Contents
MXs Managed by SOM
Working with SOM
Registering MXs
Setting Up SSL with Certificate Authentication
Setting Up SSL with Certificate Authentication on SOM
Setting Up SSL with Certificate Authentication on MX
SSL Certificate Expiration
Removing MXs from SOM
Deploying MX and SOM Behind a NAT
Understanding MX Deployment Behind a NAT
This section presents how to work with SOM and it contains the following sections:
You can apply the following objects defined on SOM: policies, action sets, reports, global objects and signatures.
Objects downloaded from SOM are displayed in the MX GUI with a special icon, which indicates that the object was
defined on SOM and that only limited changes are allowed.
Policies defined on SOM are applied to MXs using the following two flows:
• Mandatory: Enables sending the policies defined on SOM to MX and running them immediately on all the server
groups/services/applications. In this flow policies downloaded from SOM cannot be unapplied.
• Optional: Enables sending the policies defined on SOM to MX and keeping them there without applying them,
or applying them only to a part of the services there. Once the policy is on MX, you can decide if you want this
policy to run now or later.
Scheduling for reports and audit policies can be defined on SOM and downloaded to MXs or defined locally on each
MX.
For more information about working with SOM, refer to the SOM User Guide.
Registering MXs
In order to allow SOM to manage an MX, you need to register that MX on SOM.
Note: You can only register MXs to SOM with an SSL certificate via port 8084.
All the MXs that have been registered on that SOM are presented in the Registered MXs table.
Registered MXs
Parameter Description
Last Update Time: The last time that the MX responded to a status check.
Using SSL with Certificate provides authentication and data encryption. This method is recommended when SOM and
MX are located in different local networks and sensitive data is sent.
In order to establish the communication between SOM and MX with authentication and encryption, SOM and MX must
present certificates to each other. You need to import or generate a SOM certificate before registering a new MX. Once
the certificate is ready, you need to export it in order to send it to MX.
1. On SOM: Generate a SOM certificate. Generate a SOM certificate that will be used to communicate with MXs. (Setting Up SSL with Certificate Authentication on MX)
1. In the Main workspace, select Setup > Settings. Select SOM to MX Communication Settings. The SOM to MX
Communication Settings pane appears.
2. In the SOM Certificate details section, click Replace Certificate. The Generate New SOM Certificate dialog
box appears.
3. Click Click Here. The Upload Certificate dialog box appears.
4. If you have a valid certificate in the PFX format, do one of the following:
◦ Click Browse next to the PFX file box and type the password.
◦ If a certificate has been previously installed on the machine and you want to overwrite it, click Overwrite
Existing Certificate.
◦ Click Upload. The Upload dialog box appears with the status bar that presents the progress of the upload.
5. If you do not have a valid certificate, in the Generate New SOM Certificate dialog box, set the period of time in
which the certificate is valid using the From/To options. The default for From is today. The default for To is a
year from today.
6. Click Generate. The Generate Certificate status bar appears, presenting the progress of the certificate
generation.
1. In the Main workspace, select Setup > Settings. Select SOM to MX Communication Settings. The SOM to MX
Communication Settings pane appears.
2. In the SOM Certificate details section, click Export Certificate. The Export Certificate dialog box appears
presenting the export status bar.
3. Once the export process is completed, click Download Certificate to open/save the certificate file. Depending
on your browser settings, the certificate is downloaded either to a predefined folder or to the folder that you
specify.
4. Send the file to the MX machine using your preferred file transfer method (use a thumb drive, shared drive or
network file copy).
To upload MX certificate:
1. In the Main workspace, select Setup > Settings. Select SOM to MX Communication Settings. The SOM to MX
Communication Settings pane appears.
2. In the SOM Certificates table, click Create New. The Upload Trusted Certificates dialog box appears.
3. In the Upload Trusted Certificates dialog box, click Browse and select the file to upload.
4. If you want the new certificate to overwrite an existing one, select Overwrite Existing Certificate.
5. Click Upload. The uploaded MX certificate appears in the SOM Certificates table.
1. In the Main workspace, click Setup > Registered MXs. The Registered MXs window appears.
2. In the Registered MXs window, click Add. The Add New MX dialog box appears.
3. In the Add New MX dialog box, type the name of the MX that you want to add and click Create. The Add New
MX dialog box closes and the MX details pane displays the name of the new MX.
4. In the MX details pane, set the following general settings:
◦ Name: The name of the new MX as you want it to appear on SOM and on MX.
◦ Host Name/IP Address: The host name or the IP address of the new MX.
◦ Username: MX’s admin username that is used to enter SecureSphere GUI.
◦ Password/Verify Password: MX’s admin password that is used to enter SecureSphere GUI.
5. Define the following Communication Settings, as described in the table below.
6. Define the following Drilldown Settings:
◦ Drilldown Security Options: Enables navigating into the MX with the following methods:
• Use SSL: Browsing MX using HTTPS.
• Do not Use SSL: Browsing MX using HTTP.
◦ Drilldown Port: The port that is used by SOM to navigate to MX.
7. To save your settings at any configuration stage, click Save.
8. To save your settings and to complete the first time registration, click Save & Register. The new MX appears in
the Registered MXs table.
9. To save any changes that are performed on a registered MX, click Save.
10. To verify that the new settings have been applied, click Test Connections.
Communication Settings
Setting Description
Verify MX Host Name: Enables verifying the host. SOM makes sure that this host is really who it says it is, as the
certificate itself does not prove that. SOM verifies the host name of the received certificate by resolving its
address using DNS and comparing it to the sender's address. This option is recommended when you suspect that the
MX certificate may be leaked to malicious users who may try to use it to establish a connection with SOM. In this
case, use this option and ensure that DNS correctly resolves the address of the MX.
Communication Port: Select 8084. You can set a port number that is different from the default value.
Note: The communication port numbers must be the same on SOM and MX. Set the communication port on MX in
Setup > Settings > SOM to MX Communication Settings > Communication Port.
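The Verify MX Host Name check described in the table above, sketched as an added example (this is not SecureSphere's own code, only an illustration of the described logic). The certificate dictionary follows the shape returned by Python's ssl.SSLSocket.getpeercert(); the host name, addresses and fake_resolver are constructed for the example.

```python
import ipaddress
import socket

def resolve_all(host):
    """Default resolver: every address DNS returns for host (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def cert_dns_names(cert):
    """Host names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the subject CN only when no SAN exists
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names

def normalize(addr):
    """Parse an address, dropping any scope id and unwrapping ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr.split("%")[0])
    return getattr(ip, "ipv4_mapped", None) or ip

def verify_mx_host(cert, peer_ip, resolver=resolve_all):
    """True only if a name in the certificate resolves to the sender's address."""
    peer = normalize(peer_ip)
    for name in cert_dns_names(cert):
        if "*" in name:
            continue  # a wildcard cannot be resolved, so it proves nothing
        try:
            addresses = resolver(name)
        except OSError:  # socket.gaierror is a subclass: fail closed
            continue
        if any(normalize(a) == peer for a in addresses):
            return True
    return False

# Constructed sample data (documentation address ranges, hypothetical names).
SAMPLE_CERT = {
    "subject": ((("commonName", "mx1.example.internal"),),),
    "subjectAltName": (("DNS", "mx1.example.internal"),),
}
SAMPLE_DNS = {"mx1.example.internal": {"192.0.2.10"}}

def fake_resolver(host):
    """Offline stand-in for DNS so the example runs without a network."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror("name not found: " + host)
    return SAMPLE_DNS[host]

if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7"):
        print(sender, verify_mx_host(SAMPLE_CERT, sender, fake_resolver))
```

A copied certificate presented from 198.51.100.7 is rejected because its name still resolves to 192.0.2.10. The result is only as trustworthy as the DNS answers, which is why the table asks you to ensure that DNS correctly resolves the MX address.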
1. In the Main workspace, select Setup > Settings. Select SOM to MX Communication Settings. The SOM to MX
Communication Settings pane appears.
2. Set the Communication Port parameter to 8084.
Note: The communication port numbers must be the same on SOM and MX. 8084 is the
default port number. You can define a different port number for this authentication
method on both SOM and MX. For instructions on how to use a communication port
different from 8084 for this authentication method on MX, refer to the Knowledge Base
or contact Imperva Technical Support.
To generate an MX certificate:
1. In the Main workspace, select Setup > Settings. Select SOM to MX Communication Settings. The SOM to MX
Communication Settings pane appears.
2. In the MX Certificate details section, click Replace Certificate. The Generate New MX Certificate dialog box
appears.
3. Click Click Here. The Upload Certificate dialog box appears.
4. If you have a valid certificate in the PFX format, do one of the following:
◦ Click Browse next to the PFX file box and type the password.
◦ If a certificate has been previously installed on the machine and you want to overwrite it, click Overwrite
Existing Certificate.
◦ Click Upload. The Upload dialog box appears with the status bar that presents the progress of the upload.
5. If you do not have a valid certificate, in the Generate New MX Certificate dialog box, set the period of time in
which the certificate is valid using the From/To options. The default for From is today. The default for To is a
year from today.
6. Click Generate. The Generate Certificate status bar appears, presenting the progress of the certificate
generation.
To export MX certificate:
1. In the Main workspace, select Setup > Settings. Select SOM to MX Communication Settings. The SOM to MX
Communication Settings pane appears.
2. In the MX Certificates Details section, click Export Certificate. The Export Certificate dialog box appears
presenting the export status bar.
3. Once the export process is completed, click Download Certificate to open/save the certificate file. Depending
on your browser settings, the certificate is downloaded either to a predefined folder or to the folder that you
specify.
4. Send the file to the SOM machine using your preferred file transfer method (use a thumb drive, shared drive or
network file copy).
1. In the Main workspace, select Setup > Settings. Select SOM to MX Communication Settings. The SOM to MX
Communication Settings pane appears.
2. In the SOM Certificates table, click Create New. The Upload Trusted Certificates dialog box appears.
3. In the Upload Trusted Certificates dialog box, click Browse and select the file to upload.
4. If you want the new certificate to overwrite an existing one, select Overwrite Existing Certificate.
5. Click Upload. The uploaded SOM certificate appears in the SOM Certificates table.
Certificates are valid for a restricted period of time. SecureSphere provides the following capabilities for dealing with
certificate expiration:
• A System Event is generated as the certificate is close to the expiration day. The event is generated on SOM
when the SOM certificate is about to reach its expiration, and on each MX as its own certificate is close to the
expiration day.
• A new certificate may be automatically generated when the existing one expires.
1. In the Main workspace, select Setup > Settings. Select SOM to MX Communication Settings. The SOM to MX
Communication Settings pane appears.
2. In the SOM to MX Communication Settings pane, set the items in the table SSL Certification Expiration
Settings below.
3. Click Save.
Parameter Description
Certificate Validity (read-only): Presents the validity that was defined when this certificate was created.
System Warning Before Certificate Validity Expires (In Days): Defines how many days before the certificate expires a
System Event will be generated.
All the MXs registered to SOM appear in the Registered MXs table on SOM. Removing an MX from SOM simply means
removing this MX from the Registered MXs table.
On MX you can see the SOM connection status in the Monitor > Dashboard, as follows:
• When MX is registered to SOM and they are connected, the SOM Status pane displays: Connected to SOM.
• When MX is removed from SOM using the Registered MX table option on SOM, the SOM Status pane does not
appear in the Dashboard on MX.
• When the communication between SOM and MX is lost, MX users can detach MX from SOM using the Disconnect
option that appears in the SOM Status pane in the Dashboard on MX.
1. On SOM, in the Main workspace, click Setup > Registered MXs. The Registered MXs window appears.
2. In the Registered MXs table, select the MX that you want to remove and click Remove.
You can also deploy an MX behind a NAT when the SOM isn't behind a NAT, or there is no SOM. For more information,
see Understanding MX Deployment Behind a NAT.
5. Register your MX machines to SOM. For more information, see Registering MXs.
• When you deploy an MX behind a NAT, you need to expose the following ports for the MX to be visible. These
ports are:
• 8083
• 8084
• It is recommended that you use a multi-NAT, since a regular NAT exposes only one IP address, and only one MX
can be behind it. However, a multi-NAT allows multiple IP addresses, enabling you to have many MXs
behind it.