restore
  Sightline supports the use of VMware snapshots without snapshotting the VM’s
  memory. Sightline does not support snapshots that include the VM’s memory. We
  recommend you configure snapshots to quiesce the guest file system.
Reference Benchmarks
This section lists performance benchmarks when using Sightline appliances. We
recommend that your Sightline VM instances provide similar performance.
ApacheBench benchmarks
Cores | Expected Flow Performance (Flows/sec) | Requests Completed | Bytes Transferred | Request Rate (Requests/sec)
Note
Benchmarks should be generated without services running.
Command Description

/ system benchmark show
    This command displays whether any benchmark tests are running and when the last
    benchmark test was run. It also displays a summary of some of the statistics from the
    most recent benchmark run.

/ system benchmark show raw
    This command produces the test results in CSV format after benchmarks are run. The
    output also includes a legend.
    To show what each entry in the comma-separated output stands for, you can import the
    legend into a spreadsheet program along with the comma-separated output. Fields in
    the < > brackets change, while the values “bonnie,” “ab,” and “sysinfo” are static
    fields. The format for most of the fields in the < > brackets is
    “test type: subtype; units.”
The following sections describe how to install Sightline 9.x and later in a VM. The following
table describes the CLI command syntax used in these sections:
In this section
This section contains the following topics:
Configuring Interfaces
To configure interfaces:
1. Determine if you are using the listed interface.
2. If you are not using the interface, press ENTER.
3. If you are using the interface, do the following:
Caution
Do not enter 0.0.0.0/0 or ::/0 as a CIDR for a service unless absolutely necessary. We
recommend that you use the narrowest CIDR you can for each service.
3. At the BGP access prompt, press ENTER to skip configuring BGP access to the device.
You can configure BGP access to the device in the Sightline UI when you configure
routers.
4. At the Cloud Signaling access prompt, press ENTER to skip configuring Cloud Signaling
access to the device.
You can configure Cloud Signaling access to the device in the Sightline UI when you
configure a managed object.
5. At the HTTP access prompt, enter the CIDR_block from which you want to allow HTTP
access to the device.
6. At the HTTPS access prompt, do one of the following:
- If you are configuring a device that has the user interface role, then enter the
  CIDR_block of a network from which you want to enable HTTPS access.
- If you are configuring a device that has the traffic and routing analysis role or the
  data storage role, then press ENTER.
7. Repeat Step 5 for each network from which you want to enable HTTPS access.
8. At the OpenFlow access prompt, press ENTER to skip configuring OpenFlow access to
the device.
Sightline does not use OpenFlow.
9. At the ping access prompt, enter the CIDR_block from which you want to allow ping
access to the device.
10. Repeat Step 8 for each network from which you want to enable ping access.
11. At the SNMP access prompt, enter the CIDR_block from which you want to allow
SNMP queries to the device.
12. If the SPCOMM access prompt appears, press ENTER to deny all SPCOMM access to
the device.
Note
Configurations that you perform later (bootstrap command) will automatically add
SPCOMM access as needed.
13. At the SSH access prompt, enter the CIDR_block of the network from which you want
to enable SSH access.
Note
You cannot access the VM using SSH until an SSH key is generated and the SSH
service is started. See “Generating an SSH key and Starting the SSH Service” on
page 24.
14. Repeat Step 15 for each network from which you want to enable SSH access.
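The access-list rules in the steps above can be checked before anything is typed at the prompts. The following is an added example, not part of the guide or of Sightline: a Python audit of a planned per-service CIDR list that applies the caution about 0.0.0.0/0 and ::/0, the role rule for HTTPS, and the prompts the guide skips. The service keys, the sample plan and the "broad prefix" thresholds are assumptions chosen for illustration; the role codes (pi, cp, bi) are the ones used by the guide's bootstrap command.

```python
import ipaddress

# Prompts the guide says to skip with ENTER during initial IP access setup.
# The dictionary keys used for services are hypothetical labels, not CLI syntax.
SKIP_AT_INSTALL = {"bgp", "cloudsignaling", "openflow", "spcomm"}
# Assumed review thresholds: a shorter prefix than this is reported as broad.
BROAD_V4, BROAD_V6 = 16, 48

def audit_access_plan(role, plan):
    """Return sorted (severity, service, cidr, reason) findings for a planned access list."""
    findings = []
    for service, cidrs in plan.items():
        if service in SKIP_AT_INSTALL and cidrs:
            findings.append(("warn", service, "*", "guide skips this prompt at install time"))
        if service == "https" and role != "pi" and cidrs:
            findings.append(("warn", service, "*",
                             "HTTPS access is entered only for the user interface role"))
        for cidr in cidrs:
            try:
                # strict=True rejects entries with host bits set, e.g. 203.0.113.5/24
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                findings.append(("error", service, cidr, f"not a valid CIDR block: {exc}"))
                continue
            if net.prefixlen == 0:
                findings.append(("error", service, cidr, "matches every source address"))
            elif net.prefixlen < (BROAD_V4 if net.version == 4 else BROAD_V6):
                findings.append(("warn", service, cidr,
                                 f"/{net.prefixlen} is broader than the review threshold"))
    return sorted(findings)

# Constructed sample plan for a traffic and routing analysis ("cp") device.
SAMPLE_PLAN = {
    "http": ["0.0.0.0/0"],
    "https": ["192.0.2.0/24"],
    "ping": ["10.0.0.0/8"],
    "snmp": ["198.51.100.10/32"],
    "ssh": ["203.0.113.5/24", "2001:db8:10::/64"],
    "openflow": [],
}

if __name__ == "__main__":
    for severity, service, cidr, reason in audit_access_plan("cp", SAMPLE_PLAN):
        print(f"{severity.upper():5} {service:6} {cidr:18} {reason}")
```
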
For additional information about adding DNS servers, see "Configuring DNS Servers and
Configuring Network Services" in the Sightline and Threat Mitigation System User Guide.
In this section
This section contains the following topics:
Conversion Methods
Converting an Appliance by Backing Up and Importing
Converting a Leader Appliance
Converting a Non–leader Appliance with the TRA Role
Conversion Methods
There are several methods available for converting a physical appliance to a VM. The
conversion method you can use depends on the type of appliance you are converting.
Converting non-leader appliances with the Traffic and Routing Analysis (TRA) role
There are two methods for converting a non–leader with the TRA role:
4. Do one of the following to import the backup created in step 1 onto the VM:
- In the Sightline UI of the new VM, navigate to the Managed Backups page
  (Administration > System Maintenance > Backups) and perform tasks to import
  and restore the backup.
- In the CLI of the new VM, use the following commands to import and restore
  the backup:
  / services sp backup import {full | incremental} scp://user@host/path/password
  / service sp backup restore skip_arbos
  user = the user name that is required to access the remote server
  host = the fully qualified DNS name, or IPv4 or IPv6 address (with or without a port
  number) of the remote server
  path = the directory path to where you want to export the backup on the remote
  server
  password = the password that is required to access the remote server
Important
If you restore the full backup, the IP interface, IP access, and IP route settings will no
longer be correct. Make sure to configure these settings on the new appliance so
that they are the same as those on the old appliance. For information about how to
configure these settings, see the appliance's Installation Guide
at https://support.arbornetworks.com.
5. In the CLI of the new VM, enter the following commands to bootstrap the VM,
keeping the database and starting services.
a. Enter / services sp bootstrap nonleader leader_IP_address nonleader_IP_address zone_secret role
   leader_IP_address = IP address of the new leader appliance
   nonleader_IP_address = IP address of the non-leader appliance
   zone_secret = the word or phrase that is used by all appliances in the system
   for internal communication
   role = the role to assign to the appliance, specified by one of the following:
     bi: data storage role
     cp: traffic and routing analysis role
     pi: user interface role
b. Enter n to keep the existing alert and mitigation database.
Specification requirements
Note the minimum and recommended specifications listed in "Hardware Environment
Information" on page 13. However, make sure that the specifications provisioned to the
VM are at least equal to the specifications of the appliance being converted to a VM.
Backup leaders
Do not use the procedures listed below to convert a backup leader.
See “Converting other non-leader appliances (including the backup leader)” on page 26.
7. Follow the steps below to trigger a manual failover so that the virtual leader is now
the leader:
a. Log in to the VM’s CLI using the administrator user name and password.
b. Enter / services sp backup failover activate
c. To confirm, enter y
Note
It may take a few minutes for the new configuration to propagate to all the other
appliances in your deployment.
8. If you want to continue to use the original backup leader as the backup leader, follow
the steps below to reinstate the original backup leader:
a. Navigate to the Edit Appliance page for the original backup leader.
b. Click the High Availability tab.
c. Select the Backup Leader check box.
d. Click Save, then commit your changes.
9. If you want to use the original leader as an appliance in the deployment, power on
the original leader and initialize it for reuse in the deployment.
See “Initializing an Appliance for Reuse in the Deployment” on page 22.