Bandura Cyber - VMware Configuration
updated 24 September 2021
At Bandura Cyber, we pride ourselves on providing our customers a cost-effective means to make threat intelligence truly actionable, by blocking malicious traffic in real-time with no measurable impact to network performance. The majority of our customers leverage our on-premise devices, but for customers that are interested in protecting solely their VMware infrastructure, we also offer a VMware image that can be leveraged.
VMware Configuration Steps
The configuration steps outlined below can be used to properly configure a VMware image running the Bandura Cyber ThreatBlockr stack.
- Download the ISO file via the link that you received via email.
- Deploy the ISO image in VMware.
- The ThreatBlockr requires the following resources:
  - 8 CPU cores
  - 16 GB RAM
  - 200 GB hard drive
  - Three network interfaces (admin, inside, and outside)
  - Guest OS should be Ubuntu Linux (64-bit)
- Network Information
  - Network adapter 1 is the admin interface, adapter 2 is inside, and adapter 3 is outside.
  - Network Adapter Type should be set to VMXNET 3.
  - The admin interface will need to be connected in order to manage the device.
  - The inside and outside interfaces can be disconnected until it is ready to be put inline.
  - When you are ready to put it in line, Network adapter 2 (inside) is typically connected to a vSwitch that includes the ThreatBlockr's outside interface. Network adapter 3 (outside) is connected to a vSwitch that includes the internet router's interface. IMPORTANT: these two vSwitches or port groups will need to have Promiscuous Mode and Forged Transmits enabled to allow the ThreatBlockr to protect traffic flowing between the two networks.
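The following check is an added example, not part of Bandura Cyber's documentation. It reads port-group security policies exported from vSphere, confirms that the two inline port groups have Promiscuous Mode and Forged Transmits enabled, and reports any other port group where those relaxed settings are switched on. The port-group names and the JSON shape (keys modelled on the properties of PowerCLI's Get-SecurityPolicy output) are assumptions, and the sample data is constructed.

```python
import json

# Constructed sample: port-group security policies as they might be exported
# from vSphere. Key names mirror PowerCLI's Get-SecurityPolicy properties;
# the port-group names are hypothetical.
SAMPLE_EXPORT = """
[
  {"VirtualPortGroup": "TB-Inside",  "AllowPromiscuous": true,  "ForgedTransmits": true},
  {"VirtualPortGroup": "TB-Outside", "AllowPromiscuous": true,  "ForgedTransmits": false},
  {"VirtualPortGroup": "TB-Admin",   "AllowPromiscuous": false, "ForgedTransmits": false},
  {"VirtualPortGroup": "VM Network", "AllowPromiscuous": true,  "ForgedTransmits": false}
]
"""

REQUIRED = ("AllowPromiscuous", "ForgedTransmits")


def audit_portgroups(export_json, inline_groups):
    """Return a sorted list of (port_group, finding) tuples.

    inline_groups: names of the port groups carrying the inside and
    outside interfaces of the appliance.
    """
    policies = {p["VirtualPortGroup"]: p for p in json.loads(export_json)}
    findings = []
    for name in inline_groups:
        policy = policies.get(name)
        if policy is None:
            findings.append((name, "port group not found in export"))
            continue
        for setting in REQUIRED:
            if not policy.get(setting, False):
                findings.append((name, f"{setting} must be enabled for inline operation"))
    # Anywhere else, these settings let a guest observe or spoof other VMs'
    # frames, so report them for review rather than leaving them unnoticed.
    for name, policy in policies.items():
        if name in inline_groups:
            continue
        for setting in REQUIRED:
            if policy.get(setting, False):
                findings.append((name, f"{setting} enabled outside the inline path"))
    return sorted(findings)


if __name__ == "__main__":
    for group, finding in audit_portgroups(SAMPLE_EXPORT, ["TB-Inside", "TB-Outside"]):
        print(f"{group}: {finding}")
```

An empty result means both inline port groups are set as required and no other port group in the export has either setting enabled.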
Install ThreatBlockr 2.0 Recovery Console
- Power on the device. On the boot menu, select Recovery Console and press Enter.
- After the Recovery Console has booted, log in with the username 'root' and password 'redrum'. Press Enter to continue.
- To connect the admin interface to the internet, select Network Config.
- If DHCP is supported, select Start DHCP to obtain a new DHCP Lease.
- If DHCP isn't supported, select Configure Network to set a static IP. The static IP configuration requires 4 entries: IP Address for the ThreatBlockr, Netmask, Default Gateway IP, and DNS Server IP.
- (This step is only required if installing software for Build 76 or earlier; if installing a later build, skip to the next step.) In the menu, select Request License and enter the new Registration Code (provided by support) and Serial Number (provided by support). Press Enter to use the default support site URL.
- Next, in the menu select Reinstall software.
- After the software is installed, select Reboot.
- The device will now reboot into the standard ThreatBlockr 2.0 software with a default admin interface IP of 192.168.1.1/24. You can now change the IP address of the device either through the web UI (https://192.168.1.1, username 'admin', password 'admin') or through the console. See the instructions below for changing the admin interface IP through the console.
Changing the IP address through the console
- Log in with the username 'admin' and password 'bandura'.
- Select Network Menu and then Change admin interface settings.
- Select either DHCP or static IP and, if static IP, enter the interface settings.
Reconfigure ThreatBlockr settings
- In a browser window, navigate to the device login page at http://192.168.1.1 (or the readdressed IP set in the console using the steps above).
- Log in using username 'admin', password 'admin'.
- Read and accept the EULA terms by clicking Agree.
- Next, activate your ThreatBlockr by entering your GMC credentials, naming your device, and clicking the Submit button.
Note: For new customers, you should have received an email notifying you that your GMC account had been created, allowing you to confirm and create your password. If you did not receive the email, or you received a message that the link had expired by the time you clicked to create your password, you can go to https://gmc.banduracyber.com and use the Forgot Password workflow to create your password.
- Upon login, you may see a warning banner at the top of the page saying that the ThreatBlockr has lost contact with the GMC. Click on the "Fix" button, and then click "Fix" again in the modal to resolve the GMC hostname.
- You will be prompted to set a valid DNS server. Enter your DNS server IP(s) in the provided fields and press "Save" to complete.
- To change your admin password, click on the profile icon in the top right corner and select Your Profile. Enter a new password and enter it again to confirm. Click Save to submit your changes.
- Next, select "Settings" in the left menu and choose "Date & Time". Click the NTP Servers tab and click on the green + icon to add your NTP server. If you do not have one, we recommend using time.google.com. Click the Create button to add the NTP server.
- Check the system logs by selecting Logging in the left menu, followed by Internal Logs. Here you should see the device connecting to GMC with status 200. It may take a few minutes for the banner to go away; you can also try refreshing the page.
- If the banner does not go away, or you see many critical errors in the logs, please reach out to our team by email at email@example.com for assistance.
- By clicking on Settings in the left menu and choosing General, you can review and update the general settings for the device, including the hostname, lockout time/attempts, and password and session settings.
- You may also add additional user accounts, if you wish, by selecting System in the left menu and choosing Users.
- Finally, you will need to reconfigure your external syslog configuration by selecting Logging in the left menu and choosing External Syslog.
Assigning your subscription to your ThreatBlockr appliance
In order to ensure your ThreatBlockr appliance can connect to and sync with the GMC, you will need to assign your subscription to the asset. To do this, follow these steps:
- Log into GMC at https://gmc.banduracyber.com.
- Click on Subscriptions in the left menu.
- On the Subscriptions page, you will see your Threatblock software subscription on the left side of the page, and your ThreatBlockr virtual appliance on the right side of the page.
- Simply click on the subscription in the left column and drag the subscription across to the asset and release.
- Click on the Save button to complete the assignment.
Confirming the ThreatBlockr Configuration
- To confirm that your device is correctly configured and connecting to the internet, click on Assets in the left menu within GMC.
- From here, you should see your newly configured ThreatBlockr appliance with a recent last connection time. The connection from the appliance to the GMC is refreshed once per minute.
Updating the device software in the GMC
- In most cases, your ThreatBlockr device will be deployed with the latest version of the 2.0 software. If there is a newer build available, you will see a green number next to the Available Software button on the Assets page.
- Click on the Available Software button to update your software to the latest version of the ThreatBlockr 2.0 software. You may update the software right away, or schedule the update for a later time (though we strongly recommend updating the software now). Your device will reboot during the update process; however, the process itself is fully automated. All of your future software updates will be done in this same manner.
- Your installation is now complete. You can find the ThreatBlockr 2.0 manual on our help site. Refer to the manual for any questions. Please visit https://www.banduracyber.com/support/ or contact our support team for any further assistance needed.