Algosec Security Management Suite: Installation and Setup Guide


AlgoSec Security Management Suite
Software Version: A30.00

Installation and Setup Guide

View our most recent updates in our online ASMS Tech Docs.

Document Release Date: 1 April, 2020 | Software Release Date: August 2019

Legal Notices
Copyright © 2003-2019 AlgoSec Systems Ltd. All rights reserved.

AlgoSec, FireFlow, and BusinessFlow are registered trademarks of AlgoSec Systems Ltd. and/or its affiliates
in the U.S. and certain other countries.

Check Point, the Check Point logo, ClusterXL, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer,
INSPECT, INSPECT XL, OPSEC, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge,
SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-
1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker,
UserAuthority, VPN-1, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1
SecureServer, VPN-1 VSX, VPN-1 XL, are trademarks or registered trademarks of Check Point Software
Technologies Ltd. or its affiliates.

Cisco, the Cisco Logo, Cisco IOS, IOS, PIX, and ACI are trademarks or registered trademarks of Cisco
Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of
Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of
Juniper Networks, Inc.

All other product names mentioned herein are trademarks or registered trademarks of their respective
owners.

Specifications subject to change without notice.

Proprietary & Confidential Information


This document contains proprietary information. Neither this document nor said proprietary information shall
be published, reproduced, copied, disclosed, or used for any purpose other than the review and
consideration of this material without written approval from AlgoSec, 65 Challenger Rd., Suite 310,
Ridgefield Park, NJ 07660 USA.

The software contains proprietary information of AlgoSec; it is provided under a license agreement
containing restrictions on use and disclosure and is also protected by copyright law.

Due to continued product development this information may change without notice. The information and
intellectual property contained herein is confidential between AlgoSec and the client and remains the
exclusive property of AlgoSec. If you find any problems in the documentation, please report them to us in
writing. AlgoSec does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise without the prior written
permission of AlgoSec Systems Ltd.

Security Management Suite (A30.00) Page 2 of 121



Contents
Introduction 7
ASMS products 7
Server installation options 8
ASMS deployment checklist 10
Infrastructure and analytics 10
AlgoSec Firewall Analyzer deployment tasks 11
Network visibility and awareness 12
Intelligent policy change automation 12
Application discovery and management 13
System requirements 13
Hardware minimum requirements 13
Software requirements 15
Networking requirements and recommendations 15
Capacity planning for AFA 18
Sample assumptions 18
Example 1 - Daily analysis of 4 devices, stored one year back 18
Example 2 - Bi-weekly analysis of 50 devices, stored three months back 18
Larger installations with hundreds of devices 19
Prepare an AlgoSec hardware appliance 19
Shipping carton contents 20
Device name mapping 21
Generation 9 technical specifications and elements 21
Generation 10 technical specifications and elements 23
ASMS system security 25
Additional hardening procedures 25
Connecting securely to the AFA server 26
Connecting securely from the AFA server 26
Download ASMS software packages 27
Required software packages per deployment 28
FIPS 140-2 compliance 29


Deploy standalone appliances 30


Deploy clusters and distributed architectures 32
Deploy clusters and distributed architecture nodes 32
Deploy ASMS on the cloud 35
Deploy ASMS on AWS 35
Deploy ASMS on Microsoft Azure 36
Configure ASMS machines 45
Connect to the Administration Interface 45
Perform basic configurations 47
Configure NAS storage 48
Deconfigure NAS storage 51
Test machine installation and configuration 52
Manage clusters 53
Cluster roles and modes 53
High availability clusters 54
Disaster recovery clusters 55
Build a cluster 55
Verify cluster connectivity 56
HA clusters only: Add a second interface 56
Build an ASMS HA or DR cluster 58
Configure HA/DR parameters 60
Break a cluster 61
Switch appliance roles 63
Troubleshoot HA/DR clusters 64
DR clusters: primary appliance failed 64
DR clusters: secondary appliance failed 64
Split-brain situations 65
Current synchronization operation canceled 65
Manage nodes automatically removed from clusters 65
Forcibly remove a node from a cluster 66
Collect logs for AlgoSec technical support 67


Set up the ASMS environment 68


Define the first ASMS Administrator 68
Run the FireFlow setup program 71
Additional optional configurations 72
Configure a distributed architecture 74
Configure load distribution 74
Configure geographic distribution 75
Enabling distributed processing 76
Add or edit Load Slaves 77
Add or edit Remote Agents 79
Delete Load Slaves or Remote Agents 82
Disable distributed processes 83
Basic sanity checks 84
ASMS basic functionality 84
Test basic ASMS processes 85
Test basic AFA functionality 86
Test basic FireFlow functionality 88
Test basic BusinessFlow functionality 88
Populate your environment 90
Upgrade ASMS 91
Licensing during upgrade 91
Enabling new features after upgrade 91
Upgrade prerequisites 91
Mandatory upgrade prerequisites 91
Minimum version required for upgrades 92
Downtime requirements for upgrades 92
Disk space requirements for upgrades 93
NAS storage requirements for upgrades with HA/DR clusters (2018.1 only) 93
Recommended upgrade pre-requisites 93
Backup your system before upgrading 93
CPU and RAM recommendations for upgrades 94


VisualFlow recommendations for upgrades 94


HA cluster recommendations for upgrades 94
Service recommendations for upgrades 94
Upgrade your system 94
Perform an automated ASMS upgrade 95
Troubleshoot your automated upgrade 98
General system maintenance 99
Reboot the appliance 99
Reset the appliance to factory defaults 100
Contact AlgoSec technical support 101
Backup and restore 102
Backup and restore prerequisites 102
Access backup and restore from FireFlow or BusinessFlow 102
ASMS licensing 104
Obtain a license 104
Online license requirements 105
Install a license 106
HA/DR clusters 108
License usage 109
Virtual router licensing 110
Public cloud licensing 110
View license usage statistics 110
Update licenses 112
Logins and other basics 114
Supported browsers 114
Log in to ASMS 114
Customize your landing page 117
View ASMS product details 118
Log out of ASMS 119
Send us feedback 121


Introduction
This guide describes how to deploy the AlgoSec Security Management Suite (ASMS),
upgrade to new versions, or reconfigure deployment options on existing environments.

This section includes:

- ASMS products
- Server installation options

ASMS products
ASMS installations can include the following products, depending on your license:

AlgoSec Firewall Analyzer (AFA): Analyze security devices across your network, including both on-premises and cloud devices.

FireFlow: Manage your network security life cycles on devices managed by AFA.

BusinessFlow: Manage application-centric security policy management tasks on devices managed by AFA. BusinessFlow is powered by FireFlow.

An ASMS environment can use AFA alone, AFA with FireFlow, or AFA with both
FireFlow and BusinessFlow. Each product in use must be enabled on the ASMS
license.

AlgoSec also provides the following additional software for use with ASMS:

AlgoSec BusinessFlow AutoDiscovery: Installed on top of AlgoSec BusinessFlow, AutoDiscovery enables you to import business services as BusinessFlow applications.

AlgoSec AlgoBot: Provides quick access to core ASMS functionality and data from the comfort of your existing chat platforms, including desktop, web, and mobile options. For more details, see AlgoBot: The First Intelligent Chatbot for Network Security Policy Management.


Server installation options

ASMS products can be deployed using the following server installation options:

AlgoSec Hardware Appliances: AlgoSec can provide you with hardware appliances that are pre-installed with AlgoSec software. No software installations are required for the initial setup, although you may need to perform upgrades for new versions. For details, see Deploy standalone appliances.

Virtual Appliances: AlgoSec can provide you with a pre-installed VM image for you to deploy on your own system. No software installations are required for the initial setup, although you may need to perform upgrades for new versions. For details, see Deploy standalone appliances.

Cloud deployments: Deploy ASMS on Amazon AWS or Microsoft Azure to manage your devices from the cloud. For details, see Deploy ASMS on the cloud.

Advanced options
Advanced server configuration options include:

- High Availability / Disaster Recovery (HA/DR) clusters
  Prevent data loss or downtime using cluster environments.

- Distributed architectures
  AlgoSec supports the following distributed architecture options:

  Geographic distribution: Manage devices across multiple geographic locations using Remote Agents that are managed by a Central Manager AlgoSec appliance. Geographic distributions enhance both performance and security because you only need one connection to manage firewalls in multiple locations.

  Load distribution: Increase computing power with slave machines that are managed by a master AlgoSec appliance. In this configuration, all slaves must be in the same geographical location as the master appliance.

For more details, see Deploy clusters and distributed architectures.


ASMS deployment checklist


If you are deploying a full ASMS system out-of-the box, use the following list to prepare
for deployment and ensure that you've configured your system as recommended.

For more details, see also Download ASMS software packages and ASMS system
security.

For details not included in this guide, see the online ASMS Tech Docs.

Infrastructure and analytics


Deploy ASMS infrastructure

AlgoSec architecture recommendation review: Work with AlgoSec to understand our architecture recommendations for your needs.

Infrastructure component provisioning: Ensure that your hardware or virtual components meet our system requirements. For details, see System requirements and Capacity planning for AFA.

Standalone appliances: Deploy your pre-installed, standalone VMware virtual appliance or AlgoSec hardware appliance. For details, see Deploy standalone appliances.

High-availability / Disaster recovery configuration, and Load distribution / remote distribution configuration: Set up your environment, including high availability or disaster recovery clusters, as well as load or geographic distribution. For details, see:
- Deploy clusters and distributed architectures
- Manage clusters
- Configure a distributed architecture


AlgoSec Firewall Analyzer deployment tasks


Licensing application: Install your license. For details, see:
- Obtain a license
- Install a license

Networking estate provisioning: Populate AFA with your devices.

Environment visibility and accuracy validation: View your network map in AFA and confirm that it displays as expected.

Authentication and authorization configuration: Define how AFA handles user authentication and authorization.
Best practice: Whenever possible, leverage LDAP/LDAPS for authentication. This enables all ASMS users to log in easily, including change requestors, application owners, auditors, and so on. Configuring LDAP/LDAPS for ASMS also enables auto-provisioning, which means that users are automatically created and assigned to their appropriate roles based on their LDAP group membership, without any additional configuration.

User and role configuration: Define AFA users and their roles.

Outbound mail integration configuration: Configure AFA to send email notifications.

Storage and retention configuration: Configure AFA settings for data storage.

Infrastructure component monitoring: Configure monitoring systems for each ASMS product.
Best practice: Deploy WatchDog monitoring to provide the broadest and most up-to-date set of system parameters to be monitored. Direct WatchDog syslog messages to your enterprise NOC.

Schedule AFA analysis: Configure AFA settings for scheduled analysis jobs.

Network visibility and awareness

Build your ASMS network topology

Sanity end-to-end traffic simulation: Run an end-to-end traffic simulation query to ensure that the data presents as expected.

Network topology modeling & adjustment: After viewing default reports and query results, you may want to adjust the way AFA displays your data.

Intelligent policy change automation

Deploy AlgoSec FireFlow

FireFlow initial setup: FireFlow templates and workflows are fully configurable. We recommend using the default configuration to get started, and then customizing FireFlow as needed.

FireFlow sanity-check request: Create a sample change request and push it through the entire workflow to test each step in the process.

Application discovery and management

Deploy AlgoSec BusinessFlow

BusinessFlow initial setup: Set up BusinessFlow to view your network details from a business perspective.

BusinessFlow sanity-check application: View data for your application from BusinessFlow to test each feature.

AlgoSec AutoDiscovery deployment tasks: Install and configure AutoDiscovery so that BusinessFlow can automatically detect your flows and applications.

System requirements
ASMS's system requirements include the following:

- Hardware minimum requirements
- Software requirements
- Networking requirements and recommendations

Note: ASMS performance on VMs depends on the other, non-AlgoSec machines
residing on the same VMware platform. To ensure performance, we recommend
working with dedicated resources.

Hardware minimum requirements

We recommend that ASMS deployments meet or exceed the following minimum
hardware requirements.

These requirements apply for both active and standby nodes, and on standalone
systems, Central Managers, and geographic or load distribution agents.

Hardware   Required
CPU        4 cores
Memory     16 GB
Storage    300 GB
Network    For details, see Bandwidth requirements for distributed environments

Note: These minimum requirements suffice for initial demo and testing environments,
such as for up to 50 simple devices. For details about final sizing calculations for
production environments, contact your AlgoSec partner or sales engineer.

Differences per environment configuration

Hardware requirements will differ, depending on your environment configuration and
type. Main differences and considerations include:

NAS storage: If you configure AFA to store all reports on a remote NAS server, this will impact where the storage space is needed. For details, see Configure NAS storage.

HA/DR clusters: Each node in an HA/DR cluster must be identical, including the same type of installation (AlgoSec hardware or VM appliance), and have the same amount of disk space. For details, see Manage clusters.

Distributed architecture: In distributed architecture environments, consider the requirements for the central manager/master and each remote agent (geographic distribution) or slave (load distribution). Slaves and remote agents do not store reports. For details, see Configure a distributed architecture.

AWS deployments: If you are deploying on AWS, we recommend:
- Ensuring that your machine is compatible with CentOS6. We recommend machines from the Amazon EC2 General Purpose M4 family.
- Ensuring that your AWS instance includes high performance storage, such as SSD disks.
For more details, see the AWS Documentation.

Software requirements
ASMS requires the following software, depending on your deployment method:

AlgoSec hardware appliances: AlgoSec hardware appliances come pre-installed with all required software. No additional software is needed.

Virtual appliances: ASMS can be deployed on virtual machines that use VMWare ESX versions 5.5 and higher. For more details, see the Support page on the AlgoSec portal.

Networking requirements and recommendations


This section includes the following data:

- System requirements
- Required port connections
- Bandwidth requirements for distributed environments
- Email and device connectivity requirements
- AFA server DNS name / IP address recommendations
- Security certificate recommendations

For more details, see Manage clusters and Configure a distributed architecture.


Required port connections

Deploying ASMS requires the following port connectivity between nodes:

Type                        Port        Central Manager   Central Manager    Slave <>   HA/DR
                                        <> Slave          <> Remote Agent    Slave
ICMP                        -           ✔                 ✔                  ✖          ✔
SSH                         TCP/22      ✔                 ✔                  ✖          ✔
HTTPS                       TCP/443     ✔                 ✔                  ✖          ✔
syslog                      UDP/514     ✖                 ✖                  ✖          ✔
hazelcast                   TCP/5701    ✔                 ✖                  ✔          ✔
activemq                    TCP/61616   ✔                 ✖                  ✖          ✔
postgresql                  TCP/5432    ✔                 ✖                  ✖          ✔
postgresql additional port  TCP/5433    ✖                 ✖                  ✖          ✔
HA/DR                       TCP/9595    ✖                 ✖                  ✖          ✔
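As an added illustration (not AlgoSec code), the following script transcribes the port table above into a small matrix and probes, from one node, the TCP ports its peer must expose for a given link type, so a cluster or distribution build can be checked before the nodes are joined. The link names (cm-slave, cm-remote-agent, slave-slave, ha-dr), the loopback listener and the closed-port helper are this example's own; ICMP and UDP/514 are not probed, because a plain TCP connect says nothing about them.

```python
"""Added example, not AlgoSec code: verify from one ASMS node that the TCP ports
the port table requires for a given link type are reachable on its peer.

Assumptions: link names and ports are transcribed from the table above; only TCP
ports are probed with a plain connect (ICMP and UDP/514 need other tooling).
"""
import socket
import threading

# Transcribed from the port table: (service, protocol, port, links on which it must be open)
PORT_MATRIX = [
    ("ICMP", "icmp", None, {"cm-slave", "cm-remote-agent", "ha-dr"}),
    ("SSH", "tcp", 22, {"cm-slave", "cm-remote-agent", "ha-dr"}),
    ("HTTPS", "tcp", 443, {"cm-slave", "cm-remote-agent", "ha-dr"}),
    ("syslog", "udp", 514, {"ha-dr"}),
    ("hazelcast", "tcp", 5701, {"cm-slave", "slave-slave", "ha-dr"}),
    ("activemq", "tcp", 61616, {"cm-slave", "ha-dr"}),
    ("postgresql", "tcp", 5432, {"cm-slave", "ha-dr"}),
    ("postgresql additional port", "tcp", 5433, {"ha-dr"}),
    ("HA/DR", "tcp", 9595, {"ha-dr"}),
]


def required_tcp_ports(link):
    """TCP (service, port) pairs the table requires for a link type such as 'ha-dr'."""
    return sorted(((svc, port) for svc, proto, port, links in PORT_MATRIX
                   if proto == "tcp" and link in links), key=lambda x: x[1])


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_link(host, link, port_map=None, timeout=2.0):
    """Probe every required TCP port for `link` on `host`.

    port_map optionally redirects a table port to another port number, which
    lets the check run against a local listener instead of a real peer.
    """
    port_map = port_map or {}
    return {(svc, port): tcp_open(host, port_map.get(port, port), timeout)
            for svc, port in required_tcp_ports(link)}


def blocked(results):
    """The (service, port) pairs that failed, i.e. what still has to be opened."""
    return sorted(key for key, ok in results.items() if not ok)


def local_listener():
    """Loopback TCP listener used to exercise the check offline; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port():
    """A loopback port that is currently not listening (bound, then released)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    peer, link = sys.argv[1], sys.argv[2]      # e.g. 10.0.0.2 ha-dr (constructed)
    for key in blocked(check_link(peer, link)):
        print("BLOCKED:", key)
```

Run it on each node towards its peer (`python3 check_ports.py <peer-ip> ha-dr`); an empty result means every TCP port the table requires for that link answered. A port that is reachable in one direction only still shows up, because HA/DR and load distribution links are checked from both ends.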

Bandwidth requirements for distributed environments


Distributed environments must work with the following minimum bandwidths between
nodes:

Central Manager and load distribution agents          1 Gb/s
Between High Availability nodes                        1 Gb/s
Central Manager and geographic distribution agents    100 Mb/s
Between Disaster Recovery nodes                        100 Mb/s

Tip: The faster your network speed, the faster your clusters will be completely
synched.

Email and device connectivity requirements


Enable the following connectivity for AFA and FireFlow:

Email address: Define an e-mail address to be used by AFA and FireFlow, such as fireflow@mycorp.com, on a mail server that supports SMTP and POP3/IMAP4. Alternatively, emails can be forwarded to AFA and FireFlow as an MTA (message transfer agent).

Email access: Enable access from AFA and FireFlow to the mail server via SMTP and POP3/IMAP4.

Device access: Enable access from the Central Manager, any high availability standby nodes, and Remote Agents to devices via SSH, OPSEC, REST, or SNMP (as needed).

This connectivity configuration includes configuring the necessary passwords for
FireFlow.

AFA server DNS name / IP address recommendations


The AFA server must have a fixed DNS name or IP address that can be used to access
the AFA user interface.

We recommend that you do not configure the server to obtain an IP address
automatically or to use DHCP.

Security certificate recommendations

To prevent warnings from appearing about security certificates, install a certificate
signed by a CA instead of a self-signed certificate.

For more details, see the CentOS documentation.

Note: AlgoSec recommends using a 2048-bit certificate instead of the 1024-bit
certificate recommended by the CentOS documentation.

See also:

- The AlgoSec AutoDiscovery User Guide


Capacity planning for AFA


The storage capacity required for your ASMS deployment depends on log and
report size, and retention time. To determine your storage needs, request the AlgoSec
Appliances Sizing document from AlgoSec support.

The following examples may help you to determine the storage capacity you require.

Sample assumptions
The examples in this section assume an average report size of 75 MB, which is a typical
report size in an enterprise environment.

However, in cases of extremely large devices, report size can reach hundreds of MB.
Reports for specific device brands, such as Check Point, are generally larger than 75
MB.

To plan your capacity correctly, we recommend analyzing your largest device.

Example 1 - Daily analysis of 4 devices, stored one year back


This example covers 4 devices, whose policies change daily. We configure AFA to
perform analysis daily, and we want to store reports for the past year.

In this situation, AFA reports will consume 75 MB x 4 = 300 MB per day. 7 x 4 x 75 = 2.1
GB per week.

Over the course of a year, we will need 2.1 GB x 52 = 109 GB.

If the analysis time is 10-30 minutes per device, with a 20 minute average, the daily
analysis will typically run for 1 hour and 20 minutes.

Example 2 - Bi-weekly analysis of 50 devices, stored three months back

This example covers 50 devices, whose policies change twice a week, on average.

In this case, we'd set AFA to analyze upon install, and configure the system to delete
reports that are older than 3 months old, keeping a single report for each of the previous
periods.


AFA will generate about 2 x 13 reports in a 3-month period, plus three representative
reports from each previous quarter. This results in about 30 reports, per device, per year.

The calculation for the required disk space is: 50 x 75 MB per report x 30 reports = 112
GB for the entire year.

If the analysis time is 10-30 minutes per device, with a 20 minute average, the total
analysis calculation is:

(20 min. x 50 devices x 2)/7 = about 5 hours

To avoid analysis batches that overlap in time, ensure that AFA has enough time to run
the full analysis. Since we have a 5-hour analysis, we'll schedule the next analysis to
run at least 7 hours after the start of the previous one.
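The arithmetic behind both examples above, as an added worked example (not AlgoSec code) generalized to any device count, report count, report size and analysis frequency. It keeps the guide's figures of a 75 MB average report and a 20 minute average analysis time, uses decimal units (1 GB = 1000 MB, which is how the guide gets 2.1 GB from 2100 MB), and the 2-hour scheduling margin is an assumption chosen because it reproduces the guide's "7 hours after a 5-hour analysis".

```python
"""Added example, not AlgoSec code: the capacity arithmetic from the two
examples above, generalized so it can be re-run for other device counts,
report sizes, retention and analysis frequencies.

Assumptions: 75 MB average report and a 20 minute average analysis time per
device, as in the guide; decimal units (1 GB = 1000 MB); a 2 h scheduling
margin (this example's choice, matching the guide's 5 h -> 7 h case).
"""
import math

MB_PER_GB = 1000


def storage_gb(devices, reports_per_device, report_mb=75):
    """Disk needed to keep reports_per_device reports for each device."""
    return devices * reports_per_device * report_mb / MB_PER_GB


def daily_analysis_storage(devices, report_mb=75):
    """Example 1 pattern: one report per device per day, kept for a year.
    Returns (MB per day, GB per week, GB per year)."""
    per_day_mb = devices * report_mb
    per_week_gb = 7 * per_day_mb / MB_PER_GB
    return per_day_mb, per_week_gb, per_week_gb * 52


def analysis_minutes_per_day(devices, runs_per_device_per_week, avg_minutes=20):
    """Sequential analysis time per day when the runs are spread over a week."""
    return avg_minutes * devices * runs_per_device_per_week / 7


def min_schedule_interval_hours(analysis_minutes, margin_hours=2):
    """Earliest start of the next batch after the previous one began, so that
    batches never overlap: the whole-hour analysis window plus a margin."""
    return math.ceil(analysis_minutes / 60) + margin_hours


def plan(devices, runs_per_device_per_week, reports_per_device, report_mb=75):
    """One-shot summary for a proposed deployment."""
    minutes = analysis_minutes_per_day(devices, runs_per_device_per_week)
    return {
        "storage_gb_per_year": round(storage_gb(devices, reports_per_device, report_mb), 1),
        "analysis_hours_per_day": round(minutes / 60, 2),
        "min_interval_hours": min_schedule_interval_hours(minutes),
    }


if __name__ == "__main__":
    print("Example 1:", daily_analysis_storage(4), plan(4, 7, 364))
    print("Example 2:", plan(50, 2, 30))
    # Size on the largest device, not the average: a 300 MB report quadruples the estimate.
    print("Large-report estate:", plan(50, 2, 30, report_mb=300))
```

The last call in the usage shows why the guide tells you to analyze your largest device first: the storage estimate scales linearly with report size, so an estate dominated by one large vendor's reports needs the larger figure, not the 75 MB average.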

Larger installations with hundreds of devices


If you are implementing AFA on a system with hundreds of devices, contact your
AlgoSec sales representative or technical support to assist in planning your capacity.

Prepare an AlgoSec hardware appliance


This section describes how to prepare an AlgoSec hardware appliance before
continuing with your deployment.

Do the following:

1. Review the contents of the shipping carton, technical specifications, and
   appliance elements. For details, see:

   - Shipping carton contents
   - Device name mapping
   - Generation 9 technical specifications and elements
   - Generation 10 technical specifications and elements

2. Mount the appliance on the rack, with the AlgoSec logo facing front.

3. Connect one end of the power cable supplied to the power jack on the appliance's
   rear panel. Plug the other end into an electrical outlet.

4. Do one of the following:

   Configure the appliance directly (Recommended): Do the following:
   a. Use a VGA cable to connect a monitor to the video port on the appliance's rear panel.
   b. Connect a keyboard to one of the USB ports on the appliance's front or rear panel.

   Configure the appliance via iLO: Do the following:
   a. Connect one end of the network cable supplied to the iLO port on the appliance's rear panel.
   b. Connect the other end of the cable to a network port.

5. Remove the bezel from the front panel, and press the Power On button.

Shipping carton contents


Each AlgoSec hardware appliance comes in a shipping container with the following
items:

A Hardware appliance: One of the following AlgoSec hardware appliances:
- Generation 9 (model 2062, 2162, or 2322)
- Generation 10 (model 2063, 2203, or 2403)

Two power cables: Only one power cable is needed for 2062 appliances.

Two network cables: Only one network cable is needed for 2062 appliances.

License: For all models except the 2062 appliance, a Hewlett Packard Enterprise (HPE) iLO license.

Note: iLO provides additional features for controlling and maintaining the appliance.
For 2062 appliances, you may want to contact HPE to acquire an iLO license. For
more details, see the HPE iLO documentation.


Device name mapping


For all appliances, the names of physical devices start with 1. Corresponding OS names
start with 0.

For example, a physical device might be named NIC1. The OS would be ETH0.

Generation 9 technical specifications and elements


This section includes:

- Generation 9 technical specifications
- Generation 9 2062, 2162, and 2322 front panel elements
- Generation 9 2162, and 2322 rear panel elements

Generation 9 technical specifications

                       2062                      2162                       2322
Dimensions (HxDxW)     429x434.6x607.6 mm        432x434.7x698.5 mm         432x434.7x698.5 mm
Weight (maximum)       17 kg                     15.3 kg                    15.3 kg
Form Factor            1U rack-mount             1U rack-mount              1U rack-mount
Voltage                110/240V                  110/240V                   110/240V
Power Supply           550W PSU                  500W PSU redundant         800W PSU redundant
CPU                    1 x Intel Xeon E52603,    2 x Intel Xeon E52630v3,   2 x Intel Xeon E52698v3,
                       6 cores, 1.6GHz           16 cores, 2.6GHz           32 cores, 2.3GHz
Memory                 16GB                      64GB                       128GB
Hardware Manufacturer  HPE                       HPE                        HPE


Generation 9 2062, 2162, and 2322 front panel elements

- Power On/Standby button with a LED whose state indicates the appliance's power status:
  - Flashing. The appliance is initializing.
  - On. The appliance is on.
  - Off. The appliance is off.
- A LED whose state indicates the appliance's hard disk status:
  - Flashing. The hard disk is in use.
  - Off. The hard disk is not in use.
- Video connector.
- USB ports.
- UID: Unit ID button (activates Unit ID LED on the rear panel).
- Health LED.
- NIC activity LED.

Generation 9 2162, and 2322 rear panel elements

- Power jack: Two power jacks for supplying power to the appliance (that is, redundant PSUs).
- ETH2, ETH3, ETH4: Ethernet ports. When a HA cluster is configured, one port can be used to connect the source and target appliances.
- Four USB ports.
- Serial connector (inactive).
- Video connector.
- iLO: iLO/NIC connector.
- UID: Unit ID LED (activated by Unit ID button on the front panel).

Generation 10 technical specifications and elements


This section includes:

- Generation 10 technical specifications
- Generation 10 front panel elements
- Generation 10 rear panel elements

Generation 10 technical specifications

                       2063                         2203                         2403
Dimensions (HxDxW)     4.29 x 43.46 x 70.7 cm       4.29 x 43.46 x 70.7 cm       4.29 x 43.46 x 70.7 cm
                       (1.69 x 17.11 x 27.83 in)    (1.69 x 17.11 x 27.83 in)    (1.69 x 17.11 x 27.83 in)
Weight (maximum)       8 SFF 16.27 kg (35.86 lb)    8 SFF 16.27 kg (35.86 lb)    8 SFF 16.27 kg (35.86 lb)
Chassis                HP Rack Mount Consoles       HP Rack Mount Consoles       HP Rack Mount Consoles
Storage                2 x 1200GB                   5 x 1200GB                   8 x 1200GB
Power Supply           500W PSU redundant           500W PSU redundant           800W PSU redundant
CPU                    6 cores: Intel Xeon          20 cores: Intel Xeon         40 cores: Intel Xeon
                       Bronze 3104                  Silver 4114                  Gold 6138
Memory                 16GB                         64GB                         128GB
Hardware Manufacturer  HPE                          HPE                          HPE


Generation 10 front panel elements

- Power On/Standby button with a LED whose state indicates the appliance's power status:
  - Flashing. The appliance is initializing.
  - On. The appliance is on.
  - Off. The appliance is off.
- A LED whose state indicates the appliance's hard disk status:
  - Flashing. The hard disk is in use.
  - Off. The hard disk is not in use.
- Video connector.
- USB ports.
- UID: Unit ID button (activates Unit ID LED on the rear panel).
- Health LED.
- iLO: iLO/NIC connector.
- NIC activity LED.

Generation 10 rear panel elements

- Power jack: Two power jacks for supplying power to the appliance (that is, redundant PSUs).
- ETH2, ETH3, ETH4: Ethernet ports. When a HA cluster is configured, one port can be used to connect the Active and Standby appliances.
- Four USB ports.
- Serial connector (inactive).
- Video connector.
- UID: Unit ID LED (activated by Unit ID button on the front panel).

ASMS system security


AlgoSec products are released after a careful hardening procedure, which is also
updated periodically as needed per industry standards.

We use standard vulnerability scanners, customer feedback, as well as our own security
expertise to create, run, and make updates to this hardening procedure.

To ensure maximum security, make sure to routinely install any security patches
released by AlgoSec. These security patches may include updates for AlgoSec Firewall
Analyzer, FireFlow, BusinessFlow, as well as appliance package updates.

Additional hardening procedures

You may wish to do additional hardening by doing the following:

- Place the AFA server in a special zone behind one of your devices.
- Write very restricted policy rules to control access to the AFA server.
- Install valid certificates properly signed by a certificate authority, replacing the pre-installed, self-signed certificates that are provided by default on AlgoSec web servers.
  For more details, see How to Install and Generate an SSL key and Certificate Signing Request (CSR) KB article on AlgoPedia.

When configuring external firewalls for your ASMS system, see the following sections:

- Connecting securely to the AFA server
- Connecting securely from the AFA server

Warning: If you want to perform additional hardening on your AlgoSec system,
contact AlgoSec professional services.

Performing hardening procedures on your own may render your AlgoSec system
inoperable and void your support contract.

Connecting securely to the AFA server


We recommend limiting inbound connectivity from other computers to the AFA server.
Your team's computers must be able to browse the AFA reports via the internal Apache
Web server, which is configured to serve pages using SSL (HTTPS) and listen on port
TCP/443.

The TCP/80 port can be closed.

Connecting securely from the AFA server


Part of hardening a Linux server involves filtering network traffic to and from the server.
When doing so, you must ensure that the communication ports used by AFA remain
open.

AFA sends the following outgoing requests, which require no open, listening ports:

Request Description

Outbound HTTPS requests: AFA issues outbound HTTPS requests (TCP/443) only to activate licenses. These requests are sent to https://portal.algosec.com/en/support/support_home. Ensure that this traffic is not blocked, and that your outbound Web proxies do not manipulate or sanitize it.

DNS queries: AFA may need to issue DNS queries to the local DNS server (UDP/53).

SMTP communication: AFA sends email notifications if configured to do so. When configured, AFA must be able to communicate with your local mail server via SMTP (TCP/25).

POP mail retrieval: Email retrieval via "fetchmail" over POP3 must be accessible, if configured (TCP/110).

SSH device communication: If you want to enable remote access to the AFA server, we recommend using SSH. Ensure that port TCP/22 is accessible.

Authentication: LDAP authentication must be open, if relevant (TCP/389 or TCP/636). RADIUS authentication must be open, if relevant (UDP/1812).

Backup saves: AlgoSec automatic backup must be open, if relevant: FTP (TCP/21) or SFTP (TCP/22).

Syslog messages: Communication must be open to send Syslog messages to a Syslog server, if AFA is configured to do so.

Note: AFA will send additional requests via interfaces that differ depending on your
device types.
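The following script, an added example that is not part of the AlgoSec guide, checks both directions described above from an operator workstation: that the AFA server answers on TCP/443 with a CA-signed certificate and does not expose TCP/80, and that the outbound TCP services from the table (HTTPS to the AlgoSec portal, SMTP, LDAP) are reachable. Every host name except portal.algosec.com is a constructed placeholder, and the probe functions are injectable so the logic can be exercised without a network.

```python
"""Connectivity and exposure check for an AFA server (added example).

Runs from an operator workstation, not on the appliance: it only opens
client connections and changes nothing. Every host name except
portal.algosec.com is a constructed placeholder.
"""
import socket
import ssl
from typing import Callable, List, Tuple

# Outcomes of the TLS probe against TCP/443.
TLS_TRUSTED = "trusted"      # handshake verified against the system CA store
TLS_UNTRUSTED = "untrusted"  # a certificate was served but is not CA-signed
TLS_CLOSED = "closed"        # nothing reachable on the port


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Attempt a fully verified TLS handshake, as a browser would."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return TLS_TRUSTED
    except ssl.SSLCertVerificationError:
        # The pre-installed self-signed certificate ends up here.
        return TLS_UNTRUSTED
    except OSError:
        return TLS_CLOSED


def probe_tcp(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a plain TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_inbound(host: str,
                  tls_probe: Callable[..., str] = probe_tls,
                  tcp_probe: Callable[..., bool] = probe_tcp) -> List[str]:
    """Inbound side: TCP/443 must answer with a CA-signed certificate;
    TCP/80 is not needed and can be closed."""
    findings: List[str] = []
    tls = tls_probe(host, 443)
    if tls == TLS_CLOSED:
        findings.append("TCP/443 unreachable: reports cannot be browsed over HTTPS")
    elif tls == TLS_UNTRUSTED:
        findings.append("TCP/443 certificate is not CA-signed: "
                        "replace the default self-signed certificate")
    if tcp_probe(host, 80):
        findings.append("TCP/80 is open: not required by AFA and can be closed")
    return findings


# (label, host, port) for the TCP services in the outbound table.
EgressTarget = Tuple[str, str, int]


def audit_egress(targets: List[EgressTarget],
                 tcp_probe: Callable[..., bool] = probe_tcp) -> List[str]:
    """Outbound side: run from the network segment the AFA server sits in."""
    return [f"{label}: cannot reach {host}:{port}/tcp"
            for label, host, port in targets if not tcp_probe(host, port)]


def dns_resolves(name: str) -> bool:
    """Exercise the DNS path (UDP/53 to the local resolver) AFA depends on."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    afa_host = "afa.example.internal"  # constructed placeholder
    egress: List[EgressTarget] = [
        ("License activation (HTTPS)", "portal.algosec.com", 443),
        ("SMTP notifications", "mail.example.internal", 25),   # placeholder
        ("LDAP over TLS", "ldap.example.internal", 636),       # placeholder
    ]
    for finding in audit_inbound(afa_host) + audit_egress(egress):
        print("FINDING:", finding)
    if not dns_resolves("portal.algosec.com"):
        print("FINDING: DNS lookup failed: check UDP/53 to the local resolver")
```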

Download ASMS software packages


This section describes how to download ASMS software packages from the AlgoSec
portal.

Do the following:

1. Browse to the AlgoSec Portal, and navigate to Downloads > Software > AlgoSec Security Management Suite.

Tip: To read about hotfix updates, click the Hotfixes menu.

2. Do one of the following, depending on whether you are upgrading or deploying a new installation:

New installation: Select New Installation, and then:
a. Select your deployment type and version.
b. Click Next > Download.

Upgrade: Select Upgrade, and then:
a. Select your version, and click Next.
b. On the Update page, select the builds you want to upgrade, and then click Download All. For more details, see Required software packages per deployment.

Note: If you have a FIPS deployment, click I need the FIPS version. Click I need the 2xxx Series version to return to the default page. For more details, see FIPS 140-2 compliance.

3. Continue with one of the following to install your software:

• Deploy standalone appliances

• Deploy clusters and distributed architectures

• Deploy ASMS on the cloud (AWS AMI or Microsoft Azure)

Required software packages per deployment


Download the following software packages, depending on your deployment type:

Major version upgrades: When upgrading to a major version, you must download the Appliance build and the software builds for all active products, even if they are not included in your license.
Product activation is as follows:
• AFA is always active.
• By default, FireFlow is inactive, and BusinessFlow is active. FireFlow is activated when FireFlow is deployed.
• Using an appliance as a Remote Agent or Load Slave automatically deactivates both FireFlow and BusinessFlow. FireFlow and BusinessFlow are installed, but are not active on Remote Agents or Slaves, and therefore only require the Appliance and AFA build files.
• FireFlow and BusinessFlow can also be deactivated manually.

Hotfix upgrades: If you are upgrading to a hotfix version, the build files required depend on the content of the hotfix.

Note: For details about native Linux installations, see Deploy or upgrade a
standalone native Linux server in AlgoPedia.

FIPS 140-2 compliance


AlgoSec supports a version of the Appliance build file that uses FIPS 140-2 compliant
encryption packages.

If your environment includes a geographic or load distribution architecture, make sure to install the FIPS installation package on all Remote Agents / Slaves, as well as the Central Manager / Master Appliance.

Warning: Using this mode of Appliance build is irreversible. Once the FIPS package
is running on your system you must use FIPS installation packages for all future
upgrades.


Deploy standalone appliances


This topic describes the high-level steps required to deploy pre-installed, standalone
VMware virtual appliances or AlgoSec hardware appliances.

Note: Each installation package includes software for the full AlgoSec Security
Management Suite. Functionality for each ASMS product is enabled via license, and
not by installation.

Do the following:

1. Do one of the following:

AlgoSec hardware appliances: Start by preparing your machine. For details, see Prepare an AlgoSec hardware appliance.

AlgoSec VMware virtual appliances: Download a VMware OVF machine. For details, see Download ASMS software packages.

2. Perform initial configurations, including configuring your machine's IP address. For details, see Configure ASMS machines.

3. Connect your machine to your organization's network. To connect an AlgoSec Hardware Appliance to the network, ensure that you use the ETH0 port on the appliance's rear panel.

4. If you configured a dynamic IP address using DHCP, verify the IP address assigned. For details, see Configure ASMS machines.

5. (Optional) Configure NAS storage. For details, see Configure NAS storage.

6. Test your installation. For details, see Test machine installation and configuration.

7. Set up your environment. For details, see Set up the ASMS environment.

8. Perform sanity checks. For details, see Basic sanity checks.

9. Continue to deploy ASMS products, including populating your environment with devices and users. For more details, see ASMS deployment checklist.

Deploy clusters and distributed architectures

This section describes how to deploy clusters and / or distributed architectures.

Note: Each installation package includes software for the full AlgoSec Security
Management Suite. Functionality for each ASMS product is enabled via license, and
not by installation.

Deploy clusters and distributed architecture nodes


Clusters and distributed architectures must be deployed on virtual appliances or
AlgoSec hardware appliances, or as AWS or Azure instances. If you are deploying
clusters, each node must be identical: either both hardware appliances, or both virtual
appliances.

Both nodes must run the same version of ASMS, and must have the same amount of
disk space.

Do the following:

1. Do one of the following:

AlgoSec hardware appliances: Start by preparing your machine. For details, see Prepare an AlgoSec hardware appliance.

AlgoSec VMware virtual appliances: Download a VMware OVF machine. For details, see Download ASMS software packages.

Note: If you are reusing an appliance in a new role, you must reset it to its factory defaults.

For example, you might do this if your appliance was previously used as a Central Manager, and you now want to use it as a Load Slave or Remote Agent.

For details, see Reset the appliance to factory defaults and Switch appliance roles.

2. Perform initial configurations, including configuring your machine's IP address. For details, see Configure ASMS machines.

3. Connect your machine to your organization's network. To connect an AlgoSec Hardware Appliance to the network, ensure that you use the ETH0 port on the appliance's rear panel.

4. If you configured a dynamic IP address using DHCP, verify the IP address assigned. For details, see Perform basic configurations.

5. For NAS storage, do one of the following:

HA clusters: Configure NAS storage for the primary node of the cluster. The cluster building process automatically configures NAS on the secondary HA node.

DR clusters: If you want NAS on both nodes, you must configure NAS on both nodes. In order to achieve this, you must provide a second NAS server at the disaster recovery site.

Load distributions: Configure NAS for the master appliance only. NAS will automatically be configured for the load slaves.

Note: NAS for load distribution environments is supported only with NFSv4.

Important: The user/customer is responsible for configuring the NAS server at the primary site and the NAS server at the disaster recovery site to sync with one another.

For more details, see Configure NAS storage.

6. If you are deploying clusters, build and configure the clusters. For details, see
Manage clusters.

7. Test your installation. For details, see Test machine installation and configuration.

8. Set up your environment on your primary node or Central Manager / Master Appliance. For details, see Set up the ASMS environment.

9. If you are deploying an HA/DR cluster on the primary appliance or Central Manager / Master Appliance, install a license on the secondary node using the Administration Interface CLI. For details, see Connect to the Administration Interface.

Slaves and Remote Agents do not need their own licenses installed.

10. If you are deploying a distributed architecture, configure the distribution. For
details, see Configure a distributed architecture.

11. Perform sanity checks. For details, see Basic sanity checks.

12. Continue to deploy ASMS products, including populating your environment with
devices and users. For more details, see ASMS deployment checklist.

See also:
• Introduction
• ASMS licensing
• General system maintenance


Deploy ASMS on the cloud


This topic describes how you can deploy ASMS on Amazon AWS or Microsoft Azure to
manage your devices from the cloud.

Note: Each installation package includes software for the full AlgoSec Security Management Suite. Functionality for each ASMS product is enabled via license, and not by installation.

This section includes:

• Deploy ASMS on AWS

• Deploy ASMS on Microsoft Azure

Deploy ASMS on AWS


Deploy ASMS on an AWS instance using an ASMS AMI available from the AlgoSec
Portal.

If you are deploying on AWS, we recommend:

• Ensuring that your machine is compatible with CentOS 6. We recommend machines from the Amazon EC2 General Purpose M4 family.

• Ensuring that your AWS instance includes high performance storage, such as SSD disks.

For more details, see the AWS Documentation.

Do the following:

1. Deploy your AWS AMI. For details, see Download ASMS software packages.

On the Download AlgoSec Security Management Suite > AMI page, select an AWS Region and enter your AWS Account ID.

The AlgoSec AMI is shared with your account. When the setup process is complete, you are notified and provided with the details required to access your new instance with ASMS.

2. If you are deploying clusters or distributed architectures, continue with Deploy clusters and distributed architectures.

Otherwise, continue with deploying ASMS products, including populating your environment with devices and users. For details, see ASMS deployment checklist.

Deploy ASMS on Microsoft Azure


Deploy ASMS on Microsoft Azure by converting a VHD file available from the AlgoSec
portal to an Azure image.

Do the following:

1. Download the ASMS Azure files.

2. Create an Azure image from the VHD.

3. Log in to your Azure virtual machine as the root user.

You may need to unlock the root user before logging in. If so, run:

sudo passwd -u root

If you are deploying clusters or distributed architectures, continue with Deploy clusters
and distributed architectures.

Otherwise, continue with deploying ASMS products, including populating your environment with devices and users. For details, see ASMS deployment checklist.

Download the ASMS Azure files


When you click Download on the Download AlgoSec Security Management Suite > New Installation page, a VHD file is downloaded to your local machine.

For more details, see Download ASMS software packages.


Create an Azure image from the VHD


The following steps describe how to convert your ASMS VHD file to an Azure image,
and refer to areas of the Azure portal. For more details, see the Microsoft Azure
documentation.

Note: Converting a VHD file to an Azure image has a variety of options and methods. Use the steps described below when deploying your ASMS installation to prevent unexpected errors.

Do the following:

1. Create a new Azure storage account.

Define your settings as follows:

Resource Group: Under the Resource Group field, click Create new to create a new resource group. Enter a meaningful name for your new resource group, such as ASMS-Deployment.

Storage account name: Enter a meaningful name for your storage account, such as asmsdeployment.

Account kind: Select Storage (general purpose v1).

Replication: Select LRS (Locally-redundant storage).

Continue in the wizard to create the new storage account and wait while it's deployed.

2. Once the new storage account is deployed, navigate to the Storage accounts
area, and click the new storage account to view details.

3. In your new storage account, click Containers, and then click the add button to add a new container.

Define your new container with a meaningful name and a Public access level of Private (no anonymous access).

4. Switch to the Azure CLI, and ensure that the PowerShell Az module is installed.

If it's not installed, run the following:

Install-Module -Name Az -AllowClobber -Scope AllUsers

Tip: You may need to adjust the execution policy first, using the Set-ExecutionPolicy cmdlet.

For more details, see Set-ExecutionPolicy and Install the Azure PowerShell
module in the Microsoft documentation.

5. Connect to the Azure account from the CLI. Run:

Connect-AzAccount

When prompted, enter your credentials to log in.

6. Copy the VHD file downloaded from the AlgoSec portal to your Azure resource
group.

From the CLI, run:

Add-AzVhd -ResourceGroupName "ASMS-Deployment" -Destination "https://asmsdeployment.blob.core.windows.net/asmsvhd/<VHD_NAME>.vhd" -LocalFilePath "<VHD_NAME>.vhd"


In this command, replace <VHD_NAME>.vhd with the exact name of the file you
downloaded.

For example: AlgoSec-app-3000.10.100-asms-75-co6.vhd

Note: The VHD that AlgoSec provides is dynamic, whereas Azure requires a fixed hard disk; the upload process converts the dynamic file to the fixed file format.

Additionally, while you can convert this dynamic file to a fixed file manually, this
requires a very large upload, and also runs the risk of errors. We recommend
using the commands provided here to perform this upload.

7. Return to the Azure portal to create your image. Navigate to Images, and click the add button.

In the Create image pane, enter the following details:

Name: Enter a meaningful name. For example, ASMS_image.

Resource group: Select the new resource group you created for ASMS.

OS type: Select Linux.

Storage blob: Click Browse, and navigate to the VHD you uploaded via the CLI.

Account type: Select Standard SSD.


8. Navigate to the Azure Virtual machines area, and click the add button to create a new virtual machine.

On the Create a virtual machine page, enter the following details:

Resource group: Select the resource group you created earlier.

Virtual machine name: Enter a meaningful name for your virtual machine.

Image: Navigate to and select the image you created earlier.

Size: Click Change size, and select a minimum of B4ms.

Authentication type: Select Password.

Username / Password: Enter the credentials you want to use when accessing the new virtual machine.

Note: Although you must set these credentials now, you'll need to log in to the machine as user root in order to deploy ASMS.

Select inbound ports: Select HTTPS (443) and SSH (22).


9. Click Next: Disks > to continue, and then select Standard SSD.

10. Continue through the wizard to create your virtual machine with ASMS installed.

When you're done, log in to your machine to deploy and set up your ASMS system.
Continue with step 3 above.

See also:
• Introduction
• ASMS licensing
• General system maintenance


Configure ASMS machines


This section describes how to access the ASMS Administration Interface, also known as
the algosec_conf menu CLI, and perform basic configurations on your ASMS
appliances.

Configure or de-configure NAS storage as needed for your deployment or upgrade, and test your installation and configuration after making system changes.

For details, see:

• Connect to the Administration Interface

• Perform basic configurations

• Configure NAS storage

• Deconfigure NAS storage

• Test machine installation and configuration

Connect to the Administration Interface


Connect to the ASMS Administration Interface, or conf menu CLI, as follows:

During initial setup: Do one of the following:
• AlgoSec Hardware Appliances: Connect directly (with a monitor/VGA cable) or via an iLO connection, depending on the way you prepared the appliance. For more details, see Prepare an AlgoSec hardware appliance.
• Virtual Appliances: Connect via a remote console.

After initial setup: Connect to the administration interface via SSH.

Do the following:

1. Open the console.

If you are connecting via iLO, do the following:

a. In a browser, navigate to the IP address of the iLO interface. By default, this address is assigned via DHCP.

b. Log in using the username and password printed on the sticker on top of the
hardware appliance.

c. Select Remote Console in the menu on the left.

d. Click Java Integrated Remote Console.

The system prompts you for your login credentials.

2. Log in to the machine as user root.

Default password: algosec.

The main menu appears:

Please select a configuration item:


1. Configure IP address
2. Configure Time and Date
3. Configure DNS Server
4. Change DNS domain name
5. Change Hostname
6. Change root password
7. Change afa password
8. Upgrade software
9. Reset AFA admin password
10. Reset database password
11. Configure NAS
12. Install license
13. Configure HA/DR
14. Setup FireFlow configuration
15. Distributed Architecture configuration
16. Setup BusinessFlow configuration
17. Services status
18. Collect Logs

Q Logout
Press 'a' to exit shell
Your choice:
>

For more details, search this guide for the relevant procedure.

Perform basic configurations


This procedure describes how to configure an ASMS machine's IP address, as well as
other basic settings.

Note: Configuring the IP address is mandatory during initial configuration.

Do the following:

1. Connect to the Administration Interface. For details, see Connect to the Administration Interface.

2. Enter 1 to do any of the following:

• Configure a static IP address

• Configure DHCP

• Look up the IP address, after configuring DHCP

Tip: We recommend using static IP addresses for Central Manager appliances, primary nodes, Load Slaves or Remote Agents, and so on.

Note: If you are working with clusters, and you change the IP address for an
HA cluster, you must re-build the cluster afterward.

For details, see Build a cluster.


3. Configure any of the following options by entering the relevant number:

• Configure the time and date

• Configure a DNS server

• Configure a DNS domain name

• Change the machine's hostname

• Change the root password

• Change the afa password

• Reset the AFA admin password

• Reset the database password

For more details, see Connect to the Administration Interface.

4. When you're done, enter Q to exit.

Configure NAS storage


This procedure describes how to configure AFA to store all reports on a remote
NAS server.

NAS storage support
ASMS supports NAS storage configurations as follows:

Support Description

Supported protocols: NFSv4 (default) and NFSv3, depending on the NAS server. ASMS attempts to connect first via NFSv4, and if it cannot, automatically uses NFSv3.

Deployment types: VMs with an AlgoSec-provided image deployed and AlgoSec Hardware Appliances only.

HA clusters: Configure NAS on the primary node. When you build the cluster, NAS is automatically configured on the secondary node.

DR clusters: Secondary nodes can have their own NAS server at the disaster recovery site. In such cases, customers are responsible for configuring the communication synchronization between the NAS servers at the primary and disaster recovery sites.

Load distribution architectures: Load distribution architectures are supported with NFSv4 only. Configuring NAS for the Master Appliance automatically configures NAS for all Load Slaves.

Do the following:

1. Log on to the NAS server, and create a new directory in a shared space.

2. Connect to the Administration interface on your ASMS machine. For details, see
Connect to the Administration Interface.

3. Enter 11 to configure NAS. The system confirms that NAS is not configured.

4. Enter 1 to set NAS for storing system reports. The system displays a message
similar to the following:

You are about to configure a NAS server for storing system reports.
Note: No changes will take place without your final approval.
Before adding NAS configuration, your reports will be copied to the
following directory: algosec/firewalls_back algosec/groups_back
algosec/matrices_back algosec/fwfiles_back
Once NAS configuration completes successfully, you may copy the data
back to the original directories.

5. Enter the NAS server IP.

6. Enter the NAS mount path. This is the directory that you created on the NAS
server in step 1.

The system confirms by displaying the NAS configuration IP, mount path, and
NFS version.

For example:

NAS configuration details:
NAS server IP: <NAS IP you entered>
NAS Mount path: <NAS mount path you entered>
NFS version: NFSv4

Tip: If you specifically want to use NFSv3, change the NFS version manually.

7. The system prompts you to confirm the details. Enter y to confirm.

If there is already content present in the mount path directory, the system prompts
you to continue with one of the following:

1. Abort NAS addition
2. Delete directory content
3. Use directory content

Enter 3 to use directory content.

If you have load slaves configured, the system configures NAS on the load slaves
as well.

When the configuration is complete, the system confirms with the following message:

NAS configured successfully

8. Copy reports from algosec/firewalls_back algosec/groups_back algosec/matrices_back algosec/fwfiles_back to your newly mounted NAS directory.

For example: algosec/firewalls algosec/groups algosec/matrices algosec/fwfiles

NAS storage is now enabled and ASMS can connect to the NAS server.


Deconfigure NAS storage


Deconfigure NAS if needed as part of a larger process, or if you don't want reports to be
stored on your remote NAS server.

Note: When NAS is deconfigured for a Master Appliance, it is automatically deconfigured for all Load Slaves.

Do the following:

1. Log on to the NAS server.

2. Connect to the ASMS machine's Administration Interface. For details, see Connect
to the Administration Interface.

3. Back up your data by copying the reports from the mounted NAS directory. For example, copy the files from algosec/firewalls algosec/groups algosec/matrices algosec/fwfiles to a backup directory at algosec/firewalls_back algosec/groups_back algosec/matrices_back algosec/fwfiles_back.

4. From the ASMS Administration Interface, enter 11 to deconfigure NAS.

The system displays the NAS configuration details, and prompts you to select
whether you want to check the NAS connectivity status or remove the NAS server.

5. Enter 2 to remove the server.

The system prompts you to confirm that you want to remove the existing
configuration.

6. Enter y to confirm.

NAS is removed from any slaves, as needed. When NAS is fully removed, the
following message appears:

NAS removal succeeded. Press 'Enter' to go back to main menu.


*NAS is not configured*


7. Copy your reports to your production directories and remove them from the remote
NAS server.

NAS is deconfigured, and ASMS no longer connects to the remote NAS server.

Test machine installation and configuration


This section describes how to test that your ASMS machines are installed and
configured correctly. Do this after making changes to your configuration, deploying a
new system, or upgrading.

Do the following:

Open a browser, and browse to the IP address of your AlgoSec machine.

If the AlgoSec home page appears, your machine is connected and configured correctly.

If this page or another like it does not appear, check to see that your basic configurations
have been done correctly. For details, see Perform basic configurations.


Manage clusters
ASMS clusters prevent data loss and downtime in the event of hardware failures. Virtual
Appliances and AlgoSec Hardware Appliances support both high availability and
disaster recovery clusters.

Note: If you have both ASMS deployed on virtual machines and also AlgoSec
Hardware Appliances in your system, each cluster must have nodes of the same
type: hardware-hardware or VM-VM. Clusters are not supported on Native Linux
server installations.

For more details, see:

• Cluster roles and modes

• High availability clusters

• Disaster recovery clusters

To manage clusters, use the following procedures:

• Build a cluster

• Configure HA/DR parameters

• Break a cluster

• Switch appliance roles

• Troubleshoot HA/DR clusters

Cluster roles and modes


Each appliance node in the cluster is assigned one of the following roles and service
statuses:

Roles:
• Primary appliances synchronize data to the secondary appliance.
• Secondary appliances receive data from the primary appliance.

Service modes:
• Active appliances currently run AlgoSec services.
• Standby appliances do not currently run AlgoSec services.

By default, the primary appliance is active, and the secondary appliance is in standby
mode.

The primary and secondary appliances regularly verify that they can communicate with
each other and that the other is alive. In the event that the primary appliance goes down,
the secondary appliance will become active, in an event called failover.

ASMS clusters include the following types:

• High availability clusters

• Disaster recovery clusters

High availability clusters


High availability clusters both prevent downtime and protect data, as follows:

• A secondary appliance automatically becomes active if the primary appliance fails.

Ping nodes are used to determine whether the primary appliance is connected to the network. If a ping to the node that represents the primary machine fails, the network connection on the primary appliance is considered to be down, triggering a failover to the secondary appliance.

Automatic failover is enabled by default, but can be disabled by configuration.

• Both nodes are located at the same site and are physically connected.

This prevents a situation called split-brain, where failover might occur when the primary appliance is actually still active, such as if a ping from the primary appliance fails to reach the secondary appliance due to networking issues only.

• Configuring HA clusters includes configuring a virtual IP address shared by both machines.

This ensures that if or when failover occurs, AlgoSec services remain available at the same IP address.

ASMS databases in HA clusters


ASMS databases are handled as follows in HA clusters:

AFA: In HA clusters, the AFA database is fully active only on the secondary node, and partially active on the primary node. The secondary node also offers both read and write capabilities, while the primary node offers only read capabilities. In most cases, this does not affect your appliance configuration.

FireFlow: In HA clusters, FireFlow's database is synchronized only when FireFlow is active. Therefore, if you start using FireFlow only after building the HA cluster, you will also need to rebuild the cluster after installing the FireFlow license.

Disaster recovery clusters


Disaster recovery clusters protect data only.

The appliance nodes are located at different sites. If a primary appliance fails, the
secondary appliance must be put into active mode manually. This is called manual
failover, or switching appliance modes.

For more details, see Switch appliance roles.

Build a cluster
This section describes how to build an ASMS HA or DR cluster, starting with the primary
appliance. Data from the local or primary appliance is copied to the secondary or remote
appliance during the build process.

For details, see:

• Verify cluster connectivity

• HA clusters only: Add a second interface

• Build an ASMS HA or DR cluster

Note: The amount of time the build process requires is dependent on the size of the
database and the monitoring directory, and may be significant.

Verify cluster connectivity


If communication between the primary and secondary appliances goes through a
firewall, make sure to allow traffic between their defined communication ports and
services in both directions.

For more details, see Required port connections.

Important: For HA clusters, you must not make any changes to the iptables service.

This service is crucial to the communication between the nodes, and any manual
changes may compromise the environment.

HA clusters only: Add a second interface


Before building an HA cluster deployed as a virtual appliance, configure the VM
hardware to add a second interface.

Do the following:

1. Access the VM configuration for the VM hardware.

2. Add a second network adapter, and enable it as Connected.


3. Verify your interface configuration.

As user root, run: ifconfig -a

A list of all detected interfaces is displayed. Compare your interfaces to ensure
that they are configured as needed.

Note: You do not need to configure an IP address on the second interface. This
will be configured when you build the cluster.

Continue with Build an ASMS HA or DR cluster.


Build an ASMS HA or DR cluster


This procedure describes how to build an ASMS HA or DR cluster, or to rebuild one
with default parameters.

Do the following:

1. If you are configuring an HA cluster on AlgoSec Hardware Appliances by
connecting the appliances via network cable, connect one end of a crossover
cable to the ETH1 port on each appliance.

Tip: Connecting via network cable helps to ensure that failover does not occur
due to network connection issues.

2. From the appliance that will be the primary node, connect to the ASMS
Administration Interface. For details, see Connect to the Administration Interface.

3. In the Administration Interface, enter 13. The following prompt appears:

*HA/DR is not configured*


Please select an item or enter "a" to abort:
1. Build HA cluster
2. Build DR cluster
3. Collect Logs
Your choice:


4. Enter the number for the option you want to continue with, and then continue with
the wizard as prompted. The primary appliance is always the local machine.

HA clusters: Enter the following details, as prompted:

l The cluster's virtual IP address and the virtual IP's subnet mask.
l The primary appliance's eth1 IP address.
l The secondary appliance's IP address, ping node IP address, root password, and
node name.
l The secondary appliance's eth1 IP address.
l The witness machine IP address (ping node address).

Tip: Select a ping node that reflects the local appliance's connectivity, and is
reachable exclusively from that interface. We recommend selecting switches and
routers for this purpose. Do not select the local or remote appliance, or a
workstation.

l The subnet mask for the primary and secondary appliances.
l The subnet mask for the eth1 of the primary and secondary appliances.

DR clusters: Enter the following details, as prompted:

l The secondary appliance's IP address, ping node IP address, root password, and
node name.

A summary of the primary and secondary appliances' information appears and you
are prompted to confirm the details.

5. Enter y to confirm the summary.

The system begins to build the cluster. This may take some time, depending on
the amount of ASMS data.

When complete, a success message appears with the cluster status, and an email
confirmation is sent to the administrator email.

Tip: If initial synchronization results in an Rsync error, we recommend selecting
option 2: Continue despite rsync failure. Synchronization should succeed the
second time.

6. Optional: Customize HA/DR parameters. For details, see Configure HA/DR
parameters.

7. If your machine is now part of an HA cluster, you'll need to update the appliance's
IP address in other systems that send data to ASMS. For example, if you
previously had this set to a specific IP address, you'll need to change this to a
virtual IP address.

Note: Report synchronization from the primary appliance to the secondary appliance
depends on the NAS configuration. Reports are only synced to the secondary
appliance if NAS is not configured.

Configure HA/DR parameters


This procedure describes how to configure HA/DR parameters, and can be performed
any time after building an HA or DR cluster.

Changing parameter values must be done from the primary appliance only. Viewing
parameter values is supported from either the primary or secondary appliance.

Do the following:

1. From the primary appliance, connect to the ASMS Administration Interface. For
details, see Connect to the Administration Interface.

2. In the Administration Interface, enter 13. A prompt similar to the following appears:

Cluster status:

1. Primary | 10.10.10.14 | Up (this appliance) | AFA, ABF, AFF

2. Secondary (HA) | 10.10.10.13 | Up | DB

10.10.10.14 <-> 10.10.10.13 : Synced

* VIP - 10.10.10.18

3. Enter 4 to view / edit cluster parameters.

The parameters and their current values are displayed, and the system asks
whether you want to make any changes.

4. Enter y to make changes.

Each parameter appears, with the option to change the value. Make your changes
as needed for each parameter, until a confirmation message appears.

Note: When automatic failover is configured, if a ping does not arrive from the
primary appliance within the configured Failover Over Timeout value, the
secondary appliance automatically becomes active.

Automatic failover is not supported for DR clusters. DR cluster nodes must
have their roles switched manually, if needed. For details, see Switch
appliance roles.

5. Enter y to confirm the changes.

Your changes are applied, and a success message appears, along with the
cluster status. A confirmation email is also sent to the Administrator user.

Break a cluster
This topic describes how to break a cluster. Removing an appliance from a cluster
changes it to a standalone appliance, and also temporarily stops any AlgoSec services
running on the appliance.

Do the following:

1. From the primary appliance, connect to the ASMS Administration Interface. For
details, see Connect to the Administration Interface.

2. Enter 13. The console displays details about the cluster, including primary and
secondary nodes and their statuses.

For example:

Cluster status:

1. Primary | 10.10.10.14 | Up (this appliance) | AFA, ABF, AFF

2. Secondary (HA) | 10.10.10.13 | Up | DB

10.10.10.14 <-> 10.10.10.13 : Synced

* VIP - 10.10.10.18

3. Enter 2 to remove the HA configuration. When prompted to confirm, enter yes.

AlgoSec services are stopped and the appliance is removed from the cluster.

When complete, the services are started again, and a success message appears
along with the cluster status. An email notification is also sent to the Administrator
user.

4. After breaking a cluster, make sure to bring down one of the appliances that used
to be in the cluster. This is required to prevent duplication, as both appliances
remain connected to the same Slaves / Remote Agents, as well as devices and
firewalls.

5. HA clusters only: After breaking an HA cluster, the virtual IP remains attached to
the node that used to be the primary node.

Remove it as needed by doing the following:

a. Connect to the ASMS Administration Interface, and enter 13 to configure
HA/DR. For details, see Connect to the Administration Interface.

b. Enter 4 to remove a VIP.

c. At the prompt, enter y to confirm.


d. If you have Load Slaves configured, run the Distributed Architecture
configuration from the main Administration interface. For details, see Add or
edit Load Slaves.

Switch appliance roles


This procedure describes how to switch appliance roles, so that the primary appliance
becomes the secondary, and the secondary appliance becomes primary. Perform this
procedure as part of a manual failover process for DR clusters, or in HA clusters as
needed, if automatic failover is disabled.

Switching appliance roles may also be required as part of maintenance procedures. If
you need to take the primary appliance offline, first perform a manual failover to the
secondary appliance.

Do the following:

1. Connect to the ASMS Administration Interface. For details, see Connect to the
Administration Interface.

You can perform this procedure from either appliance, unless the primary
appliance is already down.

2. Enter 13. The console displays details about the cluster, including primary and
secondary nodes and their statuses.

For example:

AlgoSec HA cluster status:

1. Primary 10.10.0.101 - Up (this appliance)

2. Secondary 10.10.0.102 - Up

* VIP - 10.10.0.103

10.10.0.101 -> 10.10.0.102 : Synced

Please select an item or enter 'a' to abort:

1. View cluster status details

2. Remove HA configuration

3. Switch roles

4. View/Edit Cluster parameters

5. Collect Logs

3. Enter 3 to switch roles. The system prompts you to confirm.

4. Enter y to confirm that you want to switch roles.

The manual failover begins. Data from the primary appliance is synchronized to
the secondary appliance, and the secondary appliance becomes active.

When the process is complete, a success message appears, with the cluster
status. An email notification is also sent to the Administrator user.

5. Continue as instructed to do the following:

a. Enter algosec_conf to return to the main menu.

b. Enter 15 to run the Distributed Architecture configuration.

c. Adjust your load units by doing the following:

l Activate the DR load units

l Disable / remove the primary load units
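As an added example (not AlgoSec's code), the following Python parses the two cluster status listings that option 13 prints, as shown above in the Configure HA/DR parameters and Switch appliance roles procedures, and reports anything an operator should act on before trusting the cluster: a missing node, a node that is not Up, a replication state other than Synced, or no VIP. The line formats are taken from the guide's sample output; the function and class names are my own, and the sample listing is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical helper, not part of ASMS: parse the listing that option 13 of the
# Administration Interface prints and flag anything an operator should act on.
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_NODE_RE = re.compile(
    r"^\d+\.\s+(?P<role>Primary|Secondary)"       # "1. Primary" / "2. Secondary"
    r"(?:\s*\((?P<kind>[A-Z]+)\))?"               # optional "(HA)"
    r"\s*(?:\||-)?\s*(?P<ip>%s)"                  # "| 10.10.10.14" or " 10.10.0.101"
    r"\s*(?:\||-)\s*(?P<state>\w+)(?P<rest>.*)$"  # "| Up ..." or "- Up ..."
    % _IP
)
_SYNC_RE = re.compile(r"^(%s)\s*(?:<->|->)\s*(%s)\s*:\s*(?P<status>\S+)" % (_IP, _IP))
_VIP_RE = re.compile(r"^\*\s*VIP\s*-\s*(?P<vip>%s)" % _IP)


@dataclass
class Node:
    role: str                      # "Primary" or "Secondary"
    ip: str
    state: str                     # "Up" in a healthy listing
    kind: Optional[str] = None     # "HA" when listed as "Secondary (HA)"
    is_local: bool = False         # carries the "(this appliance)" marker
    services: List[str] = field(default_factory=list)


@dataclass
class ClusterStatus:
    nodes: List[Node] = field(default_factory=list)
    vip: Optional[str] = None
    sync_status: Optional[str] = None


def parse_cluster_status(text: str) -> ClusterStatus:
    """Parse a 'Cluster status' or 'AlgoSec HA cluster status' listing."""
    status = ClusterStatus()
    for raw in text.splitlines():
        line = raw.strip()
        m = _NODE_RE.match(line)
        if m:
            rest = m.group("rest")
            # The service list, when present, is the last pipe-separated field,
            # e.g. "AFA, ABF, AFF" on the primary and "DB" on the secondary.
            services = []
            if "|" in rest:
                services = [s.strip() for s in rest.rsplit("|", 1)[1].split(",") if s.strip()]
            status.nodes.append(Node(role=m.group("role"), ip=m.group("ip"),
                                     state=m.group("state"), kind=m.group("kind"),
                                     is_local="this appliance" in rest,
                                     services=services))
            continue
        m = _SYNC_RE.match(line)
        if m:
            status.sync_status = m.group("status")
            continue
        m = _VIP_RE.match(line)
        if m:
            status.vip = m.group("vip")
    return status


def cluster_findings(status: ClusterStatus) -> List[str]:
    """Return problems found in the listing; an empty list means it looks healthy."""
    findings = []
    roles = {n.role for n in status.nodes}
    if "Primary" not in roles:
        findings.append("no primary node listed")
    if "Secondary" not in roles:
        # ASMS drops the secondary after disk-space or connectivity trouble,
        # leaving a single-node cluster that no longer gives any protection.
        findings.append("no secondary node listed (single-node cluster)")
    for n in status.nodes:
        if n.state != "Up":
            findings.append("%s %s is %s" % (n.role, n.ip, n.state))
    if status.sync_status != "Synced":
        findings.append("replication status is %s" % (status.sync_status or "missing"))
    if status.vip is None:
        findings.append("no VIP listed")
    return findings


# Constructed sample in the format shown in the guide (not captured from a real appliance).
SAMPLE_HEALTHY = """Cluster status:

1. Primary | 10.10.10.14 | Up (this appliance) | AFA, ABF, AFF

2. Secondary (HA) | 10.10.10.13 | Up | DB

10.10.10.14 <-> 10.10.10.13 : Synced

* VIP - 10.10.10.18
"""
```

Feed the text copied from the console into parse_cluster_status and treat any non-empty result of cluster_findings as a reason to hold off on maintenance or failover until the cluster is healthy.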

Troubleshoot HA/DR clusters


This topic describes common troubleshooting issues and how to solve them.

DR clusters: primary appliance failed


If you have a DR cluster and your primary appliance has failed, perform a manual
failover to the secondary appliance by switching appliance roles.

For details, see Switch appliance roles.

DR clusters: secondary appliance failed


If you have a DR cluster and your secondary appliance has failed, do the following:


1. Fix the secondary appliance.

2. Re-build your cluster. For details, see Build a cluster.

Split-brain situations
If you've received an email notification that a split-brain situation was detected, do the
following:

1. Break the cluster. For details, see Break a cluster.

2. Examine any FireFlow tickets and AFA reports on each appliance, and determine
which appliance has the most recent data.

Note: If the data on both appliances seems to be equally recent, we recommend
choosing the primary appliance.

3. Re-build the cluster from the appliance with the most recent data. For details, see
Build a cluster.

Current synchronization operation canceled


If a new synchronization starts while the previous is still running, the new
synchronization is automatically canceled, and the system sends an email notification.

To resolve this issue, configure synchronizations to run less frequently. For details, see
Configure HA/DR parameters.

Manage nodes automatically removed from clusters


ASMS automatically removes the secondary node from a cluster in the following
scenarios:

l If less than 10% free disk space is found on the Primary data partition.

In this case, a warning message will have been sent by email and to the Issues
Center when the Primary was found to have less than 20% free disk space.

l If the secondary node is unresponsive for more than 12 hours.

In this case, a warning message will have been sent by email and to the Issues
Center when the secondary node had been unresponsive for 6 hours.

When the node is removed, the Central Manager is left as a single-node cluster.

To continue with your cluster, first handle your disk space or connectivity issue, and
then re-build the cluster as follows:

Disk space issues: If your node was removed for a disk space issue, do the following:

1. Log in to the Central Manager and access the Administration menu.
2. Enter 13 to re-build your cluster and enter the details for your secondary node.

For more details, see Connect to the Administration Interface and Build a cluster.

Connectivity issues: If your node was removed for a connectivity issue, when the
secondary node is available again, it will still be configured to send data to the
primary node. Do the following:

1. Forcibly remove the cluster configuration from the secondary node, and from any
other nodes in the cluster. For more details, see Forcibly remove a node from a
cluster.
2. Access the Central Manager node to rebuild the cluster.

Forcibly remove a node from a cluster


This procedure describes how to forcibly remove a node from a cluster, which is
sometimes recommended after system or connectivity errors have occurred.

Note: Before you start, we recommend gathering any logs you may need before they
are overwritten as the cluster configuration is removed.

If you have been advised to forcibly remove a node from a cluster, do the following:

1. Log in to the node you want to remove and access the Administration
(algosec_conf) menu.

2. Enter 13 to access the HA/DR configuration.

3. Enter 1 to forcibly remove the cluster configuration from the node.

Note: This option appears only when the system detects that an error has
occurred.

If this option does not appear, you might be trying to break the cluster using the
standard procedure. For details, see Break a cluster.

4. Repeat steps 2-4 on all nodes in the cluster, including the Central Manager.

5. Log in to the Central Manager and access the Administration (algosec_conf)
menu.

6. Enter 13 to access the HA/DR configuration and rebuild your cluster.

For more details, see Connect to the Administration Interface and Build a cluster.

Collect logs for AlgoSec technical support


If you've been requested to send cluster logs to AlgoSec technical support for further
analysis, do the following:

1. From the primary or secondary appliance's administration interface main menu,
select option 13.

2. In the HA/DR sub-menu, select Collect HA logs. This is option 3 when there is no
cluster configured and option 5 when a cluster is configured.

A *.tar file containing all of the relevant logs will be created in the appliance's /tmp
directory.


Set up the ASMS environment


This section describes the basic procedures required to set up your initial ASMS
environment, and includes:

l Define the first ASMS Administrator

l Run the FireFlow setup program

l Additional optional configurations

If you are setting up AFA only, install your licenses as part of the procedure to Define the
first ASMS Administrator. If you are setting up both AFA and FireFlow, install your
licenses after both procedures are complete.

Define the first ASMS Administrator


This procedure describes how to define the first ASMS Administrator user, and must be
performed before other users can be added to the system.

Do the following:

1. Access your AFA user interface. In your browser, browse to https://<AFA_server>/
where <AFA_server> is the AFA server IP address or DNS name.

Contact your local network administrator for this value. For more details, see AFA
server DNS name / IP address recommendations.

The Configure the First Administrator dialog appears.


Tip: If a warning message about the Web server's certificate appears, click
Accept or OK, depending on your browser and security settings.

For more details, see Security certificate recommendations.

2. In the Configure the First Administrator dialog, enter the following values:

Username: Enter a username for the administrator.

Full name: Enter the administrator user's full name.

E-Mail Address: Enter the email address you want ASMS to use to contact the
administrator.

Password: Enter a password for the administrator. The password must have a
minimum of 4 characters (letters or numbers).

Repeat: Enter your password again.

3. Click Next to log in to AFA as the new administrator.


Since this is your first login to ASMS, a message appears to notify you that you
don't have any devices defined yet.

From here, do one of the following:

l Click the Devices Setup page link to start defining devices immediately.

l Click OK to close the window and install a license. In the Welcome dialog
that appears, click Install License.

License installation

While you can define devices immediately, you cannot run an analysis until you
install a license. If you are also setting up FireFlow, install your license only after
that procedure is complete. For details, see:

l Run the FireFlow setup program

l ASMS licensing

When your license is installed, the Welcome dialog appears:


Click Close to access the AFA Home page.

Tip: Training courses are accessible from the AlgoSec portal.

Run the FireFlow setup program


This procedure describes how to set up FireFlow, and must be done after defining your
first AFA Administrator. For more details, see Define the first ASMS Administrator.

Do the following:

1. Start a session as follows, depending on your deployment mode:

AlgoSec Hardware Appliances: Initiate an SSH session to the appliance's IP address.
The default IP address is 192.168.1.1.

ASMS deployed on virtual machines: Open the VM's console.

The system prompts you to log in.

2. Log in as user: root

If you are working with a virtual appliance or an AlgoSec Hardware Appliance, the
default password is algosec.


3. Access the Administration Interface (the algosec_conf menu). For details, see
Connect to the Administration Interface.

4. Enter 14 to set up the FireFlow configuration.

For each prompt, enter the requested data, including:

Server Settings dialog: Configure the FireFlow server's email address and database
password. This email address is used to send all email coming from FireFlow.

Predefined Users dialog: Configure a special user, named FireFlow_batch. FireFlow
uses this username to perform batch operations in AFA.

Outgoing Email dialog: Configure the outgoing SMTP email details for both AlgoSec
Firewall Analyzer and FireFlow.

Incoming Email dialog: Configure FireFlow to fetch emails from a dedicated mail
server mailbox, using POP3 or IMAP. This enables users to submit change requests to
FireFlow via email, and to add comments to tickets by replying to FireFlow
system-generated emails.

When complete, the Setup Config is done dialog appears.

Additional optional configurations


You may also want to configure the following AFA and FireFlow settings:

Device rule comments: AFA and FireFlow are configured to use the following regular
expression in all device rule comments:

FireFlow #<ticket ID>

where <ticket ID> is the ID number of the FireFlow ticket.

Device analysis schedule: By default, automatic device analysis is scheduled for the
ALL_FIREWALLS group, which includes all devices in the system, for 1:00 AM, daily.

Log in to ASMS to continue your configurations. For details, see Logins and other
basics.


Configure a distributed architecture


ASMS supports the following types of distributed architectures:

l Configure load distribution

l Configure geographic distribution

Note: ASMS also supports high availability (HA) distributions.

For more details, see Deploy clusters and distributed architectures and Manage
clusters.

Configure load distribution


ASMS load distributions have a single Master Appliance, and one or more Slave
Appliances, all in the same geographical location. Each device analysis and
monitoring task is assigned to and processed by a specified Slave. All Slaves run
these processes in parallel and send results back to the Master Appliance.

Reports are stored on the Master Appliance only. Additionally, access the AFA web
interface via the address of the Master Appliance only.

Do the following:

1. Log in to AFA from the appliance you want to define as the Master Appliance. For
details, see Logins and other basics.

2. Enable distributed processes. For details, see Enabling distributed processing.

3. In AFA, add each slave, and then add the new IP addresses to the AFA database.
For details, see Add or edit Load Slaves.

Maximum concurrent analysis and query processes


The maximum number of concurrently running analysis and query processes is equal to
the total number of CPU cores, on all Slaves together.


View the status of each analysis and the slave it's running on, in the Analysis Status
page in AFA. To view this, click the Analysis Status button next to the user menu.

Minimum and maximum numbers of Slaves


When distributed processing is enabled, a Slave is automatically added to the Master
Appliance, and half of the Master's cores are used to run analysis and queries.

For example, if the Master Appliance has 8 cores, 4 of them will be used for the Slave
Appliance.

ASMS supports an unlimited number of Slave Appliances.

Configure geographic distribution


ASMS geographic distribution configurations have a Central Manager appliance in one
location, and several Remote Agent appliances in other locations. Remote Agents
manage and collect data from any devices local to their locations, and send all data to
the Central Manager.

The Central Manager manages the Remote Agents, and can also act as a Remote
Agent for any co-located devices.

Reports are stored on the Central Manager only. Additionally, access the AFA web
interface via the address of the Central Manager.

Do the following:

1. Log in to AFA from the appliance you want to define as the Central Manager. For
details, see Logins and other basics.

2. Enable distributed processes. For details, see Enabling distributed processing.

3. In AFA, add each Remote Agent appliance. For details, see Add or edit Remote
Agents.


Note: ASMS also supports high availability configurations for remote agents.
Upon failover, the master remains connected to the cluster node that is currently
active. For more details, see Manage clusters.

Two devices in the same AFA environment that are managed by different Remote
Agents cannot have the same name.

See also:
l Networking requirements and recommendations
l Delete Load Slaves or Remote Agents
l Disable distributed processes

Enabling distributed processing


This procedure describes how to enable distributed processing, and must be performed
for both load and geographic distribution.

Do the following:

1. Ensure that you are logged in to AFA as an administrator user. For details, see
Logins and other basics.

2. In AFA, click your username at the top right, and select Administration.

3. In the Administration area, click the Architecture tab.


4. Click Enable Distributed Architecture. When a confirmation message appears,
click OK.

When you're done, continue with Add or edit Load Slaves or Add or edit Remote
Agents, depending on the architecture type you're configuring.

For more details, see Configure a distributed architecture.

Add or edit Load Slaves


This procedure describes how to add or edit Load Slaves in ASMS, as part of
configuring load distribution.

Do the following:

1. Ensure that you are logged in to AFA as an administrator. For details, see Logins
and other basics.

2. Browse to the Administration area and select the ARCHITECTURE tab.

3. In the Load Distribution area, do one of the following:

l To add a new Slave, click New.

l To edit an existing Slave, click on the relevant row, and click Edit.


The Add New Slave/Edit Slave dialog box appears.

4. Enter the following details:

Name: Enter a name for the Slave. Read-only when editing.

IP Address: Enter the Slave's IP address. Read-only when editing.

Linux User: Read only. The username of the Linux user you used to install AFA on
the Slave. Appears only when adding a new Slave.

Linux Password: Enter the password of the Linux user shown. Appears only when
adding a new Slave.

Notes: Optional. Enter any notes about this Slave.

Enabled: Select to enable the Slave.

5. Click OK.

6. If you added a new Slave, reconfigure the distributed architecture on all slaves. Do
the following:

a. Connect to the Administration interface on the Master Appliance. If the
Master Appliance is in a cluster, connect to the primary node.

For details, see Connect to the Administration Interface.

b. Enter 15 to configure load distribution.

If you added a new Slave, AFA attempts to connect to it. The Connected column on the
ARCHITECTURE tab indicates whether this connection is successful. Connection
statuses are indicated by the following colors:

l Green. Successful

l Red. Failed

l Grey. In progress

Note: If this is the first Slave that you've added, the number of CPU cores used by the
Master Appliance for running analysis is reduced by half, since the other half is now
used by the Slave.

See also:
l Delete Load Slaves or Remote Agents
l Disable distributed processes

Add or edit Remote Agents


This procedure describes how to add or edit a Remote Agent, and is part of configuring
geographic distribution.

If you are adding an HA cluster of appliances as a Remote Agent, you must first build
the cluster. For details, see Manage clusters.


Do the following:

1. Ensure that you are logged in to AFA as an administrator. For details, see Logins
and other basics.

2. In the toolbar, click your username, and select Administration.

3. In the Administration area, click the Architecture tab.

4. In the Geographic Distribution area, do one of the following:

l To add a new Remote Agent, click New.

l To edit an existing Remote Agent, click on the relevant row, and click Edit.

The Add New Remote Agent dialog box appears.


5. Enter the following details:

Name: Enter a unique name for the Remote Agent. Read-only when editing.

IP Address: Enter the Remote Agent's unique IP address.

Linux User: Read only. The username of the Linux user you used to install AFA on
the Remote Agent.

Linux Password: Enter the password of the Linux user shown.

Notes: Optional. Enter any notes about this Remote Agent.

Enabled: Select to enable the Remote Agent.

6. Click OK. If you added a new Remote Agent, AFA attempts to connect to it.

The Connected column on the ARCHITECTURE tab indicates whether this connection
is successful. Connection statuses are indicated by the following colors:

l Green. Successful

l Red. Failed

l Grey. In progress

Tip: If you are building a high availability architecture on two remote agents, continue
by building a cluster.

For more details, see Build a cluster.

See also:
l Delete Load Slaves or Remote Agents
l Disable distributed processes

Delete Load Slaves or Remote Agents


This procedure describes how to delete a Load Slave or Remote Agent from your ASMS
environment.

Do the following:

1. Ensure that you are logged in to AFA as an administrator. For details, see Logins
and other basics.

2. In the toolbar, click your username, and select Administration.

3. In the Administration area, click the Architecture tab.

4. Select the row for the Slave or Remote Agent you want to delete, and click Delete.

5. In the confirmation message that appears, click OK.

The Slave or Remote Agent is removed from your ASMS environment.

Note: After removing a load slave or remote agent from your environment, do not use
it again for ASMS without restoring factory settings.

For details, see General system maintenance.

See also:
l Configure a distributed architecture
l Disable distributed processes


Disable distributed processes


This procedure describes how to disable distributed processing on ASMS. This cancels
all running and queued analysis, and all Remote Agents and Slaves are automatically
deleted.

Do the following:

1. Ensure that you are logged in to AFA as an administrator. For details, see Logins
and other basics.

2. In the toolbar, click your username, and select Administration.

3. In the Administration area, click the Architecture tab.

4. Click Disable Distributed Architecture.

5. In the confirmation message that appears, click OK.

Distributed processing is disabled.

See also:
l Configure a distributed architecture
l Disable distributed processes


Basic sanity checks


This section describes how to perform basic sanity checks, which should be run after
making changes to your environment, such as for clusters, distributed architectures, and
upgrades.

These sanity checks also define standards for basic ASMS functionality, and enable
you to verify that your environment is functioning as expected.

This section includes:

l ASMS basic functionality

l Test basic ASMS processes

l Test basic AFA functionality

l Test basic FireFlow functionality

l Test basic BusinessFlow functionality

ASMS basic functionality


Basic functionality for ASMS is defined as follows:

Hardware or VM: Basic functionality on virtual machines deployed with ASMS, or on
AlgoSec Hardware Appliances, includes all necessary processes running. For
details, see Test basic ASMS processes.

AFA: Basic AFA functionality includes:
l Add and analyze devices completely and successfully
l Identify device changes correctly
l Send email alerts
For details, see Test basic AFA functionality.

FireFlow: Basic FireFlow functionality includes:
l Both requestors and privileged users can successfully submit change requests
l A single change request can move through all stages of the configured workflow
l After changes are implemented on the device, the Validation and AutoMatching
functions respond correctly
For details, see Test basic FireFlow functionality.

BusinessFlow: Basic BusinessFlow functionality includes:
l New applications can be added
l Flows can be added to applications, connectivity is accurately updated, and the
relevant change requests are opened
l Applications can be decommissioned
For details, see Test basic BusinessFlow functionality.

Test basic ASMS processes


This procedure describes how to test that basic ASMS processes are running on your
machines.

Do the following:

1. Connect to the Administration Interface. For details, see Connect to the
Administration Interface.

2. Enter 17 to verify service status.

Output similar to the following should appear, confirming that all of these services
are running:

|======================================|
| 147.172.44.40 |
| |
| (Thu Nov 28 13:45:10 IST 2019) |
|--------------------------------------|
| crond | OK |
| httpd | OK |
| postgresql | OK |
| activemq | OK |
| mongo Database | OK |
| syslog-ng | OK |
| apache-tomcat | OK |
| AlgoSec microservices | OK |
| metro | OK |
| map diagnostics | OK |
| Vulnerabilities | OK |
| cloudlicensing | OK |
| backup/restore | OK |
| watchdog | OK |
| device manager | OK |
| trafficlogmanager | OK |
| batch application | OK |
| configuration | OK |
| aff-boot | OK |
| ABF | OK |
|======================================|

Test basic AFA functionality


This procedure describes how to test basic AFA functionality.


Do the following:

1. Prepare for your test

a. Define an email server.

b. Define a user with permissions for all devices. Specify that the user receives
email notifications for all reports and configuration / policy changes.

2. Test device definition and analysis

a. Define a new device and assign a user with permissions for it, or use an
existing device to test AFA functionality.

b. Run a manual analysis on the device.

c. Verify that all sections of the new report have valid results.

In the report, on the Policy Optimization tab, in the Rule Usage Statistics
area, click All Rule Usage.

Check the first text line to verify that the report is based on logs collected
today.

3. Test change monitoring

a. Add a rule to the device's policy.

b. Wait for the next monitoring cycle to run. By default, this runs every 20
minutes.

c. View the device's Monitoring tab and verify that the change was detected.

4. Test email alerts

a. Check that the user you defined back in Prepare for your test received an
email alert about the analysis completed in Test device definition and
analysis.

b. Check that the same user received an alert about the change you made to
the device in Test change monitoring.


Test basic FireFlow functionality


This procedure describes how to test basic FireFlow functionality.

Do the following:

1. Test change request submission

Do the following as a Requestor user, and then again as a privileged user:

a. Log in to FireFlow and submit a change request. If your organization uses a
customized template or workflow, use the custom version.

b. Verify that the change request was submitted successfully.

2. Test workflow functionality and validation

a. Locate one of the change requests you created in Test change request
submission, and move it through the various stages of the workflow.

b. Verify that the following stages produce valid results:

• Initial Plan: Shows the relevant devices for the change request.

• Risk Check: Shows a list of risks.

• Work Order: Shows a valid suggestion to implement the requested change.

c. When you get to the Work Order stage in the change request, implement the
change on the device.

d. After the next monitoring cycle is complete, browse to the Validation stage of
the workflow, and verify that accurate validation results are shown.

e. In AFA, run an analysis on the device. Wait 2 hours, and then browse to the
AutoMatching FireFlow stage, and verify that the change request and
change are listed in the correct section.

Test basic BusinessFlow functionality


This procedure describes how to test basic BusinessFlow functionality.


Do the following:

1. Test new applications

a. Create a new application, and add flows to it. Add at least one flow that is
currently blocked by the organization's firewalls.

b. Verify that the application is created successfully.

2. Test connectivity and change requests

a. Apply the application draft and check the application connectivity.

b. Verify the connectivity for each flow, and that the connectivity of the entire
application updates automatically.

c. In the Change Requests tab, verify that a change request was created for the
new flows.

3. Test application decommissioning

a. Decommission the application you created in Test new applications.

b. Verify that the application's status changes to Decommissioned.

c. Verify that the relevant change requests were opened to drop the
application's traffic.

Note: If the application contains flows that are in use by other applications, change
requests for this traffic will not be opened.


Populate your environment


After your initial setup, add devices in AFA, users in FireFlow, and applications to
BusinessFlow, depending on the products supported by your licenses.

For details, see the following guides:

• AlgoSec Firewall Analyzer Administrator Guide. Describes how to add devices
and users to AFA.

• AlgoSec FireFlow User Guide. Describes how to add unprivileged users, also
known as Requestors, to FireFlow.

• AlgoSec BusinessFlow User Guide. Describes how to add applications to
BusinessFlow.

When FireFlow and BusinessFlow are licensed, users added to AFA automatically
have access to FireFlow and BusinessFlow, and FireFlow Requestors automatically
have access to BusinessFlow.


Upgrade ASMS
This section describes how to upgrade an ASMS environment to a new version of
ASMS.

This section includes:

• Licensing during upgrade

• Enabling new features after upgrade

• Upgrade prerequisites

• Upgrade your system

Licensing during upgrade


Upgrading ASMS to a new version retains all your existing license information and
configuration settings. All reports are retained as well, unless otherwise specified.

For more details, see ASMS licensing.

Enabling new features after upgrade


Some new features in our new version may only be enabled and visible after you
generate new reports for all devices.

After upgrading, we recommend running a manual group report for the
ALL_FIREWALLS group so that you can view all features.

Upgrade prerequisites
Before you start upgrading your ASMS system, read through the following prerequisites
and ensure that you and the system are ready to start.

In this section:

• Mandatory upgrade prerequisites

• Recommended upgrade prerequisites

Mandatory upgrade prerequisites


The following prerequisites are required before upgrading.


• Minimum version required for upgrades

• Downtime requirements for upgrades

• Disk space requirements for upgrades

• NAS storage requirements for upgrades with HA/DR clusters (2018.1 only)

Minimum version required for upgrades


AlgoSec's upgrade process is supported only from two versions backwards. Therefore,
upgrading your system to ASMS version 30.00 is supported only from 2018.1.

If you have an ASMS version earlier than 2018.1, you must first perform any upgrades
required to get to 2018.1. For details, see the upgrade procedure in the Installation and
Setup Guide for 2018.1 or any other version you are upgrading to. These guides are
available from the AlgoSec portal.

Note: Prerequisites and upgrade procedures will differ, depending on your system
version.

Example: If you are upgrading from 6.11 to 30.00, perform two upgrades:

1. First, upgrade from 6.11 to 2018.1. Use the procedure in the 2018.1 Installation
and Setup Guide.

2. Then, upgrade again from 2018.1 to 30.00. For more details, see Upgrade your
system.

Downtime requirements for upgrades


Downtime will be required while all of the servers in your system are upgraded. The
downtime will differ depending on the number and types of servers you have. Schedule
your upgrade at a time where you can afford this downtime.

Tip: Start the upgrade process to view the runtime estimation.


Disk space requirements for upgrades


5 GB of disk space is required per partition (OS and data) on all appliances:

• If less than 5 GB of disk space is found, the upgrade process aborts.

• If there is less than 10 GB of disk space found, the upgrade process presents a
warning and enables you to choose whether to continue or not.

To cancel and run the upgrade later, enter n at the confirmation prompt.

NAS storage requirements for upgrades with HA/DR clusters (2018.1 only)


If you are upgrading from 2018.1 and have NAS configured for HA/DR clusters in your
environment, you must de-configure NAS before upgrading.

Reconfigure the NAS when the upgrade is complete.

For details, see:

• Configure NAS storage

• Deconfigure NAS storage

If you are upgrading from 2018.2, these steps are not required.

Recommended upgrade prerequisites


The following prerequisites are not mandatory, but are recommended:

• Back up your system before upgrading

• CPU and RAM recommendations for upgrades

• VisualFlow recommendations for upgrades

• HA cluster recommendations for upgrades

• Service recommendations for upgrades

Back up your system before upgrading


If you have ASMS deployed on virtual machines, we recommend generating a fresh
backup before upgrading. This isn't relevant for physical appliances, as restoring or
rolling back upgrades on physical appliances is not supported.

CPU and RAM recommendations for upgrades


We recommend at least 4 cores CPU on each appliance, and 4 GB RAM for each core.

VisualFlow recommendations for upgrades


Upgrading VisualFlow overwrites any unapplied workflow drafts, and discards all
unapplied changes.

If you have unapplied workflow changes in VisualFlow, we recommend that you apply
them before upgrading so that you don't lose any work.

HA cluster recommendations for upgrades


If you are upgrading AFA on HA clusters, and also have FireFlow configured, we highly
recommend that you upgrade FireFlow as well.

This is not required for DR clusters.

Service recommendations for upgrades


We recommend ensuring that the following services are running when you perform the
upgrade:

• psql

• metro (apache-tomcat)

• mongod

If these services are not running, the upgrade process requests that you confirm whether
you would like to continue. We recommend contacting AlgoSec customer support to
start these services before continuing.
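As an added example (not AlgoSec's own code and not part of this guide), the following Python script turns three of the checks above into a preflight you can run before starting the automated upgrade: it parses the service table shown under Test basic ASMS processes, applies the 5 GB / 10 GB per-partition thresholds from Disk space requirements, and reports which of the recommended services (psql, metro, mongod) are not running. The mapping from those service names to rows of the status table, the mount points, and the use of binary gigabytes are assumptions.

```python
"""Upgrade preflight helper (added example, not AlgoSec's code). It parses the service
table printed by option 17 of the administration interface, applies the per-partition
disk thresholds from the upgrade prerequisites, and checks the recommended services."""
import re
import shutil
from typing import Dict, List

GIB = 1024 ** 3        # assumption: the guide's "GB" is read as binary gigabytes
ABORT_BELOW_GB = 5     # below this per partition the upgrade aborts
WARN_BELOW_GB = 10     # below this the upgrade warns and asks whether to continue

# Assumption: which rows of the option-17 table correspond to the three services the
# guide recommends having up (psql, metro, mongod). The guide does not state this mapping.
STATUS_ROW_FOR = {"psql": "postgresql", "metro": "metro", "mongod": "mongo Database"}

# One table row: "| <service> | <state> |". Banner, border and blank rows do not match.
STATUS_ROW = re.compile(r"^\|\s*(?P<name>[^|]+?)\s*\|\s*(?P<state>[^|]+?)\s*\|$")

# Constructed sample in the option-17 format, with one service deliberately not OK.
SAMPLE_STATUS = """\
|======================================|
| 192.0.2.10 |
| |
| (Thu Nov 28 13:45:10 IST 2019) |
|--------------------------------------|
| crond | OK |
| httpd | OK |
| postgresql | FAILED |
| activemq | OK |
| mongo Database | OK |
| apache-tomcat | OK |
| metro | OK |
| watchdog | OK |
|======================================|
"""


def parse_status_table(text: str) -> Dict[str, str]:
    """Return {service: state} from the service-status table, in table order."""
    services: Dict[str, str] = {}
    for line in text.splitlines():
        m = STATUS_ROW.match(line.strip())
        if m:
            services[m["name"]] = m["state"]
    return services


def services_not_ok(text: str) -> List[str]:
    """Names of services whose state is anything other than OK."""
    return [name for name, state in parse_status_table(text).items() if state != "OK"]


def disk_verdict(free_bytes_by_partition: Dict[str, int]) -> Dict[str, str]:
    """Per partition: 'abort' (< 5 GB free), 'warn' (< 10 GB free) or 'ok'."""
    verdicts: Dict[str, str] = {}
    for mount, free in free_bytes_by_partition.items():
        if free < ABORT_BELOW_GB * GIB:
            verdicts[mount] = "abort"
        elif free < WARN_BELOW_GB * GIB:
            verdicts[mount] = "warn"
        else:
            verdicts[mount] = "ok"
    return verdicts


def live_free_space(mounts: List[str]) -> Dict[str, int]:
    """Free bytes for the given mount points on this host (OS and data partitions)."""
    return {m: shutil.disk_usage(m).free for m in mounts}


def preflight(status_text: str, free_bytes_by_partition: Dict[str, int]) -> Dict[str, object]:
    """Combine both checks: 'abort' if any partition is under 5 GB; 'confirm' if the
    upgrade would stop at a y/n prompt (a partition under 10 GB or a recommended
    service not running); otherwise 'ok'."""
    disks = disk_verdict(free_bytes_by_partition)
    states = parse_status_table(status_text)
    down = [svc for svc, row in STATUS_ROW_FOR.items() if states.get(row) != "OK"]
    if "abort" in disks.values():
        decision = "abort"
    elif "warn" in disks.values() or down:
        decision = "confirm"
    else:
        decision = "ok"
    return {"decision": decision, "disks": disks, "recommended_services_down": down}


if __name__ == "__main__":
    # On a live appliance pass live_free_space(["/", "/data"]) and the captured
    # option-17 output; here the constructed sample and fixed sizes are used.
    print(preflight(SAMPLE_STATUS, {"/": 20 * GIB, "/data": 7 * GIB}))
```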

Upgrade your system


This topic describes how to use the ASMS automated system upgrade on single
appliances, HA/DR clusters, and distributed systems.


Note: Before you start, review the upgrade prerequisites and ensure that your system
complies. For details, see Upgrade prerequisites.

Perform an automated ASMS upgrade


Automated ASMS upgrades are supported for standalone hardware or VM appliances,
HA/DR clusters, and distributed systems.

Do the following:

1. Upgrading from 2018.1 only: If you are upgrading from 2018.1 and have NAS
configured, first deconfigure NAS before you upgrade. For details, see
Deconfigure NAS storage.

2. Determine the builds that you need to upgrade, and download the relevant
software packages from the AlgoSec portal. For details, see Download ASMS
software packages.

3. Access your appliance as user: root

Clusters / distributed nodes: Access the primary node on the Master / Central
Manager appliance.

4. Copy the downloaded software packages to the following directory:

/root/AlgoSec_Upgrade/

5. If you aren't already connected to the ASMS Administration interface (algosec_conf),
connect now. For details, see Connect to the Administration Interface.

Clusters: Connect to the primary node.

6. In the administration interface main menu, enter 8 to select Upgrade software.

Note: The system checks your prerequisites to verify that your system is ready
for the upgrade. If any of the prerequisite checks fail, relevant errors are
displayed to notify you. In such cases, we recommend making changes so that
your system complies, and then starting the upgrade process again.

The system lists the available builds from the files you saved in step 4, and
prompts you to select the build you want to install. For example:

************************************
*** Software upgrade is starting ***
************************************
Select an AlgoSec build to install:
1. algosec-appliance-3000.0.0-529-el6.x86_64.run
2. fa-3000.0.0-891.x86_64.run
3. Run All

Note: The option numbering may differ depending on your system
configuration.

7. Do one of the following:

Run all installations together (recommended)
    Select the option to Run All.

    Note: The option to Run All does not appear at all if you have more than
    one build per package saved. In this case, to run all installations
    together, first remove the earlier builds.

Run each installation separately
    Enter the line number for the build you want to install. When each upgrade
    is complete, start the process again to run the next installation. If you
    do this, install the builds in the following order:
    a. Appliance build
    b. AFA build
    c. FireFlow build
    d. BusinessFlow build


The system displays details about the upgrade it is about to perform, and prompts
you to approve.

For example:

The following AlgoSec packages are going to be upgraded:
* algosec-appliance-3000.0.0-529.noarch TO algosec-appliance-3000.0.0-529-el6.x86_64
* fa-3000.0.0-891.x86_64 TO fa-3000.0.0-891.x86_64
********************
*** Upgrade plan ***
********************
Local node : 10.23.0.41
Remote Agent nodes: 10.23.0.40
Runtime Estimation: Up to 80 minutes
Review the upgrade plan detailed above. Approve plan? (y/n):

8. Enter y to confirm and start the upgrade. The upgrade starts.

If you are working on a distributed system, the upgrade first starts on the local
node and then continues with the distributed nodes. The system displays
confirmation details as the downloaded packages are copied to the distribution
nodes and installed.

When the upgrade is complete, any clusters are resumed if relevant, and the
following message appears:

*** Software upgrade finished successfully ***

9. In case of a kernel upgrade on an appliance build, the system also prompts you to
reboot. Reboot your system as prompted.

Warning: Not rebooting at this stage leaves you with a legacy kernel, which
may present security issues.


10. Upgrading from 2018.1 only: If you had deconfigured NAS before you started,
reconfigure it. For details, see Configure NAS storage.

Troubleshoot your automated upgrade


If your automated upgrade fails for any reason, the system displays an error, as well as
the location of specific log files. The central upgrade log file is located at:
/var/log/algosec-software-upgrade.log

The system also prompts you with options to start the upgrade again.

If you have a distributed system and only some nodes failed, you can select the nodes
you want to reinstall, or rerun the entire upgrade from scratch. Select the option that
works best for you and run through the CLI process as prompted and described above.

For more details, see the AlgoPedia article at:
https://knowledge.algosec.com/skn/c6/AlgoPedia/e14320


General system maintenance


This section describes common maintenance procedures to perform on your ASMS
system.

This section includes:

• Reboot the appliance

• Reset the appliance to factory defaults

• Contact AlgoSec technical support

Reboot the appliance


This procedure describes how to reboot your appliance, which is sometimes required as
part of other maintenance and configuration procedures.

Note: Perform a graceful shutdown and restart of the ASMS services to prevent
unexpected behavior. For details, see ASMS graceful shutdown and startup in
AlgoPedia.

Do the following:

1. Connect to the ASMS Administration Interface. For details, see Connect to the
Administration Interface.

2. Press CTRL+C to exit the menu.

3. Run the following command:

reboot

If needed, Hardware Appliances can also be rebooted by pressing the power button on
the front panel of the appliance for 10 seconds, and then pressing it again. We do not
recommend this method as part of regular operation.


Reset the appliance to factory defaults


This procedure describes how to reset the appliance to factory defaults, and must be
performed if you are reusing an appliance in a new role.

For example, you might do this if your appliance was previously used as a Central
Manager, and you now want to use it as a Load Slave or Remote Agent.

Note: Resetting the appliance to factory defaults erases all of the information on the
appliance, including configurations, user data, and so on, and returns it to its initial,
out-of-the-box state.

Do the following:

1. We recommend backing up your data before you reset the appliance.

2. Connect to the ASMS Administration Interface. For details, see Connect to the
Administration Interface.

3. Run the following command:

reboot

4. When the appliance reboots and a message appears, press SPACE. Do this
within 5 seconds to prevent the appliance from fully rebooting.

The appliance OS menu appears.

5. Use the arrow keys to select Restore to Factory Defaults, then press ENTER.


A warning message appears.

6. Enter erase.

Another warning message appears.

7. Enter YES. Make sure you use capital letters.

The system is formatted and re-installed, and all data is deleted. This process can
take several minutes.

At the end of the process, the system is automatically restarted.

8. Continue by configuring your machine again. For details, see Configure ASMS
machines.

Contact AlgoSec technical support


This procedure describes how to contact AlgoSec support, and the files to send with
your support case.

Do the following:

1. Access the Support Home page on the AlgoSec portal.

2. Click Submit a Support Case.

3. Complete the fields and submit the ticket. Make sure to attach any relevant logs:

• AFA or FireFlow logs, depending on the nature of your case.

• HA logs, if the case relates to high availability issues. For details about
collecting these logs, see Collect logs for AlgoSec technical support.

See also:
• Backup and restore
• ASMS licensing


Backup and restore


The AlgoSec Security Management Suite enables you to back up and restore the entire
ASMS environment as needed.

This topic describes how to start a backup or restore process from FireFlow or
BusinessFlow. The actual backup and restore is handled by AlgoSec Firewall Analyzer.
Starting from FireFlow or BusinessFlow switches you to AFA to complete the process.

Backup and restore prerequisites


Note the following before starting your backup or restore procedure:

User roles           You must be an administrator to perform the backup or restore.

Version              You can only restore ASMS to the same major version from which
                     the backup was taken.
                     If you have upgrades to perform, upgrade your system only before
                     the backup or after the restore. Do not attempt to upgrade your
                     system between backup and restore processes.

System processes     Restoring your system requires some downtime. Disable any jobs
                     scheduled to run during the restore process, such as ASMS
                     monitoring or analysis.
                     Reinstate the scheduling once the restore is complete.

System requirements  We recommend always restoring to an appliance with the same
                     number of cores as the appliance from which the backup was
                     taken.

Access backup and restore from FireFlow or BusinessFlow


Do one of the following:

FireFlow      In FireFlow, in the main menu on the left, click Advanced
              Configuration. Then, click the Backup and Restore tab on the right.

BusinessFlow  In BusinessFlow, do the following:
              1. In the toolbar, click your username. From the drop-down menu,
                 select Administration.
              2. On the Administration page, in the Backup and Restore area, click
                 Manage Settings.

The AFA Backup/Restore page appears.

Complete the fields as needed.

Note: After performing a restore, you must run a report on 'All Firewalls' to ensure a
valid network map.


ASMS licensing
This topic describes how to obtain and install ASMS licenses, as well as track license
usage across your devices.

AlgoSec licenses control the AFA modules available, whether FireFlow, BusinessFlow,
or AutoDiscovery are available, the number of routers supported, and more.

This section includes:

• Obtain a license

• Online license requirements

• Install a license

• License usage

• Update licenses


Obtain a license
Do the following to obtain a new license key:

1. Log in to http://portal.algosec.com using your username and password.

2. At the top of the screen, click .

3. Populate the request form as follows:

Field                Description

Product/s            Select the product you want a license for.
                     If you want a license for multiple products, select AlgoSec
                     Suite.

                     Note: To use the most recent version of AutoDiscovery, your
                     license must also include AutoDiscovery support.

Internet Connection  Select whether your AFA server can connect to the internet
                     while activating the license.
                     For details, see Online license requirements.

AlgoSec Server       Enter the MAC address of your AFA server. To find the MAC
MAC Address          address, do the following:
                     a. Browse to https://<AFA_server>/algosec/, where
                        <AFA_server> is the AFA server URL.
                     b. Click AlgoSec Appliance Status.

                     Note: If your AFA server has multiple interfaces, make sure to
                     submit the MAC address of the eth0 interface.
                     For details about native Linux installations, see Deploy or
                     upgrade a standalone native Linux server in AlgoPedia.

License Key For      Select your customer status.

Number of Firewalls  Enter the number of firewalls you want to manage with AFA.

Comments             Enter any additional comments required.
                     • If you need an offline license, enter: Please provide an
                       offline license
                     • If the license will be used for a prospect, name the
                       account

4. Click Submit.

Your license is sent to the email address you used to log in to the AlgoSec portal.
Save it to a location accessible by the AFA server.

Online license requirements


AlgoSec provides online licenses, which are inactivated to start.


To activate your license, ensure that the AFA server can access the AlgoSec licensing
server, including the following:

Internet connection  The AFA server must be connected to the internet.
                     If your AFA server cannot connect to the internet for the
                     duration of the license activation, request a pre-activated,
                     offline license from AlgoSec. For details, see Obtain a
                     license.

                     Note: Offline licenses may take several days to issue.

Proxies              If your browser settings use a proxy, you must also configure
                     AFA to use the proxy.

HTTPS traffic        Your connection must allow HTTPS traffic (TCP/443) from your
                     AlgoSec server to www.algosec.com.
                     Outbound web proxies must not manipulate or sanitize traffic.

No data about the configuration of analyzed devices is passed back to AlgoSec over the
internet or to any third party.

Install a license
This procedure describes how to install a license. For details about obtaining your
license, see Obtain a license.

If you have just defined your first administrator user directly in AFA, click Install License
in the Firewall Analyzer window.

In all other cases, do the following:

1. In AlgoSec Firewall Analyzer or BusinessFlow, click your username at the top
right, and select License.

From AlgoSec Firewall Analyzer

If you are in AlgoSec Firewall Analyzer, the License Information dialog appears.
For example:


From BusinessFlow

If you are in BusinessFlow, the License Information dialog is displayed as follows:

From there, click View and manage license to jump to the License Information
dialog in AlgoSec Firewall Analyzer.

2. In the AlgoSec Firewall Analyzer License Information dialog, click Install License.


3. Accept the End-User License Agreement that appears.

4. In the License Installation dialog, click Select a File. Then, browse to and select
the license file (license.lic) you received by email. For example:

5. Click Install.

6. Log out of AFA, and then log in again.

HA/DR clusters
If you are running AFA on an HA/DR cluster, apply the license to secondary appliance
as well.

Do the following:


1. On the secondary appliance, open a terminal and log in as user: root

2. Connect to the ASMS Administration interface. For details, see Connect to the
Administration Interface.

3. Enter 12.

4. When prompted, enter the path to the license file (license.lic) you received by
email.

The license is installed.

License usage
An ASMS license is used for every on-premises or private cloud device shown at the
lowest level of the device tree.

For example, the highlighted devices in the following image each consume a single
license.

Note: Some exceptions exist. For details, see AlgoPedia.


Virtual router licensing


• In LSYS/VSYS systems, licenses are consumed at the LSYS/VSYS level instead
of the virtual router (VR) level. This means that using multiple VRs in a single
VSYS consumes only one license.

• During upgrades, any licenses consumed by VRs are not calculated towards total
consumption.

Public cloud licensing


While public cloud assets (AWS and Azure) do not consume licenses, ASMS does track
your public cloud asset usage.

When you renew licenses, AlgoSec sales personnel will check your cloud usage and
sell you enough licenses for the number of assets actually in use.

View license usage statistics


Do the following:

1. In AlgoSec Firewall Analyzer, click your username at the top right, and select
License.

The License Information window appears. For example:


2. Click the links at the bottom of the dialog to download license usage
spreadsheets:

License Usage       Licenses consumed by all on-premises devices.
                    Sample on-premises and private cloud license usage report

Public Cloud Usage  Cloud asset details, including the following:
                    • Number of cloud assets managed by ASMS, sampled hourly
                    • Top monthly average count, per year
                    Sample public cloud license usage report

Note: License usage spreadsheets are protected against modifications.

Sample on-premises and private cloud license usage report


| Tree Display Name | Parent Name     | Device IP     | Brand              | Name            | Last Completed Report | Deleted Device | Device License ID |
| Violet_Fortinet   | Violet_Fortinet | 10.42.65.100  | Fortinet FortiGate | N/A             | afa-23                | no             | 201.13.190.60     |
| gw-ab1323         | gw_ab1323       | 192.168.7.253 | Check Point        | m_192_168_7_253 | afa-22                | no             | gw_ab1323         |
| 192.168.7.252     | 192_168_7_252   | 192.168.7.252 | Cisco ASA          | N/A             | afa-24                | no             | 192_168_7_252     |
| 192.168.7.251     | 192_168_7_251   | 192.168.7.251 | Juniper JUNOS      | N/A             | afa-25                | no             | 192_168_7_251     |
| Rose_checkpoint   | Rose_checkpoint | 10.82.18.20   | Check Point        | N/A             | afa-26                | no             | 192.168.6.254     |

Sample public cloud license usage report


Summary - Top monthly average

| Year | Top Month | Month avg. AWS_Assets | Month avg. Azure_Assets | Month avg. total |
| 2019 | May       | 635                   | 42                      | 677              |

Report produced on: 30-May-2019

Breakdown

| Date      | Hour | AWS_Assets | Azure_Assets | Total |
| 27-May-19 | 11   | 570        | 0            | 570   |
| 27-May-19 | 12   | 570        | 0            | 570   |
| 27-May-19 | 13   | 570        | 0            | 570   |
| 27-May-19 | 14   | 570        | 0            | 570   |
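As an added example (not part of the report and not AlgoSec's code), the following Python computes the Summary row of the public cloud usage report from hourly Breakdown rows: asset counts are averaged per month and year over the hourly samples, and the month with the highest average total is reported per year. The Breakdown rows are constructed, chosen so that May 2019 reproduces the 635 / 42 / 677 figures shown above.

```python
"""Added example (not AlgoSec's code): rebuild the 'Summary - Top monthly average'
section of the public cloud usage report from hourly Breakdown rows."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Sample:
    """One hourly Breakdown row: date as printed (e.g. 27-May-19), hour, asset counts."""
    date: str
    hour: int
    aws: int
    azure: int

    @property
    def total(self) -> int:
        return self.aws + self.azure


def parse_breakdown(rows: Iterable[str]) -> List[Sample]:
    """Parse 'Date Hour AWS_Assets Azure_Assets Total' rows, skipping the header and
    rejecting rows whose Total column does not equal AWS + Azure."""
    samples: List[Sample] = []
    for row in rows:
        parts = row.split()
        if len(parts) != 5 or parts[0] == "Date":
            continue
        hour, aws, azure, total = (int(p) for p in parts[1:])
        if aws + azure != total:
            raise ValueError(f"Total does not match AWS + Azure in row: {row!r}")
        samples.append(Sample(parts[0], hour, aws, azure))
    return samples


def monthly_averages(samples: Iterable[Sample]) -> Dict[Tuple[int, str], Dict[str, float]]:
    """Average AWS, Azure and total asset counts per (year, month name)."""
    buckets: Dict[Tuple[int, str], List[Sample]] = defaultdict(list)
    for s in samples:
        d = datetime.strptime(s.date, "%d-%b-%y")
        buckets[(d.year, d.strftime("%B"))].append(s)
    return {
        key: {
            "aws": sum(s.aws for s in group) / len(group),
            "azure": sum(s.azure for s in group) / len(group),
            "total": sum(s.total for s in group) / len(group),
        }
        for key, group in buckets.items()
    }


def top_monthly_average(samples: Iterable[Sample]) -> Dict[int, Dict[str, object]]:
    """Per year, the month with the highest average total: the report's Summary row."""
    per_year: Dict[int, Dict[str, object]] = {}
    for (year, month), avg in monthly_averages(samples).items():
        best = per_year.get(year)
        if best is None or avg["total"] > best["total"]:
            per_year[year] = {"top_month": month, **avg}
    return per_year


def constructed_rows() -> List[str]:
    """Constructed Breakdown rows (not from a real report): 24 hourly samples for each
    of three days, chosen so that May 2019 averages 635 AWS / 42 Azure / 677 total."""
    rows = ["Date Hour AWS_Assets Azure_Assets Total"]
    days = (("10-Apr-19", 600, 20), ("27-May-19", 570, 0), ("28-May-19", 700, 84))
    for date, aws, azure in days:
        for hour in range(24):
            rows.append(f"{date} {hour} {aws} {azure} {aws + azure}")
    return rows


if __name__ == "__main__":
    for year, row in top_monthly_average(parse_breakdown(constructed_rows())).items():
        print(year, row)
```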

Update licenses
Contact AlgoSec to update your licenses in the following scenarios:


Expired licenses   When there are less than 45 days remaining on your license, the
                   License link in the Administration menu turns red.
                   To ensure continuous use, make sure to update your license
                   before it expires.

Exceeded licenses  Your license is valid for a specific number of devices or
                   reports. Update your license if you require additional devices
                   or reports.
                   See also: Public cloud licensing

ASMS product       To upgrade your AlgoSec solution with additional modules or
upgrades           components, you must also update your license.


Logins and other basics


This topic describes the very basics of working with ASMS, such as logging in and out
and supported browsers.

Supported browsers
View ASMS in one of the following web browsers, at a screen resolution of 1920x1080 or
above.

• Mozilla Firefox

• Google Chrome

• Microsoft Edge

• Internet Explorer 11 and higher. Internet Explorer 8.0 is supported for FireFlow
requestors only.

Log in to ASMS
Log in to ASMS from any desktop computer using the credentials provided by an AFA
administrator.

Do the following:

1. In your browser, navigate to https://<algosec_server>, where <algosec_server> is
the ASMS server IP address or DNS name.

If a warning message about the web server's certificate appears, click Accept or
OK. For more details, contact your network administrator.

The Security Management Suite login page appears.


2. In the Username and Password fields, enter your username and password, and click
Login.

You are logged in, and ASMS displays AFA by default.


Tip: If you have multiple AlgoSec products and want to change your default landing
page, see Customize your landing page.

Switch ASMS products


If you are a user in multiple ASMS products, such as AFA, FireFlow, and BusinessFlow,
switch between products using the dropdown at the top-left, above the main menu.

If you are an administrator for any of these products, the relevant administration menu is
available from your user dropdown at the top-right:


Adjust your screen space


To adjust the screen space available for your main workspace, hide, display, or change
the size of the main menu on the left.

• To adjust the size of the main menu, hover between the menu and the workspace
and drag the border left or right.

• To collapse the menu entirely, click the icon at the top of the menu. When the menu is
collapsed, click the icon again to expand it.

Customize your landing page


The following procedure describes how ASMS users can define their own landing page.

Do the following:

1. Click your username in the toolbar and select User Settings.

2. In the User details area > Landing page drop-down, select the landing page you
want to see when you first log in.


Log out and log in again to view the change.

View ASMS product details


This procedure describes how you can identify your AFA, FireFlow, or BusinessFlow
installation version and build number.

Do the following:

1. In the toolbar, click your username and then select About or Info.

2. If you're in AFA, in the Info dialog, click About.


The About dialog appears, showing details about the product you have installed.


Note: If you are running the FIPS 140-2 compliant version of AFA, this information is
indicated in the window.

Log out of ASMS


Log out of ASMS by clicking your username at the top right, and selecting Logout.

You are logged out of all ASMS products available to you.


Note: If Single Sign On is configured, you must browse to the Logout page hosted on
your IdP to log out.

For more details, see the AlgoSec Firewall Analyzer Administrator Guide.


Send us feedback
Let us know how we can improve your experience with the Installation and Setup Guide.
Email us at: techdocs@algosec.com

Note: For more details not included in this guide, see the online ASMS Tech Docs.
